2008-09-01 17:05:42



(default: empty)

Optional restrictions that the Postfix SMTP server applies in the context of the MAIL FROM command.

The default is to permit everything.

Specify a list of restrictions, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. Restrictions are applied in the order as specified; the first restriction that matches wins.

The following restrictions are specific to the sender address received with the MAIL FROM command.

Search the specified database for the MAIL FROM address, domain, parent domains, or localpart@, and execute the corresponding action.
Search the specified database for the MX hosts for the MAIL FROM address, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.
Search the specified database for the DNS servers for the MAIL FROM address, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.
Enforces the restriction for authenticated clients only. This feature is available in Postfix version 2.1 and later.
Reject the request when the MAIL FROM address is not in fully-qualified domain form, as required by the RFC.
The parameter specifies the response code to rejected requests (default: 504).
Reject the request when the MAIL FROM domain is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). If no "=d.d.d.d" is specified, reject the request when the MAIL FROM domain is listed with any A record under rbl_domain.
The parameter specifies the response code for rejected requests (default: 554); the parameter specifies the default server reply; and the parameter specifies tables with server replies indexed by rbl_domain. This feature is available in Postfix 2.0 and later.
Reject the request when $ specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $.
Enforces the restriction for unauthenticated clients only. This feature is available in Postfix version 2.1 and later.
Reject the request when Postfix is not the final destination for the sender address and the MAIL FROM address has no DNS A or MX record, or when it has a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).
The parameter specifies the response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error.
Reject the request when the MAIL FROM address is not listed in the list of valid recipients for its domain class. See the parameter description for details. This feature is available in Postfix 2.1 and later.
Reject the request when mail to the MAIL FROM address is known to bounce, or when the sender address destination is not reachable. Address verification information is managed by the server; see the file for details.
The parameter specifies the response when an address is known to bounce (default: 450; change it to 550 only when you are confident that it is safe to do so). The specifies the response when an address probe failed because of a temporary problem (default: 450). This feature is available in Postfix 2.1 and later.

Other restrictions that are valid in this context:

  • restrictions that can be used in any SMTP command context, described under .
  • SMTP command specific restrictions described under and .
  • SMTP command specific restrictions described under . When recipient restrictions are listed under , they have effect only with " = yes", so that $ is evaluated at the time of the RCPT TO command.

Examples:

 = 
= ,
hash:/etc/postfix/access


  • Drop senders whose host name has no MX / A record in DNS

This check takes the sender's host name and looks it up in DNS. Inexperienced spammers often make up a host name at random in the hope of slipping through; a single setting is enough to deal with that trick.

To enable it, add one line to main.cf:

smtpd_sender_restrictions = reject_unknown_sender_domain

As technology has progressed, the spammers who scatter junk everywhere have learned that we check DNS, so they simply register a domain name, and with that they pass the reject_unknown_sender_domain check.

Next, since the forward DNS lookup passes, we check the reverse lookup. A conscientious DNS administrator sets up both forward and reverse records and follows the rules, but spammers often do not, so a reverse lookup of the connecting host's IP finds nothing. We can use this to filter that trick.

  • Do not allow connections from client IPs that have no reverse record

This filtering method does not use the sender's host name; it uses the IP address the client connects from.

Add one line to main.cf:

smtpd_sender_restrictions = reject_unknown_client

This method is certainly very effective, but it is effective "beyond what you would imagine". Why? Some legitimate mail, which is not spam at all, will be blocked because no DNS PTR record can be found for the sending host. Such "exceptional cases" must be added to mynetworks so that their "exceptional mail" is still received.

So mynetworks needs an extra entry. Taking 11.22.33.44 as an example, we would use:

mynetworks = 11.22.33.44, 192.168.3.0/24, 127.0.0.0/8

Then add it to smtpd_sender_restrictions, used together with reject_unknown_client:

smtpd_sender_restrictions =
     permit_mynetworks
     reject_unknown_client

Because a permit entry that matches ends evaluation of the whole smtpd_sender_restrictions list, a user connecting from 11.22.33.44 is treated as a legitimate source and is not filtered by reject_unknown_client.
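The following is an added example, not Postfix code and not from the original post: a small Python simulation of the two points the page makes about restriction evaluation, namely that restrictions are applied in the order listed and the first match wins, and that a sender access map is searched for the full address, then the domain and its parent domains, then localpart@. It replays the permit_mynetworks / reject_unknown_client ordering with the mynetworks value from the page. The DNS data, the access table contents, the IP 203.0.113.10 and the sender addresses are all constructed; reject_unknown_client is modelled only as "the client IP has no PTR record", as the page describes it, which is simpler than what Postfix really checks.

```python
"""Toy simulation (not Postfix code) of how smtpd_sender_restrictions are
evaluated: in the order listed, first match wins, default is to permit."""
import ipaddress

# Constructed DNS data: domains that have an A or MX record, and client IPs
# that have a PTR record. Nothing here is looked up on the network.
DNS_A_OR_MX = {"example.com", "mail.example.net"}
DNS_PTR = {"203.0.113.10": "mx1.example.com"}

# Constructed access table standing in for the contents of hash:/etc/postfix/access.
ACCESS_TABLE = {"spammer@example.com": "REJECT", "example.net": "OK", "bulk@": "DUNNO"}

# The mynetworks value from the page; 11.22.33.44 is the trusted host with no PTR.
MYNETWORKS = ["11.22.33.44", "192.168.3.0/24", "127.0.0.0/8"]

KNOWN = {"permit_mynetworks", "reject_unknown_client", "reject_unknown_sender_domain",
         "reject_non_fqdn_sender", "check_sender_access"}


def in_mynetworks(client_ip, nets=MYNETWORKS):
    """permit_mynetworks: is the connecting IP inside one of the listed networks?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in nets)


def access_lookup(sender, table=ACCESS_TABLE):
    """Lookup order of a sender access map as the page describes it:
    full address, then the domain and each parent domain, then localpart@."""
    local, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    keys = [sender]
    keys += [".".join(labels[i:]) for i in range(len(labels))]  # domain, parents
    keys.append(local + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None  # no entry at all: this restriction does not match


def evaluate(restrictions, client_ip, sender):
    """Walk the restriction list in order and return (action, restriction)
    for the first one that matches; no match at all means permit."""
    domain = sender.rpartition("@")[2]
    for r in restrictions:
        name = r.split()[0]  # "check_sender_access hash:/..." -> "check_sender_access"
        if name not in KNOWN:
            raise ValueError("restriction not modelled: " + name)
        if name == "permit_mynetworks" and in_mynetworks(client_ip):
            return ("OK", r)
        if name == "reject_unknown_client" and client_ip not in DNS_PTR:
            return ("REJECT", r)
        if name == "reject_unknown_sender_domain" and domain not in DNS_A_OR_MX:
            return ("REJECT", r)
        if name == "reject_non_fqdn_sender" and "." not in domain:
            return ("REJECT", r)
        if name == "check_sender_access":
            action = access_lookup(sender)
            if action in ("OK", "REJECT"):
                return (action, r)
            # DUNNO or no entry: fall through to the next restriction
    return ("OK", "default-permit")


if __name__ == "__main__":
    host = "11.22.33.44"
    # reject_unknown_client alone: the trusted host with no PTR is rejected.
    print(evaluate(["reject_unknown_client"], host, "user@example.com"))
    # permit_mynetworks listed first: evaluation stops at the permit.
    print(evaluate(["permit_mynetworks", "reject_unknown_client"], host, "user@example.com"))
    # Same two restrictions in the other order: the reject matches first.
    print(evaluate(["reject_unknown_client", "permit_mynetworks"], host, "user@example.com"))
```

The third call in the usage section is the case worth remembering: listing permit_mynetworks after reject_unknown_client does not rescue the exception host, because the reject already matched and ended the evaluation.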

