Listing 4 Postfix main.cf -- Anti-UCE directives
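# NOTE: this is Postfix main.cf syntax, not INI. A parameter value
# continues onto the next physical line only when that line starts with
# whitespace, so every continuation line below is indented. Comments
# are full-line only ("#" in column 0); text after a value is part of
# the value.

# Privacy option: disable the SMTP VRFY command so remote clients
# cannot use it to probe which local addresses exist
disable_vrfy_command = yes
# Enforce RFC 821 compliant envelope addressing: MAIL FROM and RCPT TO
# addresses must be enclosed in <> and carry no RFC 822 comments/phrases
strict_rfc821_envelopes = yes

###
# UCE HELO/EHLO Restrictions
###
# Require SMTP clients to issue HELO/EHLO before MAIL FROM
smtpd_helo_required = yes
# Implicitly allow trusted hosts/networks (permit_mynetworks).
# Each reject_* entry is preceded by warn_if_reject, so a client that
# fails the test is only logged ("reject_warning"), not rejected; remove
# the warn_if_reject entries to enforce. Log only if the HELO/EHLO
# hostname:
# - is syntactically invalid (reject_invalid_hostname)
# - has no DNS A or MX record (reject_unknown_hostname); this one can
#   flag legitimate but badly configured senders, so review the log
#   before enforcing it
# - is not fully qualified (reject_non_fqdn_hostname)
# Postfix 2.3 and later also accept the names reject_invalid_helo_hostname,
# reject_unknown_helo_hostname and reject_non_fqdn_helo_hostname; the
# older names used here remain valid.
smtpd_helo_restrictions = permit_mynetworks,
    warn_if_reject, reject_invalid_hostname,
    warn_if_reject, reject_unknown_hostname,
    warn_if_reject, reject_non_fqdn_hostname

# Regex based checks on primary message headers
header_checks = regexp:/usr/local/etc/postfix/header_checks
# Regex based checks on MIME headers
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks

###
# SMTP Client access rules
###
# Restrictions are evaluated in order; the first one that matches decides.
# Permit if:
# - client is on a trusted host/network (mynetworks)
# - client presents a TLS certificate that verifies and whose
#   fingerprint is listed in relay_clientcerts
# - client has authenticated via SASL
# Then consult the per-client access database and accept/discard/reject
# per the rules in it (the dbm: map is built from its text source with
# postmap; confirm dbm: is a map type supported by this Postfix build).
# Reject if:
# - envelope sender (MAIL FROM) domain has no DNS A or MX record
# - envelope sender (MAIL FROM) address is not fully qualified
# - client hostname appears in the named RHSBL
# - client IP appears in one of the named RBLs (DNSBLs)
# Warn (log only) if the client appears in a particularly aggressive RBL.
# Every DNSBL listed here is an external dependency: before deploying,
# confirm each list is still in service and that its terms permit this
# use. A list that has been retired may answer positively to every
# query, which would make this server reject all mail; a list whose
# name servers are unreachable adds a DNS timeout to every connection.
smtpd_client_restrictions = permit_mynetworks,
    permit_tls_clientcerts,
    permit_sasl_authenticated,
    check_client_access dbm:/usr/local/etc/postfix/blacklist_senders,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_rhsbl_client dsn.rfc-ignorant.org,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client multihop.dsbl.org,
    reject_rbl_client dynablock.njabl.org,
    warn_if_reject, reject_rbl_client blackholes.five-ten-sg.com
# Reply text returned to clients blocked by an RBL lookup; the $rbl_*
# variables are expanded per lookup. The ";" characters are literal
# (Postfix has no inline comments) and the second line is a continuation.
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what]
    blocked using $rbl_domain${rbl_reason?; $rbl_reason}

###
# SMTP Destination Rules
###
# Evaluated per RCPT TO, in order. reject_unauth_destination is the
# anti-relay control: a request not permitted earlier in the list may
# only deliver to domains this server is responsible for. The permit_*
# entries ahead of it are what allow trusted networks and authenticated
# clients to relay, so keep them before it and never place a permit that
# can match an untrusted client ahead of it; on Postfix versions that
# rely on this list for relay control, doing so would let such clients
# relay through this host.
# Permit delivery if:
# - client is on a trusted host/network (mynetworks)
# - client presents a verified TLS certificate listed in relay_clientcerts
# - client has authenticated via SASL
# Reject delivery if:
# - envelope recipient (RCPT TO) domain has no DNS A or MX record
# - envelope recipient (RCPT TO) address is not fully qualified
# - recipient matches an entry in the blacklist database
# - destination is not one this server is authorized to relay to
smtpd_recipient_restrictions = permit_mynetworks,
    permit_tls_clientcerts,
    permit_sasl_authenticated,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    check_recipient_access dbm:/usr/local/etc/postfix/blacklist_recipients,
    reject_unauth_destination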
# Define a content filter, what IP and port it listens on
content_filter = smtp-amavis:[127.0.0.1]:10024 |