1 <!doctype html public
"-//W3C//DTD HTML 4.01 Transitional//EN"
2 "http://www.w3.org/TR/html4/loose.dtd">
8 <title>Postfix SMTP relay and access control
</title>
10 <meta http-equiv=
"Content-Type" content=
"text/html; charset=us-ascii">
16 <h1><img src=
"postfix-logo.jpg" width=
"203" height=
"98" ALT=
"">Postfix
17 SMTP relay and access control
</h1>
21 <h2> Introduction
</h2>
23 <p> The Postfix SMTP server receives mail from the network and is
24 exposed to the big bad world of junk email and viruses. This document
25 introduces the built-in and external methods that control what SMTP
26 mail Postfix will accept, what mistakes to avoid, and how to test
27 your configuration.
</p>
29 <p> Topics covered in this document:
</p>
33 <li> <a href=
"#relay"> Relay control, junk mail control, and per-user
36 <li> <a href=
"#global"> Restrictions that apply to all SMTP mail
39 <li> <a href=
"#lists"> Getting selective with SMTP access restriction
42 <li> <a href=
"#timing"> Delayed evaluation of SMTP access restriction lists
</a>
44 <li> <a href=
"#danger"> Dangerous use of smtpd_recipient_restrictions
47 <li> <a href=
"#testing"> SMTP access rule testing
</a>
51 <h2> <a name=
"relay"> Relay control, junk mail control, and per-user
54 <p> In a distant past, the Internet was a friendly environment.
55 Mail servers happily forwarded mail on behalf of anyone towards
56 any destination. On today's Internet, spammers abuse servers that
57 forward mail from arbitrary systems, and abused systems end up on
58 anti-spammer blacklists. See, for example, the information on
59 http://www.mail-abuse.org/ and other websites.
</p>
61 <p> By default, Postfix has a moderately restrictive approach to
62 mail relaying. Postfix forwards mail only from clients in trusted
63 networks, or to domains that are configured as authorized relay
64 destinations. For a description of the default policy, see the
65 smtpd_recipient_restrictions parameter in the postconf(
5) manual
66 page, and the information that is referenced from there.
</p>
68 <p> Most of the Postfix SMTP server access controls are targeted
69 at stopping junk email.
</p>
73 <li> <p> Protocol oriented: some SMTP server access controls block
74 mail by being very strict with respect to the SMTP protocol; these
75 catch poorly implemented and/or poorly configured junk email
76 software, as well as email worms that come with their own non-standard
77 SMTP client implementations. Protocol-oriented access controls
78 become less useful over time as spammers and worm writers learn to
79 read RFC documents.
</p>
81 <li> <p> Blacklist oriented: some SMTP server access controls
82 query blacklists with known to be bad sites such as open mail
83 relays, open web proxies, and home computers that have been
84 compromised and that are under remote control by criminals. The
85 effectiveness of these blacklists depends on how complete and how
86 up to date they are.
</p>
88 <li> <p> Threshold oriented: some SMTP server access controls attempt
89 to raise the bar by either making the client do more work (greylisting)
90 or by asking for a second opinion (SPF and sender/recipient address
91 verification). The greylisting and SPF policies are implemented
92 externally, and are the subject of the SMTPD_POLICY_README document.
93 Sender/recipient address verification is the subject of the
94 ADDRESS_VERIFICATION_README document.
</p>
98 <p> Unfortunately, all junk mail controls have the possibility of
99 falsely rejecting legitimate mail. This can be a problem for sites
100 with many different types of users. For some users it is unacceptable
101 when any junk email slips through, while for other users the world
102 comes to an end when a single legitimate email message is blocked.
103 Because there is no single policy that is
"right" for all users,
104 Postfix supports different SMTP access restrictions for different
105 users. This is described in the RESTRICTION_CLASS_README document.
108 <h2> <a name=
"global"> Restrictions that apply to all SMTP mail
</a> </h2>
110 <p> Besides the restrictions that can be made configurable per
111 client or per user as described in the next section, Postfix
112 implements a few restrictions that apply to all SMTP mail.
</p>
116 <li> <p> The built-in header_checks and body_checks content
117 restrictions, as described in the BUILTIN_FILTER_README document.
118 This happens while Postfix receives mail, before it is stored in
119 the incoming queue.
</p>
121 <li> <p> The external before-queue content restrictions, as described
122 in the SMTPD_PROXY_README document. This happens while Postfix
123 receives mail, before it is stored in the incoming queue.
</p>
125 <li> <p> Requiring that the client sends the HELO or EHLO command
126 before sending the MAIL FROM or ETRN command. This may cause problems
127 with home-grown applications that send mail. For this reason, the
128 requirement is disabled by default (
"smtpd_helo_required = no").
131 <li> <p> Disallowing illegal syntax in MAIL FROM or RCPT TO commands.
132 This may cause problems with home-grown applications that send
133 mail, and with ancient PC mail clients. For this reason, the
134 requirement is disabled by default (
"strict_rfc821_envelopes =
139 <li> <p> Disallowing RFC
822 address syntax (example:
"MAIL FROM: the
140 dude <dude@example.com>").
</p>
142 <li> <p> Disallowing addresses that are not enclosed with
<>
143 (example:
"MAIL FROM: dude@example.com").
</p>
147 <li> <p> Rejecting mail from a non-existent sender address. This form
148 of egress filtering helps to slow down worms and other malware, but
149 may cause problems with home-grown software that sends out mail
150 software with an unreplyable address. For this reason the requirement
151 is disabled by default (
"smtpd_reject_unlisted_sender = no").
</p>
153 <li> <p> Rejecting mail for a non-existent recipient address. This
154 form of ingress filtering helps to keep the mail queue free of
155 undeliverable MAILER-DAEMON messages. This requirement is enabled
156 by default (
"smtpd_reject_unlisted_recipient = yes").
</p>
160 <h2> <a name=
"lists"> Getting selective with SMTP access restriction
163 <p> Postfix allows you to specify lists of access restrictions for
164 each stage of the SMTP conversation. Individual restrictions are
165 described in the postconf(
5) manual page.
</p>
167 <p> Examples of simple restriction lists are:
</p>
170 /etc/postfix/main.cf:
171 # Allow connections from trusted networks only.
172 smtpd_client_restrictions = permit_mynetworks, reject
174 # Don't talk to mail systems that don't know their own hostname.
175 # With Postfix
< 2.3, specify reject_unknown_hostname.
176 smtpd_helo_restrictions = reject_unknown_helo_hostname
178 # Don't accept mail from domains that don't exist.
179 smtpd_sender_restrictions = reject_unknown_sender_domain
181 # Whitelisting: local clients may specify any destination domain.
182 smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
184 # Block clients that speak too early.
185 smtpd_data_restrictions = reject_unauth_pipelining
187 # Enforce mail volume quota via policy service callouts.
188 smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
191 <p> Each restriction list is evaluated from left to right until
192 some restriction produces a result of PERMIT, REJECT or DEFER (try
193 again later). The end of the list is equivalent to a PERMIT result.
194 By placing a PERMIT restriction before a REJECT restriction you
195 can make exceptions for specific clients or users. This is called
196 whitelisting; the fourth example above allows mail from local
197 networks but otherwise rejects mail to arbitrary destinations.
</p>
199 <p> The table below summarizes the purpose of each SMTP access
200 restriction list. All lists use the exact same syntax; they differ
201 only in the time of evaluation and in the effect of a REJECT or
208 <tr> <th> Restriction list name
</th> <th> Status
</th> <th> Effect
209 of REJECT or DEFER result
</th> </tr>
211 <tr> <td> smtpd_client_restrictions
</td> <td> Optional
</td> <td>
212 Reject all client commands
</td> </tr>
214 <tr> <td> smtpd_helo_restrictions
</td> <td> Optional
</td> <td>
215 Reject HELO/EHLO information
</td> </tr>
217 <tr> <td> smtpd_sender_restrictions
</td> <td> Optional
</td> <td>
218 Reject MAIL FROM information
</td> </tr>
220 <tr> <td> smtpd_recipient_restrictions
</td> <td> Required
</td>
221 <td> Reject RCPT TO information
</td> </tr>
223 <tr> <td> smtpd_data_restrictions
</td> <td> Optional
</td> <td>
224 Reject DATA command
</td> </tr>
226 <tr> <td> smtpd_end_of_data_restrictions
</td> <td> Optional
</td> <td>
227 Reject END-OF-DATA command
</td> </tr>
229 <tr> <td> smtpd_etrn_restrictions
</td> <td> Optional
</td> <td>
230 Reject ETRN command
</td> </tr>
236 <h2> <a name=
"timing"> Delayed evaluation of SMTP access restriction lists
239 <p> Early Postfix versions evaluated SMTP access restrictions lists
240 as early as possible. The client restriction list was evaluated
241 before Postfix sent the
"220 $myhostname..." greeting banner to
242 the SMTP client, the helo restriction list was evaluated before
243 Postfix replied to the HELO (EHLO) command, the sender restriction
244 list was evaluated before Postfix replied to the MAIL FROM command,
245 and so on. This approach turned out to be difficult to use.
</p>
247 <p> Current Postfix versions postpone the evaluation of client,
248 helo and sender restriction lists until the RCPT TO or ETRN command.
249 This behavior is controlled by the smtpd_delay_reject parameter.
250 Restriction lists are still evaluated in the proper order of (client,
251 helo, etrn) or (client, helo, sender, recipient, data, or end-of-data)
253 When a restriction list (example: client) evaluates to REJECT or
254 DEFER the other restriction lists (example: helo, sender, etc.)
257 <p> Around the time that smtpd_delay_reject was introduced, Postfix
258 was also changed to support mixed restriction lists that combine
259 information about the client, helo, sender and recipient or etrn
262 <p> Benefits of delayed restriction evaluation, and of restriction
267 <li> <p> Some SMTP clients do not expect a negative reply early in
268 the SMTP session. When the bad news is postponed until the RCPT TO
269 reply, the client goes away as it is supposed to, instead of hanging
270 around until a timeout happens, or worse, going into an endless
271 connect-reject-connect loop.
</p>
273 <li> <p> Postfix can log more useful information. For example, when
274 Postfix rejects a client name or address and delays the action
275 until the RCPT TO command, it can log the sender and the recipient
276 address. This is more useful than logging only the client hostname
277 and IP address and not knowing whose mail was being blocked.
</p>
279 <li> <p> Mixing is needed for complex whitelisting policies. For
280 example, in order to reject local sender addresses in mail from
281 non-local clients, you need to be able to mix restrictions on client
282 information with restrictions on sender information in the same
283 restriction list. Without this ability, many per-user access
284 restrictions would be impossible to express.
</p>
288 <h2> <a name=
"danger"> Dangerous use of smtpd_recipient_restrictions
</a> </h2>
290 <p> By now the reader may wonder why we need smtpd client, helo
291 or sender restrictions, when their evaluation is postponed until
292 the RCPT TO or ETRN command. Some people recommend placing ALL the
293 access restrictions in the smtpd_recipient_restrictions list.
294 Unfortunately, this can result in too permissive access. How is
297 <p> The purpose of the smtpd_recipient_restrictions feature is to
298 control how Postfix replies to the RCPT TO command. If the restriction
299 list evaluates to REJECT or DEFER, the recipient address is rejected;
300 no surprises here. If the result is PERMIT, then the recipient
301 address is accepted. And this is where surprises can happen.
</p>
303 <p> Here is an example that shows when a PERMIT result can result
304 in too much access permission:
</p>
307 1 /etc/postfix/main.cf:
308 2 smtpd_recipient_restrictions =
310 4 check_helo_access hash:/etc/postfix/helo_access
311 5 reject_unknown_helo_hostname
312 6 reject_unauth_destination
314 8 /etc/postfix/helo_access:
315 9 localhost.localdomain PERMIT
318 <p> Line
5 rejects mail from hosts that don't specify a proper
319 hostname in the HELO command (with Postfix
< 2.3, specify
320 reject_unknown_hostname). Lines
4 and
9 make an exception to
321 allow mail from some machine that announces itself with
"HELO
322 localhost.localdomain".
</p>
324 <p> The problem with this configuration is that
325 smtpd_recipient_restrictions evaluates to PERMIT for EVERY host
326 that announces itself as
"localhost.localdomain", making Postfix
327 an open relay for all such hosts.
</p>
329 <p> In order to avoid surprises like these with
330 smtpd_recipient_restrictions, you should place non-recipient
331 restrictions AFTER the reject_unauth_destination restriction, not
332 before. In the above example, the HELO based restrictions should
333 be placed AFTER reject_unauth_destination, or better, the HELO
334 based restrictions should be placed under smtpd_helo_restrictions
335 where they can do no harm.
</p>
337 <h2> <a name=
"testing"> SMTP access rule testing
</a> </h2>
339 <p> Postfix has several features that aid in SMTP access rule
344 <dt> soft_bounce
</dt> <dd> <p> This is a safety net that changes
345 SMTP server REJECT actions into DEFER (try again later) actions.
346 This keeps mail queued that would otherwise be returned to the
347 sender. Specify
"soft_bounce = yes" in the main.cf file to prevent
348 the Postfix SMTP server from rejecting mail permanently, by changing
349 all
5xx SMTP reply codes into
4xx.
</p> </dd>
351 <dt> warn_if_reject
</dt> <dd> <p> This is a different safety net
352 that changes SMTP server REJECT actions into warnings. Instead of
353 rejecting a command, Postfix logs what it would reject. Specify
354 "warn_if_reject" in an SMTP access restriction list, before the
355 restriction that you want to test without actually rejecting mail.
358 <dt> XCLIENT
</dt> <dd> <p> With this Postfix
2.1 feature, authorized
359 SMTP clients can impersonate other systems, so that you can do
360 realistic SMTP access rule tests. Examples of how to impersonate
361 other systems for access rule testing are given at the end of the
362 XCLIENT_README document.
</p> </dd>