Spam Control Configurations
Cristiano Otto Von Trompczynski

1. Address extensions

Recipient delimiter

The "Recipient delimiter" option specifies the separator between user names and address extensions (user+foo). See canonical(5), local(8), relocated(5) and virtual(5) for the effects this has on aliases, canonical, virtual, relocated and .forward file lookups. Basically, the software tries user+foo and .forward+foo before trying user and .forward.

This option sets the "recipient_delimiter" Postfix variable.

2. Junk mail controls

Header checks

The "Header checks" option restricts what may appear in message headers. This requires that POSIX or PCRE regular expression support is built in. Specify "/^header-name: stuff you do not want/ REJECT" in the pattern file. Patterns are case-insensitive by default. Note: specify only patterns ending in REJECT. Patterns ending in OK are mostly a waste of cycles, because a header that matches nothing is accepted anyway; an OK pattern is only useful when it precedes a REJECT pattern that it is meant to exempt specific lines from.

This option sets the "header_checks" Postfix variable.

Body checks

The "Body checks" option specifies an optional table with patterns that each physical non-header line is matched against (including MIME headers inside the message body). Lines are matched one at a time. Long lines are matched in chunks of at most $line_length_limit characters, so a pattern never sees text that spans a chunk boundary. Patterns are matched in the specified order, and the search stops at the first match. When a pattern matches and the associated action is REJECT, the entire message is rejected.

This option sets the "body_checks" Postfix variable.

Networks

The "Networks" option specifies the list of networks that are local to this machine. The list is used by the anti-UCE software to distinguish local clients from strangers: a client inside one of these networks is trusted to relay mail anywhere. See permit_mynetworks and smtpd_recipient_restrictions in the sample-smtpd.cf file.
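Header and body checks in action, as an added illustration that is not part of the original page and not Postfix source: the script below emulates the evaluation rules described under "Header checks" and "Body checks" (the first matching pattern decides a line, patterns are case-insensitive, an OK pattern exempts only the line it matches, and long body lines are split into line_length_limit-sized chunks before matching). The pattern tables, the sample messages and the 2048-character chunk size are constructed for the example.

```python
# Added example (not Postfix code): emulate header_checks / body_checks
# evaluation. Pattern tables, messages and the 2048-character chunk size
# (Postfix's default line_length_limit) are constructed for illustration.
import re

LINE_LENGTH_LIMIT = 2048


def parse_pattern_table(text):
    """Parse '/regex/ ACTION [text]' lines (comments and blanks skipped) into
    (compiled regex, ACTION, text). Patterns are case-insensitive by default."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/\s+(\S+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError("bad pattern line: %r" % line)
        regex, action, reply = m.groups()
        rules.append((re.compile(regex, re.IGNORECASE), action.upper(), reply or ""))
    return rules


def check_lines(lines, rules):
    """Match each line against the rules in order; the first matching rule
    decides that line. OK stops the scan for that line only, so an OK rule
    placed before a REJECT rule exempts the lines it matches. Long lines are
    matched chunk by chunk, so a pattern never sees text spanning a chunk
    boundary. Returns (action, reply text, offending line) or ("DUNNO", "", None)."""
    for line in lines:
        for start in range(0, max(len(line), 1), LINE_LENGTH_LIMIT):
            chunk = line[start:start + LINE_LENGTH_LIMIT]
            for regex, action, reply in rules:
                if regex.search(chunk):
                    if action == "OK":
                        break
                    return action, reply, line
    return "DUNNO", "", None


def evaluate(raw_message, header_rules, body_rules):
    """header_checks see logical (unfolded) header lines; body_checks see every
    physical line after the first blank line, MIME headers included."""
    header_text, _, body_text = raw_message.partition("\n\n")
    headers = []
    for line in header_text.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line      # folded continuation of the previous header
        else:
            headers.append(line)
    verdict = check_lines(headers, header_rules)
    if verdict[0] == "DUNNO":
        verdict = check_lines(body_text.splitlines(), body_rules)
    return verdict


# Constructed tables. The OK rule must precede the REJECT rule it exempts.
HEADER_CHECKS = parse_pattern_table(r"""
# exempt one internal build of the mailer, reject every other copy
/^X-Mailer: Bulk-Blaster .*internal-build/  OK
/^X-Mailer: Bulk-Blaster/                   REJECT spamware mailer
/^Subject: .*make money fast/               REJECT
""")
BODY_CHECKS = parse_pattern_table(r"""
/^Content-Type: .*name=.*\.(exe|scr|pif)/   REJECT executable attachment
/make money fast/                           REJECT
""")

# Constructed messages.
SPAM_MSG = "From: x@example.com\nX-Mailer: Bulk-Blaster 2.0\nSubject: hi\n\nbody\n"
EXEMPT_MSG = "From: x@example.com\nX-Mailer: Bulk-Blaster 2.0 internal-build\n\nbody\n"
CLEAN_MSG = "From: x@example.com\nSubject: meeting\n\nSee you at ten.\n"
ATTACH_MSG = ("From: x@example.com\nSubject: invoice\n\n--b1\n"
              'Content-Type: application/octet-stream; name="invoice.EXE"\n')
# The banned phrase starts at offset 2040 of a 2055-character line and is cut
# in two by the 2048-character chunking, so body_checks never matches it.
STRADDLE_MSG = "From: x@example.com\n\n" + "x" * 2040 + "make money fast\n"

if __name__ == "__main__":
    for name, msg in (("spam", SPAM_MSG), ("exempt", EXEMPT_MSG), ("clean", CLEAN_MSG),
                      ("attach", ATTACH_MSG), ("straddle", STRADDLE_MSG)):
        print(name, evaluate(msg, HEADER_CHECKS, BODY_CHECKS))
```

The last sample shows the chunking caveat: a phrase that straddles the chunk boundary is never seen whole, so a very long line evades a body pattern. In a real installation the equivalent tables would be referenced from main.cf as, for example, header_checks = pcre:/etc/postfix/header_checks and body_checks = pcre:/etc/postfix/body_checks (paths chosen for the example).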
The default is a list of all networks attached to the machine: a complete class A network (X.0.0.0/8), a complete class B network (X.X.0.0/16), and so on. On a machine with a public address this default is far too broad, because every host in the provider's class A or B block would be treated as a trusted local client. If you want stricter control, specify a list of network/mask patterns, where the mask specifies the number of bits in the network part of a host address (for example 127.0.0.0/8, 192.168.10.0/24). You can also specify the absolute pathname of a pattern file instead of listing the patterns here. Current Postfix releases derive the default from the mynetworks_style parameter ("host" since Postfix 3.0); set the list explicitly rather than relying on either default.

This option sets the "mynetworks" Postfix variable.

3. Additional UCE controls

Allow untrusted routing

The "Allow untrusted routing" option controls whether Postfix will forward mail with sender-specified routing (user[@%!]remote[@%!]site) from untrusted clients to destinations that are blessed by the relay_domains parameter. By default, untrusted clients are not allowed to specify routing. This closes a nasty open relay loophole where a backup MX host can be tricked into forwarding junk mail to a primary MX host, which then spams it out to the world. Leave this option off.

This option sets the "allow_untrusted_routing" Postfix variable.

Maps rbls domains

The "Maps rbls domains" option specifies an optional list of DNS domains that publish the network addresses of blacklisted hosts. By default, RBL blacklist lookups are disabled. See the smtpd_client_restrictions parameter. The real-time blackhole list works as follows: reverse the octets of the client network address, append one of the listed domains, and reject service if the resulting name exists in DNS (for client 192.0.2.1 and list domain bl.example the query is 1.2.0.192.bl.example). In current Postfix releases this parameter and the reject_maps_rbl restriction are obsolete; name the DNSBL domain directly with reject_rbl_client in the restriction lists instead.

This option sets the "maps_rbl_domains" Postfix variable.

Relay domains

The "Relay domains" option restricts what client hostname domains (and subdomains thereof) this mail system will relay mail from, and restricts what destination domains (and subdomains thereof) this system will relay mail to.
By default, Postfix relays mail
- from trusted clients whose IP address matches "Networks",
- from trusted clients matching $relay_domains or subdomains thereof,
- from untrusted clients to destinations that match "Relay domains" or subdomains thereof, except addresses with sender-specified routing.

The default "Relay domains" value is $mydestination (Postfix 3.0 and later default to an empty list instead). In addition to the above, the Postfix SMTP server by default accepts mail that Postfix is the final destination for:
- destinations that match "Network Interface",
- destinations that match "Destination",
- destinations that match "Virtual maps".
These destinations do not need to be listed in the "Relay domains" option.

Specify a list of hosts or domains, /file/name patterns or type:name lookup tables, separated by commas and/or whitespace. A file name is replaced by its contents; a type:name table is matched when a (parent) domain appears as lookup key. Keep this list as short as possible: every domain listed here is one that arbitrary Internet clients may send mail to through this server.

This option sets the "relay_domains" Postfix variable.

NOTE: Postfix will not automatically forward mail for domains that list this system as their primary or backup MX host. See the "permit mx backup" restriction in the description of the "Smtpd recipient restrictions" option.

Relay host

The "Relay host" option specifies the default host to send mail to when no entry is matched in the optional transport(5) table. When no relayhost is given, mail is routed directly to the destination. On an intranet, specify the organizational domain name. If your internal DNS uses no MX records, specify the name of the intranet gateway host instead. Specify a domain, host, host:port, [address] or [address:port]. Use the form [destination] to turn off MX lookups. See also the default_transport parameter if you're connected via UUCP.

This option sets the "relayhost" Postfix variable.

4. Smtpd restriction

Smtpd etrn restriction

The "Smtpd etrn restriction" option restricts what clients are allowed to issue the ETRN command.
The present Postfix ETRN differs from other ETRN implementations in that it flushes mail for all destinations. This will change in the future (later Postfix releases implement ETRN through the flush(8) service and flush only the requested destination). The default is to allow ETRN from any host. Because ETRN forces a queue delivery attempt, restrict it to "Networks" or to an explicit access map; anonymous Internet clients have no business triggering it. The following restrictions are available:
- reject_unknown_client: reject the request if the client hostname is unknown.
- permit_mynetworks: permit if the client address matches "Networks".
- check_client_access maptype:mapname: look up client name, parent domains, client address, or networks obtained by stripping octets. Reject if the result is REJECT or "[45]xx text", permit otherwise.
- reject_maps_rbl: reject if the client is listed under "Maps rbl domains".
- reject: reject the request. Place this at the end of a restriction list.
- permit: permit the request. Place this at the end of a restriction list.

This option sets the "smtpd_etrn_restrictions" Postfix variable.

Smtpd sender restriction

The "Smtpd sender restriction" option specifies optional restrictions on sender addresses that SMTP clients can send in MAIL FROM commands. The default is to permit any sender address. The following restrictions are available:
- permit_mynetworks: permit if the client address matches "Networks".
- reject_unknown_client: reject the request if the client hostname is unknown.
- reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
- reject_invalid_hostname: reject HELO hostname with bad syntax.
- reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
- reject_unknown_sender_domain: reject sender domain without A or MX record.
- check_sender_access maptype:mapname: look up sender address, parent domain, or localpart@. Reject if the result is REJECT or "[45]xx text", permit otherwise.
- check_client_access maptype:mapname: see "Smtpd client restrictions".
- check_helo_access maptype:mapname: see "Smtpd helo restrictions".
- reject_non_fqdn_hostname: reject HELO hostname that is not in FQDN form.
- reject_non_fqdn_sender: reject sender address that is not in FQDN form.
- reject: reject the request. Place this at the end of a restriction list.
- permit: permit the request. Place this at the end of a restriction list.
Restrictions are applied in the order specified; the first restriction that matches wins.
This option sets the "smtpd_sender_restrictions" Postfix variable.

Smtpd client restriction

The "Smtpd client restriction" option specifies optional restrictions on SMTP client host names and addresses. The default is to allow connections from any host. The following restrictions are available:
- reject_unknown_client: reject the request if the client hostname is unknown.
- permit_mynetworks: permit if the client address matches "Networks".
- check_client_access maptype:mapname: look up client name, parent domains, client address, or networks obtained by stripping octets. Reject if the result is REJECT or "[45]xx text", permit otherwise.
- reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
- reject: reject the request. Place this at the end of a restriction list.
- permit: permit the request. Place this at the end of a restriction list.
Restrictions are applied in the order specified; the first restriction that matches wins.

This option sets the "smtpd_client_restrictions" Postfix variable.

Smtpd helo restriction

The "Smtpd helo restriction" option (the smtpd_helo_restrictions parameter) specifies optional restrictions on what SMTP clients can send in SMTP HELO and EHLO commands. The default is to permit everything. These restrictions only take effect when the client sends HELO or EHLO at all; set smtpd_helo_required = yes if you rely on them. The following restrictions are available:
- permit_mynetworks: permit if the client address matches $mynetworks.
- reject_unknown_client: reject the request if the client hostname is unknown.
- reject_maps_rbl: reject if the client is listed under "Maps rbl domains".
- reject_invalid_hostname: reject HELO hostname with bad syntax.
- reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
- reject_non_fqdn_hostname: reject HELO hostname that is not in FQDN form.
- check_helo_access maptype:mapname: look up HELO hostname or parent domains. Reject if the result is REJECT or "[45]xx text", permit otherwise.
- check_client_access maptype:mapname: see "Smtpd client restrictions".
- reject: reject the request. Place this at the end of a restriction list.
- permit: permit the request. Place this at the end of a restriction list.
Restrictions are applied in the order specified; the first restriction that matches wins. Later Postfix releases renamed the three HELO checks to reject_invalid_helo_hostname, reject_unknown_helo_hostname and reject_non_fqdn_helo_hostname.
This option sets the "smtpd_helo_restrictions" Postfix variable.

Smtpd recipient restriction

The "Smtpd recipient restriction" option specifies restrictions on recipient addresses that SMTP clients can send in RCPT TO commands. This is the list that decides whether this machine is an open relay: every RCPT TO from an untrusted client must be rejected here unless the destination is one Postfix is responsible for.

By default, Postfix relays mail
- from trusted clients whose IP address matches "Networks",
- from trusted clients matching "Relay domains" or subdomains thereof,
- from untrusted clients to destinations that match "Relay domains" or subdomains thereof, except addresses with sender-specified routing.

The default relay_domains value is "Destination". In addition to the above, the Postfix SMTP server by default accepts mail that Postfix is the final destination for:
- destinations that match "Network Interface",
- destinations that match "Destination",
- destinations that match "Virtual maps".
These destinations do not need to be listed in "Relay domains".

The following restrictions are available (* marks the default setting):
- * permit_mynetworks: permit if the client address matches $mynetworks.
- reject_unknown_client: reject the request if the client hostname is unknown.
- reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
- reject_invalid_hostname: reject HELO hostname with bad syntax.
- reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
- reject_unknown_sender_domain: reject sender domain without A or MX record.
- * check_relay_domains: permit only mail
  - to destinations matching "Network Interface", "Destination", or "Virtual maps",
  - from trusted clients matching "Relay domains" or a subdomain thereof,
  - from untrusted clients to destinations matching "Relay domains" or a subdomain thereof (except addresses with sender-specified routing);
  reject anything else.
- permit_auth_destination: permit mail
  - to destinations matching "Network Interface", "Destination" or "Virtual maps",
  - to destinations matching "Relay domains" or a subdomain thereof, except for addresses with sender-specified routing.
- reject_unauth_destination: reject mail unless it is sent
  - to destinations matching "Network Interface", "Destination" or $virtual_maps,
  - to destinations matching $relay_domains or a subdomain thereof, except for addresses with sender-specified routing.
- reject_unauth_pipelining: reject mail from improperly pipelining spamware.
- permit_mx_backup: accept mail for sites that list me as MX host. Be careful: anyone who controls a domain's DNS can point its MX record at this host and so make this restriction relay for them; later releases add permit_mx_backup_networks to limit which primary MX addresses qualify.
- reject_unknown_recipient_domain: reject domains without A or MX record.
- check_recipient_access maptype:mapname: look up recipient address, parent domain, or localpart@. Reject if the result is REJECT or "[45]xx text", permit otherwise.
- check_client_access maptype:mapname: see "Smtpd client restrictions".
- check_helo_access maptype:mapname: see "Smtpd helo restrictions".
- check_sender_access maptype:mapname: see "Smtpd sender restrictions".
- reject_non_fqdn_hostname: reject HELO hostname that is not in FQDN form.
- reject_non_fqdn_sender: reject sender address that is not in FQDN form.
- reject_non_fqdn_recipient: reject recipient address that is not in FQDN form.
- reject: reject the request. Place this at the end of a restriction list.
- permit: permit the request. Place this at the end of a restriction list.
Restrictions are applied in the order specified; the first restriction that matches wins. A list that reaches its end without a decision permits the request, so the relay check (check_relay_domains or reject_unauth_destination) must appear before any permit that an untrusted client can reach. check_relay_domains is obsolete in later Postfix releases; use reject_unauth_destination, and on Postfix 2.10 and later put the relay decision in smtpd_relay_restrictions, which exists for exactly this purpose.

This option sets the "smtpd_recipient_restrictions" Postfix variable.

NOTE: YOU MUST SPECIFY AT LEAST ONE OF THE FOLLOWING RESTRICTIONS OTHERWISE POSTFIX REFUSES TO RECEIVE MAIL:
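The relay decision described under "Relay domains" and "Smtpd recipient restriction" above, as an added example that is neither part of the original page nor Postfix code: the script emulates a Postfix restriction list walk for the RCPT TO stage (the first restriction that returns a verdict wins, and an exhausted list permits) with permit_mynetworks, reject_unknown_client, check_client_access, reject_unauth_destination, permit_auth_destination, permit and reject. The same first-match walk applies to the client, HELO, sender and ETRN lists. reject_unauth_destination stands in for the older check_relay_domains; the networks, domains, access map and client sessions are constructed, and the final comparison shows why a list that ends in permit without a destination check is an open relay.

```python
# Added example (not Postfix code): emulate a Postfix smtpd restriction list
# walk for the RCPT TO stage. Networks, domains, access map and sessions are
# constructed for illustration.
import ipaddress

MYDESTINATION = {"example.com", "mail.example.com", "localhost"}   # final destinations
RELAY_DOMAINS = {"partner.example"}                                # relay to these and subdomains
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.10.0/24")]
CLIENT_ACCESS = {"spammer.example": "554 Go away", "10.0.0": "REJECT"}  # check_client_access map


def domain_matches(domain, domains):
    """Parent-domain matching: domain equals an entry or is a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in domains)


def has_sender_specified_routing(address):
    """user@remote@site, user%remote@site and site!user@... carry a source route."""
    local_part = address.rpartition("@")[0]
    return any(c in local_part for c in "@%!")


def is_auth_destination(recipient):
    """Destinations accepted from anyone: our own domains, or relay_domains (and
    subdomains) as long as the address carries no sender-specified routing."""
    domain = recipient.rpartition("@")[2]
    if domain_matches(domain, MYDESTINATION):
        return True
    return domain_matches(domain, RELAY_DOMAINS) and not has_sender_specified_routing(recipient)


def permit_mynetworks(s):
    addr = ipaddress.ip_address(s["client_ip"])
    return "PERMIT" if any(addr in net for net in MYNETWORKS) else None


def reject_unknown_client(s):
    return "REJECT" if s["client_name"] is None else None


def check_client_access(s):
    """Look up the client name and its parent domains, then the client address
    and the networks obtained by stripping octets; REJECT or a 4xx/5xx reply rejects."""
    keys = []
    if s["client_name"]:
        labels = s["client_name"].lower().split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = s["client_ip"].split(".")
    keys += [".".join(octets[:i]) for i in range(len(octets), 0, -1)]
    for key in keys:
        value = CLIENT_ACCESS.get(key)
        if value is not None:
            return "REJECT" if value.upper() == "REJECT" or value[:1] in ("4", "5") else "PERMIT"
    return None


def reject_unauth_destination(s):
    return None if is_auth_destination(s["recipient"]) else "REJECT"


def permit_auth_destination(s):
    return "PERMIT" if is_auth_destination(s["recipient"]) else None


RESTRICTIONS = {
    "permit_mynetworks": permit_mynetworks,
    "reject_unknown_client": reject_unknown_client,
    "check_client_access": check_client_access,
    "reject_unauth_destination": reject_unauth_destination,
    "permit_auth_destination": permit_auth_destination,
    "permit": lambda s: "PERMIT",
    "reject": lambda s: "REJECT",
}


def evaluate(restriction_list, session):
    """Walk the list in order; the first restriction with a verdict wins. An
    exhausted list permits, which is why a list that never reaches a
    destination check is an open relay."""
    for name in restriction_list:
        verdict = RESTRICTIONS[name](session)
        if verdict is not None:
            return verdict, name
    return "PERMIT", "end of list"


SAFE = ["permit_mynetworks", "check_client_access", "reject_unauth_destination"]
OPEN_RELAY = ["permit_mynetworks", "check_client_access", "permit"]  # no destination check

# Constructed sessions: client address, reverse name (None = unknown), RCPT TO.
STRANGER = {"client_ip": "203.0.113.7", "client_name": "mx.isp.example"}
STRANGER_RELAY = dict(STRANGER, recipient="victim@elsewhere.example")
STRANGER_LOCAL = dict(STRANGER, recipient="alice@example.com")
STRANGER_PARTNER = dict(STRANGER, recipient="bob@sales.partner.example")
STRANGER_ROUTED = dict(STRANGER, recipient="victim%elsewhere.example@partner.example")
INSIDER_RELAY = {"client_ip": "192.168.10.25", "client_name": "pc25.example.com",
                 "recipient": "friend@elsewhere.example"}
UNKNOWN_CLIENT = {"client_ip": "203.0.113.9", "client_name": None, "recipient": "alice@example.com"}
LISTED_CLIENT = {"client_ip": "10.0.0.5", "client_name": "host.spammer.example",
                 "recipient": "alice@example.com"}

if __name__ == "__main__":
    for label, policy in (("safe", SAFE), ("open relay", OPEN_RELAY)):
        print(label, "stranger relaying:", evaluate(policy, STRANGER_RELAY))
```

With the safe list a stranger is rejected by reject_unauth_destination when relaying, accepted without a decision (end of list) when mailing a local or partner domain, and rejected again when the partner address carries sender-specified routing; the same stranger relays freely through the list that ends in permit.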