From f005ee55f88738a08088c9a11bf523f9886e8c37 Mon Sep 17 00:00:00 2001 From: Christoph Date: Sun, 25 Nov 2018 13:49:24 +0100 Subject: [PATCH] install_postfix_advanced.sh: chenge settings for smtpd Restrictions. --- install_postfix_advanced.sh | 112 ++++++++++++++++++------------------ 1 file changed, 57 insertions(+), 55 deletions(-) diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh index b92e18c..6c4154d 100755 --- a/install_postfix_advanced.sh +++ b/install_postfix_advanced.sh @@ -1024,10 +1024,10 @@ virtual_alias_maps = virtual_alias_domains = -#======= Restrictions ============ +#======= smtpd Restrictions ============ ## --- -## - Define restrictions +## - Define smtpd Restrictions ## --- smtpd_restriction_classes = check_greylist @@ -1035,7 +1035,7 @@ check_greylist = check_policy_service inet:127.0.0.1:10023 ## --- -## - Recipient restrictions +## - smtpd Recipient Restrictions ## --- smtpd_recipient_restrictions = 
@@ -1052,19 +1052,60 @@ smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, - reject_unknown_recipient_domain, - reject_unlisted_recipient, # don't accept misconfigured recipients + reject_unknown_recipient_domain, +# Reject the request when the RCPT TO address is not listed in the list of valid +# recipients for its domain class. See the smtpd_reject_unlisted_recipient +# parameter description for details. +# +# smtpd_reject_unlisted_recipient (default: yes) +# +# Request that the Postfix SMTP server rejects mail for unknown recipient addresses, +# even when no explicit reject_unlisted_recipient access restriction is specified. +# This prevents the Postfix queue from filling up with undeliverable MAILER-DAEMON messages. +# +# An address is always considered "known" when it matches a virtual(5) alias or +# a canonical(5) mapping. +# - The recipient domain matches \$mydestination, \$inet_interfaces or \$proxy_interfaces, +# but the recipient is not listed in \$local_recipient_maps, and \$local_recipient_maps +# is not null. +# - The recipient domain matches \$virtual_alias_domains but the recipient is not listed +# in \$virtual_alias_maps. +# - The recipient domain matches \$virtual_mailbox_domains but the recipient is not +# listed in \$virtual_mailbox_maps, and \$virtual_mailbox_maps is not null. +# - The recipient domain matches \$relay_domains but the recipient is not listed in +# \$relay_recipient_maps, and \$relay_recipient_maps is not null. 
+# + reject_unlisted_recipient, +# reject_unauth_destination +# +# Reject the request unless one of the following is true: +# +# - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains +# or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain), +# +# +# - Postfix is the final destination: the resolved RCPT TO domain matches +# \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains, +# or \$virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain). +# +# Note: +# reject_unauth_destination is not needed here if the mail +# relay policy is specified under smtpd_relay_restrictions +# (available with Postfix 2.10 and later). + #reject_unauth_destination, +# Reject the request when mail to the RCPT TO address is known to bounce, or when the +# recipient address destination is not reachable. Address verification information is +# managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html +# for more details + reject_unverified_recipient, # RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use - # Whitelist (configured on a.ns.oopen.de - # in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone ) + # Whitelist (configured at a.ns.oopen.de) permit_dnswl_client dnswl.oopen.de, # Blacklists reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, #reject_rbl_client bl.spamcop.net, - # March 1, 2013: NJABL is in the process of being shut down - #reject_rbl_client dnsbl.njabl.org, # Policyd-Weight #check_policy_service inet:127.0.0.1:12525, # Greylisting check 
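Review bot: `reject_unverified_recipient,` now sits above `permit_dnswl_client` and the `reject_rbl_client` entries in smtpd_recipient_restrictions, so a verify(8) probe is started even for clients that the DNSBL lookups or greylisting would have turned away without one. That adds probe traffic toward the destination servers and entries in the verify cache on behalf of senders that are already listed. Keeping the line after the DNSBL and greylisting checks, where it stood before this commit, avoids this. If the early position is deliberate so that whitelisted clients are verified too, say so above the line, e.g. `# placed before the DNSBL checks on purpose: dnswl clients are verified as well`. The start of smtpd_recipient_restrictions is outside this hunk, so anything that permits earlier in the list is not visible here.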
@@ -1079,29 +1120,16 @@ smtpd_recipient_restrictions = # # selctive greylisting: # check_client_access pcre:/etc/postfix/greylist_client_access_pcre, -# #warn_if_reject, check_client_access pcre:/etc/postfix/greylist_client_access_pcre, -# Reject the request unless one of the following is true: -# -# - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains -# or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain), -# -# -# - Postfix is the final destination: the resolved RCPT TO domain matches -# \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains, -# or \$virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain). - reject_unverified_recipient, # permit Backup MX permit_mx_backup, -# forbid all other relaying - reject_unauth_destination, # permit, if all restrictions so far passed permit ## --- -## - Relay Restrictions (since version 2.11) +## - smtpd Relay Restrictions (since version 2.11) ## --- smtpd_relay_restrictions = 
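Review bot: After this hunk smtpd_recipient_restrictions ends in `permit_mx_backup,` and `permit` with no active `reject_unauth_destination`, so relay control for this list rests entirely on smtpd_relay_restrictions being written and honoured. The note added earlier in the patch names Postfix 2.10 for that parameter, while the heading changed here still says "since version 2.11". Whether the script emits the relay block only for newer versions is not visible in this hunk. Make the two version statements agree and document the dependency at the tail of the list, e.g. `# relay control lives in smtpd_relay_restrictions (Postfix >= 2.10); re-enable reject_unauth_destination here on older versions`.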
@@ -1118,50 +1146,24 @@ smtpd_relay_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, - reject_unknown_recipient_domain, - reject_unlisted_recipient, # don't accept misconfigured recipients -# RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use - # Whitelist (configured on a.ns.oopen.de - # in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone ) - permit_dnswl_client dnswl.oopen.de, - # Blacklists - reject_rbl_client zen.spamhaus.org, - reject_rbl_client ix.dnsbl.manitu.net, - #reject_rbl_client bl.spamcop.net, - # March 1, 2013: NJABL is in the process of being shut down - #reject_rbl_client dnsbl.njabl.org, -# Policyd-Weight - #check_policy_service inet:127.0.0.1:12525, -# Greylisting with postgrey -# -# check_policy_service inet:127.0.0.1:10023, -# -# -# Using defined restriction class (see 'smtpd_restriction_classes'): -# -# greylist all connections: -# check_greylist, -# -# selctive greylisting: -# check_client_access pcre:/etc/postfix/greylist_client_access_pcre, -# - #warn_if_reject, - check_client_access pcre:/etc/postfix/greylist_client_access_pcre, + reject_unknown_recipient_domain, # Reject the request unless one of the following is true: # # - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains # or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain), # -# # - Postfix is the final destination: the resolved RCPT TO domain matches # \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains, # or \$virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain). + reject_unauth_destination, +# Reject the request when mail to the RCPT TO address is known to bounce, or when the +# recipient address destination is not reachable. 
Address verification information is +# managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html +# for more details reject_unverified_recipient, # permit Backup MX permit_mx_backup, -# forbid all other relaying - reject_unauth_destination, # permit, if all restrictions so far passed permit
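Review bot: In smtpd_relay_restrictions `reject_unauth_destination,` now comes before `permit_mx_backup,`, so a domain that is authorized only through its MX record is rejected before the backup-MX permit is reached. Anything that does reach that line is accepted by the final `permit` anyway, so `permit_mx_backup,` no longer has any effect in this list. If backup-MX relaying is still wanted, the permit has to stay above the reject as it did before this commit, and should be limited with `permit_mx_backup_networks`. Otherwise drop `permit_mx_backup,` and its `# permit Backup MX` comment so the list reads the way it behaves. The start of smtpd_relay_restrictions is outside this hunk.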