smtpd_recipient_restrictions =
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        reject_unlisted_sender
        permit_mynetworks
        permit_sasl_authenticated
        reject_rbl_client dnsbl.sorbs.net
        reject_rbl_client bl.spamcop.net
        reject_rbl_client relays.ordb.org
        reject_rbl_client xbl.spamhaus.org
        check_recipient_access regexp:/etc/postfix/rcpt_checks
        check_client_access regexp:/etc/postfix/client_checks
        check_helo_access regexp:/etc/postfix/helo_checks
        check_sender_access regexp:/etc/postfix/sender_checks
        reject_unauth_destination

/192\.168\.2\.1/             REJECT

        check_recipient_access regexp:/etc/postfix/rcpt_checks
        check_client_access regexp:/etc/postfix/client_checks
        check_helo_access regexp:/etc/postfix/helo_checks
        check_sender_access regexp:/etc/postfix/sender_checks

/^localhost$/ 550 Don't use my own domain (localhost)
/^charite\.de$/ 550 Don't use my own domain
/^160\.45\.207\.131$/ 550 Don't use my own IP address
/^mail\.charite\.de$/ 550 Don't use my own hostname
/^141\.42\./ 550 Don't use an IP address from my network
/^\[160\.45\.207\.131\]$/ 550 Don't use my own IP address in brackets
/^\[141\.42\./ 550 Don't use an IP address from my network
/^[0-9.]+$/ 550 Your software is not RFC 2821 compliant: EHLO/HELO must be a domain or an address-literal (IP enclosed in []) - not a naked IP.

1 → smtpd_client_restrictions
2 → smtpd_helo_restrictions
3 → smtpd_sender_restrictions
4 → smtpd_recipient_restrictions
5 → smtpd_data_restrictions
6 → header_checks
7 → body_checks

# -=------------------------------------------------------=-
# _1_Server: 220 smtp.example.com ESMTO Postfix
# check client use ip/domain
#
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_rbl_client relays.ordb.org,
reject_rbl_client dsn.rfs-ignorant.org,
reject_rbl_client spam.ecenter.idv.tw,
check_client_access regexp:/etc/postfix/client_checks

# _2_Client: MAIL FROM:<info@ora.com>
# check Mail From
#
smtpd_sender_restrictions = permit_mynetworks,
check_sender_access regexp:/etc/postfix/sender_access,
reject_unknown_client,
reject_non_fqdn_sender,
reject_unknown_sender_domain

# _3_Clinet: RCPT TO:<kdent@example.com>
# check local network Relay
#
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination

# _4_Client: Data (這段定義是要配合 spamassassin 用,若無！可以省略)
#
smtpd_data_restrictions = check_client_access cidr:/etc/postfix/header-local,
permit_mynetworks,
check_client_access cidr:/etc/postfix/header-auth,
permit_sasl_authenticated,
check_client_access cidr:/etc/postfix/header-remote
#
# -=------------------------------------------------------=-

permit_sasl_authenticated → 允許SASL寄送
permit_mynetworks → 允許本地網路寄送
reject_unauth_destination → 不允許非認證來來源寄送

reject_rbl_client relay.ordb.org → 不允許RBL資料庫中之用戶端寄送
reject_non_fqdn_sender → 用戶端的MAIL FROM命令若不是RFC要求的完整名稱則退信。
reject_unknown_client → 當SMTP Client連線時，postfix若無法查詢該用戶端之PTR紀錄，則拒絕連線。
reject_unknown_sender_domain → mail from 命令所提供的寄信人位置若查不到A 紀錄或MX紀錄則退信。

__check_client_access regexp:/etc/postfix/client_checks
...
/.*\.dynamic\..*\.tw/ 554 Service unavailable
/.*\.dynamic\.hinet\.net/ 554 Service unavailable

Oct 2 09:04:12 tej9806 postfix/smtpd[20256]: connect from 61-225-206-44.dynamic
.hinet.net[61.225.206.44]

Oct 2 09:04:12 tej9806 postfix/smtpd[20256]: NOQUEUE: reject: CONNECT from 61-2
25-206-44.dynamic.hinet.net[61.225.206.44]: 554 <61-225-206-44.dynamic.hinet.net
^^^^
[61.225.206.44]>: Client host rejected: Service unavailable; proto=SMTP
^^^^^^^^^^^^^^^^^^^^
Oct 2 09:04:12 tej9806 postfix/smtpd[20256]: disconnect from 61-225-206-44.dyna
mic.hinet.net[61.225.206.44]

__check_sender_access regexp:/etc/postfix/sender_access
...
/.*firstbank\.com\.tw/ OK
/61\.219\.52\.9/ OK

/ms[1-9]\.epaper\.com\.tw/ DISCARD
/ms[a-z]\.epaper\.com\.tw/ DISCARD

/ecfs[1-9]\.epaper\.com\.tw/ DISCARD
/ecfs10\.epaper\.com\.tw/ DISCARD
/ecfsrv\.epaper\.com\.tw/ DISCARD

Sep 27 14:24:57 tej9806 postfix/smtpd[20168]: connect from msr.epaper.com.tw[211
.20.188.103]

Sep 27 14:24:58 tej9806 postfix/smtpd[20168]: NOQUEUE: discard: MAIL from msr.epaper.com.tw
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[211.20.188.103]: <edm@msx.epaper.com.tw>: Sender address triggers DISCARD action
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
; from=<edm@msx.epaper.com.tw> proto=ESMTP helo=<msr.epaper.com.tw>
Sep 27 14:24:58 tej9806 postfix/smtpd[20168]: 52FFC14145: client=msr.epaper.com.
tw[211.20.188.103]
Sep 27 14:24:59 tej9806 postfix/smtpd[20168]: disconnect from msr.epaper.com.tw[
211.20.188.103]

[root@tej9806 postfix]# cat /var/log/maillog |grep '9E41D14148'
Sep 27 02:25:30 tej9806 postfix/smtpd[1958]: 9E41D14148: client=comserver.nnrha.
org[209.96.171.130]

Sep 27 02:25:31 tej9806 postfix/cleanup[2547]: 9E41D14148: hold: header Received
: from gabriel.INTERNAL.NNRHA.ORG (comserver.nnrha.org [209.96.171.130])??by tej
┌^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
├→ 發送者正確 IP 位址
9806.tej.com.tw (Postfix) with ESMTP id 9E41D14148??for <xfs@tej.com.tw>; Wed, 2
^^^^^^^^^^^^^^^^^^^→由 SMTP Client
以【RCPT TO︰】 命令所指定的【信封地址】(即收件者)，而該 User 有存在 aliases 檔內！
7 Sep 2006 02:25:30 +0800 (CST) from comserver.nnrha.org[209.96.171.130]; from=<
wkobcajod@bc1dftqw0iss.com> to=<xfs@tej.com.tw> proto=ESMTP helo=<gabriel.INTERNAL.NNRHA.ORG>
┌^^^^^^^^^^^^^^^^^^^^^^^^
├→ 來自於寄件者 【MAIL FROM︰】

From wkobcajod@bc1dftqw0iss.com Wed Sep 27 02:25:39 2006
┌^^^^^^^^^^^^^^^^^^^^^^^^
├→ 這裡沒有冒號！來自於寄件者 【MAIL FROM︰】也可以造假！
Return-Path: <wkobcajod@bc1dftqw0iss.com>
X-Original-To: xfs@tej.com.tw
Delivered-To: root@tej.com.tw
X-TejNet-Auth-LOCAL: LOCAL
X-TejNet-Auth-SASL: SASL
X-TejNet-Auth-NONE: NONE
Received: from gabriel.INTERNAL.NNRHA.ORG (comserver.nnrha.org [209.96.171.130])
┌^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
├→ 發送者正確 IP 位址
by tej9806.tej.com.tw (Postfix) with ESMTP id 9E41D14148
for <xfs@tej.com.tw>; Wed, 27 Sep 2006 02:25:30 +0800 (CST)
^^^^^^^^^^^^^^^^^^^→由 SMTP Client 以【RCPT TO︰】 命令所指定的
【信封地址】(即收件者)，而該 User 有存在 aliases 檔內！

Received: from bc1dftqw0iss.com ([218.35.90.113] RDNS failed) by gabriel.INTERNAL.NNRHA.ORG with Microsoft SMTPSVC(6.0.3790.1830);
Tue, 26 Sep 2006 14:25:13 -0400

～【DATA】～
From: MP4總站 <wkobcajod@bc1dftqw0iss.com> ←─ 寄件者可以造假！
Subject: 最新網友搶手貨--MP4經典果凍機下殺NT$2590
To: desert_lj@yahoo.com.tw ←─ 收件者可以造假！
Content-Type: text/html;
charset="big5";
charset="big5";
charset="big5";
charset="big5";
charset="big5"
Content-Transfer-Encoding: 8bit
Date: Wed, 27 Sep 2006 02:26:00 +0800
Message-ID: <GABRIELXsprw0m25q8a000091f2@gabriel.INTERNAL.NNRHA.ORG>
X-OriginalArrivalTime: 26 Sep 2006 18:25:15.0088 (UTC) FILETIME=[1C7DA500:01C6E199]
...

1 → smtpd_client_restrictions
2 → smtpd_helo_restrictions
3 → smtpd_sender_restrictions
4 → smtpd_recipient_restrictions
5 → smtpd_data_restrictions
6 → header_checks
7 → body_checks

# -=------------------------------------------------------=-
# _1_Server: 220 smtp.example.com ESMTO Postfix
# check client use ip/domain
#
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,
check_client_access regexp:/etc/postfix/client_checks, <-- 直接拒收不歡迎 smtp server,是用 554 方式拒收！,另誤判為 ODRB IP 直接以 OK 設此！
reject_rbl_client cbl.abuseat.org,
reject_rbl_client bl.spamcop.net

---------------------------------------------
reject_rbl_client dul.dnsbl.sorbs.net <-- 加上這段可擋大部分 Dynamic IP
reject_rbl_client cbl.anti-spam.org.cn <-- 擋來自大陸的垃圾信
---------------------------------------------

# _2_Client: MAIL FROM:<info@ora.com>
# check Mail From
#
smtpd_sender_restrictions = permit_mynetworks,
permit_sasl_authenticated, <-- 避免來自未設反解 IP 而拒決轉寄!
check_sender_access regexp:/etc/postfix/sender_access, <-- 開放未定義反解 smtp server 是用正規表示法設定,以 OK 放行接受來源端信件！
reject_unknown_client, ┐
reject_non_fqdn_sender, ┼─→ DNS 檢查段！規則符合就先放行，後面就不檢查！
reject_unknown_sender_domain ┘

# _3_Clinet: RCPT TO:<kdent@example.com>
# check local network Relay
#
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks,
check_recipient_access regexp:/etc/postfix/no_fqnlist, <-- 設定部份帳號具有多重網域身份，其餘拒絕！
check_client_access regexp:/etc/postfix/client_access, <-- 拒收所有 Dynamic dns name!
reject_unauth_destination

# _4_Client: Data (這段定義是要配合 spamassassin 用,若無！可以省略)
#
smtpd_data_restrictions = check_client_access cidr:/etc/postfix/header-local,
permit_mynetworks,
check_client_access cidr:/etc/postfix/header-auth,
permit_sasl_authenticated,
check_client_access cidr:/etc/postfix/header-remote

#
# -=------------------------------------------------------=-

permit_sasl_authenticated → 允許SASL寄送
permit_mynetworks → 允許本地網路寄送
reject_unauth_destination → 不允許非認證來來源寄送

reject_rbl_client relay.ordb.org → 不允許RBL資料庫中之用戶端寄送
reject_non_fqdn_sender → 用戶端的MAIL FROM命令若不是RFC要求的完整名稱則退信。
reject_unknown_client → 當SMTP Client連線時，postfix若無法查詢該用戶端之PTR紀錄，則拒絕連線。
reject_unknown_sender_domain → mail from 命令所提供的寄信人位置若查不到A 紀錄或MX紀錄則退信。

# /etc/rc.d/init.d/MailScanner restart
# /etc/rc.d/init.d/postfix reload

__check_client_access regexp:/etc/postfix/client_checks
...
/ecfs[1-9]\.epaper\.com\.tw/ 554 Service unavailable
/ecfs1[0-9]\.epaper\.com\.tw/ 554 Service unavailable

# -=---------------------------------------------=-
# For Japen Mike_Huang
/125\.175\.32\.168/ OK ←─ 放行誤判為 ORDB IP！

Oct 2 09:04:12 tej9806 postfix/smtpd[20256]: connect from 61-225-206-44.dynamic
.hinet.net[61.225.206.44]

Oct 2 09:04:12 tej9806 postfix/smtpd[20256]: NOQUEUE: reject: CONNECT from 61-2
25-206-44.dynamic.hinet.net[61.225.206.44]: 554 <61-225-206-44.dynamic.hinet.net
^^^^
[61.225.206.44]>: Client host rejected: Service unavailable; proto=SMTP
^^^^^^^^^^^^^^^^^^^^
Oct 2 09:04:12 tej9806 postfix/smtpd[20256]: disconnect from 61-225-206-44.dyna
mic.hinet.net[61.225.206.44]

__check_sender_access regexp:/etc/postfix/sender_access
...
/.*firstbank\.com\.tw/ OK
/61\.219\.52\.9/ OK

/ms[1-9]\.epaper\.com\.tw/ DISCARD
/ms[a-z]\.epaper\.com\.tw/ DISCARD

/ecfs[1-9]\.epaper\.com\.tw/ DISCARD
/ecfs10\.epaper\.com\.tw/ DISCARD
/ecfsrv\.epaper\.com\.tw/ DISCARD

Sep 27 14:24:57 tej9806 postfix/smtpd[20168]: connect from msr.epaper.com.tw[211
.20.188.103]

Sep 27 14:24:58 tej9806 postfix/smtpd[20168]: NOQUEUE: discard: MAIL from msr.epaper.com.tw
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[211.20.188.103]: <edm@msx.epaper.com.tw>: Sender address triggers DISCARD action
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
; from=<edm@msx.epaper.com.tw> proto=ESMTP helo=<msr.epaper.com.tw>
Sep 27 14:24:58 tej9806 postfix/smtpd[20168]: 52FFC14145: client=msr.epaper.com.
tw[211.20.188.103]
Sep 27 14:24:59 tej9806 postfix/smtpd[20168]: disconnect from msr.epaper.com.tw[
211.20.188.103]

__check_client_access regexp:/etc/postfix/client_checks
...
# -=---------------------------------------------=-
/.*dynamic\..*/ DISCARD

Oct 14 13:40:45 tej9806 postfix/smtpd[21152]: connect from 141.168.179.60
.broad.nb.zj.dynamic.cndata.com[60.179.168.141]

Oct 14 13:40:55 tej9806 postfix/smtpd[21152]: NOQUEUE: discard: RCPT from
^^^^^^^^^
141.168.179.60.broad.nb.zj.dynamic.cndata.com[60.179.168.141]: <141.168.179.60.
broad.nb.zj.dynamic.cndata.com[60.179.168.141]>: Client host triggers DISCARD action;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
from=<zeMnt1o3g2qkygWW0AQOzkkIcIhR@ms53.hinet.net> to=<patty@tej.com.tw> p
roto=SMTP helo=<141.168.179.60.broad.nb.zj.dynamic.cndata.com>

Oct 14 13:40:55 tej9806 postfix/smtpd[21152]: DBB0D14149: client=141.168.
179.60.broad.nb.zj.dynamic.cndata.com[60.179.168.141]

Oct 14 13:41:00 tej9806 postfix/smtpd[21152]: disconnect from 141.168.179
.60.broad.nb.zj.dynamic.cndata.com[60.179.168.141]

__check_recipient_access regexp:/etc/postfix/no_fqnlist
# -=---------------------------------------------=-
/service@richmall\.com\.tw/ OK
/rise@richmall\.com\.tw/ OK
/.*richmall\.com\.tw/ DISCARD

Dec 21 15:22:07 tej9806 postfix/smtpd[29202]: NOQUEUE: discard: RCPT from
amos.component.com.tw[59.124.227.230]: <paul@richmall.com.tw>: Recipient
address triggers DISCARD action; from=<kuang@amos.component.com.tw>
to=<paul@richmall.com.tw> proto=ESMTP helo=<amos.component.com.tw>

smtpd_recipient_restrictions =
....
reject_rbl_client dul.dnsbl.sorbs.net <--加上這段可擋大部分 Dynamic IP
reject_rbl_client cbl.anti-spam.org.cn <----擋來自大陸的垃圾信

check_sender_access = hash:/etc/postfix/rhsbl_sender_exceptions

Nov 24 04:41:59 ns1 postfix/smtpd[1415]: NOQUEUE: reject: RCPT from unknown[201.66.41.181]:
554 Service unavailable; Client host [201.66.41.181] blocked using dul.dnsbl.sorbs.net;
Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?201.66.41.181; from=<alice@XXX.com.tw>
to=<alice@XXX.com.tw> proto=ESMTP helo=<201-66-41-181.ctame706.dsl.brasiltelecom.net.br>

Nov 24 03:57:32 ns1 postfix/smtpd[15441]: NOQUEUE: reject: RCPT from XX-XX-67-141.HINET-IP.hinet.net[XX.XX.67.141]:
451 Server configuration error; from=<spXXtw@gmail.com> to=<peter@XX.com.tw> proto=ESMTP helo=<googlemail.com>
Nov 24 03:57:32 ns1 postfix/smtpd[15441]: > XX-XX-67-141.HINET-IP.hinet.net[XX.XX.67.141]: 451 Server configuration error

$ORIGIN my.domain.com.
@ IN MX 10 a.my.domain.com.
@ IN MX 20 b.my.domain.com.
a IN A 1.2.3.4
b IN A 1.2.3.5

echo "my.domain.com" >> /etc/mail/local-host-names
echo "a.my.domain.com" >> /etc/mail/local-host-names
service sendmail restart

echo "b.my.domain.com" >> /etc/mail/local-host-names
echo "my.domain.com RELAY" >> /etc/mail/access
echo "a.my.domain.com RELAY" >> /etc/mail/access
makemap hash /etc/mail/access.db < /etc/mail/access
service sendmail restart

# vi /etc/ssh/sshd_config
PermitRootLogin no
...
PasswordAuthentication yes # 改成 no，這樣子沒有私鑰就會無法登入了
...
RSAAuthentication yes # 是否使用純的 RSA 認證！？僅針對 version 1 ！
PubkeyAuthentication yes # 是否允許 Public Key ？當然允許啦！僅針對 version 2
AuthorizedKeysFile .ssh/authorized_keys # 使用不需要密碼登入的帳號時，那麼那個帳號的存放檔案所在檔名！
...
#PermitEmptyPasswords no

# cd
# cd .ssh
# rm -f known_hosts
# cd ..
# ssh test@10.10.20.20 [該 ip 為 Mail (主要) 機器]
The authenticity of host '10.10.20.20 (10.10.20.20)' can't be established.
RSA key fingerprint is 07:d2:a4:93:b7:99:b2:39:2a:45:db:e1:6f:c7:d8:32.
Are you sure you want to continue connecting (yes/no)?yes

# vi /etc/rc.d/emaills

# >>>>>>>>>> The filename "naliases" must be
# >> NOTE >> manual add eMail User aliases
# >>>>>>>>>> please add root account
#
cd /etc/rc.d
echo -e "# $(date) " > rcptlist
cat /etc/passwd |awk -F":" '$3>=500 && $3 <=60000 {printf("%s@aaa.com.tw\n",$1);}' >> rcptlist
cat /etc/postfix/naliases >> rcptlist

# vi /etc/mail/up_account
cd /etc/mail
rm -f rcptlist

ssh test@10.10.20.20 /etc/rc.d/emaills
scp -p test@10.10.20.20:/etc/rc.d/rcptlist .

if [ -f /etc/mail/rcptlist ]; then
makemap hash -er /etc/mail/rcptlist < /etc/mail/rcptlist
fi

# chmod 755 up_account

# vi /etc/crontab
...
30 11 * * * root /etc/mail/up_account > /dev/null 2>&1
00 17 * * * root /etc/mail/up_account > /dev/null 2>&1

# /etc/rc.d/init.d/crond restart


# cat /etc/mail/rcptlist
james@abc.om
rock@abc.com

# vi /etc/mail/sendmail.cf

～例 1︰(reject)
Krcptlist hash -m -a% /etc/mail/rcptlist
SLocal_check_rcpt
R$*<$*>$*[tab]$: $2
R$*[tab]$: $(rcptlist $1 $:? $) $| $1
R?$|$*[tab]$#error $@ 5.7.1 $: "550 Relaying denied"
R$*[tab]$@ ok

～例 2︰(discard)
Krcptlist hash -m -a% /etc/mail/rcptlist
SLocal_check_rcpt
R$*<$*>$*[tab]$: $2
R$*[tab]$: $(rcptlist $1 $:? $) $| $1
R?$|$*[tab]$#discard $: discard
R$*[tab]$@ ok

# cat /etc/mail/killmail
su -l root -c '/etc/rc.d/init.d/MailScanner stop'
sleep 3
su -l root -c '/etc/rc.d/init.d/sendmail stop'
sleep 1
# fixed Argument list too long
cd /var/spool/mqueue
ls -C1 |xargs -i rm {}
su -l root -c '/etc/rc.d/init.d/MailScanner start'