I'm looking to deploy a Postfix server in place of a sendmail server after reading up on how Postfix works. I've got the system so it can deliver mail locally, but now I'm looking to add security (gradually) to the Postfix install. I'm trying to test out the server accepting FQDNs only. I telnet to the system & issue a: HELO sparky . If I continue composing the email in telnet, it happily accepts everything. What am I doing wrong? This is my Postfix configuration to date:
================================================== ======
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
default_privs = nobody

myhostname = postfix.quirkygames.com
mydomain = quirkygames.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks_style = class
inet_interfaces = all

relay_domains = $mydestination

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

unknown_local_recipient_reject_code = 550

debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix

setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
#=========================================================
smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_helo_restrictions =
permit_mynetworks,
reject_invalid_hostname,
reject_non_fqdn_hostname,
permit

smtpd_recipient_restrictions =
permit_mynetworks,
reject_invalid_hostname,
reject_non_fqdn_hostname,
permit

==================================================
If I activate just the helo restrictions, it lets the email complete. If I enable the recipient restrictions, the moment I telnet to port 25, the cursor just hangs.

Any help would be appreciated.

Nothing. You have permit_mynetworks first in your helo_restrictions, so anyone
telnetting from the LAN would pass the helo tests without question.

D'oh!! Makes sense. I guess it's like the book says: position. position. position. So you have to be certain that you order the restrictions the way you want them applied.

Though, why is it if I include the smptd_recipient_restrictions area, the telnet session sits frozen? I don't even get the greeting from the mail server.

Also, the book I'm reading on postfix says that to do the FQDN protection it goes in the recipient restrictions. Why would that be? Their restrictions are printed:
smtp_recipient_restrictions = permit_mynetworks,reject_unauth_destination,reject_non_fqdn_hostname, permit

Check your mail logs. But the reason is probably that your recipient_restrictions are too permissive. See the postconf(5) man page for rules that are mandatory for smtpd_recipient_restrictions.

Also. with smtpd_delay_reject = yes, as you have it, the client would not be rejected until the RCPT TO phase, even if the client violated one of the helo_restrictions. In this case, you can list your access rules under a single recipient_restrictions stanza (instead of having separate client_restrictions, helo_restrictions, etc.)