> -----Original Message-----
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Alberto Lepe
> Sent: Monday, 16 March 2009 4:18 PM
> To: postfix-users@postfix.org
> Subject: Too strict?
>
> Hello, and thank you in advance for your time!
>
> I have been setting up a mail server for more than a week
> and after reading several posts/articles and some pages of
> the Postfix manual, I'm a little confused about how to set up
> the security.
> The mail server is outside my LAN and it will be used to
> serve some domains, with maybe 10 users per domain.
>
> This is my main.cf (restrictions):
>
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_recipient_restrictions =
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     permit_mynetworks,
>     permit_sasl_authenticated,
> #   reject_unknown_sender_domain,
> #   reject_unknown_recipient_domain,
>     reject_unauth_destination,
>     reject_invalid_helo_hostname,
>     reject_unlisted_recipient,
>     reject_unlisted_sender,
>     reject_invalid_hostname,
> #   reject_non_fqdn_hostname,
> #   reject_unknown_client_hostname,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client bl.spamcop.net,
>     permit
>
Leaving aside the other comments people have made, I have reject_unknown_sender_domain (AFTER reject_unauth_destination) and reject_non_fqdn_hostname configured. The latter check in particular rejects thousands of connections a day so I don't have to keep hitting the Zen lookups. No FPs that I've ever been made aware of. reject_unlisted_recipient is redundant, since it's "yes" by default (but no harm leaving it in).
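
The effect described in the reply above (a cheap HELO check placed ahead of the DNSBL lookups), as an added example that is not part of the original thread or of Postfix itself. It is a simplified model of first-match restriction evaluation over a subset of the posted restrictions; the sessions, the hosted domain and the DNSBL listing are constructed, and the FQDN test is an approximation of Postfix's own.

```python
# Added example: simplified model of Postfix's first-match restriction evaluation.
# A check returns "REJECT", "PERMIT", or None (DUNNO: fall through to the next).
LOCAL_DOMAINS = {"example.com"}   # constructed: domains this server accepts mail for
DNSBL_LISTED = {"203.0.113.7"}    # constructed: clients the DNSBL would list

SESSIONS = [  # constructed sample SMTP sessions
    {"client": "198.51.100.10", "helo": "mail.sender.example", "rcpt": "bob@example.com", "sasl": False},
    {"client": "203.0.113.7", "helo": "localhost", "rcpt": "bob@example.com", "sasl": False},
    {"client": "198.51.100.20", "helo": "WIN-PC", "rcpt": "alice@example.com", "sasl": False},
    {"client": "203.0.113.7", "helo": "mx.bulk.example", "rcpt": "bob@example.com", "sasl": False},
    {"client": "192.0.2.50", "helo": "laptop", "rcpt": "x@elsewhere.example", "sasl": True},
]

def is_fqdn(helo):
    # Address literals such as [192.0.2.1] pass; otherwise require an inner dot.
    return helo.startswith("[") or "." in helo.strip(".")

def make_checks(stats):
    def rbl(s):
        stats["dnsbl_lookups"] += 1   # each call stands for one DNS query
        return "REJECT" if s["client"] in DNSBL_LISTED else None
    def unauth(s):
        return None if s["rcpt"].rsplit("@", 1)[-1] in LOCAL_DOMAINS else "REJECT"
    return {
        "permit_sasl_authenticated": lambda s: "PERMIT" if s["sasl"] else None,
        "reject_unauth_destination": unauth,
        "reject_non_fqdn_hostname": lambda s: None if is_fqdn(s["helo"]) else "REJECT",
        "reject_rbl_client": rbl,
        "permit": lambda s: "PERMIT",
    }

def evaluate(order, sessions):
    """Return ([(verdict, deciding_check)], dnsbl_lookups) for this ordering."""
    stats = {"dnsbl_lookups": 0}
    checks = make_checks(stats)
    verdicts = []
    for s in sessions:
        # First non-DUNNO result ends evaluation for the session.
        hit = next(((r, n) for n in order if (r := checks[n](s))), ("PERMIT", "default"))
        verdicts.append(hit)
    return verdicts, stats["dnsbl_lookups"]

# Subset of the posted list (HELO check commented out there), then with it enabled.
AS_POSTED = ["permit_sasl_authenticated", "reject_unauth_destination", "reject_rbl_client", "permit"]
WITH_HELO_CHECK = AS_POSTED[:2] + ["reject_non_fqdn_hostname"] + AS_POSTED[2:]

if __name__ == "__main__":
    for label, order in (("as posted", AS_POSTED), ("with HELO check", WITH_HELO_CHECK)):
        verdicts, lookups = evaluate(order, SESSIONS)
        print(label, "->", lookups, "DNSBL lookups;", verdicts)
```

In this model the authenticated client with a bare HELO name is still accepted, because permit_sasl_authenticated decides before the HELO check is reached.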