On Sun, Feb 04, 2024 at 01:22:45PM +0200, Mark via Postfix-users wrote:

> Is it better to list reject_unauth_destination after;
>
>     permit_mynetworks,
>     permit_sasl_authenticated,
>
> Or before these? And why?
Best practice is to require submission users sending outbound mail do so via ports 465 and/or 587. If also the MTA instance in question is *not* a "smarthost" outbound relay for some set of "internal" machines authorised by IP address, then you simply don't need either of:

    permit_mynetworks,
    permit_sasl_authenticated

Instead, the simplest setting of "smtpd_relay_restrictions" can be

    smtpd_relay_restrictions = reject_unauth_destination

If however some "trusted IP" clients or some "authenticated" users are using port 25 to send outbound mail, then you need to add either or both of:

    permit_mynetworks,
    permit_sasl_authenticated

*before* rejecting mail for external domains.

> And finally, here are my helo and sender restrictions;
>
>     smtpd_helo_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_invalid_helo_hostname,
>         reject_non_fqdn_helo_hostname,
>         permit
>
>     smtpd_sender_restrictions =
>         reject_non_fqdn_sender,
>         reject_unlisted_sender,
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unknown_sender_domain,
>         permit
>
> You might wish to give your opinions on these above as well?

Whatever works for you, so long as you understand what these do, and these meet your goals. The main thing is to configure separate rules for port 25 and (via master.cf overrides) for submission on port 465 and 587.
I have:

    submission inet n       -       n       -       -       smtpd
        -o syslog_name=postfix/submission
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_tls_security_level=encrypt
        -o smtpd_tls_dh1024_param_file=${config_directory}/dh2048.pem
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o smtpd_recipient_restrictions=
        -o smtpd_data_restrictions=
        -o smtpd_end_of_data_restrictions=
        -o milter_macro_daemon_name=ORIGINATING
        -o smtpd_milters=$mua_milters
        -o always_add_missing_headers=yes
        -o header_checks=$submit_header_checks
        -o body_checks=

> I'm trying to be as restrictive as possible, against hoax & pseudo
> hostnames/helo attempts, spammers and attackers.

Best to go with: as restrictive as reasonably practical. Some junk will get through, that's OK, provided it does not drown users in a torrent of spam, dominating legitimate mail.

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
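As an added illustration of why the order matters (example code, not part of Viktor's reply and not Postfix's own code): a small Python model of how an smtpd restriction list is evaluated, first definitive match wins, run against the port-25 lists discussed above and the submission override. The Client fields and the list constants are constructed for the example.

```python
"""Constructed model of Postfix smtpd restriction-list evaluation (added example,
not Postfix or the poster's code). Each restriction is tried in order; the first
permit or reject decides; a list that ends without a decision permits. Client
attributes are hypothetical inputs, not live Postfix data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    in_mynetworks: bool       # client IP matches $mynetworks
    sasl_authenticated: bool  # client completed SASL AUTH on this connection
    recipient_is_ours: bool   # recipient domain is in mydestination/relay_domains/...


def evaluate(restrictions, client):
    """Return 'permit' or 'reject' for one RCPT TO under the given list."""
    for r in restrictions:
        if r == "permit_mynetworks" and client.in_mynetworks:
            return "permit"
        if r == "permit_sasl_authenticated" and client.sasl_authenticated:
            return "permit"
        if r == "reject_unauth_destination" and not client.recipient_is_ours:
            return "reject"
        if r in ("permit", "reject"):
            return r
        # a restriction that does not match is DUNNO: fall through to the next one
    return "permit"


def audit_relay_order(restrictions):
    """Flag ordering mistakes: a permit_* listed after reject_unauth_destination is
    never reached for external recipients, so those clients cannot relay at all."""
    problems = []
    if "reject_unauth_destination" not in restrictions:
        return ["no reject_unauth_destination: unauthenticated clients could relay"]
    cut = restrictions.index("reject_unauth_destination")
    for r in restrictions[cut + 1:]:
        if r in ("permit_mynetworks", "permit_sasl_authenticated"):
            problems.append(f"{r} listed after reject_unauth_destination is never reached")
    return problems


PORT25_SIMPLE = ["reject_unauth_destination"]
PORT25_WITH_RELAY_CLIENTS = ["permit_mynetworks", "permit_sasl_authenticated",
                             "reject_unauth_destination"]
PORT25_WRONG_ORDER = ["reject_unauth_destination", "permit_sasl_authenticated"]
SUBMISSION = ["permit_sasl_authenticated", "reject"]  # the master.cf override quoted above
```

With PORT25_WRONG_ORDER an authenticated user sending to an external domain is rejected before permit_sasl_authenticated is ever consulted, which is the practical answer to "before or after".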