On 04.02.24 22:06, Mark via Postfix-users wrote:
->"Best practice is to require submission users sending outbound mail do so
via ports 465 and/or 587."

Indeed here, I'm able to connect my smtp service *only* through;
port 465 - SSL only
port 587 - TLS only

Authentication/login is not enabled on port 25,
however port 25 is still open for worldwide communication, as usual.

I have:

smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_tls_auth_only=yes
 -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

smtps     inet  n       -       y       -       -       smtpd
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

I don't really *deeply* know how safe I go with my master settings above..
Anything absurd?


I use these two for submission/submissions in master.cf

  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

where main.cf contains:

mua_client_restrictions = permit_sasl_authenticated, check_client_access static:{530 5.7.0 Authentication Required.}
mua_helo_restrictions =

which means:
- unauthenticated clients get error "530 5.7.0 Authentication Required."
- completely no HELO restrictions
- senders and recipients are handled the same way for internal and external clients, we have some banned domains who stopped providing mail service


But I guess most of my rules are happening in main.cf, which is listed here;

https://pastebin.mozilla.org/i5tMtPAk


looking at your smtpd_recipient_restrictions and using reject_rbl_client,
you need to override them too.
I have moved those to postscreen and only use like nonexistent domains, users, banned domains described above

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
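
The override question raised in the thread can be checked mechanically. The following is an added example, not code from either poster or from Postfix: it parses a master.cf entry and reports which smtpd restriction lists a service does not override and therefore inherits from main.cf. The function names are hypothetical, the main.cf sample is constructed (the poster's real main.cf is not on this page), and `-o` values are assumed to contain no spaces, as in the posted entries.

```python
# Restriction lists smtpd evaluates in turn; a reject in any one of them rejects the mail.
RESTRICTION_PARAMS = tuple(f"smtpd_{c}_restrictions" for c in
                           ("client", "helo", "sender", "relay", "recipient"))

def logical_lines(text):
    """Drop comments and blanks; join continuation lines (leading whitespace)."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out

def parse_master(text):
    """Map service name -> its '-o name=value' overrides (values without spaces)."""
    services = {}
    for entry in logical_lines(text):
        fields = entry.split()
        args = fields[8:]  # skip the 7 column fields and the command name
        services[fields[0]] = dict(
            args[i + 1].split("=", 1) for i, a in enumerate(args[:-1]) if a == "-o")
    return services

def parse_main(text):
    """Map main.cf parameter name -> value."""
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in logical_lines(text))}

def inherited(master, main, service):
    """Restriction lists the service leaves to main.cf, with the inherited value."""
    return {p: main[p] for p in RESTRICTION_PARAMS
            if p not in master[service] and main.get(p)}

# The submission entry as posted in the thread.
MASTER_CF = """\
submission inet n       -       y       -       -       smtpd
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_tls_auth_only=yes
 -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""
# Constructed main.cf sample (not the poster's); dnsbl.example.org is a placeholder.
MAIN_CF = """\
smtpd_client_restrictions = reject_rbl_client dnsbl.example.org
smtpd_helo_restrictions = reject_invalid_helo_hostname
"""
print(inherited(parse_master(MASTER_CF), parse_main(MAIN_CF), "submission"))
```

With this sample, the posted submission entry still inherits the client and HELO lists, so a DNSBL lookup placed there would also apply to authenticated submission clients.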
