On 2012-01-20 3:31 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
On 20.01.2012 09:18, Nikolaos Milas wrote:
As our internal (main) mail server only accepts mail from two mail
gateways and users submit their mail through submission port (587),
I am planning to explicitly allow accepting mail on port 25 ONLY by
our mail gateway servers (and the mail server itself). So, in
main.cf:
where /etc/postfix/gwservers.cidr:
(True IPs have been masked with 'x's since they are public.)
2001:648:2011:xxxx::xxx OK
195.251.xxx.xxx OK
195.251.xxx.xx OK
127.0.0.1 OK
Don't forget the last line should be something like:
# reject all clients not matching anything above, and be damn sure
# to comment out the last reject under recipient_restrictions
#
0.0.0.0/0 reject unauthorized client, please use our MX
why are you not only opening from the allowed addresses in
the packet-filter (iptables)? so you have no log-entries
from spammers all over the world and any protection should
generally happen as wide as possible before the service
I agree wholeheartedly and I do this as well, but I also believe in
multi-layered security, so I would *definitely* also lock it down in
postfix as above as well...
--
Best regards,
Charles
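
Added example, not part of the thread and not Postfix's own code: a simplified model of first-match lookup in a CIDR table like gwservers.cidr, useful for checking which clients a table accepts, rejects or leaves unmatched before deploying it. The addresses are constructed documentation-range values standing in for the masked IPs, and the ::/0 line is an assumption added here to show how an IPv6 client fares with and without an IPv6 catch-all.

```python
import ipaddress

# Constructed table: documentation-range addresses stand in for the masked gateway IPs.
TABLE_V4_ONLY = """\
2001:db8:2011:1::25  OK
192.0.2.10           OK
192.0.2.11           OK
127.0.0.1            OK
# catch-all as suggested in the thread
0.0.0.0/0            reject unauthorized client, please use our MX
"""
# Same table plus an IPv6 catch-all (an addition for this example, not from the thread).
TABLE_DUAL_STACK = TABLE_V4_ONLY + "::/0 reject unauthorized client, please use our MX\n"


def parse_cidr_table(text):
    """Return [(network, action)] in file order, skipping blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        # strict parsing rejects patterns with host bits set, e.g. 192.0.2.10/24
        rules.append((ipaddress.ip_network(pattern.strip("[]")), action))
    return rules


def lookup(rules, client):
    """First matching rule wins; None means no match, so later restrictions decide."""
    addr = ipaddress.ip_address(client)
    for net, action in rules:
        # An IPv4 pattern never matches an IPv6 client, and vice versa.
        if addr.version == net.version and addr in net:
            return action
    return None


def audit(table_text, clients):
    rules = parse_cidr_table(table_text)
    return {c: lookup(rules, c) for c in clients}


# Constructed clients: two gateways, one IPv4 stranger, one IPv6 stranger.
CLIENTS = ["192.0.2.10", "2001:db8:2011:1::25", "203.0.113.7", "2001:db8:ffff::1"]
if __name__ == "__main__":
    for name, table in (("v4 catch-all", TABLE_V4_ONLY), ("v4+v6 catch-all", TABLE_DUAL_STACK)):
        for client, result in audit(table, CLIENTS).items():
            print(f"{name:16} {client:20} -> {result or 'no match, falls through'}")
```

A None result means the table gave no answer for that client, so whatever restrictions follow the table lookup decide the outcome.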