Hi,

>>> This is normal operation for a general-purpose mail server. Mail to
>>> local users can be received from anywhere (subject to spam
>>> controls). Only authorized users can relay to third-party
>>> destinations.
>>>
>>> This is a typical setup for an internet-facing mail server.
>>
>> It's somewhat of an internal server, despite being connected to the
>> Internet. No one was ever supposed to connect to it directly, and
>> trying to convert everyone to SMTP Auth is going to be a challenge.
>
> The config for an internal server is pretty simple, something like
>
> smtpd_recipient_restrictions =
>     check_client_access hash:/etc/postfix/allowed_clients
>     check_client_access hash:/etc/postfix/pop-b-smtp
>     # next line optional
>     permit_mynetworks
>     # finally, reject anything not explicitly allowed
>     reject

Got it. I will just move the check_client/sender access lists above permit_mynetworks. If I have a complete map of check_recipient_access users, it's generally a good idea to use reject at the end, or it otherwise permits, correct? Not just in terms of an internal server, but also for our relay.

>>>> I'm working on
>>>> upgrading the server to use SMTP Auth, and only allowing port 25 from
>>>> trusted relays, but it's a long process.
>
> Don't bother until you've upgraded postfix. Getting AUTH (and TLS,
> which you'll need with AUTH) to work on ancient postfix isn't always
> easy, and you won't get much help here. And AUTH with dovecot wasn't
> supported until postfix 2.something.

Yes, I should have made that more clear. This is a brand new system with fc18.

Thanks,
Alex
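
The restriction ordering discussed in this thread, as an added example that is not part of the original messages and not Postfix's own code: a simplified Python model of how one restriction list is evaluated, showing what an unlisted client gets with and without the trailing `reject`. The map contents, networks and addresses are constructed, and the lookup models only IPv4 address and octet-prefix keys.

```python
import ipaddress

# Constructed sample data; map contents and networks are assumptions.
ALLOWED_CLIENTS = {"203.0.113.10": "OK", "198.51.100": "OK", "198.51.100.66": "REJECT"}
MYNETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]


def check_client_access(table, ip):
    """Simplified hash-map lookup: full address first, then shorter octet prefixes."""
    octets = ip.split(".")
    for n in range(4, 0, -1):
        action = table.get(".".join(octets[:n]))
        if action is not None:
            return action
    return "DUNNO"  # no match: let the next restriction decide


def permit_mynetworks(ip):
    """OK for clients inside MYNETWORKS, otherwise no opinion."""
    addr = ipaddress.ip_address(ip)
    return "OK" if any(addr in net for net in MYNETWORKS) else "DUNNO"


def evaluate(restrictions, ip):
    """First decisive result wins; falling off the end of the list permits."""
    for name, check in restrictions:
        result = check(ip)
        if result in ("OK", "REJECT"):
            return result, name
    return "OK", "end of list"


# The list from the quoted config, without and with the final reject.
BASE = [
    ("check_client_access", lambda ip: check_client_access(ALLOWED_CLIENTS, ip)),
    ("permit_mynetworks", permit_mynetworks),
]
WITH_REJECT = BASE + [("reject", lambda ip: "REJECT")]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.66", "10.1.2.3", "192.0.2.77"):
        print(ip, evaluate(BASE, ip), evaluate(WITH_REJECT, ip))
```

On a real server, `postmap -q <address> hash:/etc/postfix/allowed_clients` shows what a given key returns from the map.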