On 13.04.2013 21:42, b...@bitrate.net wrote:
> 
> On Apr 13, 2013, at 15.33, Russell Jones <russ...@jonesmail.me> wrote:
> 
>> Hi all,
>>
>> Upgrading mail server from Postfix 2.9 to 2.10. Could I get a quick sanity 
>> check to ensure my (fairly simple) setup is sane with the new 
>> smtpd_relay_restrictions? Thanks :-)
>>
>> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
>> reject_unauth_destination
>> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated 
>> check_client_access hash:/etc/postfix/rbl_override reject_rbl_client 
>> zen.spamhaus.org
> 
> really, neither of permit_mynetworks nor permit_sasl_authenticated belong in 
> any global restrictions.  
> smtp auth [e.g. sasl] is for submission clients, which should be using 
> submission/587, and these days, 

fine - in the real life you start not from scratch

have fun calling hundreds and thousands of users especially with broken
clients like an iPhone and explain them what to do to change the port

in a perfect world i would even close port 25 from the WAN because
the MX is a dedicated spam-firewall, but as said above this world
exists mostly only if you are a startup with no existing customers

> i really just discourage use of permit_mynetworks altogether

if you are not stupid enough to add a /24 network there it is pretty fine
you do not want to pass every internal server sending a system-message to
check_recipient_access which may be a spam-filter

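An added example, not part of the original thread: a simplified Python model of how Postfix 2.10 applies the two restriction lists from the question, relay list first and recipient list second, each with first-match semantics. The `Session` fields and the lookup results are constructed assumptions; no DNS or map files are consulted.

```python
# Added illustration: simplified model of Postfix first-match restriction evaluation.
# Client attributes and lookup results are constructed; nothing is read from disk or DNS.
from dataclasses import dataclass

@dataclass
class Session:
    in_mynetworks: bool = False
    sasl_authenticated: bool = False
    rcpt_is_local: bool = False   # recipient domain is one this server is responsible for
    rbl_listed: bool = False      # client IP listed in the DNSBL
    rbl_override: bool = False    # client has an OK entry in the override table

# Each restriction returns "permit", "reject" or None (no decision, try the next one).
RESTRICTIONS = {
    "permit_mynetworks": lambda s: "permit" if s.in_mynetworks else None,
    "permit_sasl_authenticated": lambda s: "permit" if s.sasl_authenticated else None,
    "reject_unauth_destination": lambda s: None if s.rcpt_is_local else "reject",
    "check_client_access": lambda s: "permit" if s.rbl_override else None,
    "reject_rbl_client": lambda s: "reject" if s.rbl_listed else None,
}

def parse(value):
    """Split a main.cf restriction list; arguments such as map names are skipped."""
    return [tok for tok in value.replace(",", " ").split() if tok in RESTRICTIONS]

def evaluate(names, session):
    """First restriction that decides wins; falling off the end permits."""
    for name in names:
        result = RESTRICTIONS[name](session)
        if result:
            return result, name
    return "permit", "(end of list)"

def rcpt_decision(relay, recipient, session):
    """Relay list is checked before the recipient list; a reject in either is final."""
    for label, value in (("relay", relay), ("recipient", recipient)):
        result, name = evaluate(parse(value), session)
        if result == "reject":
            return f"reject by {name} ({label})"
    return "accept"

# The two lists as posted in the question.
RELAY = "permit_mynetworks permit_sasl_authenticated reject_unauth_destination"
RCPT = ("permit_mynetworks permit_sasl_authenticated "
        "check_client_access hash:/etc/postfix/rbl_override "
        "reject_rbl_client zen.spamhaus.org")
```

With these lists an unauthenticated outside client cannot relay, and a client matched by `permit_mynetworks` never reaches the DNSBL check in the recipient list.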