On 23.12.2014 at 15:03, Tomas Macek wrote:
Tomas Macek:
Hello, I'm trying to prevent my testing postfix installation 2.8.4 from being
abused by emails that will go to the root@localhost email address.
I found out that it receives these messages accidentally, when I
tested my configuration.
The root@localhost must be accessible, when the mail comes from localhost
machine and not be accessible from the rest of the world - that's clear.
My server will receive email from many virtual domains.

I believe the right cfg place is smtpd_recipient_restrictions where I have
this:

smtpd_recipient_restrictions = permit_mynetworks,
                                check_recipient_access

This allows all mail from local networks.

http://www.postfix.org/postconf.5.html#permit_mynetworks
http://www.postfix.org/postconf.5.html#mynetworks

2) when I came from outside world, the restriction worked:
but when I came from 127.0.0.1, the mail was received - why exactly? But

Because of permit_mynetworks/mynetworks.

Many thanks to all of you guys!

But I have still one question...

What about if I would prefer to receive the mail for root@localhost
from just localhost and not from other places? = not from the rest of
mynetworks, not from outside of mynetworks - does this have any sense to
set up such a configuration? Is there any possibility to have such a
configuration?

it *may* make sense but is questionable and may lead in more complex setups than one wants if it comes to troubleshooting or a new tech stuff needs to understand the setups

that's one reason why we *strictly* split inbound MX on a own machine doing all the filtering and hand over clean messages via SMTP to the real mailserver

in that case you can have there completely different rules and blacklist all sorts of internal addresses because you know that mailflow comes from the outside - there also you can apply a large amount of HELO/PTR rules, RBLs, SPF and what not else because you can expect only MTA's try to deliver mail and any sign of an ordinary mail-client is a clear reject (a MUA has to use his submission server, if not it's mostly a botnet zombie deliver spam/malware)

that way you can have different rules for "mynetworks" as well as forbid own domains as envelope while mail from the submission server relays to the outside world and store messages for your own domains without touch the MX
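
One way to accept mail for root@localhost from the loopback interface only, as asked earlier in the thread. This is an added example, not a configuration posted by anyone in the thread; the file paths and the class name `loopback_only` are assumptions.

```ini
# /etc/postfix/main.cf
# (paths and the class name "loopback_only" are assumptions for this example)

# A restriction class that permits loopback clients and rejects everyone else.
smtpd_restriction_classes = loopback_only
loopback_only =
    check_client_access cidr:/etc/postfix/loopback_clients,
    reject

# The recipient lookup has to come BEFORE permit_mynetworks. Restrictions are
# evaluated in order and the first PERMIT or REJECT ends the evaluation, so
# with permit_mynetworks listed first every client in mynetworks is accepted
# before the recipient table is ever consulted.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/protected_recipients,
    permit_mynetworks,
    reject_unauth_destination

# /etc/postfix/protected_recipients
# (run "postmap /etc/postfix/protected_recipients" after editing)
# The right-hand side names the restriction class to apply to this recipient.
root@localhost    loopback_only

# /etc/postfix/loopback_clients
# (cidr tables are read directly, no postmap needed)
127.0.0.0/8       OK
::1/128           OK
```

Only the literal recipient root@localhost is matched here; other addresses that end up in the same mailbox need their own entries in the recipient table. Mail handed over locally with the sendmail command does not pass through smtpd and is not affected by these restrictions.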
