On Tue, 23 Dec 2014, li...@rhsoft.net wrote:
On 23.12.2014 at 15:03, Tomas Macek wrote:
> Tomas Macek:
> > Hello, I'm trying to prevent my testing postfix installation 2.8.4
> > from being abused by emails that will go to the root@localhost
> > email address.
> > I found out that it receives these messages accidentally, when I
> > tested my configuration.
> > The root@localhost must be accessible when the mail comes from the
> > localhost machine and not be accessible from the rest of the world -
> > that's clear.
> > My server will receive email from many virtual domains.
> >
> > I believe the right cfg place is smtpd_recipient_restrictions where I
> > have this:
> >
> > smtpd_recipient_restrictions = permit_mynetworks,
> > check_recipient_access
>
> This allows all mail from local networks.
>
> http://www.postfix.org/postconf.5.html#permit_mynetworks
> http://www.postfix.org/postconf.5.html#mynetworks
>
> > 2) when I came from outside world, the restriction worked:
> > but when I came from 127.0.0.1, the mail was received - why exactly?
> > But
>
> Because of permit_mynetworks/mynetworks.
Many thanks to all of you guys!
But I still have one question...
What if I would prefer to receive the mail for root@localhost
from just localhost and not from other places? = not from the rest of
mynetworks, not from outside of mynetworks - does it make any sense to
set up such a configuration? Is there any possibility to have such a
configuration?

it *may* make sense but is questionable and may lead to more complex setups
than one wants when it comes to troubleshooting or when new tech staff needs to
understand the setups

that's one reason why we *strictly* split inbound MX onto its own machine doing
all the filtering and handing over clean messages via SMTP to the real
mailserver

in that case you can have completely different rules there and blacklist all
sorts of internal addresses because you know that mailflow comes from the
outside - there you can also apply a large amount of HELO/PTR rules, RBLs,
SPF and whatnot because you can expect only MTAs to try to deliver mail
and any sign of an ordinary mail client is a clear reject (a MUA has to use
its submission server; if not, it's mostly a botnet zombie delivering
spam/malware)

that way you can have different rules for "mynetworks" as well as forbid own
domains as envelope while mail from the submission server relays to the
outside world and stores messages for your own domains without touching the MX

Thank you for the explanation. I will stay with the standard cfg that was
mentioned before.
Merry Christmas to everyone!
Tomas
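
One way to express the restriction asked about in this thread (root@localhost accepted only from loopback clients, not from the rest of mynetworks), as an added example that is not part of the original messages. The file paths, the table names and the class name loopback_only are assumptions chosen for illustration.

```conf
# --- /etc/postfix/main.cf (paths and the class name are assumptions) ---
# With permit_mynetworks listed first, every client in $mynetworks is
# permitted before the recipient table is ever consulted. Putting the
# recipient check first lets it decide for the protected address.
smtpd_restriction_classes = loopback_only
loopback_only =
    check_client_access cidr:/etc/postfix/loopback_clients.cidr,
    reject

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/protected_rcpt,
    permit_mynetworks,
    reject_unauth_destination

# --- /etc/postfix/protected_rcpt (build with: postmap /etc/postfix/protected_rcpt) ---
# The right-hand side names the restriction class defined above.
root@localhost    loopback_only

# --- /etc/postfix/loopback_clients.cidr ---
# Only loopback clients get OK; every other client falls through to "reject".
127.0.0.0/8    OK
::1/128        OK
```

Mail submitted locally with the sendmail(1) command does not pass through smtpd(8), so these restrictions do not affect it.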