On Fri, Sep 04, 2015 at 09:44:50AM +0200, Tomas Macek wrote:
> Here is the result cfg:
>
> submission inet n - n - - smtpd
> -o smtpd_etrn_restrictions=reject
> -o smtpd_sasl_auth_enable=yes
> -o content_filter=smtp-amavis:[127.0.0.1]:10024
> -o syslog_name=submission
> -o receive_override_options=no_header_body_checks
> -o smtpd_tls_security_level=may

Why "may", rather than "encrypt"?

> -o smtpd_client_restrictions=
> -o smtpd_helo_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=check_recipient_access,hash:/etc/postfix/block_localhost,check_policy_service,inet:127.0.0.1:24575,permit_mynetworks,permit_sasl_authenticated,reject

Why not set this to "$mua_recipient_restrictions", and define the
latter in main.cf?

> The "check_policy_service,inet:127.0.0.1:24575" is a per-client-IP counter
> that counts how many emails were sent by a particular IP address in the last X
> seconds. It sometimes helps to report a misused client and/or password and
> some other things. Maybe this should rather be added to
> smtpd_client_restrictions?

Client IPs are not so interesting in botnets, much better to
aggregate by SASL login name (and rate limit potentially compromised
accounts).

--
Viktor.
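
An added example, not part of the original message or of either poster's setup: the decision logic of a Postfix policy service that aggregates by the sasl_username attribute instead of the client address, as suggested in the reply above. The window, the limit, the class and function names and the sample request are assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed sample request in the policy delegation format (name=value
# lines ended by an empty line); the address and login are placeholders.
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "client_address={ip}\nsasl_username=alice@example.com\n"
          "recipient=user@example.net\n\n")

def parse_request(text):
    """Return the attributes of one request as a dict."""
    attrs = {}
    for line in text.splitlines():
        if not line:              # empty line terminates the request
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

class SaslRateLimiter:
    """Sliding-window counter of RCPT requests, keyed by SASL login."""
    def __init__(self, window=60, limit=100):   # assumed values
        self.window, self.limit = window, limit
        self.events = defaultdict(deque)        # key -> accepted timestamps

    def check(self, attrs, now=None):
        now = time.time() if now is None else now
        login = attrs.get("sasl_username", "")
        # Fall back to the client IP only when there is no authenticated login.
        key = ("sasl", login.lower()) if login else ("ip", attrs.get("client_address", ""))
        q = self.events[key]
        while q and q[0] <= now - self.window:  # expire old entries
            q.popleft()
        if len(q) >= self.limit:
            return "action=DEFER_IF_PERMIT Rate limit exceeded for this login\n\n"
        q.append(now)
        return "action=DUNNO\n\n"

def demo():
    """Same login seen from five different client IPs, limit of three."""
    limiter = SaslRateLimiter(window=60, limit=3)
    return [limiter.check(parse_request(SAMPLE.format(ip=f"192.0.2.{i + 1}")), now=1000 + i)
            for i in range(5)]
```

Because the key is the login, the fourth and fifth requests are deferred even though each arrives from a different client address, which a per-IP counter would not catch.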