On Fri, Sep 04, 2015 at 09:44:50AM +0200, Tomas Macek wrote: > Here is the result cfg: > > submission inet n - n - - smtpd > -o smtpd_etrn_restrictions=reject > -o smtpd_sasl_auth_enable=yes > -o content_filter=smtp-amavis:[127.0.0.1]:10024 > -o syslog_name=submission > -o receive_override_options=no_header_body_checks > -o smtpd_tls_security_level=may
Why "may", rather than "encrypt"? > -o smtpd_client_restrictions= > -o smtpd_helo_restrictions= > -o smtpd_sender_restrictions= > -o > smtpd_recipient_restrictions=check_recipient_access,hash:/etc/postfix/block_localhost,check_policy_service,inet:127.0.0.1:24575,permit_mynetworks,permit_sasl_authenticated,reject Why not set this to "$mua_recipient_restrictions", and define the latter in main.cf? > The "check_policy_service,inet:127.0.0.1:24575" is per client IP counter, > that counts how many emails were sent by particular IP address in last X > seconds. It sometimes helps to report misused client and/or password and > some other things. Maybe this should be added rather to the > smtpd_client_restrictions? Client IPs are not so interesting in botnets, much better to aggregate by SASL login name (and rate limit potentially compromised accounts). -- Viktor.