On Fri, Sep 04, 2015 at 09:44:50AM +0200, Tomas Macek wrote:

> Here is the result cfg:
> 
> submission inet n      -       n       -       -       smtpd
>         -o smtpd_etrn_restrictions=reject
>         -o smtpd_sasl_auth_enable=yes
>         -o content_filter=smtp-amavis:[127.0.0.1]:10024
>         -o syslog_name=submission
>         -o receive_override_options=no_header_body_checks
>         -o smtpd_tls_security_level=may

Why "may", rather than "encrypt"?

>         -o smtpd_client_restrictions=
>         -o smtpd_helo_restrictions=
>         -o smtpd_sender_restrictions=
>         -o 
> smtpd_recipient_restrictions=check_recipient_access,hash:/etc/postfix/block_localhost,check_policy_service,inet:127.0.0.1:24575,permit_mynetworks,permit_sasl_authenticated,reject

Why not set this to "$mua_recipient_restrictions", and define the
latter in main.cf?

> The "check_policy_service,inet:127.0.0.1:24575" is per client IP counter,
> that counts how many emails were sent by particular IP address in last X
> seconds. It sometimes helps to report misused client and/or password and
> some other things. Maybe this should be added rather to the
> smtpd_client_restrictions?

Client IPs are not so interesting in botnets, much better to
aggregate by SASL login name (and rate limit potentially compromised
accounts).

-- 
        Viktor.

Reply via email to