Marco:
> Hello.
>
> I have a small security concern with my external SMTP server:
>
> >220 mail.marcobaldo.ch ESMTP
> <ehlo localhost
> >250-iprovider.dmz.marcobaldo.ch
> >250-PIPELINING
> >250-SIZE
> >250-ETRN
> >250-STARTTLS
> >250-ENHANCEDSTATUSCODES
> >250-8BITMIME
> >250 DSN
>
> As you see smtpd_banner has been changed to reflect the MX records. Is
> there any way of changing the host name sent in the 250 ehlo answer
> without having to modify the definition of "myhostname", I would prefer
> to keep identical to the internal DNS name?

Postfix names, as seen on the external network, should be consistent
with the external world's view of DNS.

- The MTA name in Postfix SMTP server responses (banner, ehlo, etrn, quit, ...)
- The MTA name in Postfix SMTP client EHLO commands
- The MTA name in Postfix delivery status notifications.
- Whatever else leaks the MTA name.

You can add per-daemon overrides in master.cf, but it gets complicated,
and it breaks some of the loop detection safety mechanisms.

It may be easier to use separate MTAs for separate roles: one
"bastion" MTA that is exposed to the outside, one "mailhub" MTA
that is exposed to the inside, with mail forwarding between them.
Standard firewall setup.

Wietse
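
Added example, not part of the original thread and not Postfix code: a small check that reads the server side of a captured SMTP greeting and reports any advertised MTA name that differs from the externally published one. The sample input is constructed from the session quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: server lines of the session quoted in the thread.
SAMPLE = """\
220 mail.marcobaldo.ch ESMTP
250-iprovider.dmz.marcobaldo.ch
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

def parse_replies(text):
    """Group server lines into (code, [texts]); 'NNN-' continues, 'NNN ' ends a reply."""
    replies, current = [], None
    for raw in text.splitlines():
        m = REPLY_LINE.match(raw.strip())
        if not m:
            continue  # blank line or something that is not an SMTP reply
        code, sep, rest = m.groups()
        if current is None or current[0] != code:
            current = (code, [])
        current[1].append(rest or "")
        if sep != "-":  # final line of this reply
            replies.append(current)
            current = None
    return replies

def advertised_names(text):
    """Host name from the 220 banner and from the first 250 (EHLO) reply."""
    names = {}
    for code, lines in parse_replies(text):
        key = {"220": "banner", "250": "ehlo"}.get(code)
        first = lines[0].split()
        if key and first and key not in names:
            names[key] = first[0].lower().rstrip(".")
    return names

def check_names(text, external_name):
    """Return (where, name) pairs that differ from the externally published name."""
    want = external_name.lower().rstrip(".")
    return [(w, n) for w, n in sorted(advertised_names(text).items()) if n != want]

if __name__ == "__main__":
    print(check_names(SAMPLE, "mail.marcobaldo.ch"))
```

This covers only the SMTP server greeting; the client EHLO name and the name in delivery status notifications listed in the reply need their own checks.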