On 1/20/2018 11:56 PM, J Doe wrote:
> Hi,
> 
> I have a basic SMTP server set up with what I believe to be good
> smtpd_*_restrictions, but I was wondering if anyone could provide any
> insight on how to improve them or if I have been redundant in the
> restrictions.  Even with reading the man pages, I find some of the
> restrictions tricky.
> 
> I am eventually having a submission service (with an -o 
> smtpd_relay_restrictions=permit_sasl_authenticated in master.cf), for this 
> server but right now what follows is just for a SMTP server on port 25.
> 
> smtpd_client_restrictions = permit_mynetworks,
>       reject_unauth_pipelining,
>       check_client_access hash:/etc/postfix/client_acl,
>       reject_unknown_client_hostname,
>         permit

reject_unknown_client_hostname is likely to reject legit mail.  Use
with caution.

Consider instead using reject_unknown_reverse_client_hostname, which
rejects clients with no PTR record.  This is similar to what many
large providers do and is fairly low risk.

The "permit" at the end is unnecessary, but doesn't break anything.
Same with all the other "permit" in restrictions below.

> 
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks,
>       reject_unauth_pipelining,
>         reject_invalid_helo_hostname,
>       reject_non_fqdn_helo_hostname,
>       check_helo_access hash:/etc/postfix/helo_acl,
>       reject_unknown_helo_hostname,
>       permit

reject_unknown_helo_hostname is likely to reject legit mail.  Use
with caution.



  -- Noel Jones

> 
> smtpd_sender_restrictions = permit_mynetworks,
>       reject_unauth_pipelining,
>       reject_non_fqdn_sender,
>       check_sender_access hash:/etc/postfix/sender_acl,
>         reject_unknown_sender_domain,
>         permit
> 
> smtpd_recipient_restrictions = permit_mynetworks,
>       permit_auth_destination,
>       reject
> 
> smtpd_relay_restrictions = permit_mynetworks,
>       permit_auth_destination,
>       reject
> 
> Thanks,
> 
> - J
> 
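
Added example, not part of the original thread: a small Python model of the documented reject conditions of the two client restrictions discussed in the reply, run over a constructed DNS view so it works offline. The function names mirror the Postfix restriction names for readability only; the addresses and hostnames are made-up sample data, and temporary DNS failures (which Postfix handles separately) are not modeled.

```python
# Model of two Postfix client restrictions over constructed DNS data.
# This is an illustration, not Postfix code; no network lookups are made.

# Constructed sample DNS view (documentation address ranges, made-up names).
PTR = {  # address -> name
    "192.0.2.10": "mail.example.org",
    "192.0.2.20": "host20.isp.example",
    "192.0.2.30": "mx.example.net",
    # 192.0.2.40 has no PTR record at all
}
A = {  # name -> addresses
    "mail.example.org": ["192.0.2.10"],
    "mx.example.net": ["198.51.100.7"],  # forward record points elsewhere
    # host20.isp.example has no forward record
}

def reject_unknown_reverse_client_hostname(ip):
    """Reject only when the client address has no address->name mapping."""
    return ip not in PTR

def reject_unknown_client_hostname(ip):
    """Reject when the PTR is missing, the PTR name does not resolve,
    or the resolved addresses do not include the client address."""
    name = PTR.get(ip)
    if name is None:
        return True
    addrs = A.get(name)
    if not addrs:
        return True
    return ip not in addrs

def classify(ip):
    """Return the verdict (True = reject) of both restrictions for one client."""
    return {
        "reject_unknown_client_hostname": reject_unknown_client_hostname(ip),
        "reject_unknown_reverse_client_hostname":
            reject_unknown_reverse_client_hostname(ip),
    }

CLIENTS = ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"]

def report():
    return {ip: classify(ip) for ip in CLIENTS}

if __name__ == "__main__":
    for ip, verdict in report().items():
        print(ip, verdict)
```

Clients 192.0.2.20 and 192.0.2.30 have a PTR record but incomplete or mismatched forward DNS: only the stricter restriction rejects them, while both restrictions reject 192.0.2.40.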
