On Sun, 21 Jan 2018 14:35:42 -0600 Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 1/20/2018 11:56 PM, J Doe wrote:
> > Hi,
> >
> > I have a basic SMTP server set up with what I believe to be good
> > smtpd_*_ restrictions, but I was wondering if anyone could provide
> > any insight on how to improve them or if I have been redundant in
> > the restrictions. Even with reading the man pages, I find some of
> > the restrictions tricky.
> >
> > I am eventually having a submission service (with an -o
> > smtpd_relay_restrictions=permit_sasl_authenticated in master.cf),
> > for this server but right now what follows is just for an SMTP
> > server on port 25.
> >
> > smtpd_client_restrictions = permit_mynetworks,
> >     reject_unauth_pipelining,
> >     check_client_access hash:/etc/postfix/client_acl,
> >     reject_unknown_client_hostname,
> >     permit
>
> reject_unknown_client_hostname is likely to reject legit mail. Use
> with caution.
>
> Consider instead using reject_unknown_reverse_client_hostname, which
> rejects clients with no PTR record. This is similar to what many
> large providers do and is fairly low risk.
>
> The "permit" at the end is unnecessary, but doesn't break anything.
> Same with all the other "permit" in restrictions below.
>
> > smtpd_helo_required = yes
> > smtpd_helo_restrictions = permit_mynetworks,
> >     reject_unauth_pipelining,
> >     reject_invalid_helo_hostname,
> >     reject_non_fqdn_helo_hostname,
> >     check_helo_access hash:/etc/postfix/helo_acl,
> >     reject_unknown_helo_hostname,
> >     permit
>
> reject_unknown_helo_hostname is likely to reject legit mail. Use
> with caution.
>
> --
> Noel Jones
>
> > smtpd_sender_restrictions = permit_mynetworks,
> >     reject_unauth_pipelining,
> >     reject_non_fqdn_sender,
> >     check_sender_access hash:/etc/postfix/sender_acl,
> >     reject_unknown_sender_domain,
> >     permit
> >
> > smtpd_recipient_restrictions = permit_mynetworks,
> >     permit_auth_destination,
> >     reject
> >
> > smtpd_relay_restrictions = permit_mynetworks,
> >     permit_auth_destination,
> >     reject
> >
> > Thanks,
> >
> > - J

Doing some reading on the PTR record, I believe I have been doing my MX
record incorrectly. The reverse DNS can only point to one domain name. If
you are hosting multiple domains on one server, all MX records should
point to the domain name that has the PTR record.

For example, suppose the "main" domain of the server is example.com. In
this case, example.com has the PTR record. If you also host something.com
at the same IP address, the MX record for something.com should point to
example.com, not something.com.

https://serverfault.com/questions/158828/ptr-record-rdns-for-multiple-domains-on-a-shared-ip-address

Is my interpretation correct?

As an aside, note the superfluous "permit" shows up in many guides online,
but not all of them. I experimented with dropping the extra permit and
things worked, but put them back in anyway out of paranoia. I'm going to
drop them now.
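To make Noel's distinction concrete, here is an added example (not from this thread and not Postfix's own code) that models how the two client-hostname checks and a trailing "permit" behave. It replaces the resolver with a constructed PTR/A table so it runs offline; the mynetworks ranges, the hostnames and the addresses in it are all made up, and the reject strings only approximate Postfix's wording.

```python
"""Model of Postfix client restrictions: reject_unknown_reverse_client_hostname
(a PTR record must exist) versus reject_unknown_client_hostname (the PTR name
must also resolve back to the client address, i.e. forward-confirmed rDNS),
plus a list evaluator showing why a trailing 'permit' is redundant.
Added example with constructed DNS data; not Postfix source."""

import ipaddress
from typing import Callable, List, Optional

Verdict = Optional[str]          # None = no decision (DUNNO), "OK" = permit, "550 ..." = reject
Restriction = Callable[[str], Verdict]

# Constructed reverse (PTR) and forward (A) zones standing in for a resolver.
PTR = {
    "192.0.2.10": "mail.example.com",   # PTR and A agree (good FCrDNS)
    "192.0.2.20": "mx.example.net",     # PTR exists, but the name points elsewhere
    "192.0.2.30": "ghost.example.org",  # PTR exists, but the name has no A record
    # 192.0.2.40 deliberately has no PTR at all
}
A = {
    "mail.example.com": ["192.0.2.10"],
    "mx.example.net": ["198.51.100.5"],
}

# Constructed stand-in for $mynetworks.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]


def reverse_client_hostname(client_ip: str) -> Optional[str]:
    """PTR lookup: the name for client_ip, or None when there is no reverse record."""
    return PTR.get(str(ipaddress.ip_address(client_ip)))


def permit_mynetworks(client_ip: str) -> Verdict:
    """Permit clients inside the trusted networks; otherwise no decision."""
    ip = ipaddress.ip_address(client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else None


def reject_unknown_reverse_client_hostname(client_ip: str) -> Verdict:
    """Low-risk variant: reject only when the address has no PTR record."""
    if reverse_client_hostname(client_ip) is None:
        return "550 Client host rejected: cannot find your reverse hostname"
    return None


def reject_unknown_client_hostname(client_ip: str) -> Verdict:
    """Strict variant: PTR must exist AND its name must resolve back to client_ip.
    Any hop that fails (no PTR, no A, address mismatch) rejects, which is why
    it catches legitimate but sloppily configured senders too."""
    name = reverse_client_hostname(client_ip)
    if name is None:
        return "550 Client host rejected: cannot find your hostname"
    addrs = A.get(name)
    if not addrs:
        return f"550 Client host rejected: {name} has no address record"
    if client_ip not in addrs:
        return f"550 Client host rejected: {name} does not resolve to {client_ip}"
    return None


def evaluate(client_ip: str, restrictions: List[Restriction]) -> str:
    """Walk a restriction list in order; the first permit or reject decides.
    If every entry returns no decision, the list's default is permit, so an
    explicit trailing 'permit' changes nothing."""
    for restriction in restrictions:
        verdict = restriction(client_ip)
        if verdict is not None:
            return verdict
    return "OK"


if __name__ == "__main__":
    lenient = [permit_mynetworks, reject_unknown_reverse_client_hostname]
    strict = [permit_mynetworks, reject_unknown_client_hostname]
    for ip in ("10.1.2.3", "192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(f"{ip:12} lenient: {evaluate(ip, lenient):8}  strict: {evaluate(ip, strict)}")
```

Running it shows that only the client with no PTR at all (192.0.2.40) is rejected by the reverse-hostname check, whereas the strict check also rejects the two hosts whose PTR name does not confirm the address, which is the "likely to reject legit mail" case.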