> On 2020-06-12 08:57, Jeroen Geilman wrote:
> - too many errors after .* from .*
> - warning: non-SMTP command from .*
> While these do indicate badly-behaved clients, there is no reason to assume evil intent.
Who would send a non-SMTP command to a mail server? I usually see commands such as GET /
> - reject: RCPT from .* Recipient address rejected: User unknown in local recipient table; .*'
> This rejection is per-recipient; blocking this *client* because they mis-typed a single address means you /will/ reject valid email later on.
OK, I see. But I am blocking for 1 hour only anyway.
> - lost connection after STARTTLS
> What if the client could not match the server version or ciphers, and has to disconnect to try plain SMTP again? There is no down-step after STARTTLS.
OK, I see. But, on the other hand, who is still sending plaintext these days? And why can't a legitimate client use reasonable ciphers? I think my settings are not so strict. I believe I am using the recommendations from this mailing list:

smtpd_tls_ciphers = medium
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
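As an added illustration of the per-recipient point made in this exchange (example code written for this page, not the poster's filter and not fail2ban's own code), the following Python scanner applies the four log patterns discussed above to constructed postfix/smtpd log lines and bans a client only once a per-rule hit count is reached inside a time window, with a one-hour ban as in the reply. The rule thresholds, the window, the IP addresses and the log lines are all assumptions chosen for the example: a single "User unknown" rejection or a single "lost connection after STARTTLS" does not ban, while a run of unknown recipients from one client does.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample postfix/smtpd log lines for this example (not from the thread).
# 203.0.113.10 sends an HTTP request, 203.0.113.11 trips the error limit,
# 198.51.100.5 mistypes a single address twice, 192.0.2.7 walks a dictionary
# of local parts, and 203.0.113.12 drops the connection once after STARTTLS.
SAMPLE_LOG = """\
Jun 12 08:00:01 mx postfix/smtpd[1001]: warning: non-SMTP command from unknown[203.0.113.10]: GET / HTTP/1.1
Jun 12 08:00:05 mx postfix/smtpd[1002]: too many errors after AUTH from unknown[203.0.113.11]
Jun 12 08:01:10 mx postfix/smtpd[1003]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.5]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
Jun 12 08:01:12 mx postfix/smtpd[1003]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.5]: 550 5.1.1 <bobb@example.org>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.net> to=<bobb@example.org> proto=ESMTP helo=<mail.example.net>
Jun 12 08:01:30 mx postfix/smtpd[1005]: NOQUEUE: reject: RCPT from unknown[192.0.2.7]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.com> to=<aaron@example.org> proto=ESMTP helo=<x>
Jun 12 08:01:31 mx postfix/smtpd[1005]: NOQUEUE: reject: RCPT from unknown[192.0.2.7]: 550 5.1.1 <abby@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.com> to=<abby@example.org> proto=ESMTP helo=<x>
Jun 12 08:01:32 mx postfix/smtpd[1005]: NOQUEUE: reject: RCPT from unknown[192.0.2.7]: 550 5.1.1 <adam@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.com> to=<adam@example.org> proto=ESMTP helo=<x>
Jun 12 08:01:33 mx postfix/smtpd[1005]: NOQUEUE: reject: RCPT from unknown[192.0.2.7]: 550 5.1.1 <alan@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.com> to=<alan@example.org> proto=ESMTP helo=<x>
Jun 12 08:01:34 mx postfix/smtpd[1005]: NOQUEUE: reject: RCPT from unknown[192.0.2.7]: 550 5.1.1 <alex@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.com> to=<alex@example.org> proto=ESMTP helo=<x>
Jun 12 08:02:00 mx postfix/smtpd[1006]: lost connection after STARTTLS from unknown[203.0.113.12]
"""

# Postfix logs the peer as "name[ip]"; capture the IPv4 literal (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# rule name -> (compiled pattern, hits required inside WINDOW before banning).
# Thresholds are illustrative assumptions, not recommended values.
RULES = {
    "too-many-errors": (re.compile(r"too many errors after \S+ from [^\[]*\[" + HOST + r"\]"), 1),
    "non-smtp-command": (re.compile(r"warning: non-SMTP command from [^\[]*\[" + HOST + r"\]"), 1),
    # Per-recipient rejection: one typo must not ban the sending host.
    "user-unknown": (re.compile(r"reject: RCPT from [^\[]*\[" + HOST + r"\]:.*User unknown in local recipient table"), 5),
    # A client may legitimately drop after STARTTLS and reconnect in plain SMTP.
    "lost-after-starttls": (re.compile(r"lost connection after STARTTLS from [^\[]*\[" + HOST + r"\]"), 3),
}

TS_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d)")


def parse_ts(line):
    """Parse the syslog-style timestamp at the start of a line (year is not logged)."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(2)} {m.group(3)}", "%b %d %H:%M:%S")


def scan(log_text, window=timedelta(minutes=10), bantime=timedelta(hours=1)):
    """Return {host: {rule: ban_expiry}} for hosts that reached a rule's threshold.

    Hits are counted per (host, rule) over a sliding window, so a single
    bad recipient never bans a client while a dictionary run still does.
    """
    hits = {}   # (host, rule) -> deque of timestamps still inside the window
    bans = {}   # host -> {rule: expiry}
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        for rule, (pattern, threshold) in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            host = m.group("host")
            q = hits.setdefault((host, rule), deque())
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and rule not in bans.get(host, {}):
                bans.setdefault(host, {})[rule] = ts + bantime
    return bans


if __name__ == "__main__":
    for host, rules in scan(SAMPLE_LOG).items():
        for rule, expiry in rules.items():
            print(f"ban {host} ({rule}) until {expiry:%H:%M:%S}")
```

Run as-is and the two single-hit rules ban 203.0.113.10 and 203.0.113.11 immediately, 192.0.2.7 is banned on its fifth unknown recipient, and neither the host that mistyped one address twice nor the host that dropped once after STARTTLS is touched; a real deployment would feed journal or syslog lines into `scan` and hand the result to whatever does the actual blocking.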