On Tue, May 11, 2021 at 07:38:18PM +0300, IL Ka wrote:
> If no, then you should use SASL to auth the client.
> Be sure to force TLS (smtpd_tls_auth_only) in this case.
> You can also enable client certificate verification (see TLS_README) to
> make the system even more secure.
> Also, use "smtpd_sender_login_maps" to make sure client uses only allowed
> "From".
>
> Some untrusted clients should never send email anywhere except one/two
> well-known addresses.
> This could be done with regex-based virtual(5), and it could be convenient
> to configure it on the separate server not to pollute your MTA.
>
> There are some "dumb" SMTP clients that can't use SMTP AUTH nor TLS. If you
> want such client to be connected to your MTA via the public Internet,
> then you have to install "relayhost" for it

This is all very helpful! And it gives us a lot of good ideas for further locking down this smart host, should we decide to implement it.

Thanks,
Bryan
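
The settings named in the quoted advice, laid out as a main.cf fragment. This is an added example, not part of the thread; the file paths, map type and map contents are assumptions.

```conf
# /etc/postfix/main.cf (added example; paths and map names are assumptions)

# Offer STARTTLS, and advertise/accept AUTH only once TLS is active.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/smarthost.pem
smtpd_tls_key_file = /etc/postfix/tls/smarthost.key
smtpd_tls_auth_only = yes

# SASL authentication for submitting clients.
smtpd_sasl_auth_enable = yes

# Relay only for authenticated clients; anything else must be for a
# destination this host is responsible for.
smtpd_relay_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination

# Tie each SASL login to the sender addresses it may use.
# The map alone enforces nothing; reject_sender_login_mismatch does.
# Map format (constructed entry): "printer@example.com    printer-login"
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions = reject_sender_login_mismatch

# Optional: request a client certificate (see TLS_README).
# This only asks for a certificate; it does not require one.
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/tls/client-ca.pem
```

smtpd_sender_login_maps is checked against the envelope sender (MAIL FROM), not the From: header in the message body. Run `postmap` on the map file after editing it, and confirm the effective values with `postconf -n`.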