On 2022-03-04 at 03:55:54 UTC-0500 (Fri, 4 Mar 2022 10:55:54 +0200) Nikolaos Milas <nmi...@noa.gr> is rumored to have said:
> On 4/3/2022 10:22 a.m., Matus UHLAR - fantomas wrote:
>> ...
>> Another solution would of course be disabling SMTP connections from the world.
>> ...
>
> Thank you Matus for all your advice.
>
> Regarding blocking port 25 from the world, couldn't it cause issues when
> communicating to other SMTP servers since this is our SMTP server (for
> outgoing mail)?

No. Port 25 is only used for incoming SMTP connections. When your server sends mail, it uses an ephemeral high port number for the local end and connects to port 25 on the receiving server. If you do not accept mail directly from the world at large, you do not need to accept connections from the world on port 25.

> Of course, users connect to port 587 to send mail, but aren't there any
> scenarios when the server needs to be contacted directly by other SMTP
> servers around the world? For example, if a remote server wants to send a
> non-deliverable notification for a mail it received from our server
> (vmail2.noa.gr) will it *always* check our zone MX records to reply using the
> mail gateway servers rather than replying directly to the source?

Right now, vmail2.noa.gr has no MX record and the IPv4 address for it (which is what would be used without any MX) is not accepting connections on port 25, so I'm not 100% sure how that relates to this, i.e. it looks like you're already dropping port 25 traffic inbound. So, I'm not sure that I understand the question correctly...

NDNs are sent to the envelope sender ("Return-Path") of the original message. For one-to-one mail that is almost always the same as the From header of a message. In some cases (mailing lists and mail forwarded by servers that do SRS to protect messages from SPF rejection) the envelope sender may use the domain name of the mail server doing the forwarding, in which case the best practice is to have an MX record for that name.

With Postfix, the name that the server uses for mail generated locally is $myorigin, which can be any valid name that works and defaults to $myhostname, which defaults to whatever the system call gethostname() returns, qualified with ".$mydomain" if necessary. NDNs generated by Postfix (or any MTA) use a null envelope sender, so they are not a problem.

IN SHORT: Unless you are doing something which rewrites the envelope sender of mail with the hostname of the server, that server does not need to accept mail on port 25 from the world at large.

> If it's operationally safe, I'd rather block port 25 from outside on this
> server (using iptables).

It looks like you are doing that now. It is almost certainly safe for a system where inbound mail is coming through a gateway to which your MX records point. It is also safe, and considered a best practice, to disable authentication on port 25 because authenticated mail should be coming in on port 587 or 465.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
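As an added illustration, not part of the thread above, here is a constructed script for the setup Bill describes: drop inbound port 25 from the world while outbound delivery keeps working (reply packets match the ESTABLISHED state because the local end is an ephemeral port), let only the MX gateway deliver on 25, and confine SASL authentication to 587/465. The gateway address 192.0.2.10, the use of iptables and postconf, and the presence of submission/smtps services in master.cf are assumptions.

```shell
#!/bin/sh
# Constructed example (not from the mailing-list thread) for a Postfix host
# that only sends mail to the world and accepts authenticated submission on
# 587/465. Gateway address and tool choice (iptables, postconf) are assumptions.
# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Firewall: inbound port 25 is only needed for hosts that deliver mail to us.
# Outbound SMTP is unaffected: our side uses an ephemeral port and the
# server's replies match ESTABLISHED,RELATED.
firewall_rules() {
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Constructed gateway IP: the host your MX records point at may relay to us.
    run iptables -A INPUT -p tcp -s 192.0.2.10 --dport 25 -j ACCEPT
    # Authenticated user submission only on 587 (STARTTLS) and 465 (implicit TLS).
    run iptables -A INPUT -p tcp --dport 587 -j ACCEPT
    run iptables -A INPUT -p tcp --dport 465 -j ACCEPT
    # Everything else arriving on port 25 from the world is dropped.
    run iptables -A INPUT -p tcp --dport 25 -j DROP
}

# Postfix: no SASL on the port-25 smtpd; enable it only on the submission and
# smtps services (assumed to exist in master.cf), where -o overrides main.cf.
postfix_settings() {
    run postconf -e 'smtpd_sasl_auth_enable = no'
    run postconf -P 'submission/inet/smtpd_sasl_auth_enable=yes'
    run postconf -P 'submission/inet/smtpd_tls_security_level=encrypt'
    run postconf -P 'smtps/inet/smtpd_sasl_auth_enable=yes'
    run postconf -P 'smtps/inet/smtpd_tls_wrappermode=yes'
}

firewall_rules
postfix_settings
```

Run with DRY_RUN=0 as root to apply; rule order matters, so the gateway ACCEPT must precede the port-25 DROP as shown.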