On 5/17/2022 9:14 AM, White, Daniel E. (GSFC-770.0)[AEGIS] wrote:
This is part of what I plan to put on our new MTA (Postfix only) and MDA 
(Postfix/Dovecot) servers.
Please tell me if I am doing anything foolish / dangerous.
My concern is whether I should put "permit_mynetworks" higher in the sender and 
recipient restrictions.

Most of my restriction configs have permit_mynetworks first. There are only a few networks in the mynetworks list, and they are sources that I trust completely, so I have no problem with not running all the other checks for those sources.  Exceptions: smtpd_helo_restrictions and smtpd_sender_restrictions.  Those config items do have permit_mynetworks, but it is not listed first.

I would argue that if you cannot completely trust a source, it should not be in your mynetworks list and probably should be authenticated before you allow it to use your server.

All of my satellite Postfix configs (which are on the mynetworks list also) are authenticating and using the submission port to send mail through my mail server.  Which means that they are bypassing most of the restrictions anyway.

Not an expert.  I am curious to find out whether the experts agree with what I have said.

Thanks,
Shawn
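
The ordering question in this thread, as an added sketch (not part of the original messages and not Postfix code): a simplified Python model of how a single smtpd restriction list is walked, showing which checks a mynetworks client still goes through depending on where permit_mynetworks sits. The networks, domains and sessions are constructed, the DNS lookup is replaced by a fixed set, and only one list is modelled; Postfix evaluates each smtpd_*_restrictions list separately.

```python
import ipaddress

# All values below are constructed for illustration (documentation address ranges).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/28")]
RESOLVABLE = {"example.org", "example.net"}  # stand-in for a DNS lookup

def domain(addr):
    """Part after the last '@', or the whole string when there is no '@'."""
    return addr.rpartition("@")[2].lower()

def in_mynetworks(session):
    client = ipaddress.ip_address(session["client"])
    return any(client in net for net in MYNETWORKS)

# Simplified model: each check returns "OK", "REJECT" or "DUNNO" (no decision).
CHECKS = {
    "permit_mynetworks": lambda s: "OK" if in_mynetworks(s) else "DUNNO",
    "reject_non_fqdn_sender":
        lambda s: "REJECT" if "." not in domain(s["sender"]) else "DUNNO",
    "reject_unknown_sender_domain":
        lambda s: "DUNNO" if domain(s["sender"]) in RESOLVABLE else "REJECT",
}

def evaluate(restrictions, session):
    """Walk one restriction list; the first OK or REJECT ends it."""
    ran = []
    for name in restrictions:
        ran.append(name)
        verdict = CHECKS[name](session)
        if verdict != "DUNNO":
            return verdict, ran
    return "OK", ran  # end of list without a decision: this list permits

MYNETWORKS_FIRST = ["permit_mynetworks", "reject_non_fqdn_sender",
                    "reject_unknown_sender_domain"]
MYNETWORKS_LAST = ["reject_non_fqdn_sender", "reject_unknown_sender_domain",
                   "permit_mynetworks"]

# Constructed sessions: an internal host with an unqualified sender, and an outside client.
TRUSTED = {"client": "192.0.2.5", "sender": "cron@host1"}
OUTSIDE = {"client": "203.0.113.9", "sender": "alice@example.net"}

if __name__ == "__main__":
    for label, rules in (("first", MYNETWORKS_FIRST), ("last", MYNETWORKS_LAST)):
        for who, session in (("trusted", TRUSTED), ("outside", OUTSIDE)):
            print(label, who, evaluate(rules, session))
```

With permit_mynetworks first, the trusted host is accepted before any sender check runs; with it last, the same host's unqualified sender is rejected, while the outside client gets the same verdict under both orderings.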
