> On Sat, May 13, 2023 at 06:51:30PM +0800, Tom Reed via Postfix-users
> wrote:
>
>> Can I set up only port 25 open to the world? If port 465/587 are filtered
>> by iptables which only permit internal users to connect, does this make
>> sense to external MTAs (such as google, MS's)?
>
> You do not need to expose ports other than 25 to outside sources (you
> don't have to operate anything on those ports except as needed by your
> own users).
>
> For the blocked ports, your firewall should typically reply with a TCP
> RST, rather than just drop packets. This could at least be useful on
> the "ident" port:
>
Hello,

So this iptables should work?

/usr/sbin/iptables -F
# loopback
/usr/sbin/iptables -A INPUT -p tcp -s 127.0.0.1 -j ACCEPT
# my networks as follows
/usr/sbin/iptables -A INPUT -p tcp -s 20.127.91.0/24 -j ACCEPT
# reject other ports than 25 (with a TCP RST, not a silent drop)
/usr/sbin/iptables -A INPUT -p tcp --dport 993 -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A INPUT -p tcp --dport 143 -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A INPUT -p tcp --dport 465 -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A INPUT -p tcp --dport 587 -j REJECT --reject-with tcp-reset
# port 25 and anything not listed above fall through to the INPUT chain's default policy

Thank you again.

regards
Tom

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
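The same policy written out as a complete iptables-restore ruleset, as an added example that is not part of the thread or of Postfix itself: SMTP on 25 is accepted from anywhere, the user-facing ports (IMAP, IMAPS, SMTPS, submission) only from the networks passed as arguments, and every other TCP port, ident (113) included, answers with a RST as the reply above recommends. The explicit DROP policy, the loopback match by interface, the conntrack rule and the ICMP accept are this example's own choices; the internal network 20.127.91.0/24 is the one from the question.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a mail host: inbound SMTP (25) from
# the world, submission/IMAP ports only from trusted networks, everything
# else TCP answered with a RST instead of being silently dropped.
#
# Usage: gen_mail_rules TRUSTED_NET [TRUSTED_NET ...] > rules.v4
#        review the output, then load it with: iptables-restore < rules.v4
gen_mail_rules() {
    # Ports only our own users need: IMAP, SMTPS, submission, IMAPS.
    internal_ports="143,465,587,993"

    printf '%s\n' '*filter'
    # Explicit default policy: nothing reaches INPUT unless a rule allows it
    # (the question's rules relied on whatever the chain policy happened to be).
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback matched by interface rather than by source address 127.0.0.1,
    # so the rule cannot be satisfied by a packet arriving on another interface.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened (DNS lookups, outbound delivery).
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # ICMP stays open so path-MTU discovery keeps working for SMTP sessions.
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    # Each trusted network gets the user-facing ports and nothing more.
    for net in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $net -m multiport --dports $internal_ports -j ACCEPT"
    done
    # The only service the whole Internet needs: inbound SMTP.
    printf '%s\n' '-A INPUT -p tcp --dport 25 -j ACCEPT'
    # All other TCP ports (ident/113 among them): reply with a RST.
    printf '%s\n' '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
    # UDP gets an ICMP port-unreachable; anything else hits the DROP policy.
    printf '%s\n' '-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# Print the ruleset for the network named in the question.
gen_mail_rules 20.127.91.0/24
```

Rule order matters here: the per-network ACCEPT lines and the port-25 ACCEPT must precede the catch-all REJECT, because iptables stops at the first match. The trusted networks are limited to the listed ports rather than accepting all TCP from them; add further ports to `internal_ports` if internal users need other services on this host.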