On 14/05/2023 01:09, Tom Reed via Postfix-users wrote:
>> On Sat, May 13, 2023 at 06:51:30PM +0800, Tom Reed via Postfix-users
>> wrote:
>>
>>> Can I set up only port 25 open to the world? If port 465/587 are filtered
>>> by iptables which only permit internal users to connect, does this make
>>> sense to external MTAs (such as google, MS's)?
>>
>> You do not need to expose ports other than 25 to outside sources (you
>> don't have to operate anything on those ports except as needed by your
>> own users).
>>
>> For the blocked ports, your firewall should typically reply with a TCP
>> RST, rather than just drop packets. This could at least be useful on
>> the "ident" port:
>>
> Hello,
>
> So this iptables should work?
>
> /usr/sbin/iptables -F
> /usr/sbin/iptables -A INPUT -p tcp -s 127.0.0.1 -j ACCEPT
> # my networks as follows
> /usr/sbin/iptables -A INPUT -p tcp -s 20.127.91.0/24 -j ACCEPT
> # reject other ports than 25
> /usr/sbin/iptables -A INPUT -p tcp --dport 993 -j REJECT --reject-with tcp-reset
> /usr/sbin/iptables -A INPUT -p tcp --dport 143 -j REJECT --reject-with tcp-reset
> /usr/sbin/iptables -A INPUT -p tcp --dport 465 -j REJECT --reject-with tcp-reset
> /usr/sbin/iptables -A INPUT -p tcp --dport 587 -j REJECT --reject-with tcp-reset
>

FWIW, I would have said accept from the world port 25, with a global reject of EVERYTHING else.

It is the "default deny" security stance: expressly allow ONLY the ports you want "them" to see.

Regards
Allen C

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
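A ruleset in the "default deny" shape described above, written here as an added example (it is not from the thread, nor from Postfix or the iptables project). It emits an iptables-restore file rather than running individual iptables commands, so the whole chain is loaded atomically and the default policy is DROP from the first line instead of after a flush. Port 25 is the only port accepted from any source; submission and IMAP are accepted only from the internal network; everything else gets an explicit reject, with a TCP RST for TCP, as Viktor suggests. The internal network 192.0.2.0/24 is a constructed placeholder (TEST-NET-1), and the function names are the author's own.

```shell
#!/bin/sh
# Added example: "default deny" INPUT chain for a mail host.
# Assumptions: iptables with the conntrack and multiport match modules,
# and a placeholder internal network (replace INTERNAL_NET with yours).

INTERNAL_NET="${INTERNAL_NET:-192.0.2.0/24}"   # constructed placeholder LAN
USER_PORTS="465,587,143,993"                    # submission + IMAP: internal users only

# Print the complete ruleset in iptables-restore format.
mail_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMP is needed for path MTU discovery and basic diagnostics
-A INPUT -p icmp -j ACCEPT
# SMTP from anywhere: the only port the outside world needs to see
-A INPUT -p tcp --dport 25 -j ACCEPT
# submission and IMAP only from the internal network
-A INPUT -p tcp -s $INTERNAL_NET -m multiport --dports $USER_PORTS -j ACCEPT
# everything else: reject explicitly (RST for TCP) instead of silently dropping,
# so remote hosts fail fast rather than waiting on a timeout
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Sanity check before loading: count ACCEPT rules that name a port but carry
# no source (-s) restriction. On a default-deny mail host that must be exactly
# one, the SMTP rule.
world_open_ports() {
    mail_firewall_rules | grep -- '-j ACCEPT' | grep -- '--dport' | grep -vc -- ' -s '
}

# True when the INPUT chain's default policy is DROP, i.e. nothing not listed
# above can reach the host even if a later rule is removed by mistake.
has_default_deny_policy() {
    mail_firewall_rules | grep -q '^:INPUT DROP'
}

# Load the ruleset atomically. Needs root and iptables-restore; the checks
# above run first so a misedited ruleset is never installed.
apply_rules() {
    has_default_deny_policy || { echo "INPUT policy is not DROP" >&2; return 1; }
    [ "$(world_open_ports)" -eq 1 ] || { echo "unexpected world-open ports" >&2; return 1; }
    mail_firewall_rules | iptables-restore
}

# Usage (as root): INTERNAL_NET=10.0.0.0/8 sh mail-firewall.sh apply
# Without "apply" the ruleset is only printed for review.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

The two check functions are what make this safer than a list of ad-hoc iptables commands: they run against the generated text before anything touches the kernel, so a stray `-j ACCEPT` added later for a second port will be caught by `world_open_ports` rather than quietly exposing it.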