On 23 January 2018 at 04:20, Noel Jones wrote:
> Strong spam indicators for the HELO are
> (note: this is for mail coming from the internet. Authenticated
> submission mail or legit mail from devices on your network might
> break any of these)
> - a dynamic hostname (eg. 89-73-46-234.dynamic.chel
On 1/22/2018 8:36 PM, J Doe wrote:
>>> smtpd_helo_required = yes
>>> smtpd_helo_restrictions = permit_mynetworks,
>>>reject_unauth_pipelining,
>>>reject_invalid_helo_hostname,
>>>reject_non_fqdn_helo_hostname,
>>>check_helo_access hash:/etc/postfix/helo_acl,
>>>reject_unknow
Replies in the middle of the email for clarity.
On Mon, 22 Jan 2018 17:18:42 -0500
"Bill Cole" wrote:
> On 21 Jan 2018, at 20:44 (-0500), li...@lazygranch.com wrote:
>
> > The reverse DNS can only point to one domain
> > name.
>
> Not so. Multiple PTR records for one address may violate some
Hi,
> On Jan 22, 2018, at 8:43 AM, Matus UHLAR - fantomas wrote:
>
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = permit_mynetworks,
>>reject_unauth_pipelining,
>> reject_invalid_helo_hostname,
>>reject_non_fqdn_helo_hostname,
>>check_helo_access hash:/etc/postfix/he
Hi Noel,
> On Jan 21, 2018, at 3:35 PM, Noel Jones
>> smtpd_client_restrictions = permit_mynetworks,
>>reject_unauth_pipelining,
>>check_client_access hash:/etc/postfix/client_acl,
>>reject_unknown_client_hostname,
>>permit
>
> reject_unknown_client_hostname is likely to rej
On 21 Jan 2018, at 20:44 (-0500), li...@lazygranch.com wrote:
The reverse DNS can only point to one domain
name.
Not so. Multiple PTR records for one address may violate some people's
expectations, but it's not wrong if the address doesn't really have a
public name that is more "real" than t
On 22 Jan 2018, at 15:31, Viktor Dukhovni wrote:
> On Jan 22, 2018, at 2:43 AM, DTNX Postmaster wrote:
>
>>> A "real" certificate is useful if you have customers connecting to
>>> your server as a submission service. While self-signed certs work
>>> fine for that purpose too, sometimes it's eas
> On Jan 22, 2018, at 10:06 AM, Danny Horne wrote:
>
> Private CA sounds interesting, will have to read up about it
You can get away with a lot less complexity than the usual OpenSSL CA.
See, for example:
https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh
which
On 21/01/2018 9:35 pm, Viktor Dukhovni wrote:
>
> Indeed stick with what you've got. You could (if not intimidated by the
> logistics, but we may have more tools for you in this space soonish) also
> implement a private CA that signs your no-longer self-signed server cert.
> This makes it possible
On 2018-01-20 16:08, Joris (ideeel) wrote:
> hi list
>
> I run a webservice (and a mail service). All websites run under the
> same UID of apa...@webserver.domain.com. I know, not ideal, but i
> cannot change that bit. Problem is that if one site gets hacked, user
> apache starts sending spam with
> On Jan 22, 2018, at 2:43 AM, DTNX Postmaster wrote:
>
>> A "real" certificate is useful if you have customers connecting to
>> your server as a submission service. While self-signed certs work
>> fine for that purpose too, sometimes it's easier to avoid talking
>> folks into how to import you
On 21.01.18 00:56, J Doe wrote:
I have a basic SMTP server set up with what I believe to be good smtpd_*_
restrictions, but I was wondering if anyone could provide any insight on
how to improve them or if I have been redundant in the restrictions. Even
with reading the man pages, I find some of
12 matches
Mail list logo
