Hi,

>> What is the optimal configuration (local.cf or other) for an ISP's
>> MSAs to prevent unauthenticated dynamic-IP customers from triggering
>> dynamic tests, but still benefiting from general filtering?
>>
>> I was hoping for a magical 'mua_networks' option, which let me
>> enumerate the IP space that my users submit from, and automatically
>> exempt them from DOS_OE_TO_MX, etc., but I haven't been able to find
>> anything like that.

I've added ranges of networks to $mynetworks in postfix, effectively making them a trusted relay, but their IPs still shift quite frequently of course, so it's not a very good solution. Maybe an option would be to create another postfix instance to skip scanning altogether based on pop-before-smtp auth or something? I don't believe TLS would help here either, right? It would be nice, but it only supports encryption and not authentication on Outlook clients, right? The real solution to this is smtp-auth, which is the way Google does it, right?

> All dynamic rules look at external relays. So if you have SA on the relay
> that accepts mail from dynamic space, you need to include all that in
> internal_networks and disable ALL_TRUSTED since it would always hit.

Yes, and due to the nature of dynamic being dynamic, it's a real challenge. Any suggestions on how to populate that with trusted information, then?

Thanks,
Alex