Hi again Viktor,

> "Best practice is to require submission users sending outbound mail do so via ports 465 and/or 587."
Indeed here, I'm able to connect to my smtp service *only* through:

  port 465 - SSL only
  port 587 - TLS only

Authentication/login is not enabled on port 25, however port 25 is still open for worldwide communication, as usual. I have:

  smtp       inet  n  -  y  -  -  smtpd
  submission inet  n  -  y  -  -  smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
    -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  smtps      inet  n  -  y  -  -  smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

I don't really *deeply* know how safe I go with my master settings above. Anything absurd? But I guess most of my rules are happening in main.cf, which is listed here: https://pastebin.mozilla.org/i5tMtPAk

I've learned a lot from your replies, very grateful! Thank you,
Mark.

Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote on Sun, 4 Feb 2024 at 19:14:

> On Sun, Feb 04, 2024 at 01:22:45PM +0200, Mark via Postfix-users wrote:
>
> > Is it better to list reject_unauth_destination after;
> >
> >     permit_mynetworks,
> >     permit_sasl_authenticated,
> >
> > Or before these? And why?
>
> Best practice is to require submission users sending outbound mail do so
> via ports 465 and/or 587.  If also the MTA instance in question is *not*
> a "smarthost" outbound relay for some set of "internal" machines
> authorised by IP address, then you simply don't need either of:
>
>     permit_mynetworks,
>     permit_sasl_authenticated
>
> instead, the simplest setting of "smtpd_relay_restrictions" can be
>
>     smtpd_relay_restrictions = reject_unauth_destination
>
> If however some "trusted IP" clients or some "authenticated" users are
> using port 25 to send outbound mail, then you need to add either or both
> of:
>
>     permit_mynetworks,
>     permit_sasl_authenticated
>
> *before* rejecting mail for external domains.
>
> > And finally, here are my helo and sender restrictions;
> >
> >     smtpd_helo_restrictions =
> >         permit_mynetworks,
> >         permit_sasl_authenticated,
> >         reject_invalid_helo_hostname,
> >         reject_non_fqdn_helo_hostname,
> >         permit
> >
> >     smtpd_sender_restrictions =
> >         reject_non_fqdn_sender,
> >         reject_unlisted_sender,
> >         permit_mynetworks,
> >         permit_sasl_authenticated,
> >         reject_unknown_sender_domain,
> >         permit
> >
> > You might wish to give your opinions on these above as well?
>
> Whatever works for you, so long as you understand what these do,
> and these meet your goals.  The main thing is to configure
> separate rules for port 25 and (via master.cf overrides) for
> submission on port 465 and 587.  I have:
>
>     submission inet n - n - - smtpd
>       -o syslog_name=postfix/submission
>       -o smtpd_sasl_auth_enable=yes
>       -o smtpd_tls_security_level=encrypt
>       -o smtpd_tls_dh1024_param_file=${config_directory}/dh2048.pem
>       -o smtpd_client_restrictions=
>       -o smtpd_helo_restrictions=
>       -o smtpd_sender_restrictions=
>       -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>       -o smtpd_recipient_restrictions=
>       -o smtpd_data_restrictions=
>       -o smtpd_end_of_data_restrictions=
>       -o milter_macro_daemon_name=ORIGINATING
>       -o smtpd_milters=$mua_milters
>       -o always_add_missing_headers=yes
>       -o header_checks=$submit_header_checks
>       -o body_checks=
>
> > I'm trying to be as restrictive as possible, against haux&pseudo
> > hostnames/helo attempts, spammers and attackers.
>
> Best to go with: as restrictive as reasonably practical.  Some junk will
> get through, that's OK, provided it does not drown users in a torrent
> of spam, dominating legitimate mail.
>
> --
>     Viktor.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
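A small lint for the split Viktor describes in the thread: no AUTH on the port-25 smtpd, permit_mynetworks / permit_sasl_authenticated listed before reject_unauth_destination, and the submission services relaying only for authenticated users. This is an added example, not code from the thread, the posters or the Postfix project; the embedded master.cf is constructed after Mark's, and main.cf's smtpd_relay_restrictions is passed in as a string because master.cf does not carry it.

```python
# Added example for this thread (stdlib only), not code from the post or from Postfix; MASTER_CF below is constructed after Mark's.
import shlex
MASTER_CF = """\
smtp       inet n - y - - smtpd
submission inet n - y - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

def parse_master_cf(text):
    """service -> (command, {-o overrides}); indented lines continue the previous entry (master(5))."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:  # continuation line belongs to the entry above
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    services = {}
    for entry in entries:
        f = shlex.split(entry)  # service type private unpriv chroot wakeup maxproc command [args]
        args = iter(f[8:])
        overrides = {k: v for a in args if a == "-o" for k, _, v in [next(args, "").partition("=")]}
        services[f[0]] = (f[7], overrides)
    return services

def permits_before_reject(restrictions):
    """Ordering rule from the reply: permit_* for trusted clients must come before reject_unauth_destination."""
    if "reject_unauth_destination" not in restrictions:
        return False
    cut = restrictions.index("reject_unauth_destination")
    return all(restrictions.index(p) < cut
               for p in ("permit_mynetworks", "permit_sasl_authenticated") if p in restrictions)

def lint(services, main_cf_relay):
    """Findings for each smtpd service; main_cf_relay is smtpd_relay_restrictions from main.cf."""
    findings = []
    for name, (command, o) in services.items():
        if command != "smtpd":
            continue
        relay = o.get("smtpd_relay_restrictions", main_cf_relay).replace(" ", "").split(",")
        if name == "smtp":  # port 25: no AUTH here, relay decided only by the main.cf rule
            if o.get("smtpd_sasl_auth_enable") == "yes":
                findings.append("smtp: AUTH enabled on port 25; keep submission on 465/587")
            if not permits_before_reject(relay):
                findings.append("smtp: reject_unauth_destination missing or placed before permit_*")
        elif o.get("smtpd_sasl_auth_enable") != "yes" or relay != ["permit_sasl_authenticated", "reject"]:
            findings.append(f"{name}: needs smtpd_sasl_auth_enable=yes and permit_sasl_authenticated,reject")
    return findings
```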