Hi Matus,

Thanks for the idea below. I'm going to try wrapping them in $mua in main.cf.

However, you said:

"Looking at your smtpd_recipient_restrictions and using reject_rbl_client,
you need to override them too."

I really didn't get this. By "overriding", could you please explain further
where I made a mistake?

Regards.


Matus UHLAR - fantomas via Postfix-users <postfix-users@postfix.org> wrote on
Mon, 5 Feb 2024 at 15:15:

> On 04.02.24 22:06, Mark via Postfix-users wrote:
> >->"Best practice is to require submission users sending outbound mail do so
> >via ports 465 and/or 587."
> >
> >Indeed here, I'm able to connect my smtp service *only* through;
> >port 465 - SSL only
> >port 587 - TLS only
> >
> >Authentication/login is not enabled on port 25,
> >however port 25 is still open for worldwide communication, as usual.
> >
> >I have:
> >
> >smtp      inet  n       -       y       -       -       smtpd
> >submission inet n       -       y       -       -       smtpd
> >  -o smtpd_sasl_auth_enable=yes
> >  -o smtpd_tls_auth_only=yes
> >  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
> >  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> >  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> >
> >smtps     inet  n       -       y       -       -       smtpd
> >  -o smtpd_tls_wrappermode=yes
> >  -o smtpd_sasl_auth_enable=yes
> >  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
> >  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> >  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> >
> >I don't really *deeply* know how safe I go with my master settings above..
> >Anything absurd?
>
>
> I use these two for submission/submissions in master.cf
>
>    -o smtpd_client_restrictions=$mua_client_restrictions
>    -o smtpd_helo_restrictions=$mua_helo_restrictions
>    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>
> where main.cf contains:
>
> mua_client_restrictions = permit_sasl_authenticated, check_client_access static:{530 5.7.0 Authentication Required.}
> mua_helo_restrictions =
>
> which means:
> - unauthenticated clients get error "530 5.7.0 Authentication Required."
> - completely no HELO restrictions
> - senders and recipients are handled the same way for internal and external
>    clients, we have some banned domains who stopped providing mail service
>
>
> >But I guess most of my rules are happening in main.cf, which is listed here;
> >
> >https://pastebin.mozilla.org/i5tMtPAk
>
>
> looking at your smtpd_recipient_restrictions and using reject_rbl_client,
> you need to override them too.
> I have moved those to postscreen and only use like nonexistent domains,
> users, banned domains described above
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> A day without sunshine is like, night.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
>
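Added example, not part of the original thread or of either poster's configuration: a small Python script showing what "overriding" means here, i.e. which smtpd restriction lists each master.cf service replaces with -o and which it still inherits from main.cf. The master.cf text is the one quoted above; the main.cf values, including the RBL zone rbl.example.org, are constructed because the real main.cf is only linked.

```python
import re

RESTRICTIONS = tuple(f"smtpd_{c}_restrictions" for c in
                     ("client", "helo", "sender", "recipient", "relay", "data"))
# master.cf entries as posted in the thread.
MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""
# Constructed main.cf values (real file not shown); unset means empty here.
MAIN_CF = {
    "smtpd_helo_restrictions": "reject_invalid_helo_hostname",
    "smtpd_recipient_restrictions": "reject_rbl_client rbl.example.org",
}

def parse_master(text):
    """Return {service: {param: value}} for simple -o name=value overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # a new service entry starts here
            current = line.split()[0]
            services[current] = {}
        for m in re.finditer(r"-o\s+(\w+)=(\S+)", line):
            services[current][m.group(1)] = m.group(2)
    return services

def effective(overrides, main):
    """Map each restriction list to (source file, value) for one service."""
    return {p: ("master.cf", overrides[p]) if p in overrides
            else ("main.cf", main.get(p, "")) for p in RESTRICTIONS}

def inherited(overrides, main):
    """Non-empty main.cf restriction lists that the service does not override."""
    return sorted(p for p, (src, val) in effective(overrides, main).items()
                  if src == "main.cf" and val)
```

On a live system, `postconf -P` lists the same per-service overrides.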