Hi Matus,

Thanks for the idea below. I'm going to try wrapping them in $mua in main.cf.

However, you said: "Looking at your smtpd_recipient_restrictions and using reject_rbl_client, you need to override them too." I really didn't get this. By "overriding", could you explain further please where I made a mistake?

Regards.

Matus UHLAR - fantomas via Postfix-users <postfix-users@postfix.org> wrote on Mon, 5 Feb 2024 at 15:15:

> On 04.02.24 22:06, Mark via Postfix-users wrote:
> >->"Best practice is to require submission users sending outbound mail do so
> >via ports 465 and/or 587."
> >
> >Indeed here, I'm able to connect my smtp service *only* through;
> >port 465 - SSL only
> >port 587 - TLS only
> >
> >Authentication/login is not enabled on port 25,
> >however port 25 is still open for worldwide communication, as usual.
> >
> >I have:
> >
> >smtp inet n - y - - smtpd
> >submission inet n - y - - smtpd
> >  -o smtpd_sasl_auth_enable=yes
> >  -o smtpd_tls_auth_only=yes
> >  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
> >  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> >  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> >
> >smtps inet n - y - - smtpd
> >  -o smtpd_tls_wrappermode=yes
> >  -o smtpd_sasl_auth_enable=yes
> >  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
> >  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> >  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> >
> >I don't really *deeply* know how safe I go with my master settings above..
> >Anything absurd?
>
> I use these two for submission/submissions in master.cf
>
>   -o smtpd_client_restrictions=$mua_client_restrictions
>   -o smtpd_helo_restrictions=$mua_helo_restrictions
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>
> where main.cf contains:
>
> mua_client_restrictions = permit_sasl_authenticated, check_client_access
>     static:{530 5.7.0 Authentication Required.}
> mua_helo_restrictions =
>
> which means:
> - unauthenticated clients get error "530 5.7.0 Authentication Required."
> - completely no HELO restrictions
> - senders and recipients are handled the same way for internal and external
>   clients, we have some banned domains who stopped providing mail service
>
> >But I guess most of my rules are happening in main.cf, which is listed here;
> >
> >https://pastebin.mozilla.org/i5tMtPAk
>
> looking at your smtpd_recipient_restrictions and using reject_rbl_client,
> you need to override them too.
> I have moved those to postscreen and only use like nonexistent domains,
> users, banned domains described above
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> A day without sunshine is like, night.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
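The thread turns on which smtpd_*_restrictions a submission service inherits from main.cf when master.cf carries no `-o` override for them. The following audit script is an added example, not code from the thread or from Postfix: it reports which SASL-enabled services would still evaluate `reject_rbl_client`. The sample main.cf, the RBL zone name and all function names are constructed for illustration, and it assumes `-o name=value` overrides without spaces or braces.

```python
import re

# Constructed sample input (not the poster's real files); the RBL zone is a placeholder.
MAIN_CF = """\
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    reject_rbl_client rbl.example.invalid
mua_client_restrictions = permit_sasl_authenticated, reject
"""
MASTER_CF = """\
smtp       inet n - y - - smtpd
submission inet n - y - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps      inet n - y - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Drop comment lines, then fold indented continuation lines into their parent."""
    text = re.sub(r"(?m)^[ \t]*#.*\n?", "", text)
    return [l for l in re.sub(r"\n[ \t]+", " ", text).splitlines() if l.strip()]

def parse_main_cf(text):
    """Return {parameter: value} for every 'name = value' logical line."""
    return dict([p.strip() for p in l.split("=", 1)] for l in logical_lines(text) if "=" in l)

def parse_master_cf(text):
    """Return {"name type": {parameter: value}} from each service's -o overrides."""
    return {" ".join(l.split()[:2]): dict(re.findall(r"-o\s+([^\s=]+)=(\S*)", l))
            for l in logical_lines(text)}

def inherited_rbl_checks(main_text, master_text):
    """Map each SASL-enabled service to the restriction lists that still run reject_rbl_client."""
    main, findings = parse_main_cf(main_text), {}
    for svc, opts in parse_master_cf(master_text).items():
        if opts.get("smtpd_sasl_auth_enable") == "yes":
            hits = []
            for cls in ("client", "helo", "sender", "recipient", "relay"):
                param = f"smtpd_{cls}_restrictions"
                value = opts.get(param, main.get(param, ""))   # -o wins over main.cf
                if value.startswith("$"):                      # e.g. $mua_client_restrictions
                    value = main.get(value[1:].strip("{}"), "")
                if "reject_rbl_client" in value:
                    hits.append(param)
            if hits:
                findings[svc] = hits
    return findings
```

On the constructed sample, `inherited_rbl_checks(MAIN_CF, MASTER_CF)` flags only the `submission` service, because `smtps` overrides `smtpd_recipient_restrictions` and plain `smtp` does not enable SASL in master.cf.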