Re: smtpd_client_restrictions break connection immediately after connect

2008-10-16 Thread Bill Cole

ram wrote:

On one of my servers I have put in main.cf

smtpd_client_restrictions = permit_mynetworks,reject
Because I want only my internal servers to use this machine as a relay. 

This works as expected, but when connections come from outside
mynetworks the Error comes only after RCPT TO:

For rejections within SMTP, this is the safest approach, and in Postfix it 
is the result of the smtpd_delay_reject setting, which is normally yes 
(with modern Postfix) to prevent problems.


Before you change that, you need to understand how both normal and common 
but pathological SMTP clients respond to different sorts of failure when 
they are trying to send mail. As Viktor noted, you should make sure that any 
public hostname resolving to the address that port 25 listener uses has a 
functionally null MX record, rather than no MX record at all. That will stop 
connections from well-meaning normal outsiders who are trying to deliver 
mail (presumably mis-addressed) to [EMAIL PROTECTED] but it won't 
prevent the less likely case of an innocent SMTP client trying to pass along 
mail to [EMAIL PROTECTED] or less innocent sorts of probing. A 550 
response at RCPT (and at ensuing DATA commands for pathological clients) is 
the most reliable way to reject an attempted SMTP transaction in a manner 
that will be treated by virtually all clients as a true permanent failure 
for that message. Rejections in-protocol at earlier steps and/or by dropping 
the TCP connection will be treated by some clients as fodder for retries, 
sometimes at obnoxious rates. This is one practical lesson of the past dozen 
years of attempts to cope with spam.
Can I just not give an error AND close the connection immediately after
connect rather than wait for RCPT TO:


Why accept the connection at all?


Re: smtpd_client_restrictions break connection immediately after connect

2008-10-14 Thread Nikita Kipriyanov

ram wrote:

On one of my servers I have put in main.cf

smtpd_client_restrictions = permit_mynetworks,reject
Because I want only my internal servers to use this machine as a relay. 


This works as expected, but when connections come from outside
mynetworks the Error comes only after RCPT TO:


Can I just not give an error AND close the connection immediately after
connect rather than wait for RCPT TO:


Yes, you can. See http://www.postfix.org/postconf.5.html#smtpd_delay_reject
It is on by default, so postfix delays reject until RCPT TO; if you turn
off that parameter, it will reject immediately. But, not all mail
software understands that early reject properly, so be warned.

Nikita
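To make the difference between the two settings concrete, here is an added simulation (not Postfix code, and not from anyone in this thread) of what a client outside $mynetworks sees under `smtpd_client_restrictions = permit_mynetworks, reject` with `smtpd_delay_reject` on versus off. The network ranges and hostnames are constructed, and the reply strings only approximate Postfix's default wording (reject_code 554).

```python
from ipaddress import ip_address, ip_network

# Constructed $mynetworks for the example; the poster relies on permit_mynetworks.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.168.10.0/24")]
REJECT = "554 5.7.1 <unknown[{ip}]>: Client host rejected: Access denied"


def client_permitted(client_ip):
    """permit_mynetworks: is the connecting address inside $mynetworks?"""
    ip = ip_address(client_ip)
    return any(ip in net for net in MYNETWORKS)


def smtp_session(client_ip, delay_reject=True):
    """Return the (client command, server reply) transcript for a client that
    attempts EHLO / MAIL FROM / RCPT TO / DATA / QUIT against
    smtpd_client_restrictions = permit_mynetworks, reject."""
    rejected = not client_permitted(client_ip)
    t = []
    if rejected and not delay_reject:
        # smtpd_delay_reject = no: the verdict is applied at connect time, the
        # 554 takes the place of the 220 greeting, and later commands (except
        # QUIT) are refused. Some clients treat this as a temporary condition
        # and retry, which is the retry storm the thread warns about.
        t.append(("<connect>", REJECT.format(ip=client_ip)))
        t.append(("EHLO client.example.net",
                  "503 5.7.0 Error: access denied for unknown[%s]" % client_ip))
        t.append(("QUIT", "221 2.0.0 Bye"))
        return t
    t.append(("<connect>", "220 mx.example.com ESMTP Postfix"))
    t.append(("EHLO client.example.net", "250 mx.example.com"))
    t.append(("MAIL FROM:<sender@example.net>", "250 2.1.0 Ok"))
    if rejected:
        # smtpd_delay_reject = yes (default): the same verdict is held until
        # RCPT TO, where virtually every client records a permanent failure.
        t.append(("RCPT TO:<user@example.com>", REJECT.format(ip=client_ip)))
        # Pathological clients send DATA anyway; that is refused as well.
        t.append(("DATA", "554 5.5.1 Error: no valid recipients"))
    else:
        t.append(("RCPT TO:<user@example.com>", "250 2.1.5 Ok"))
        t.append(("DATA", "354 End data with <CR><LF>.<CR><LF>"))
    t.append(("QUIT", "221 2.0.0 Bye"))
    return t


def reply_to(transcript, command):
    """Look up the server reply to one client command in a transcript."""
    return dict(transcript)[command]


if __name__ == "__main__":
    for delay in (True, False):
        print("smtpd_delay_reject = %s" % ("yes" if delay else "no"))
        for cmd, reply in smtp_session("203.0.113.7", delay_reject=delay):
            print("  C: %-30s S: %s" % (cmd, reply))
```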

Re: smtpd_client_restrictions break connection immediately after connect

2008-10-14 Thread Nikita Kipriyanov

http://www.postfix.org/postconf.5.html#smtpd_delay_reject

More to say, even better is to block external connections with a firewall.


Re: smtpd_client_restrictions break connection immediately after connect

2008-10-14 Thread Nikita Kipriyanov

Victor Duchovni wrote:

Consider setting a null-mx record for the system's
host name:

ahost.example.com   IN MX 0 .


As I understand things, it simply forces a 'fallback to A record', like
when there is no MX record...


Can you please explain, why this is needed?


Re: smtpd_client_restrictions break connection immediately after connect

2008-10-14 Thread Victor Duchovni
On Tue, Oct 14, 2008 at 12:13:39PM +0400, Nikita Kipriyanov wrote:

 Yes, you can. See http://www.postfix.org/postconf.5.html#smtpd_delay_reject
 It is on by default, so postfix delays reject until RCPT TO; if you turn
 off that parameter, it will reject immediately. But, not all mail
 software understands that early reject properly, so be warned.

If the host is an MX host for any domains, don't reject at connect time,
otherwise, go ahead. Consider setting a null-mx record for the system's
host name:

ahost.example.com   IN MX 0 .

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:[EMAIL PROTECTED]

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the Subject so I can delete these quickly.