>> The way is set and working now:
>>
>> listen on lo inet4 port 25 tls-require hostname mail mask-source tag lo
> `tls-require` on `lo` is a bit strange… `mask-source` too.

Of course it is, [ tls-require ] at least. That has now been removed. [
mask-source ] for lo/127.0.0.1 is perhaps a little silly indeed, but it
does not cause any harm, I suppose.

>> listen on lo inet4 port 587 smtps hostname mail mask-source tag lo
>> listen on eth0 inet4 port 25 tls-require auth hostname mail mask-source tag lan
> Do you intend to receive mail from other mail servers? Because using
> `auth` here will prevent that. `tls-require` likely too in my experience
> (unfortunately a lot of mail providers still don’t use TLS at all). Also
> I’m not sure `mask-source` is relevant here, but I might be wrong.

eth0 ports 25/587 are only for LAN clients, and those support
TLS/SMTP AUTH.

For receiving from WAN there are:

listen on eth0 inet4 port 40025 tls hostname foo.bar tag wan
listen on eth0 inet4 port 40587 smtps hostname foo.bar tag wan

On the WAN iface the netfilter rules are forwarding WAN ports 25/587 to
the smtpd server ports 40025/40587 with the smtpd server deployed in an
unprivileged LXC container.

>
>> listen on eth0 inet4 port 587 smtps auth hostname mail mask-source tag lan
>> listen on lo port 10028 mask-source tag DKIM
>>
>> accept tagged DKIM for any relay
>> accept for any relay via smtp://127.0.0.1:10027
>> accept from local for any relay
>> accept from source 172.25.120.2 for any relay
> Those last two lines are useless: everything that would match them will
> already have matched one of the first two.
>

Yes, the other list subscriber Reio kindly pointed that out too, and
those two lines have been purged in the meantime.


--
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]
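An added example, not part of the thread or of OpenSMTPD itself: a small Python lint over `listen on` lines that encodes the objections raised above (`tls-require`/`mask-source` on `lo`, and `auth` or `tls-require` on a listener that must accept mail from other mail servers). It assumes that eth0 port 40025 is the only MX-facing listener (WAN port 25 is forwarded there, as described) and that the last sample line is a constructed misconfiguration.

```python
"""Lint OpenSMTPD 'listen on' lines for the issues discussed in the thread."""
import shlex

# Assumption from the thread: WAN port 25 is DNAT'ed to eth0:40025, so that is
# the one listener that must accept unauthenticated, possibly non-TLS MX peers.
MX_LISTENERS = {("eth0", "40025")}
KEYED = {"port", "hostname", "tag"}   # options that take one argument in these lines

def parse_listen(line):
    """Return {'iface','port','tag','flags'} for a 'listen on' line, else None."""
    tok = shlex.split(line)
    if len(tok) < 3 or tok[:2] != ["listen", "on"]:
        return None
    spec = {"iface": tok[2], "port": "25", "tag": None, "flags": set()}
    i = 3
    while i < len(tok):
        if tok[i] in KEYED and i + 1 < len(tok):
            spec[tok[i]] = tok[i + 1]
            i += 2
        else:                          # inet4, tls, tls-require, smtps, auth, mask-source
            spec["flags"].add(tok[i])
            i += 1
    return spec

def lint_listen(line):
    """Findings for one listener as a list of (severity, message)."""
    spec = parse_listen(line)
    if spec is None:
        return []
    out, f = [], spec["flags"]
    if spec["iface"] == "lo":
        if "tls-require" in f:
            out.append(("warn", "tls-require on lo: loopback traffic never leaves the host"))
        if "mask-source" in f:
            out.append(("info", "mask-source on lo: harmless but pointless"))
    if (spec["iface"], spec["port"]) in MX_LISTENERS:
        if "auth" in f:
            out.append(("error", "auth on the MX listener: remote MX hosts cannot authenticate"))
        if "tls-require" in f:
            out.append(("warn", "tls-require on the MX listener: senders without STARTTLS are refused"))
    return out

def lint_config(text):
    """Run lint_listen over every non-empty line of a config fragment."""
    return [(ln, fnd) for ln in text.splitlines() if ln.strip() for fnd in lint_listen(ln)]

# Constructed sample: the thread's listeners plus one deliberately wrong MX line.
BAD = "listen on eth0 inet4 port 40025 tls-require auth hostname foo.bar tag wan"
SAMPLE = """\
listen on lo inet4 port 25 tls-require hostname mail mask-source tag lo
listen on eth0 inet4 port 25 tls-require auth hostname mail mask-source tag lan
listen on eth0 inet4 port 40025 tls hostname foo.bar tag wan
""" + BAD + "\n"

if __name__ == "__main__":
    for line, (sev, msg) in lint_config(SAMPLE):
        print(f"{sev}: {msg}\n    {line}")
```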
