Hi Victor, Thanks so much for very useful and informative reply and opinions, much appreciated!
I'm using Postfix 3.7.9 (with Dovecot through LMTP, and virtual users in MySQL). Regarding 'smtpd_relay_before_recipient_restrictions', I don't have it explicitly set in main.cf, it's as the default. Is it better to list reject_unauth_destination after; permit_mynetworks, permit_sasl_authenticated, Or before these? And why? And finally, here are my helo and sender restrictions; smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unlisted_sender, permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, permit You might wish to give your opinions on these above as well? I'm trying to be as restrictive as possible, against haux&pseudo hostnames/helo attempts, spammers and attackers. Many thanks, Much regards. Mark. 2 Şubat 2024 Cuma tarihinde Viktor Dukhovni via Postfix-users < [email protected]> yazdı: > On Fri, Feb 02, 2024 at 08:26:20AM +0300, Mark via Postfix-users wrote: > > > I'm trying to adjust my smtpd_recipient_restrictions so that any emails > > coming to a non-existent account on my server would be rejected BEFORE > the > > attempt reaches RBLs/RBL queries. > > If you're using Postfix 3.6 or later, you probably have a "yes" setting > for: > > smtpd_relay_before_recipient_restrictions = ${{$compatibility_level} > <level {3.6} ? {no} : {yes}} > > which means, that your relay restriction would already reject mail to > unauthorised destinations, obviating the need for > "reject_unauth_destination" in: > > ... > permit_mynetworks, > permit_sasl_authenticated, > reject_unauth_destination, > ... > > in the list of rules for smtpd_recipient_restrictions (provided you've > not "cleared" your relay restrictions). > > But of course a belt-and-suspenders approach is harmless and in this > case also cheap to check. > > > Thus, before I activate my settings, I wanted to ask for your opinions, > so > > here how it goes; > > > > smtpd_recipient_restrictions = > > reject_non_fqdn_sender, > > reject_non_fqdn_recipient, > > reject_non_fqdn_helo_hostname, > > reject_invalid_helo_hostname, > > reject_unlisted_recipient, > > permit_mynetworks, > > permit_sasl_authenticated, > > reject_unauth_destination, > > reject_rbl_client zen.spamhaus.org=127.0.0.[2..11], > ... > > This looks fine. > > -- > Viktor. > _______________________________________________ > Postfix-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ Postfix-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
