On 23/05/24 19:02, Jaroslaw Rafa via Postfix-users wrote:
> In addition I can add one idea:
> I have had quite a success with a policy server that rejects all connections
> on submission ports IF it doesn't find a currently established IMAP session
> from the same IP address. All "normal" mail clients (at least the ones that
> I saw) first establish an IMAP session with the server, and then try to
> authenticate with SMTP when the user wants to actually send mail. And I see
> much, much fewer attacks (authentication attempts) on IMAP service than on
> SMTP. So it works for me.

That's a good idea, but I would make one modification: have it allow any connection that hasn't had a corresponding IMAP (or POP3 if applicable) connection in the past hour.

Do note that if you have clients that submit but don't read mail themselves then this will cause issues, an example of such being a null client such as submitting mail from a server.

Also this should *not* be a substitute for SASL AUTH, but rather an added check.


Peter
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
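
Added example, not part of either poster's message or of any policy server mentioned in the thread: a sketch of the decision logic for a Postfix policy delegate that accepts a submission client only when the same IP has logged in over IMAP/POP3 within the last hour. The Dovecot-style log format, the sample lines, the allowlisted address and all function names are assumptions made for illustration.

```python
import re

WINDOW = 3600                 # seconds: the one-hour window from the thread
SUBMIT_ONLY = {"192.0.2.10"}  # constructed: null clients that never use IMAP

# Assumed Dovecot-style successful-login line; adapt to your IMAP server's log.
LOGIN_RE = re.compile(r"(?:imap|pop3)-login: Login: .*\brip=([0-9A-Fa-f.:]+)")

# Constructed sample log lines: one successful login, one failed attempt.
SAMPLE_LOG = [
    "dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS",
    "dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS",
]

def record_logins(log_lines, seen, now):
    """Set seen[ip] = now for each successful login line (log tailed live)."""
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if m:
            seen[m.group(1)] = now
    return seen

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs, seen, now):
    """Return the policy reply for one request."""
    ip = attrs.get("client_address", "")
    if ip in SUBMIT_ONLY or now - seen.get(ip, float("-inf")) <= WINDOW:
        # DUNNO, not OK: the restrictions that follow (SASL AUTH) still apply.
        return "action=DUNNO\n\n"
    return "action=REJECT no recent IMAP/POP3 session from your address\n\n"

if __name__ == "__main__":
    seen = record_logins(SAMPLE_LOG, {}, now=1000)
    for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.10"):
        req = f"request=smtpd_access_policy\nclient_address={ip}\n\n"
        print(ip, decide(parse_request(req), seen, now=1600).strip())
```

Returning `DUNNO` for a match leaves the final decision to whatever follows `check_policy_service` in the submission service's restriction list, so the check is layered on top of SASL authentication and does not replace it.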