On Tue, Mar 24, 2026 at 08:26:32AM +0000, Sad Clouds via Postfix-users wrote:
> These days it is common to restrict port 25 to mail relay and port 587
> to submission. Because submission is only used by authenticated
> clients, I think many Postfix restrictions could be relaxed for MUAs,
> but I'm not sure of the best practices.

The stock master.cf file contains a commented-out sensible starting
point:

# Choose one: enable submission for loopback clients only, or for any client.
#127.0.0.1:submission inet n - n - - smtpd
#submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_forbid_unauth_pipelining=no
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o local_header_rewrite_clients=static:all
# -o smtpd_hide_client_session=yes
# -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
# here, and specify mua_<xxx>_restrictions in main.cf (where
# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
# -o smtpd_client_restrictions=
# -o smtpd_helo_restrictions=
# -o smtpd_sender_restrictions=
# -o smtpd_relay_restrictions=
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
to this I might add:
# -o smtpd_data_restrictions=
# -o smtpd_end_of_data_restrictions=
Which then ends up being just "permit_sasl_authenticated, reject" and no
other controls.
--
Viktor. 🇺🇦 Слава Україні!
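
An added example, not part of the original message and not Postfix code: a small Python check that reads master.cf text and reports where an enabled submission entry departs from the overrides listed above, including the two extra restriction lists suggested in the reply. The function names and the sample entry are constructed for illustration, and only the plain `-o name=value` form is parsed (not the `{ name = value }` form).

```python
# Values the stock submission entry pins (names taken from the excerpt above).
REQUIRED = {"smtpd_tls_security_level": "encrypt",
            "smtpd_sasl_auth_enable": "yes", "smtpd_tls_auth_only": "yes"}
# Lists overridden to empty so main.cf's port-25 policy is not inherited.
EMPTIED = ["smtpd_%s_restrictions" % x for x in
           ("client", "helo", "sender", "relay", "data", "end_of_data")]

def overrides(text, service="submission"):
    """Return {name: value} from the '-o name=value' args of one inet service."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    for line in logical:
        f = line.split()  # service type private unpriv chroot wakeup maxproc command args...
        if len(f) >= 8 and f[1] == "inet" and f[0].split(":")[-1] == service:
            return dict(a.split("=", 1) for o, a in zip(f[8:], f[9:])
                        if o == "-o" and "=" in a)
    return None

def audit(text, service="submission"):
    """List deviations from 'permit_sasl_authenticated, reject and nothing else'."""
    opts = overrides(text, service)
    if opts is None:
        return ["no %s inet service defined" % service]
    found = ["%s should be %s" % (k, v) for k, v in REQUIRED.items() if opts.get(k) != v]
    found += ["%s is not overridden to empty" % k for k in EMPTIED if opts.get(k) != ""]
    rcpt = opts.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
    if rcpt != ["permit_sasl_authenticated", "reject"]:
        found.append("smtpd_recipient_restrictions is not permit_sasl_authenticated,reject")
    return found

# Constructed sample: the stock entry enabled as-is, without the two extra lines.
SAMPLE = """\
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
# Instead of specifying complex smtpd_<xxx>_restrictions here, ...
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""
print(audit(SAMPLE))
```

For the sample, the two findings are the data and end-of-data restriction lists, which would still take their main.cf values on the submission port.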