On 20/1/2012 12:55 PM, Charles Marcus wrote:
> # reject all clients not matching anything above, and be damn sure
> # to comment out the last reject under recipient_restrictions
> #
> 0.0.0.0/0 reject unauthorized client, please use our MX

You mean to remove "reject" from *smtpd_client_restrictions*, not from
smtpd_recipient_restrictions. So, if we would be using:

    smtpd_client_restrictions = check_client_access cidr:/etc/postfix/gwservers.cidr,reject

we should rather just use:

    smtpd_client_restrictions = check_client_access cidr:/etc/postfix/gwservers.cidr

Right?

>> Why are you not only opening from the allowed addresses in
>> the packet-filter (iptables)? So you have no log-entries
>> from spammers all over the world and any protection should
>> generally happen as wide as possible before the service
>
> I agree wholeheartedly and I do this as well, but I also believe in
> multi-layered security, so I would *definitely* also lock it down in
> postfix as above as well...

I agree that iptables-based filtering should be done as well.
But what about ::1 in the cidr table? Will it be OK??
Thanks,
Nick
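
The first-match lookup that a table like gwservers.cidr gets, as an added example that is not part of the thread: it shows that a catch-all of 0.0.0.0/0 covers IPv4 only, so IPv6 clients such as ::1 need their own entries and their own catch-all. The gateway networks and the helper names (`parse_cidr_table`, `lookup`, `audit`) are constructed for illustration, and the matching is a Python model of the table, not Postfix itself.

```python
import ipaddress

# Constructed sample table in Postfix cidr_table(5) syntax; the gateway
# networks are documentation ranges, not values from the thread.
TABLE_V4_ONLY = """\
# gateways allowed to relay through this host (constructed)
192.0.2.0/24      OK
127.0.0.0/8       OK
0.0.0.0/0         reject unauthorized client, please use our MX
"""

# Same table with explicit IPv6 entries and an IPv6 catch-all appended.
TABLE_DUAL_STACK = TABLE_V4_ONLY + """\
::1/128           OK
2001:db8:10::/48  OK
::/0              reject unauthorized client, please use our MX
"""

def parse_cidr_table(text):
    """Return [(network, action)] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern), action))
    return rules

def lookup(rules, client_ip):
    """First matching pattern wins. None means no match, so evaluation moves
    on to whatever follows check_client_access in the restriction list."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

def audit(text, probes):
    """Map each probe address to the action the table returns for it."""
    rules = parse_cidr_table(text)
    return {ip: lookup(rules, ip) for ip in probes}

# Constructed probe addresses: an allowed gateway, an outside IPv4 client,
# IPv6 loopback, and an outside IPv6 client.
PROBES = ["192.0.2.25", "203.0.113.9", "::1", "2001:db8:ffff::1"]

if __name__ == "__main__":
    for name, table in (("v4-only", TABLE_V4_ONLY), ("dual-stack", TABLE_DUAL_STACK)):
        for ip, action in audit(table, PROBES).items():
            print(f"{name:10} {ip:18} -> {action or 'no match (falls through)'}")
```

On a real host, `postmap -q <address> cidr:/etc/postfix/gwservers.cidr` performs the same lookup against the actual table.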