On 30.11.2012 11:12, Tomas Macek wrote:
> On Fri, 30 Nov 2012, lst_ho...@kwsoft.de wrote:
>
>>
>> Quoting Tomas Macek <ma...@fortech.cz>:
>>
>>> I don't understand now, how Postfix behaves when listening on
>>> submission port 587.
>>> Our mailserver is sometimes overloaded on port 25, so we want to use
>>> postscreen. But I don't understand, how Postfix works when it's
>>> stressed on port 587, when spammers connect to that opened port and
>>> want to send their "emails". In document
>>> http://www.postfix.org/STRESS_README.html there is:
>>>
>>> NOTE: To avoid "overload" delays for end-user mail clients, enable
>>> the "submission" service entry in master.cf (present since Postfix
>>> 2.1), and tell users to connect to this instead of the public SMTP
>>> service.
>>>
>>> Should this mean, that Postfix by default does not use counters like
>>> smtpd_hard_error_limit, smtpd_junk_command_limit and maybe others on
>>> submission port? On this port I would prefer using some kind of smtp
>>> auth and this port should be world accessible to allow the clients
>>> using other networks to authenticate and send emails.
>>>
>>
>> Port 587 is by default nothing special for Postfix because it is
>> mostly a clone of the Port 25 service. The *intended* difference is
>> that Port 587 should only accept mail by authenticated users, so no
>> chance for spammers if they don't own valid credentials. To actually
>> see the difference between Port 25 and Port 587 settings you have to
>> compare the entries in master.cf.
>>
>> Regards
>>
>> Andreas
>>
>
> OK, so there is a chance for spammers to overload the server using
> submission port 587 (the server says then "service "smtp" (25) has
> reached its process limit "200"") by exhausting the number of available
> ports and the MUA clients then can have also problems to send their
> emails? Am I right?
> If I am, then I don't understand, why to split the processes into
> submission 587 and normal 25, because if the MUA client sends the mail
> through 25 (hope with postscreen), there is a chance that the 25 is not
> overloaded (because it uses postscreen) and he will be rather
> able to send his email compared to 587.
> Or I still don't understand something ... :-)
>
> Andreas: sorry for my direct answer to you, my mistake
>
> Tomas

You don't want to use postscreen with your valid users, therefore use the
submission port with auth and TLS for them. If there are problems with limits,
raise them, etc.

In general, whenever a port is open to the public, there is a chance to fire
on it; avoiding this is, i.e., a firewall job.

Best Regards
Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
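
The comparison of master.cf entries suggested in the thread, as an added example that is not part of any message above: a small Python parser that reads the port 25 and port 587 service entries and reports each service's own process limit (the maxproc column) and whether submission enforces TLS and SASL authentication. The sample master.cf is constructed for illustration (the limit of 50 is arbitrary), the function names `parse_master_cf` and `audit` are hypothetical, and only plain `-o name=value` overrides are handled.

```python
# Constructed sample, modelled on the postscreen and submission entries
# that Postfix documents; the submission limit of 50 is an arbitrary value.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
submission inet n       -       n       -       50      smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def parse_master_cf(text):
    """Return {(service, type): entry}; indented lines continue an entry."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    entries = {}
    for line in logical:
        f = line.split()
        args = f[8:]
        # "-o name=value" overrides a main.cf setting for this service only
        overrides = dict(args[i + 1].split("=", 1)
                         for i, a in enumerate(args[:-1]) if a == "-o")
        entries[(f[0], f[1])] = {"maxproc": f[6], "command": f[7],
                                 "overrides": overrides}
    return entries

def audit(entries):
    """Summarise what separates the public SMTP service from submission."""
    smtp, sub = entries[("smtp", "inet")], entries[("submission", "inet")]
    opts = sub["overrides"]
    return {
        "port25_command": smtp["command"],
        "submission_maxproc": sub["maxproc"],  # "-" = default_process_limit
        "submission_requires_tls": opts.get("smtpd_tls_security_level") == "encrypt",
        "submission_rejects_unauthenticated": (
            opts.get("smtpd_sasl_auth_enable") == "yes"
            and opts.get("smtpd_client_restrictions") == "permit_sasl_authenticated,reject"),
    }

if __name__ == "__main__":
    for key, value in audit(parse_master_cf(SAMPLE_MASTER_CF)).items():
        print(f"{key}: {value}")
```

A submission entry that reports `False` for the last field is the "clone of the Port 25 service" case described in the thread, accepting unauthenticated clients on 587.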