On 4/6/2015 5:31 AM, Sebastian Nielsen <sebast...@sebbe.eu> wrote:
> IMHO I find it better to only allow submission from trusted nets.

So, you prefer to cripple your users by not allowing them to send email when outside the office?

> Better to disable authentication completely, and completely disable mail
> submission ("relaying") from the "outside".

Better for who?

> Thus closing 587 completely.

Again, crippling your users...

> 465 can be good to allow old (or misconfigured) SMTPS servers to send
> incoming mail to you.

So, you'll allow the deprecated (and possibly slightly less secure) port 465, but not the current standard submission port (587)? That doesn't make sense at all.

> By disabling authentication and ONLY allowing relaying from the "inside",
> you completely close the spam hole.

Ridiculous, it does no such thing. Spam doesn't originate from your own server.

> If there's no possibility to submit mail from the "outside" at all, then
> there's nothing to run a password cracker or dictionary attack at all on.

Dictionary attacks are trivial to defend against - use fail2ban or another appropriate tool to limit the number of failed attempts (which is, I agree, something that everyone should be doing anyway)...
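
The failed-attempt limiting mentioned in the reply above, as an added example that is not part of the original message and is not fail2ban's own code: a sliding-window counter over mail log lines that reports which client IPs reached the failure limit. The Postfix-style log format, the names find_offenders, max_retry and find_time, and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: Postfix-style syslog lines for failed SASL logins.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S+\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL \S+ authentication failed"
)

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10), year=2015):
    """Map each client IP to the time it reached max_retry failures within find_time."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m.group("ip") in offenders:
            continue              # not a failure line, or IP already over the limit
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        window = recent[m.group("ip")]
        window.append(ts)
        # Drop failures older than the window so slow, occasional typos never add up.
        while ts - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            offenders[m.group("ip")] = ts
    return offenders

# Constructed sample log (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
Apr  6 05:40:01 mx postfix/submission/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Apr  6 05:40:09 mx postfix/submission/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Apr  6 05:40:15 mx postfix/submission/smtpd[2101]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Apr  6 05:41:00 mx postfix/submission/smtpd[2107]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
Apr  6 05:42:00 mx postfix/submission/smtpd[2109]: connect from unknown[192.0.2.5]
Apr  6 06:30:00 mx postfix/submission/smtpd[2150]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
Apr  6 06:31:00 mx postfix/submission/smtpd[2150]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
"""

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the failure limit at {when}")
```

The returned IPs are what a tool of this kind would hand to the firewall for a temporary block; 198.51.100.20 stays below the limit because its first failure falls outside the ten-minute window.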