On Fri, 4 Sep 2015, Viktor Dukhovni wrote:

On Fri, Sep 04, 2015 at 09:44:50AM +0200, Tomas Macek wrote:

Here is the result cfg:

submission inet n      -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=yes
        -o content_filter=smtp-amavis:[127.0.0.1]:10024
        -o syslog_name=submission
        -o receive_override_options=no_header_body_checks
        -o smtpd_tls_security_level=may

Why "may", rather than "encrypt"?

Oops, that setting was there because of testing. I sometimes type the SMTP commands on the telnet command line. This will be changed for sure.

        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=check_recipient_access,hash:/etc/postfix/block_localhost,check_policy_service,inet:127.0.0.1:24575,permit_mynetworks,permit_sasl_authenticated,reject

Why not set this to "$mua_recipient_restrictions", and define the
latter in main.cf?

Fine, thanks, I'll change it.

The "check_policy_service,inet:127.0.0.1:24575" is a per-client-IP counter
that counts how many emails were sent by a particular IP address in the last X
seconds. It sometimes helps to report a misused client and/or password and
some other things. Maybe this should rather be added to
smtpd_client_restrictions?

Client IPs are not so interesting in botnets, much better to
aggregate by SASL login name (and rate limit potentially compromised
accounts).


OK, thanks, I'll think about it.

Thank you for the help!
Tomas
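
The per-account counting suggested in the thread could look like the following core of a Postfix policy service. This is an added example, not code from the thread or from Postfix: the class name, window and limit are assumptions, and it covers the request parsing and decision logic that sits behind the check_policy_service socket.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed value for the "last X seconds" in the thread
MAX_PER_WINDOW = 3    # assumed limit per counting key


def parse_request(text):
    """Parse one policy delegation request: name=value lines up to a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class SaslRateLimiter:
    """Sliding-window counter keyed on SASL login rather than client IP."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW,
                 clock=time.monotonic):
        self.window, self.limit, self.clock = window, limit, clock
        self.events = defaultdict(deque)  # key -> timestamps of recent requests

    def decide(self, attrs):
        """Return the reply to send to Postfix for one parsed request."""
        if attrs.get("request") != "smtpd_access_policy":
            return "action=DUNNO\n\n"
        # One compromised account is used from many bot IPs, so key on the
        # login; fall back to the client IP only when there is no SASL login.
        user = attrs.get("sasl_username", "")
        key = ("sasl", user.lower()) if user else ("ip", attrs.get("client_address", ""))
        now = self.clock()
        recent = self.events[key]
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # drop events that left the window
        if len(recent) >= self.limit:
            return "action=DEFER_IF_PERMIT Rate limit exceeded for %s\n\n" % key[1]
        # Called from recipient restrictions, so this counts RCPT TO commands.
        recent.append(now)
        return "action=DUNNO\n\n"
```
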

