On Sat, Mar 04, 2017 at 09:27:43PM +0000, Igor Golubkov wrote:
> Just use smtpd_relay_restrictions = permit_mynetworks, reject

This *might* be acceptable for the OP, but note that it is applied
to all mail, and therefore nothing outside of mynetworks would ever
be accepted.  This is DEFINITELY wrong for a server acting as an MX,
hosting mail for an Internet domain name.

> But changing this setting will not remove all those bots trying to
> authenticate on your server.
>
> Sat, 4 Mar 2017, 23:57 Jon LaBadie <[email protected]>:
>
> > When I first set up my home mail server I mashed several "postfix
> > recipes" to get my working system.  Not knowing why, this line
> > made it into main.cf.
> >
> > smtpd_relay_restrictions = \

The leading whitespace is what tells Postfix you are intending to
continue a logical line on the following actual line.

> >     permit_mynetworks, permit_sasl_authenticated

This won't work either, because a restriction such as "reject" or
"reject_unauth_destination" is required to prevent open relay.

> > I have no need to relay mail from anywhere except my own
> > network and I don't authenticate for that.

Still, requiring AUTH is a good idea.

> > I do get 500-1000 daily attempts to relay but because I never
> > set up an SASL Authentication Server, none can ever
> > authenticate.

So it looks like you ARE an MX host, since you are getting these
connections from the outside.

Best practice is:

main.cf :
    ...
    smtpd_relay_restrictions = reject_unauth_destination
    mua_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

This closes off relaying on port 25.  Then uncomment the "submission"
service in master.cf, and have a line like this under it:

    -o smtpd_relay_restrictions=$mua_relay_restrictions

The benefit is that you completely separate your MX stream from
users' submitted mail.  This is advantageous for spam control and
filtering.  And then of course your users would have to submit mail
on port 587.  If you're not going to allow roaming users to submit,
you could simply block port 587 in the firewall.

> > I'd like to get rid of the "permit_sasl_authenticated" setting,
> > perhaps rejecting relay attempts earlier.  But I'm hesitant that
> > I may be creating a relay server due to other settings.
> >
> > Another current setting that may be pertinent is
> >
> > smtpd_sender_restrictions = permit_mynetworks \
> >     reject_non_fqdn_sender reject_unknown_sender_domain
> >
> > Suggestions or advice on getting rid of the SASL settings,
> > still allowing relay from my private network, yet not an open
> > relay?

I suggest: http://www.postfix.org/SMTPD_ACCESS_README.html
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
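The two points rob0 makes above (that an indented line, not a trailing backslash, continues a main.cf logical line, and that a restriction list without a terminal reject ends in Postfix's default "permit", i.e. an open relay) can be seen by walking the restriction list the way smtpd does. The following is an added example written for this thread, not Postfix code and not anything the posters shared. It assumes a constructed sample main.cf, models only the four restrictions discussed (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject) and treats mydestination plus relay_domains as the only "authorized" destinations, ignoring virtual domains and the other checks the real reject_unauth_destination performs.

```python
"""Toy model of how Postfix smtpd walks an smtpd_*_restrictions list.

Added illustration only; it is not Postfix source and models just the
restrictions discussed in the thread.  Two things it demonstrates:
  1. main.cf continuation: a line that begins with whitespace is joined
     to the previous logical line; a trailing backslash is plain text.
  2. If no restriction in the list returns a verdict, the default action
     is to permit, so "permit_mynetworks, permit_sasl_authenticated"
     with nothing after it relays for everyone.
"""
import ipaddress

# Constructed sample main.cf (hypothetical; not the OP's real file).
SAMPLE_MAIN_CF = """\
mydestination = example.org, localhost
relay_domains =
mynetworks = 127.0.0.0/8, 192.168.1.0/24
smtpd_relay_restrictions = \\
    permit_mynetworks, permit_sasl_authenticated
"""


def parse_main_cf(text):
    """Return {parameter: value}, honoring Postfix's continuation rule."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            # Leading whitespace: this is part of the previous logical line.
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def split_restrictions(value):
    """Tokenize a restriction list. The stray backslash from the OP's file
    would be an unknown restriction name to Postfix; this toy drops it."""
    return [tok for tok in value.replace(",", " ").split() if tok != "\\"]


def evaluate(restrictions, client_ip, sasl_authenticated, rcpt_domain,
             mynetworks, authorized_domains):
    """Walk the list left to right; the first restriction that yields a
    verdict wins. An exhausted list means permit (Postfix's default)."""
    ip = ipaddress.ip_address(client_ip)
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in mynetworks):
                return ("permit", r)
        elif r == "permit_sasl_authenticated":
            if sasl_authenticated:
                return ("permit", r)
        elif r == "reject_unauth_destination":
            if rcpt_domain not in authorized_domains:
                return ("reject", r)
        elif r == "reject":
            return ("reject", r)
        elif r == "permit":
            return ("permit", r)
        else:
            raise ValueError(f"restriction not modelled here: {r}")
    return ("permit", "end-of-list")


def relay_verdict(params, client_ip="203.0.113.7", sasl=False,
                  rcpt_domain="victim.example"):
    """Verdict for one SMTP client/recipient pair under smtpd_relay_restrictions.
    Defaults describe the interesting case: an outside, unauthenticated
    client trying to relay to a domain you do not host."""
    restrictions = split_restrictions(params.get("smtpd_relay_restrictions", ""))
    nets = [n.strip() for n in params.get("mynetworks", "").split(",") if n.strip()]
    hosted = params.get("mydestination", "") + "," + params.get("relay_domains", "")
    authorized = {d.strip() for d in hosted.split(",") if d.strip()}
    return evaluate(restrictions, client_ip, sasl, rcpt_domain, nets, authorized)


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    print("parsed list:", split_restrictions(cfg["smtpd_relay_restrictions"]))
    print("OP's list, outside client -> foreign domain:", relay_verdict(cfg))
    fixed = dict(cfg, smtpd_relay_restrictions="reject_unauth_destination")
    print("fixed list, outside client -> foreign domain:", relay_verdict(fixed))
    print("fixed list, outside client -> hosted domain:",
          relay_verdict(fixed, rcpt_domain="example.org"))
```

Running it shows the OP's configuration ending in "end-of-list" permit for an outside client, while "reject_unauth_destination" alone rejects that relay attempt but still accepts inbound mail for example.org; the MUA list (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination) then restores relaying only for the LAN and authenticated users, which is why rob0 puts it on the submission service rather than on port 25.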
