> Michael Orlitzky:
> If you want something more generic than what's already in postfix, the
> next level up is probably iptables.

I was looking for something with host lookup capability and tcp wrappers was exactly the thing. There were allow/deny.hosts files present in the system, which made me think that my server was already configured with tcp-wrappers by default, but I could not figure out why it was not filtering smtpd traffic.

Initially I thought that compiling Postfix with tcp wrappers would mean just changing the installation configuration to authorise the higher level service to filter the traffic before it even gets to Postfix. I have dug deeper and understood that that assumption was totally wrong. It turned out that the inetd super-server (which btw supports tcp-wrappers by default) is not even installed on Ubuntu server by default. So all I need to do is just install it.

Thanks everyone for your patient and kind replies.

Eugene

Tue, 16 Feb 2021 at 03:17, Wietse Venema <wie...@porcupine.org>:

> Viktor Dukhovni:
> > > On Feb 15, 2021, at 9:57 PM, Wietse Venema <wie...@porcupine.org> wrote:
> > >
> > > I just verified that TLS works when running "sendmail -bs" as user
> > > 'postfix' from inetd. But I agree that this mode of operation is
> > > suitable only for extraordinary cases.
> >
> > How was the SMTP server able to load the certificate chain? The private
> > keys are typically only readable by "root".
>
> They are readable by non-root. All this because of no privilege
> dropping support after process initialization, but that could be
> fixed by adding a couple command flags to smtpd(8) and invoking it
> directly.
>
> Wietse