Re: Request for feedback on SMTPD restrictions

2018-01-22 Thread Dominic Raferd
On 23 January 2018 at 04:20, Noel Jones wrote: > Strong spam indicators for the HELO are > (note: this is for mail coming from the internet. Authenticated > submission mail or legit mail from devices on your network might > break any of these) > - a dynamic hostname (eg.

Re: Request for feedback on SMTPD restrictions

2018-01-22 Thread Noel Jones
On 1/22/2018 8:36 PM, J Doe wrote: >>> smtpd_helo_required = yes >>> smtpd_helo_restrictions = permit_mynetworks, >>> reject_unauth_pipelining, >>> reject_invalid_helo_hostname, >>> reject_non_fqdn_helo_hostname, >>> check_helo_access hash:/etc/postfix/helo_acl, >>>

Re: Request for feedback on SMTPD restrictions

2018-01-22 Thread li...@lazygranch.com
Replies in the middle of the email for clarity. On Mon, 22 Jan 2018 17:18:42 -0500 "Bill Cole" wrote: > On 21 Jan 2018, at 20:44 (-0500), li...@lazygranch.com wrote: > > > The reverse DNS can only point to one domain > > name. > > Not so. Multiple

Re: Request for feedback on SMTPD restrictions

2018-01-22 Thread J Doe
Hi, > On Jan 22, 2018, at 8:43 AM, Matus UHLAR - fantomas wrote: > >> smtpd_helo_required = yes >> smtpd_helo_restrictions = permit_mynetworks, >> reject_unauth_pipelining, >> reject_invalid_helo_hostname, >> reject_non_fqdn_helo_hostname, >> check_helo_access

Re: Request for feedback on SMTPD restrictions

2018-01-22 Thread J Doe
Hi Noel, > On Jan 21, 2018, at 3:35 PM, Noel Jones >> smtpd_client_restrictions = permit_mynetworks, >> reject_unauth_pipelining, >> check_client_access hash:/etc/postfix/client_acl, >> reject_unknown_client_hostname, >> permit > >

Re: Request for feedback on SMTPD restrictions

2018-01-22 Thread Bill Cole
On 21 Jan 2018, at 20:44 (-0500), li...@lazygranch.com wrote: > The reverse DNS can only point to one domain name. Not so. Multiple PTR records for one address may violate some people's expectations, but it's not wrong if the address doesn't really have a public name that is more "real" than

Re: Self-signed TLS certificates

2018-01-22 Thread DTNX Postmaster
On 22 Jan 2018, at 15:31, Viktor Dukhovni wrote: > On Jan 22, 2018, at 2:43 AM, DTNX Postmaster wrote: > >>> A "real" certificate is useful if you have customers connecting to >>> your server as a submission service. While self-signed certs work

Re: Self-signed TLS certificates

2018-01-22 Thread Viktor Dukhovni
> On Jan 22, 2018, at 10:06 AM, Danny Horne wrote: > > Private CA sounds interesting, will have to read up about it You can get away with a lot less complexity than the usual OpenSSL CA. See, for example:

Re: Self-signed TLS certificates

2018-01-22 Thread Danny Horne
On 21/01/2018 9:35 pm, Viktor Dukhovni wrote: > > Indeed stick with what you've got. You could (if not intimidated by the > logistics, but we may have more tools for you in this space soonish) also > implement a private CA that signs your no-longer self-signed server cert. > This makes it

Re: canonical based on login name

2018-01-22 Thread Karol Augustin
On 2018-01-20 16:08, Joris (ideeel) wrote: > Hi list > > I run a webservice (and a mail service). All websites run under the > same UID of apa...@webserver.domain.com. I know, not ideal, but I > cannot change that bit. Problem is that if one site gets hacked, user > apache starts sending spam

Re: Self-signed TLS certificates

2018-01-22 Thread Viktor Dukhovni
> On Jan 22, 2018, at 2:43 AM, DTNX Postmaster wrote: > >> A "real" certificate is useful if you have customers connecting to >> your server as a submission service. While self-signed certs work >> fine for that purpose too, sometimes it's easier to avoid talking >> folks

Re: Request for feedback on SMTPD restrictions

2018-01-22 Thread Matus UHLAR - fantomas
On 21.01.18 00:56, J Doe wrote: I have a basic SMTP server set up with what I believe to be good smtpd_*_ restrictions, but I was wondering if anyone could provide any insight on how to improve them or if I have been redundant in the restrictions. Even with reading the man pages, I find some of