On 07/03/2011 09:31 PM, Pandu Poluan wrote:
> I'm just wondering...
> 
> I'm implementing an email gateway using postfix. The gateway lives as
> a VM in my ISP, and it will deliver 'accepted' emails to the company's
> email server which lives in the DMZ. The email server's port is
> shifted to a non-25 external port number.
> 
> So far so good. However, a portscanner might still be able to detect
> which port is open and attempt deliveries there.
> 
> So, the question: Is it possible to configure the system in some way
> so that Postfix will first perform a portknocking before attempting
> delivery to the internal mail server?
> 
> If that is not possible, what solution would you recommend to 'harden'
> the non-25 mail port?

What defines an "accepted" email? If they will all be coming from one or
more pre-defined hosts, just add them to mynetworks:

  mynetworks = <whoever is allowed to send mail to you>
  smtpd_recipient_restrictions = permit_mynetworks, reject

If they could be coming from anywhere, you can either configure SASL
(easier) or certificate-based authentication (harder). I suppose you
could set up a VPN that lands them within $mynetworks, too.
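The settings in the reply, carried through to both hosts in the original poster's setup, as an added example that is not part of the original thread. The DMZ server's shifted port (2525), the gateway's public address (203.0.113.10, from the RFC 5737 documentation range) and the names example.com and mail-dmz.example.com are all assumptions standing in for values the post does not give; the weak setting is shown commented out beside the corrected one.

```ini
# ---- DMZ mail server: /etc/postfix/master.cf ----
# Accept mail from the gateway on the shifted port. 2525 is an assumed
# value; the original post does not name the port.
# (columns: service type private unpriv chroot wakeup maxproc command)
2525      inet  n       -       n       -       -       smtpd

# ---- DMZ mail server: /etc/postfix/main.cf ----
# Weak setting: trusts every client that reaches the port, so a scanner
# that finds 2525 can hand mail straight to the internal server.
#mynetworks = 0.0.0.0/0
#smtpd_recipient_restrictions = permit_mynetworks

# Corrected setting: the gateway VM is the only remote host allowed to
# hand mail in; 203.0.113.10 stands in for its public address (assumed).
# Anything else is rejected before a recipient is accepted.
mynetworks = 127.0.0.0/8, 203.0.113.10/32
smtpd_recipient_restrictions = permit_mynetworks, reject

# If the senders are not fixed hosts, option (a): SASL over TLS.
# (smtpd_tls_cert_file / smtpd_tls_key_file must also be set.)
#smtpd_tls_security_level = encrypt
#smtpd_tls_auth_only = yes
#smtpd_sasl_auth_enable = yes
#smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject

# Option (b): TLS client certificates. The gateway presents a cert
# whose fingerprint is listed in relay_clientcerts; nobody else passes.
#smtpd_tls_security_level = encrypt
#smtpd_tls_ask_ccert = yes
#relay_clientcerts = hash:/etc/postfix/relay_clientcerts
#smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts, reject

# ---- Gateway VM: /etc/postfix/main.cf ----
# Forward the company's domain to the DMZ host on the shifted port.
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport

# ---- Gateway VM: /etc/postfix/transport ----
# Brackets skip the MX lookup; ":2525" overrides the default port 25.
# Rebuild the map with: postmap /etc/postfix/transport
example.com    smtp:[mail-dmz.example.com]:2525
```

Two things to check after applying this. First, `postconf -n` on the DMZ host should show `mynetworks` containing only loopback and the gateway; if a broader range (the ISP's whole subnet, say) has crept in, every other customer on that range can deliver directly. Second, on Postfix 2.10 and later `smtpd_relay_restrictions` is evaluated as well; if the DMZ host ever forwards mail onward rather than being the final destination for example.com, give it the same `permit_mynetworks, reject` list so the two restriction lists agree. Note that none of this hides the port from a scanner; it only guarantees that a connection from anywhere but the gateway is refused at RCPT TO. Filtering the port to the gateway's address at the DMZ firewall, or the VPN the reply mentions, is what removes the port from view.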
