Hi Victor,

Thanks so much for very useful and informative reply and opinions, much
appreciated!

I'm using Postfix 3.7.9 (with Dovecot through LMTP, and virtual users in
MySQL).

Regarding 'smtpd_relay_before_recipient_restrictions', I don't have it
explicitly set in main.cf, it's as the default.

Is it better to list reject_unauth_destination after;

permit_mynetworks,
permit_sasl_authenticated,

Or before these? And why?

And finally, here are my helo and sender restrictions;

smtpd_helo_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  permit

smtpd_sender_restrictions =
  reject_non_fqdn_sender,
  reject_unlisted_sender,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unknown_sender_domain,
  permit

You might wish to give your opinions on these above as well?

I'm trying to be as restrictive as possible, against haux&pseudo
hostnames/helo attempts, spammers and attackers.

Many thanks,
Much regards.

Mark.


2 Şubat 2024 Cuma tarihinde Viktor Dukhovni via Postfix-users <
[email protected]> yazdı:

> On Fri, Feb 02, 2024 at 08:26:20AM +0300, Mark via Postfix-users wrote:
>
> > I'm trying to adjust my smtpd_recipient_restrictions so that any emails
> > coming to a non-existent account on my server would be rejected BEFORE
> the
> > attempt reaches RBLs/RBL queries.
>
> If you're using Postfix 3.6 or later, you probably have a "yes" setting
> for:
>
>     smtpd_relay_before_recipient_restrictions = ${{$compatibility_level}
> <level {3.6} ? {no} : {yes}}
>
> which means, that your relay restriction would already reject mail to
> unauthorised destinations, obviating the need for
> "reject_unauth_destination" in:
>
>     ...
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,
>     ...
>
> in the list of rules for smtpd_recipient_restrictions (provided you've
> not "cleared" your relay restrictions).
>
> But of course a belt-and-suspenders approach is harmless and in this
> case also cheap to check.
>
> > Thus, before I activate my settings, I wanted to ask for your opinions,
> so
> > here how it goes;
> >
> > smtpd_recipient_restrictions =
> >   reject_non_fqdn_sender,
> >   reject_non_fqdn_recipient,
> >   reject_non_fqdn_helo_hostname,
> >   reject_invalid_helo_hostname,
> >   reject_unlisted_recipient,
> >   permit_mynetworks,
> >   permit_sasl_authenticated,
> >   reject_unauth_destination,
> >   reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
>     ...
>
> This looks fine.
>
> --
>     Viktor.
> _______________________________________________
> Postfix-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to