On Wed, Apr 22, 2026 at 08:38:02 +0100, Sad Clouds via Postfix-users wrote:
> Hello, this question is about hardening email services from brute force
> attacks.
>
> I'm thinking of deploying a split tunnel WireGuard VPN to access SMTP
> submission and IMAP services. The SMTP relay service on port 25 would
> still be on the outside of the VPN tunnel. I'll be using the same
> WireGuard setup for SSH, so the overhead of adding SMTP and IMAP
> protocols is negligible.
>
> By the way, I'm not running large scale public email services, so VPN
> key management with a large user base is not going to be an issue.

You can achieve roughly the same but without the additional layer, by
requiring TLS client certificates for SMTP submission and IMAP (and for
SSH, disable password authentication and accept only SSH keys).
See permit_tls_clientcerts and relay_clientcerts (for a small number of
self-signed client certs), or permit_tls_all_clientcerts (if you want to
run your own CA for more than just a few users).

Geert
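The two options Geert names, written out as an added example configuration (mine, not Geert's and not the Postfix project's documentation; every path, host name and the fingerprint value are assumptions, and Dovecot is assumed as the IMAP server):

```conf
# --- Postfix main.cf (example; paths are assumptions) ---
# Server certificate presented on submission and on port 25.
smtpd_tls_cert_file = /etc/postfix/server.crt
smtpd_tls_key_file  = /etc/postfix/server.key
# Digest used for relay_clientcerts lookups; set it explicitly, since the
# default is md5 on Postfix releases before 3.6.
smtpd_tls_fingerprint_digest = sha256
# Variant A: a handful of self-signed client certs, matched by fingerprint.
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
# Variant B: your own CA. Only this CA may be listed here, otherwise any
# certificate from a public CA would satisfy permit_tls_all_clientcerts.
#smtpd_tls_CAfile = /etc/postfix/client-ca.crt

# --- Postfix master.cf, submission entry ---
# Variant A (self-signed certs, fingerprint match). SASL is switched off on
# this port, so there is no password to brute-force; a client whose
# certificate is not in relay_clientcerts is rejected at RCPT TO.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_sasl_auth_enable=no
  -o smtpd_client_restrictions=permit_tls_clientcerts,reject
  -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
# Variant B (private CA). smtpd_tls_req_ccert accepts only certificates that
# verify against smtpd_tls_CAfile, so the TLS handshake itself is aborted for
# clients without a CA-issued certificate and AUTH is never reachable.
#  -o smtpd_tls_req_ccert=yes
#  -o smtpd_client_restrictions=permit_tls_all_clientcerts,reject
#  -o smtpd_relay_restrictions=permit_tls_all_clientcerts,reject

# --- /etc/postfix/relay_clientcerts (Variant A) ---
# Key: the certificate fingerprint as printed by
#   openssl x509 -in alice-laptop.crt -noout -fingerprint -sha256
# Value: free text, used only in the logs.
# Rebuild the map after every change:  postmap /etc/postfix/relay_clientcerts
# The fingerprint below is a constructed placeholder, not a real certificate.
#AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99  alice-laptop

# --- Dovecot (assumed IMAP server), conf.d/10-ssl.conf and 10-auth.conf ---
ssl = required
ssl_cert = </etc/dovecot/server.crt
ssl_key = </etc/dovecot/server.key
# Dovecot verifies client certificates against a CA only (there is no
# fingerprint map), so the IMAP side needs the private-CA variant.
ssl_ca = </etc/dovecot/client-ca.crt
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
# Dovecot also expects a CRL in ssl_ca by default; either publish one
# alongside the CA or switch the check off.
ssl_require_crl = no
```

Which variant to pick follows from the threat in the original question: with Variant A the brute-force surface disappears only because SASL is disabled on the submission port, since Postfix evaluates the fingerprint restriction at RCPT TO and an AUTH command issued before that would still reach the SASL backend. If some client must keep using a password, Variant B is the one that keeps the guessing attempts out, because the handshake fails before any SMTP command is accepted. In both cases check the result with `openssl s_client -starttls smtp -connect mail.example.org:587` once without a client certificate and once with `-cert`/`-key`, and confirm the first connection cannot relay.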