On Mon, Nov 29, 2010 at 08:53:43AM +0100, Mauro wrote:
> On 29 November 2010 01:56, Victor Duchovni
> <victor.ducho...@morganstanley.com> wrote:
> > On Sun, Nov 28, 2010 at 01:36:12PM -0700, ghe wrote:
> >
> >>> I run postfix and my mail clients use smtps so I was thinking I may as
> >>> well close port 25.  How can I do that?
> >>
> >> I'd use iptables or equivalent.
> >>
> >> I have my doubts about postfix itself because I think that'd be an RFC
> >> violation. So far...
> >
> > The above is nonsense. You don't have to accept traffic on port 25 of
> > an MTA that is not an MX host (or whose IP is the A record) for a domain
> > that needs to accept external email.
> 
> How can you know if the inbound mail is coming from an MX host?

Not "from", but "to". So if you have your MTA on an IP whose A record is not
pointed to by any MX record, and for sure, you don't want to accept mails for
the rcpt domain which is the A record either, then it's fine not to even
listen on tcp/25.  Emailing is not "compulsory", you can't be forced to
have an MTA in any way (otherwise even every webserver should accept
mails since they should be an A record at least).  For sure, the situation can
be a bit different if you want to send mails with a sender domain which is
the same one as your MTA, which is about to accept mails for that domain,
otherwise e.g. no postmaster mails can be sent, and so on, which is a problem.
Also it can be important to be able to reply to the sender's mails :) But
anyway, if you have only an MTA which is for sending only, it's fine
(as long as you handle the incoming mails for the domains you're sending with
somewhere else).  I think most companies have different MTAs for "accepting"
mails from the "outside" (called "MX servers" sometimes) and MTAs for
sending mails "to the outside", and those won't accept any tcp/25 connection
from outside, since that's the task of the MX servers, not theirs.
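
The check discussed in this thread, as an added example that is not part of the original messages: it parses a Postfix master.cf and reports public port-25 listeners on a host that no mail domain points at. The host names, the sample master.cf and the MX list are constructed, and the MX targets are supplied by the caller instead of being looked up in DNS. As an assumption, a domain that relies on its A record for mail is represented by listing that name in `mx_targets`.

```python
# Added example: find port-25 listeners a non-MX Postfix host does not need.
# All sample data is constructed; *.example.org names are placeholders.
PORT_NAMES = {"smtp": 25, "smtps": 465, "submissions": 465, "submission": 587}
LOOPBACK = {"127.0.0.1", "localhost", "[::1]", "::1"}

SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#submission inet n      -       n       -       -       smtpd
127.0.0.1:10025 inet n  -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
"""
SAMPLE_MX = ["mx1.example.org", "mx2.example.org"]  # assumed MX targets


def inet_listeners(master_cf):
    """Return (address, port, command) for each active 'inet' service."""
    found = []
    for line in master_cf.splitlines():
        # Skip blank lines, comments and "-o" continuation lines.
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet":
            continue
        # Service field is "port" or "address:port", e.g. "[::1]:25".
        addr, _, svc = fields[0].rpartition(":")
        port = int(svc) if svc.isdigit() else PORT_NAMES.get(svc)
        found.append((addr or "*", port, fields[7]))
    return found


def unneeded_port25(master_cf, hostname, mx_targets):
    """Public tcp/25 listeners on a host that is not an MX target."""
    names = {m.lower().rstrip(".") for m in mx_targets}
    if hostname.lower().rstrip(".") in names:
        return []  # this host receives external mail: tcp/25 must stay open
    return [(a, p, c) for a, p, c in inet_listeners(master_cf)
            if p == 25 and a not in LOOPBACK]


if __name__ == "__main__":
    for addr, port, cmd in unneeded_port25(SAMPLE_MASTER_CF,
                                           "relay.example.org", SAMPLE_MX):
        print(f"{addr}:{port} ({cmd}) can be closed: host is not an MX target")
```
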
