On 11/3/2011 9:28 AM, Simon Brereton wrote:
> So, these should be fine anywhere before
> reject_unauth_destination...
>
> reject_invalid_helo_hostname,
> reject_non_fqdn_helo_hostname,
> reject_unknown_helo_hostname,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
>
> If I put them above mynetworks it applies to my networks too, but
> doesn't make me an open relay. And if I put them above permit_sasl_auth
> then it applies to all connections
Yes to all the above, but note it's generally considered bad form to reject your own users (either mynetworks or authenticated) for any but the most egregious errors. Of course, you get to define what's egregious for you. Many mail clients present the user a "confusing" error when mail is rejected, triggering a support call, and it's unfriendly to make your own users jump through the same RFC-compliance hoops as a random possibly-hostile MTA.

> (but the HELO ones would likely
> knock out any road-warriors (but they should be using the submission
> port anyway, right)?

It doesn't make much sense for your system to present your users different behavior based on the port they connect to. I think putting additional restrictions on port 25 user submission just makes it harder for the end user without any benefit.

  -- Noel Jones
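The two orderings discussed in this exchange, written out as a Postfix main.cf fragment. This is an added illustration, not configuration posted by either participant; it assumes mynetworks and SASL authentication are already set up on the server, and it shows only the restriction list, nothing else from a real main.cf.

```ini
# Added example (not from the thread). Postfix smtpd_recipient_restrictions,
# two layouts of the same restriction names Simon listed.
#
# Postfix evaluates the list top to bottom and stops at the first
# permit/reject. In both layouts reject_unauth_destination comes before the
# final "permit", so neither layout is an open relay; the only difference is
# which clients the HELO/sender/recipient DNS checks are applied to.

# Layout A (what Noel recommends): clients in mynetworks and SASL-authenticated
# users hit a permit first and are never subjected to the checks below it.
# Everything else (random remote MTAs) must pass all of them.
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    permit

# Layout B (Simon's "above mynetworks" variant): the checks run before either
# permit, so a laptop on the LAN sending HELO "mypc" is rejected just like a
# remote host would be. Still not an open relay, because
# reject_unauth_destination is still reached before "permit".
# (Commented out: defining the parameter twice makes Postfix use the last one.)
#smtpd_recipient_restrictions =
#    reject_invalid_helo_hostname
#    reject_non_fqdn_helo_hostname
#    reject_unknown_helo_hostname
#    reject_unknown_sender_domain
#    reject_unknown_recipient_domain
#    permit_mynetworks
#    permit_sasl_authenticated
#    reject_unauth_destination
#    permit
```

One check worth doing before choosing Layout B: Postfix's defaults for unknown_helo_hostname_reject_code and unknown_address_reject_code are 450 (a temporary failure), so a user whose HELO or sender domain does not resolve sees a deferral and retries rather than a hard bounce; if you have raised those codes to 5xx, your own users will get the "confusing" permanent error Noel describes.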