On Fri, 30 Nov 2012, Robert Schetterer wrote:

On 30.11.2012 11:12, Tomas Macek wrote:
On Fri, 30 Nov 2012, lst_ho...@kwsoft.de wrote:


Quoting Tomas Macek <ma...@fortech.cz>:

I don't understand now how Postfix behaves when listening on
submission port 587.
Our mailserver is sometimes overloaded on port 25, so we want to use
postscreen. But I don't understand, how Postfix works when it's
stressed on port 587, when spammers connect to that opened port and
want to send their "emails". In document
http://www.postfix.org/STRESS_README.html there is:

NOTE: To avoid "overload" delays for end-user mail clients, enable
the "submission" service entry in master.cf (present since Postfix
2.1), and tell users to connect to this instead of the public SMTP
service.

Should this mean, that Postfix by default does not use counters like
smtpd_hard_error_limit, smtpd_junk_command_limit and maybe others on
submission port? On this port I would prefer using some kind of smtp
auth and this port should be world accessible to allow the clients
using other networks to authenticate and send emails.


Port 587 is by default nothing special for Postfix because it is
mostly a clone of the Port 25 service. The *intended* difference is
that Port 587 should only accept mail by authenticated users, so no
chance for spammers if they don't own valid credentials. To actually
see the difference between Port 25 and Port 587 settings you have to
compare the entries in master.cf.

Regards

Andreas


OK, so there is a chance for spammers to overload the server using
submission port 587 (the server says then "service "smtp" (25) has
reached its process limit "200"") by exhausting number of available
ports and the MUA clients then can have also problems to send their
emails? Am I right?
If I am, then I don't understand, why to split the processes into
submission 587 and normal 25, because if the MUA client send the mail
through 25 (hope with postscreen), there is a chance that the 25 is not
overloaded (because it uses postscreen) and he will be rather
able to send his email compared to 587.
Or I don't still understand something ... :-)

Andreas: sorry for my direct answer to you, my mistake

Tomas

You don't want to use postscreen with your valid users, therefore use the
submission port with auth and TLS for them; if there are problems with
limits, raise them, etc.

In general, whenever a port is publicly open, there is a chance to fire on
it; avoiding this is, i.e., a firewall job.

Best regards, Robert Schetterer

I cannot apply firewall rules on 587, because our clients travel with their notebooks and still want to send their emails through our mailserver.

Tomas
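
For comparing the two master.cf entries as suggested in the thread, here is a sketch of the split, added as an example and not taken from any poster's configuration. The maxproc column is per service entry, so port 587 gets its own process pool; all numeric values are constructed for illustration, and the per-client limits assume the anvil service is running.

```conf
# /etc/postfix/master.cf (illustrative fragment, values are assumptions)
#
# service    type  private unpriv  chroot  wakeup  maxproc command + args

# Port 25: postscreen fronts the public MX service and hands clients
# that pass its tests to the real smtpd through the "pass" service.
smtp         inet  n       -       n       -       1       postscreen
smtpd        pass  -       -       n       -       -       smtpd
dnsblog      unix  -       -       n       -       0       dnsblog
tlsproxy     unix  -       -       n       -       0       tlsproxy

# Port 587: separate smtpd pool (maxproc 50 here) for roaming users.
# Mail is accepted only over TLS and only after SASL authentication.
# The error, junk-command and per-client connection limits still apply
# on this port; they are tightened here instead of left at the defaults.
submission   inet  n       -       n       -       50      smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_hard_error_limit=5
  -o smtpd_junk_command_limit=10
  -o smtpd_client_connection_count_limit=10
  -o smtpd_client_connection_rate_limit=30
```

With syslog_name set, log lines for port 587 are tagged postfix/submission, which makes a process-limit warning on one service easy to tell apart from the other.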
