On Apr 13, 2013, at 15.48, Reindl Harald <h.rei...@thelounge.net> wrote:
> On 13.04.2013 21:42, b...@bitrate.net wrote:
>>
>> On Apr 13, 2013, at 15.33, Russell Jones <russ...@jonesmail.me> wrote:
>>
>>> Hi all,
>>>
>>> Upgrading mail server from Postfix 2.9 to 2.10. Could I get a quick sanity
>>> check to ensure my (fairly simple) setup is sane with the new
>>> smtpd_relay_restrictions? Thanks :-)
>>>
>>> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>>> reject_unauth_destination
>>> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
>>> check_client_access hash:/etc/postfix/rbl_override reject_rbl_client
>>> zen.spamhaus.org
>>
>> really, neither of permit_mynetworks nor permit_sasl_authenticated belong in
>> any global restrictions.
>> smtp auth [e.g. sasl] is for submission clients, which should be using
>> submission/587, and these days,
>
> fine - in the real life you start not from scratch

in the real world, both [and more] things happen.

> have fun calling hundreds and thousands of users especially with broken
> clients like an iPhone and explain them what to do to change the port

perhaps, perhaps not.

> in a perfect world i would even close port 25 from the WAN because
> the MX is a dedicated spam-firewall, but as said above this world
> exists mostly only if you are a startup with no existing customers

huh?

>> i really just discourage use of permit_mynetworks altogether
>
> if you are not stupid enough to add a /24 network there it is pretty fine
> you do not want to pass every internal server sending a system-message to
> check_recipient_access which may be a spam-filter

sorry, i have no idea what you're talking about.
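
The split argued for in the quoted reply (no permit_* rules in the global restrictions, authentication only on submission/587), written out as an added example that is not from any poster in this thread. It assumes every client, internal hosts included, submits on 587 with SASL authentication; the TLS and syslog_name settings are likewise assumptions, and hosts that today relay through port 25 via permit_mynetworks would be rejected by this layout.

```conf
# --- main.cf: applies to every smtpd unless master.cf overrides it ---
# Port 25 (MX traffic): AUTH is not offered and no client is exempted.
smtpd_sasl_auth_enable = no

# Relay policy (Postfix >= 2.10): accept mail only for destinations this
# server is responsible for.
smtpd_relay_restrictions = reject_unauth_destination

# Spam policy: local override table first, then the DNSBL.
# Continuation lines must begin with whitespace.
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/rbl_override
    reject_rbl_client zen.spamhaus.org

# --- master.cf: submission service on port 587 ---
# Authenticated users may relay; everything else is rejected.
# The empty smtpd_recipient_restrictions keeps authenticated clients
# (often on dynamic addresses) out of the DNSBL check above.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=
```

After editing, `postfix check` reports syntax problems and `postconf -n` prints the main.cf values actually in effect.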