My main restrictions in main.cf are (on macOS Server)

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_rbl_whitelist_clients,
    reject_rbl_client zen.spamhaus.org, permit
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname, permit
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    reject_unauth_pipelining
    reject_non_fqdn_recipient
    permit_mynetworks
    reject_unauth_destination
    reject_unlisted_recipient
    check_client_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients
    check_sender_access regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders
    check_policy_service unix:private/policy
    permit

RBL and greylisting help to filter out most spam attempts. I had to turn off greylisting for a few hours today, and a message came through that had both From: and To: set to my email address. This was accepted because I am the delivery agent for that domain. But an outside, non SASL-authenticated client that says it wants to deliver mail From my domain is illegal. Apparently, that one still gets through (though is generally blocked by greylisting).

Anyway, is there a way to block that without blocking legitimate mail?

Gerben Wierda
Chess and the Art of Enterprise Architecture <http://enterprisechess.com/>
Mastering ArchiMate <http://masteringarchimate.com/>
Architecture for Real Enterprises <https://www.infoworld.com/blog/architecture-for-real-enterprises/> at InfoWorld
On Slippery Ice <https://eapj.org/on-slippery-ice/> at EAPJ
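
Added example, not part of the original post: a log check for the case described above, a client that is neither SASL-authenticated nor in mynetworks but whose envelope sender is in a locally hosted domain. The domain example.org, the network list and the log lines are constructed assumptions; it matches the envelope sender that Postfix logs, not the From: header.

```python
import ipaddress
import re

# Constructed sample lines in Postfix syslog format (not taken from the post).
SAMPLE_LOG = """\
Jan 10 10:00:01 mx postfix/smtpd[411]: 4A1B2C3D4E: client=unknown[203.0.113.7]
Jan 10 10:00:01 mx postfix/qmgr[99]: 4A1B2C3D4E: from=<me@example.org>, size=1234, nrcpt=1 (queue active)
Jan 10 10:05:00 mx postfix/smtpd[420]: 5F6A7B8C9D: client=laptop.example.net[198.51.100.20], sasl_method=PLAIN, sasl_username=me
Jan 10 10:05:00 mx postfix/qmgr[99]: 5F6A7B8C9D: from=<me@example.org>, size=900, nrcpt=1 (queue active)
Jan 10 10:06:00 mx postfix/smtpd[421]: 6E7F8A9B0C: client=mail.example.com[192.0.2.5]
Jan 10 10:06:00 mx postfix/qmgr[99]: 6E7F8A9B0C: from=<bob@example.com>, size=700, nrcpt=1 (queue active)
Jan 10 10:07:00 mx postfix/smtpd[422]: 7D8E9F0A1B: client=localhost[127.0.0.1]
Jan 10 10:07:00 mx postfix/qmgr[99]: 7D8E9F0A1B: from=<me@example.org>, size=500, nrcpt=1 (queue active)
"""

# smtpd logs the connecting client (plus SASL details if any) per queue ID;
# qmgr logs the envelope sender for the same queue ID.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (\w+): client=\S*?\[([0-9A-Fa-f.:]+)\](.*)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")


def find_spoofed_senders(log_text, my_domains, my_networks):
    """Return (queue_id, client_ip, sender) for accepted mail that claims a
    local domain but came from an untrusted, unauthenticated client."""
    nets = [ipaddress.ip_network(n) for n in my_networks]
    clients = {}  # queue_id -> (client_ip, trusted)
    hits = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, ip, rest = m.groups()
            addr = ipaddress.ip_address(ip)
            trusted = "sasl_username=" in rest or any(addr in n for n in nets)
            clients[qid] = (ip, trusted)
            continue
        m = FROM_RE.search(line)
        if m and m.group(1) in clients:
            # pop() so a later requeue of the same message is not reported twice
            ip, trusted = clients.pop(m.group(1))
            sender = m.group(2)
            domain = sender.rpartition("@")[2].lower()
            if not trusted and domain in my_domains:
                hits.append((m.group(1), ip, sender))
    return hits


if __name__ == "__main__":
    for hit in find_spoofed_senders(SAMPLE_LOG, {"example.org"}, ["127.0.0.0/8"]):
        print("unauthenticated local-domain sender:", *hit)
```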