My main restrictions in main.cf are (on macOS Server)
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_client_access
regexp:/Library/Server/Mail/Config/postfix/rna_rbl_whitelist_clients,
reject_rbl_client zen.spamhaus.org,
permit
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
permit
smtpd_recipient_restrictions = permit_sasl_authenticated
reject_unauth_pipelining reject_non_fqdn_recipient permit_mynetworks
reject_unauth_destination reject_unlisted_recipient check_client_access
regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_clients
check_sender_access
regexp:/Library/Server/Mail/Config/postfix/rna_policy_whitelist_senders
check_policy_service unix:private/policy permit
Rbl and greylisting helps to filter out most spam attempts. I have to turn of
greylisting for a few hours today, and a message came through that had both
From: and To: set to my email address. This was accepted because I am the
delivery agent for that domain.
But an outside, non SASL-authenticated client that says it wants to deliver
mail From my domain is illegal. Apparently, that one still gets through (though
is generally blocked by greylisting). Anyway, is there a way to block that
without blocking legitimate mail?
Gerben Wierda
Chess and the Art of Enterprise Architecture <http://enterprisechess.com/>
Mastering ArchiMate <http://masteringarchimate.com/>
Architecture for Real Enterprises
<https://www.infoworld.com/blog/architecture-for-real-enterprises/> at InfoWorld
On Slippery Ice <https://eapj.org/on-slippery-ice/> at EAPJ
