This best matches my situation. I cannot guarantee that all of my "customers" can send mail authenticated and/or encrypted. I think I can trim down "mynetworks"
Thanks for the responses.

On 11/9/21, 12:00, "owner-postfix-us...@postfix.org on behalf of Jaroslaw Rafa" <owner-postfix-us...@postfix.org on behalf of r...@rafa.eu.org> wrote:

    On 9.11.2021 at 10:13:08, Bill Cole wrote:
    > NOTHING should be allowing SMTP relay based on IP
    > addresses in 2021, even inside RFC1918 networks. Anything sending
    > mail that can't do proper authentication at initial submission is
    > unfit for sending mail at all. Whatever legitimate mail actually
    > travels via your "relay" and then to "LOCAL_MDA" probably should be
    > skipping the relay altogether and talking directly to LOCAL_MDA with
    > authentication.

    That is a bit exaggerated IMHO. Think for example about various embedded
    devices sending alerts via e-mail, that are just not capable of
    authentication (nor often even encryption) and you can't do anything with
    it... Many of them are years old, but they still do their job well (their
    main job, sending mails is only one of their secondary functions and not
    the most important one) and there's no reason to replace them (or sometimes
    there isn't even anything to replace them with).

    The concept of trusted hosts/networks has a reason behind it and cannot be
    abandoned so simply...
    --
    Regards,
       Jaroslaw Rafa
       r...@rafa.eu.org
    --
    "In a million years, when kids go to school, they're gonna know: once there
    was a Hushpuppy, and she lived with her daddy in the Bathtub."
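One way to decide how far "mynetworks" can be trimmed, as an added example that is not part of the thread: list the clients that actually submit without SASL from inside the current trusted ranges, and turn them into host entries. The log lines are constructed, the function names are hypothetical, and the parser assumes Postfix's usual smtpd `client=` log line.

```python
import ipaddress
import re
from collections import Counter

# smtpd logs "QUEUEID: client=name[ip]" per accepted message; authenticated
# sessions carry ", sasl_method=..., sasl_username=..." after the address.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: \w+: client=\S*\[([0-9a-fA-F.:]+)\](.*)$")

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
Nov  9 10:01:02 relay postfix/smtpd[2101]: 4A1B2C3D4E: client=ups1.lan[192.168.10.21]
Nov  9 10:02:10 relay postfix/smtpd[2101]: 5B2C3D4E5F: client=ups1.lan[192.168.10.21]
Nov  9 10:03:44 relay postfix/smtpd[2177]: 6C3D4E5F60: client=nas.lan[192.168.10.40]
Nov  9 10:05:09 relay postfix/smtpd[2180]: 7D4E5F6071: client=pc7.lan[192.168.20.7], sasl_method=PLAIN, sasl_username=alice
Nov  9 10:06:30 relay postfix/smtpd[2180]: 8E5F607182: client=unknown[203.0.113.9]
"""


def unauthenticated_clients(log_text, mynetworks):
    """Count messages per client IP that arrived without SASL from inside
    the currently trusted networks (the hosts that depend on mynetworks)."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    seen = Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m or "sasl_username=" in m.group(2):
            continue  # not a client= line, or the session authenticated
        ip = ipaddress.ip_address(m.group(1))
        if any(ip in net for net in nets):
            seen[ip] += 1
    return seen


def proposed_mynetworks(log_text, mynetworks):
    """Host-sized entries (/32 or /128) for each such client, as candidates
    to review before replacing a broad range."""
    ips = sorted(unauthenticated_clients(log_text, mynetworks),
                 key=lambda ip: (ip.version, int(ip)))
    return [f"{ip}/{ip.max_prefixlen}" for ip in ips]


if __name__ == "__main__":
    for entry in proposed_mynetworks(SAMPLE_LOG, ["192.168.0.0/16"]):
        print(entry)
```

The result is only as complete as the log window it is run over, so a device that alerts rarely needs a long enough sample to show up.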