Excellent points. And thanks for the access list tip. I will lose the final reject from client and relay and exclude the MX servers from mynetworks.

Thanks.

On 5/17/22, 11:54, "owner-postfix-us...@postfix.org on behalf of Matus UHLAR - fantomas" <owner-postfix-us...@postfix.org on behalf of uh...@fantomas.sk> wrote:

>> > smtpd_client_restrictions =
>> you'll block incoming mail with last reject.
>
>This is right off of http://www.postfix.org/SMTPD_ACCESS_README.html#lists
>
>/etc/postfix/main.cf:
>    # Allow connections from trusted networks only.
>    smtpd_client_restrictions = permit_mynetworks, reject

On 17.05.22 15:46, White, Daniel E. (GSFC-770.0)[AEGIS] wrote:
>I only permit incoming mail from known, upstream relays which will be in "mynetworks"
>Do you still think I will block incoming ?

yes, unless you add upstream relay (e.g. your mx server) to mynetworks.
...don't add such servers to mynetworks.

>> > smtpd_sender_restrictions =
>> ... you couldn't even notify those clients if they used invalid senders.
>
>How would you suggest I notify them ?

don't - that's why I said it's okay.

>> > smtpd_relay_restrictions =
>> you reject receiving mail again with last reject, again.
>
>Again, I only permit incoming mail from known, upstream relays which will be in "mynetworks"
>Do you still think I will block incoming ?

the above still applies.

the second directive you have posted is enough to stop unauthorized relay (which is why smtpd_relay_restrictions was created).

while you can of course add upstream servers to mynetworks and make mail receiving work, it's a bad idea because this variable is used for outgoing mail.

if you need to block accepting mail from unauthorized IP addresses, I recommend doing it using access lists
http://www.postfix.org/access.5.html
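The two approaches discussed in the thread, side by side, as an added example (not the configuration of either poster): the weak variant puts the upstream MX hosts into mynetworks, which also grants them relay rights through permit_mynetworks in smtpd_relay_restrictions; the recommended variant keeps mynetworks at loopback and gates inbound clients with a cidr: access table instead. The addresses 198.51.100.10 and 192.0.2.0/24 are assumed documentation-range placeholders for the upstream relays.

```ini
# /etc/postfix/main.cf  (added example; 198.51.100.10 and 192.0.2.0/24 are assumed placeholders)

# --- Weak: upstream MX servers listed in mynetworks ---
# mynetworks is consulted for relay permission and for outgoing mail, so an
# upstream MX placed here may relay anywhere through this host.
#mynetworks = 127.0.0.0/8, [::1]/128, 198.51.100.10
#smtpd_client_restrictions = permit_mynetworks, reject

# --- Recommended: minimal mynetworks, inbound clients gated by an access list ---
mynetworks = 127.0.0.0/8, [::1]/128

# Only the relays listed in the cidr table may connect; every other client is
# rejected at connect time. Without the table, "permit_mynetworks, reject"
# would refuse all inbound mail because the MX hosts are no longer in mynetworks.
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/client_access.cidr,
    reject

# Relay control stays separate from client admission: loopback may relay,
# everyone else may only deliver to domains this host is the destination for.
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# /etc/postfix/client_access.cidr  (cidr tables are read directly; no postmap build step)
# Longest-match is not used: the first matching line wins, so list the
# permitted relays before the catch-all REJECT entries.
198.51.100.10/32    OK
192.0.2.0/24        OK
0.0.0.0/0           REJECT not an authorized upstream relay
::/0                REJECT not an authorized upstream relay
```

Check the table before reloading with `postmap -q 198.51.100.10 cidr:/etc/postfix/client_access.cidr`, which prints OK for a listed relay and the REJECT text for any other address.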