Excellent points.
And thanks for the access list tip.

I will lose the final reject from client and relay and exclude the MX servers 
from mynetworks.

Thanks.


On 5/17/22, 11:54, "owner-postfix-us...@postfix.org on behalf of Matus UHLAR - 
fantomas" <owner-postfix-us...@postfix.org on behalf of uh...@fantomas.sk> 
wrote:

    >> > smtpd_client_restrictions =
    >> you'll block incoming mail with last reject.
    >
    >This is right off of http://www.postfix.org/SMTPD_ACCESS_README.html#lists
    >
    >/etc/postfix/main.cf:
    >    # Allow connections from trusted networks only.
    >    smtpd_client_restrictions = permit_mynetworks, reject

    On 17.05.22 15:46, White, Daniel E. (GSFC-770.0)[AEGIS] wrote:
    >I only permit incoming mail from known, upstream relays which will be in "mynetworks"
    >Do you still think I will block incoming ?

    yes, unless you add upstream relay (e.g. your mx server) to mynetworks.
    ...don't add such servers to mynetworks.

    >> > smtpd_sender_restrictions =
    >> ... you couldn't even notify those clients if they used invalid senders.

    >How would you suggest I notify them ?

    don't - that's why I said it's okay.

    >> > smtpd_relay_restrictions =
    >> you reject receiving mail again with last reject, again.
    >
    >Again, I only permit incoming mail from known, upstream relays which will be in "mynetworks"
    >Do you still think I will block incoming ?

    the above still applies.
    the second directive you have posted is enough to stop unauthorized relay 
    (which is why smtpd_relay_restrictions was created).



    while you can of course add upstream servers to mynetworks and make mail 
    receiving work, it's a bad idea because this variable is used for outgoing 
    mail.

    if you need to block accepting mail from unauthorized IP address, I 
    recommend you doing it using access lists
    
    http://www.postfix.org/access.5.html
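
As an added illustration of the access-list approach recommended above (not part of the thread and not either poster's configuration): the fragment below keeps mynetworks for hosts allowed to send outbound mail and admits the upstream relays through a separate CIDR access table. The addresses and the file name upstream_relays.cidr are constructed placeholders.

```conf
# /etc/postfix/main.cf  (added example; addresses are documentation ranges)

# Before, as quoted in the thread: upstream relays had to be listed in
# mynetworks to get their mail accepted, but mynetworks is also used for
# outgoing mail.
#smtpd_client_restrictions = permit_mynetworks, reject

# After: mynetworks lists only hosts that may send outbound mail through us.
mynetworks = 127.0.0.0/8 [::1]/128 192.0.2.0/24

# Inbound clients are decided by a separate access table, not by mynetworks.
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/upstream_relays.cidr

# Relay control stays separate: only mynetworks may relay to other domains.
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# /etc/postfix/upstream_relays.cidr  (hypothetical file name)
# First match wins; cidr: tables are read directly, no postmap run needed.
198.51.100.10/32    OK
198.51.100.11/32    OK
0.0.0.0/0           REJECT Client is not an authorized upstream relay
::/0                REJECT Client is not an authorized upstream relay
```

Running `postmap -q 203.0.113.5 cidr:/etc/postfix/upstream_relays.cidr` shows which action a given client address would receive before Postfix is reloaded.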
