On Tue, Mar 28, 2023 at 08:42:42AM +0200, Mihaly Zachar via Postfix-users wrote:

> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient
>     reject_unknown_recipient_domain
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination

You don't need and generally don't want to apply:

    reject_unknown_recipient_domain

to inbound traffic on port 25.  A brief glitch in DNS resolution of your
domain will cause you to reject domains that you know to be yours.  And
outbound relaying of mail, via SASL or mynetworks, ... should if at all
possible be via ports 587 and/or 465.  Therefore:

    smtpd_recipient_restrictions =
        # Only if some internal trusted IPs can't use submission instead
        # SASL should always be over TLS on a submission port.
        # permit_mynetworks
        #
        reject_unauth_destination,
        #
        # You might also want an RBL, and a local DNS resolver!
        # Open public DNS resolvers are shunned by RBL services.
        #
        reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]


    # Used via master.cf overrides for the submission services.
    #
    submit_client_restrictions =
    submit_helo_restrictions =
    submit_sender_restrictions =
    submit_recipient_restrictions =
    submit_relay_restrictions =
        reject_plaintext_session,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject
    submit_data_restrictions =
    submit_end_of_data_restrictions =

-- 
    Viktor.
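
The master.cf side of the overrides mentioned in the message above, as an added example that is not part of the original post. The service names, the chroot column value, and the TLS/SASL `-o` settings are assumptions for a typical setup; the `submit_*` names are the ones defined in the main.cf fragment above.

```conf
# master.cf (added example, not from the original message)
#
# Port 587: STARTTLS is mandatory, SASL is offered only here, and every
# restriction list is replaced by its submit_* counterpart from main.cf,
# so the port-25 rules (RBL lookups etc.) do not apply to submission.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$submit_client_restrictions
  -o smtpd_helo_restrictions=$submit_helo_restrictions
  -o smtpd_sender_restrictions=$submit_sender_restrictions
  -o smtpd_recipient_restrictions=$submit_recipient_restrictions
  -o smtpd_relay_restrictions=$submit_relay_restrictions
  -o smtpd_data_restrictions=$submit_data_restrictions
  -o smtpd_end_of_data_restrictions=$submit_end_of_data_restrictions

# Port 465: same policy, but TLS starts immediately (wrapper mode).
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$submit_client_restrictions
  -o smtpd_helo_restrictions=$submit_helo_restrictions
  -o smtpd_sender_restrictions=$submit_sender_restrictions
  -o smtpd_recipient_restrictions=$submit_recipient_restrictions
  -o smtpd_relay_restrictions=$submit_relay_restrictions
  -o smtpd_data_restrictions=$submit_data_restrictions
  -o smtpd_end_of_data_restrictions=$submit_end_of_data_restrictions
```

After a reload, `postconf -P` lists the per-service overrides, which makes it easy to confirm that the port-25 `smtpd` service carries none of them.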