On Tue, 28 Mar 2023 at 18:15, Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:

> On Tue, Mar 28, 2023 at 08:42:42AM +0200, Mihaly Zachar via Postfix-users wrote:
>
> > smtpd_recipient_restrictions =
> >     reject_non_fqdn_recipient
> >     reject_unknown_recipient_domain
> >     permit_mynetworks
> >     permit_sasl_authenticated
> >     reject_unauth_destination
>
> You don't need and generally don't want to apply:
>
>     reject_unknown_recipient_domain
>
> to inbound traffic on port 25. A brief glitch in DNS resolution of your
> domain will cause you to reject domains that you know to be yours. And
> outbound relaying of mail, via SASL or mynetworks, ... should if at all
> possible be via ports 587 and/or 465. Therefore:
>
>     smtpd_recipient_restrictions =
>         # Only if some internal trusted IPs can't use submission instead
>         # SASL should always be over TLS on a submission port.
>         # permit_mynetworks
>         #
>         reject_unauth_destination,
>         #
>         # You might also want an RBL, and a local DNS resolver!
>         # Open public DNS resolvers are shunned by RBL services.
>         #
>         reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
>
>     # Used via master.cf overrides for the submission services.
>     #
>     submit_client_restrictions =
>     submit_helo_restrictions =
>     submit_sender_restrictions =
>     submit_recipient_restrictions =
>     submit_relay_restrictions =
>         reject_plaintext_session,
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject
>     submit_data_restrictions =
>     submit_end_of_data_restrictions =

Thank you very much!

Mitya
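
A small audit of a main.cf for the two port-25 points made in the reply above, as an added example that is not part of the original thread or of Postfix: it folds a multi-line restriction list the way main.cf does (comment lines inside the value are skipped, as in the quoted configuration) and flags the checks the reply moves off port 25. The function names and the sample input are assumptions constructed for illustration.

```python
import re

# Constructed sample: the port-25 list quoted at the top of the thread.
SAMPLE_MAIN_CF = """\
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    # a comment line inside a multi-line value is skipped
    reject_unknown_recipient_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
"""

def tokens(value):
    """Split a restriction list on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]

def parse_main_cf(text):
    """Return {parameter: [tokens]}, following main.cf line-folding rules."""
    params, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        # Blank lines and lines whose first non-blank character is '#'
        # are ignored, even in the middle of a continued value.
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace():
            # Leading whitespace continues the previous logical line.
            if current is not None:
                params[current] += tokens(stripped)
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = tokens(value)  # a later definition wins
    return params

def audit_port25(params):
    """Flag the port-25 points raised in the reply (hypothetical helper)."""
    rcpt = params.get("smtpd_recipient_restrictions", [])
    findings = []
    if "reject_unknown_recipient_domain" in rcpt:
        findings.append("reject_unknown_recipient_domain: a DNS glitch "
                        "would reject mail for your own domains")
    for name in ("permit_mynetworks", "permit_sasl_authenticated"):
        if name in rcpt:
            findings.append(name + ": relay clients should use "
                            "submission on 587/465 where possible")
    return findings

if __name__ == "__main__":
    for finding in audit_port25(parse_main_cf(SAMPLE_MAIN_CF)):
        print(finding)
```

Run against the list suggested in the reply, the audit returns no findings; the `permit_mynetworks` finding is advisory, since the reply allows it when internal trusted IPs cannot use submission.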