[pfx] Re: Access control review

2023-03-29 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 29, 2023 at 02:17:52PM +0200, Matus UHLAR - fantomas via 
Postfix-users wrote:

> On 28.03.23 12:15, Viktor Dukhovni via Postfix-users wrote:
> >You don't need and generally don't want to apply:
> >
> >reject_unknown_recipient_domain
> >
> >to inbound traffic on port 25.  A brief glitch in DNS resolution of your
> >domain will cause you to reject domains that you know to be yours.
> 
> Are you sure about this? I thought this only applies when the domain is 
> not local and docs indicate the same:
> 
> reject_unknown_recipient_domain
>  Reject the request when Postfix is not final destination for the
>  recipient domain, [...]

Looking more closely, the above is true: local, virtual alias and
virtual mailbox domains are automatically exempt.  Relay domains are
not, and could tempfail in error.

> It makes sense for 465/587, especially when sender is local/verified.

Yes, this can make sense for submission.

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Access control review

2023-03-29 Thread Matus UHLAR - fantomas via Postfix-users

On Tue, Mar 28, 2023 at 08:42:42AM +0200, Mihaly Zachar via Postfix-users wrote:

> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient
>     reject_unknown_recipient_domain
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination

On 28.03.23 12:15, Viktor Dukhovni via Postfix-users wrote:

> You don't need and generally don't want to apply:
>
>     reject_unknown_recipient_domain
>
> to inbound traffic on port 25.  A brief glitch in DNS resolution of your
> domain will cause you to reject domains that you know to be yours.

Are you sure about this? I thought this only applies when the domain is
not local and docs indicate the same:

    reject_unknown_recipient_domain
        Reject the request when Postfix is not final destination for the
        recipient domain,

It makes sense for 465/587, especially when sender is local/verified.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...


[pfx] Re: Access control review

2023-03-28 Thread Mihaly Zachar via Postfix-users
On Tue, 28 Mar 2023 at 18:15, Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

> On Tue, Mar 28, 2023 at 08:42:42AM +0200, Mihaly Zachar via Postfix-users
> wrote:
>
> > smtpd_recipient_restrictions =
> >     reject_non_fqdn_recipient
> >     reject_unknown_recipient_domain
> >     permit_mynetworks
> >     permit_sasl_authenticated
> >     reject_unauth_destination
>
> You don't need and generally don't want to apply:
>
> reject_unknown_recipient_domain
>
> to inbound traffic on port 25.  A brief glitch in DNS resolution of your
> domain will cause you to reject domains that you know to be yours.  And
> outbound relaying of mail, via SASL or mynetworks, ... should if at all
> possible be via ports 587 and/or 465.  Therefore:
>
> smtpd_recipient_restrictions =
>     # Only if some internal trusted IPs can't use submission instead
>     # SASL should always be over TLS on a submission port.
>     # permit_mynetworks
>     #
>     reject_unauth_destination,
>     #
>     # You might also want an RBL, and a local DNS resolver!
>     # Open public DNS resolvers are shunned by RBL services.
>     #
>     reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
>
>
> # Used via master.cf overrides for the submission services.
> #
> submit_client_restrictions =
> submit_helo_restrictions =
> submit_sender_restrictions =
> submit_recipient_restrictions =
> submit_relay_restrictions =
>     reject_plaintext_session,
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject
> submit_data_restrictions =
> submit_end_of_data_restrictions =
>
>
Thank you very much !
Mitya


[pfx] Re: Access control review

2023-03-28 Thread Viktor Dukhovni via Postfix-users
On Tue, Mar 28, 2023 at 08:42:42AM +0200, Mihaly Zachar via Postfix-users wrote:

> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient
>     reject_unknown_recipient_domain
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination

You don't need and generally don't want to apply:

reject_unknown_recipient_domain

to inbound traffic on port 25.  A brief glitch in DNS resolution of your
domain will cause you to reject domains that you know to be yours.  And
outbound relaying of mail, via SASL or mynetworks, ... should if at all
possible be via ports 587 and/or 465.  Therefore:

smtpd_recipient_restrictions =
    # Only if some internal trusted IPs can't use submission instead
    # SASL should always be over TLS on a submission port.
    # permit_mynetworks
    #
    reject_unauth_destination,
    #
    # You might also want an RBL, and a local DNS resolver!
    # Open public DNS resolvers are shunned by RBL services.
    #
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]


# Used via master.cf overrides for the submission services.
#
submit_client_restrictions =
submit_helo_restrictions =
submit_sender_restrictions =
submit_recipient_restrictions =
submit_relay_restrictions =
    reject_plaintext_session,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject
submit_data_restrictions =
submit_end_of_data_restrictions =

-- 
Viktor.
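The master.cf side of the layout above ("used via master.cf overrides for the submission services") is not shown in the thread. The fragment below is an added example, not from the post or from the Postfix distribution; it assumes the service names submission and smtps, and the syslog_name, TLS and SASL settings are additions the post does not mention.

```conf
# master.cf fragment (added example, not from the thread): wires the
# submit_* parameters from the main.cf above into the two submission
# services.  Each "-o" line overrides main.cf for that service only.
# Assumed, not taken from the post: the syslog_name values, the TLS
# settings, and smtpd_sasl_auth_enable=yes (permit_sasl_authenticated
# only matches when SASL is enabled on the service).
#
# service   type  private unpriv  chroot  wakeup  maxproc command
submission  inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$submit_client_restrictions
  -o smtpd_helo_restrictions=$submit_helo_restrictions
  -o smtpd_sender_restrictions=$submit_sender_restrictions
  -o smtpd_recipient_restrictions=$submit_recipient_restrictions
  -o smtpd_relay_restrictions=$submit_relay_restrictions
  -o smtpd_data_restrictions=$submit_data_restrictions
  -o smtpd_end_of_data_restrictions=$submit_end_of_data_restrictions
smtps       inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$submit_client_restrictions
  -o smtpd_helo_restrictions=$submit_helo_restrictions
  -o smtpd_sender_restrictions=$submit_sender_restrictions
  -o smtpd_recipient_restrictions=$submit_recipient_restrictions
  -o smtpd_relay_restrictions=$submit_relay_restrictions
  -o smtpd_data_restrictions=$submit_data_restrictions
  -o smtpd_end_of_data_restrictions=$submit_end_of_data_restrictions
```

With this in place, the port 25 service keeps only reject_unauth_destination and the RBL check from main.cf, while relaying is possible solely on 587/465 where reject_plaintext_session and permit_sasl_authenticated apply.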