Closing port 25

2010-11-28 Thread Grant
I run postfix and my mail clients use smtps so I was thinking I may as
well close port 25.  How can I do that?

- Grant


Re: Closing port 25

2010-11-28 Thread Victor Duchovni
On Sun, Nov 28, 2010 at 12:22:08PM -0800, Grant wrote:

> I run postfix and my mail clients use smtps so I was thinking I may as
> well close port 25.  How can I do that?

See the description of the "Service type": inet

http://www.postfix.org/master.5.html

-- 
Viktor.


Re: Closing port 25

2010-11-28 Thread ghe

On 11/28/10 1:22 PM, Grant wrote:

> I run postfix and my mail clients use smtps so I was thinking I may as
> well close port 25.  How can I do that?

I'd use iptables or equivalent.

I have my doubts about postfix itself because I think that'd be an RFC
violation. So far...

OTOH, you are liable to get a lot of traffic on port 25 that you don't
want to miss. You might not really want to close it.

--
Glenn English
g...@slsware.com



Re: Closing port 25

2010-11-28 Thread Grant
>> I run postfix and my mail clients use smtps so I was thinking I may as
>> well close port 25.  How can I do that?
>
> See the description of the "Service type": inet
>
>    http://www.postfix.org/master.5.html

Thanks Viktor.  I commented the following in master.cf:

smtp  inet  n   -   n   -   -   smtpd

and restarted postfix and port 25 is closed.

- Grant


Re: Closing port 25

2010-11-28 Thread Grant
>> I run postfix and my mail clients use smtps so I was thinking I may as
>> well close port 25.  How can I do that?
>
> I'd use iptables or equivalent.
>
> I have my doubts about postfix itself because I think that'd be an RFC
> violation. So far...

Could you elaborate on that a bit?  I'm not sure what you mean.

> OTOH, you are liable to get a lot of traffic on port 25 that you don't want
> to miss. You might not really want to close it.

I thought postfix's smtp/smtps is only used for mail transmission for
my mail clients?

- Grant


Re: Closing port 25

2010-11-28 Thread mouss

On 28/11/2010 21:38, Grant wrote:

>>> I run postfix and my mail clients use smtps so I was thinking I may as
>>> well close port 25.  How can I do that?
>>
>> See the description of the "Service type": inet
>>
>>    http://www.postfix.org/master.5.html
>
> Thanks Viktor.  I commented the following in master.cf:
>
> smtp  inet  n   -   n   -   -   smtpd
>
> and restarted postfix and port 25 is closed.

This is ok for an "outbound" only server (only your users can use it
to send mail).

if you also need "inbound" mail (external users to send to your server),
then you must keep port 25 open.




Re: Closing port 25

2010-11-28 Thread Grant
>>>> I run postfix and my mail clients use smtps so I was thinking I may as
>>>> well close port 25.  How can I do that?
>>>
>>> See the description of the "Service type": inet
>>>
>>>    http://www.postfix.org/master.5.html
>>
>> Thanks Viktor.  I commented the following in master.cf:
>>
>> smtp      inet  n       -       n       -       -       smtpd
>>
>> and restarted postfix and port 25 is closed.
>>
>
>
> This is ok for an "outbound" only server (only your users can use it to
> send mail).
>
> if you also need "inbound" mail (external users to send to your server),
> then you must keep port 25 open.

Thank you.  I do need to receive mail on the server too so I'll keep
port 25 open.

- Grant


Re: Closing port 25

2010-11-28 Thread Mauro
On 28 November 2010 21:58, mouss wrote:
> On 28/11/2010 21:38, Grant wrote:
>
>>>> I run postfix and my mail clients use smtps so I was thinking I may as
>>>> well close port 25.  How can I do that?
>>>
>>> See the description of the "Service type": inet
>>>
>>>    http://www.postfix.org/master.5.html
>>
>> Thanks Viktor.  I commented the following in master.cf:
>>
>> smtp      inet  n       -       n       -       -       smtpd
>>
>> and restarted postfix and port 25 is closed.
>>
>
>
> This is ok for an "outbound" only server (only your users can use it to
> send mail).
>
> if you also need "inbound" mail (external users to send to your server),
> then you must keep port 25 open.

Yes it is.
You must keep open port 25 for inbound mail so you can close port 25
only for outbound using a firewall like iptables.


Re: Closing port 25

2010-11-28 Thread ghe

On 11/28/10 1:43 PM, Grant wrote:

>> I have my doubts about postfix itself because I think that'd be an RFC
>> violation. So far...
>
> Could you elaborate on that a bit?  I'm not sure what you mean.

See Mouss' reply for a non-newbie response :-)

Postfix is very good about obeying the 'rules'. And AFAIK, port 25 is
one of the rules. Again, see Mouss for a better explanation.

I've got some hand built spam filtering in my firewall -- to catch stuff
that gets through Postfix. That's what I was trying to suggest.


--
Glenn English
g...@slsware.com



Re: Closing port 25

2010-11-28 Thread Grant
>>> I have my doubts about postfix itself because I think that'd be an RFC
>>> violation. So far...
>>
>> Could you elaborate on that a bit?  I'm not sure what you mean.
>
> See Mouss' reply for a non-newbie response :-)
>
> Postfix is very good about obeying the 'rules'. And AFAIK, port 25 is one of
> the rules. Again, see Mouss for a better explanation.
>
> I've got some hand built spam filtering in my firewall -- to catch stuff
> that gets through Postfix. That's what I was trying to suggest.

Great stuff guys, thanks a lot.

- Grant


Re: Closing port 25

2010-11-28 Thread Victor Duchovni
On Sun, Nov 28, 2010 at 01:36:12PM -0700, ghe wrote:

>> I run postfix and my mail clients use smtps so I was thinking I may as
>> well close port 25.  How can I do that?
>
> I'd use iptables or equivalent.
>
> I have my doubts about postfix itself because I think that'd be an RFC 
> violation. So far...

The above is nonsense. You don't have to accept traffic on port 25 of
an MTA that is not an MX host (or whose IP is the A record) for a domain
that needs to accept external email.

-- 
Viktor.


Re: Closing port 25

2010-11-28 Thread Mauro
On 29 November 2010 01:56, Victor Duchovni wrote:
> On Sun, Nov 28, 2010 at 01:36:12PM -0700, ghe wrote:
>
>>> I run postfix and my mail clients use smtps so I was thinking I may as
>>> well close port 25.  How can I do that?
>>
>> I'd use iptables or equivalent.
>>
>> I have my doubts about postfix itself because I think that'd be an RFC
>> violation. So far...
>
> The above is nonsense. You don't have to accept traffic on port 25 of
> an MTA that is not an MX host (or whose IP is the A record) for a domain
> that needs to accept external email.

How can you know if the inbound mail is coming from an MX host?


Re: Closing port 25

2010-11-29 Thread Gábor Lénárt
On Mon, Nov 29, 2010 at 08:53:43AM +0100, Mauro wrote:
> On 29 November 2010 01:56, Victor Duchovni wrote:
> > On Sun, Nov 28, 2010 at 01:36:12PM -0700, ghe wrote:
> >
> >>> I run postfix and my mail clients use smtps so I was thinking I may as
> >>> well close port 25.  How can I do that?
> >>
> >> I'd use iptables or equivalent.
> >>
> >> I have my doubts about postfix itself because I think that'd be an RFC
> >> violation. So far...
> >
> > The above is nonsense. You don't have to accept traffic on port 25 of
> > an MTA that is not an MX host (or whose IP is the A record) for a domain
> > that needs to accept external email.
> 
> How can you know if the inbound mail is coming from an MX host?

Not "from", but "to". So if you have your MTA on an IP whose A record is not
pointed by any MX record, and for sure, you don't want to accept mails for
the rcpt domain either which is the A record, then it's fine not to even
listen on tcp/25.  Emailing is not "compulsory", you can't be forced that
you have an MTA in any way (otherwise even every webserver should accept
mails since they should be an A record at least).  For sure, situation can
be a bit different if you want to send mails with sender domains which is
the same one with your MTA which is about to accept mails for that domain,
otherwise eg no postmaster mails can be sent, and so on which is a problem. 
Also it can be important to be able to reply for the sender's mails :) But
anyway, if you have only an MTA, which is about sending only, it's fine
(till you handle the incoming mails for the domains you're sending with
somewhere else).  I think most companies have different MTAs for "accepting"
mails from the "outside" (called "MX servers" sometimes) and MTAs for
sending mails "to the outside" and those won't accept any tcp/25 connection
from outside, since that's the task of the MX servers not theirs.
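
The check discussed in this thread (disable the "smtp inet" line in master.cf only on a host that no MX record points to), as an added example that is not part of any poster's message. The master.cf content, host names and MX lists are constructed, and the PORTS table is an assumption about the usual /etc/services names.

```python
# Constructed master.cf for illustration; not taken from any poster's server.
SAMPLE_MASTER_CF = """\
#smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
"""

# Usual /etc/services names for the mail ports (assumed; check your system).
PORTS = {"smtp": 25, "smtps": 465, "submissions": 465, "submission": 587}

def logical_lines(text):
    """Join continuation lines; drop blank lines and comments (master(5) rules)."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace() and out:   # leading whitespace continues a line
            out[-1] += " " + stripped
        else:
            out.append(stripped)
    return out

def inet_listeners(text):
    """Return (host, port, command) for every enabled 'inet' service."""
    found = []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet":
            continue
        host, _, port = fields[0].rpartition(":")   # "port" or "host:port"
        host = host.strip("[]") or "*"
        port = int(port) if port.isdigit() else PORTS.get(port, port)
        found.append((host, port, fields[7]))
    return found

def port25_problem(text, hostname, mx_targets):
    """Describe a mismatch between MX role and the port 25 listener, or None."""
    loopback = ("127.0.0.1", "::1", "localhost")
    public25 = any(p == 25 and h not in loopback for h, p, _ in inet_listeners(text))
    # mx_targets: hosts the domain's MX records name (hypothetical input).
    is_mx = hostname.lower().rstrip(".") in {m.lower().rstrip(".") for m in mx_targets}
    if is_mx and not public25:
        return "host is an MX target but nothing listens on port 25"
    if public25 and not is_mx:
        return "port 25 is open although no MX record points here"
    return None
```
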


Re: Closing port 25

2010-11-29 Thread mouss

On 29/11/2010 08:53, Mauro wrote:

> On 29 November 2010 01:56, Victor Duchovni wrote:
>
>> On Sun, Nov 28, 2010 at 01:36:12PM -0700, ghe wrote:
>>
>>>> I run postfix and my mail clients use smtps so I was thinking I may as
>>>> well close port 25.  How can I do that?
>>>
>>> I'd use iptables or equivalent.
>>>
>>> I have my doubts about postfix itself because I think that'd be an RFC
>>> violation. So far...
>>
>> The above is nonsense. You don't have to accept traffic on port 25 of
>> an MTA that is not an MX host (or whose IP is the A record) for a domain
>> that needs to accept external email.
>
> How can you know if the inbound mail is coming from an MX host?

Your server is the MX host. inbound mail comes from anywhere (well,
almost...).

there's nothing to do about this. it's how it works!

if you open a shop for people to come and buy things, then you'll need
to have at least one open door, and people will come in via that door(s).

so focus on blocking spam using the well known and proven techniques...