From: MacShane, Tracy (no email)
Date: Mon Mar 16 2009 - 21:14:00 EDT
> -----Original Message-----
> From:
> [mailto:] On Behalf Of Alberto Lepe
> Sent: Monday, 16 March 2009 4:18 PM
> To:
> Subject: Too strict?
>
> Hello, and thank you in advance for your time!
>
> I have been setting up a mail server for more than a week
> and after reading several posts/articles and some pages of
> the Postfix manual, I'm a little confused about how to set up
> the security.
> The mail server is outside my LAN and it will be used to
> serve some domains, with maybe 10 users per domain.
>
> This is my main.cf (restrictions):
>
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_recipient_restrictions =
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     permit_mynetworks,
>     permit_sasl_authenticated,
> #   reject_unknown_sender_domain,
> #   reject_unknown_recipient_domain,
>     reject_unauth_destination,
>     reject_invalid_helo_hostname,
>     reject_unlisted_recipient,
>     reject_unlisted_sender,
>     reject_invalid_hostname,
> #   reject_non_fqdn_hostname,
> #   reject_unknown_client_hostname,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client bl.spamcop.net,
>     permit
>
Leaving aside the other comments people have made, I have
reject_unknown_sender_domain (AFTER reject_unauth_destination) and
reject_non_fqdn_hostname configured. The latter check in particular
rejects thousands of connections a day so I don't have to keep hitting
the Zen lookups. No FPs that I've ever been made aware of.
reject_unlisted_recipient is redundant, since it's "yes" by default (but
no harm leaving it in).
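
An added example, not part of either message and not Postfix code: a small linter that parses the posted restriction list and checks the two ordering points made in the reply above. The function names are hypothetical, and reject_non_fqdn_helo_hostname (the later Postfix name for reject_non_fqdn_hostname) does not appear in the thread.

```python
# Constructed input: the posted restriction list, abridged and re-indented.
POSTED = """\
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    permit_mynetworks,
    permit_sasl_authenticated,
#   reject_unknown_sender_domain,
    reject_unauth_destination,
    reject_unlisted_recipient,
#   reject_non_fqdn_hostname,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    permit
"""
# Second name: the later Postfix spelling of the same check (not in the thread).
HELO_FQDN = ("reject_non_fqdn_hostname", "reject_non_fqdn_helo_hostname")

def active_restrictions(main_cf, param="smtpd_recipient_restrictions"):
    """Return the enabled restriction names of `param`, in evaluation order."""
    names, inside = [], False
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                  # blank/comment lines do not end a value
        if line[0].isspace():         # continuation line of the current parameter
            value = line
        else:                         # a new "name = value" line
            name, _, value = line.partition("=")
            inside = name.strip() == param
        if inside:
            names += [e.split()[0] for e in value.split(",") if e.strip()]
    return names

def lint_order(main_cf):
    """Check the reply's two ordering points; return a list of findings."""
    pos = {}
    for i, name in enumerate(active_restrictions(main_cf)):
        pos.setdefault(name, i)       # remember the first occurrence only
    findings = []
    relay, sender = pos.get("reject_unauth_destination"), pos.get("reject_unknown_sender_domain")
    if sender is None:
        findings.append("reject_unknown_sender_domain is not enabled")
    elif relay is None or sender < relay:
        findings.append("reject_unknown_sender_domain is not after reject_unauth_destination")
    helo = min((pos[n] for n in HELO_FQDN if n in pos), default=None)
    rbl = pos.get("reject_rbl_client")
    if rbl is not None and (helo is None or helo > rbl):
        findings.append("no FQDN HELO check before the first reject_rbl_client")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_order(POSTED)))
```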