On 20.01.2012 11:55, Charles Marcus wrote:
>> why are you not only opening from the allowed addresses in
>> the packet-filter (iptables)? so you have no log-entries
>> from spammers all over the world and any protection should
>> generally happen as wide as possible before the service
>
> I agree wholeheartedly and I do this as well, but I also believe in multi-layered
> security, so I would *definitely* also lock it down in postfix as above as well...
I normally do too.
If you have no MX records pointing to your machine because they all
point to the spam firewall, you do not get many attempts to deliver mail
directly to it, and those are burned down with greylisting/RBL.
We have our own spam firewall in front and only one domain points
with MX directly to the mailserver; well, I see no other delivery
attempts and they are mostly killed because of EHLO checks.
I would put the spam firewalls in "mynetworks", lock down
the machine with iptables, and in case something goes
wrong with iptables the settings below eat spam:
smtpd_helo_restrictions = permit_mynetworks
    permit_sasl_authenticated
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks
    ....... YOUR-SETTINGS ............
    reject_invalid_hostname
    reject_unknown_reverse_client_hostname
    reject_unauth_pipelining
    reject_rbl_client dnsbl-1.uceprotect.net
    check_policy_service unix:/var/spool/postfix/postgrey/socket
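As an added illustration of how the smtpd_helo_restrictions list above is evaluated (this is example code, not part of the post and not Postfix's own implementation): the restrictions are walked in order, permit_mynetworks short-circuits everything for the trusted spam firewalls, and each reject_* entry is a simplified model of the documented check. The network ranges, the set of "resolvable" names standing in for DNS, and the label-syntax rule are constructed assumptions.

```python
import ipaddress
import re

# Constructed stand-ins (assumptions, not taken from the post): the networks of
# the spam firewalls that go into "mynetworks", and a fixed set of names that
# "resolve", replacing the DNS lookup reject_unknown_helo_hostname performs.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
KNOWN_HOSTS = {"mail.example.com", "mx1.example.net"}

# Simplified label syntax: letters and digits at the ends, '-' and '_' inside.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9_-]*[A-Za-z0-9])?$")


def is_valid_hostname(name):
    """Syntax check modelled on the documented reject_invalid_helo_hostname rule."""
    if not name or len(name) > 255:
        return False
    return all(len(label) <= 63 and LABEL_RE.match(label)
               for label in name.split("."))


def is_address_literal(name):
    """True for a well-formed HELO address literal such as [203.0.113.5] or [IPv6:...]."""
    if not (name.startswith("[") and name.endswith("]")):
        return False
    inner = name[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        ipaddress.ip_address(inner)
        return True
    except ValueError:
        return False


def evaluate_helo(client_ip, helo, mynetworks=MYNETWORKS, known_hosts=KNOWN_HOSTS):
    """Walk the posted smtpd_helo_restrictions in order and return
    (action, restriction) for the first entry that fires."""
    ip = ipaddress.ip_address(client_ip)
    # permit_mynetworks: a trusted spam firewall skips every check below.
    if any(ip in net for net in mynetworks):
        return ("permit", "permit_mynetworks")
    # permit_sasl_authenticated is not modelled: no authentication here.
    # reject_non_fqdn_helo_hostname: valid syntax containing a dot, or a literal.
    if helo.startswith("["):
        fqdn_ok = is_address_literal(helo)
    else:
        fqdn_ok = is_valid_hostname(helo) and "." in helo
    if not fqdn_ok:
        return ("reject", "reject_non_fqdn_helo_hostname")
    # reject_invalid_helo_hostname: malformed name. In this model the FQDN check
    # above already required valid syntax, so this only fires if listed first.
    if not (is_address_literal(helo) or is_valid_hostname(helo)):
        return ("reject", "reject_invalid_helo_hostname")
    # reject_unknown_helo_hostname: no A/MX record. Literals are not looked up
    # (assumption of this model); KNOWN_HOSTS stands in for DNS.
    if not helo.startswith("[") and helo.lower() not in known_hosts:
        return ("reject", "reject_unknown_helo_hostname")
    return ("dunno", "end of list")


if __name__ == "__main__":
    for client, helo in [("192.0.2.10", "junk"),
                         ("203.0.113.5", "localhost"),
                         ("203.0.113.5", "mail.example.com"),
                         ("203.0.113.5", "mx.nosuchdomain.invalid")]:
        print(client, helo, "->", evaluate_helo(client, helo))
```

The order matters: a name like "localhost" is stopped by the FQDN check before any DNS query is made, which is why the cheap syntax checks sit in front of reject_unknown_helo_hostname, and why a host in mynetworks never sees any of them.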