Paralife asked:
I would like to host mail services for some domains. I have successfully set up postfix to consult sql for those virtual domains. What I would like to do is:

For connections on 25:
- Deny relaying (only deliver to recipients of my virtual domains)
- Leave tls optional, but offer auth only if client does tls
- Accept only non-blacklisted clients (e.g. restrict XBL+SBL+PBL from spamhaus) or clients that do tls and auth ("friend mail servers" that are set up to authenticate with me with auth and tls)

For connections on 587:
- Enforce tls and auth
- Permit relaying.
- Accept only non-blacklisted clients (blacklists like above but leave out PBL checking)
My Questions:

A. I know of the postfix options for the above, but I can't find how to differentiate them based on the listening port.

B. Will I run into widely known problems with supposedly legit clients with the above policy?

I am new to mail server setup, sorry for any meaningless question/assumption (please point it out). Thanks.
My answer:
That's easy.

In /etc/postfix/main.cf you will add/change:

    smtpd_tls_security_level=may

so that by default TLS is available (but optional).

Then, in your /etc/postfix/master.cf you will override it for port 587 (the submission port) by overriding the parameter:

    submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt

This requires TLS for all submission (port 587) connections.

As for denying relaying, this is the default; relaying is allowed only for authenticated users, and IP addresses you specify in mynetworks.

Finally you can add blacklists in main.cf by appending to smtpd_recipient_restrictions:

    reject_rbl_client zen.spamhaus.org,

or whatever blacklists you wish. These should appear near the end of the list, just before the final permit.
One last thing. For more ideas on how to prevent spam, see Fighting Spam – What can I do as an: Email Administrator, Domain Owner, or User?
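The per-port split from the answer above, written out as an added example (not taken from the original post): the port 25 policy is the main.cf default, the port 587 policy is a second main.cf parameter that master.cf hands to the submission service with -o. The parameter name submission_recipient_restrictions is invented for this example; every other setting is a standard Postfix parameter, and the Spamhaus zones are the ones Spamhaus publishes (zen = SBL+XBL+PBL, sbl-xbl leaves out the PBL).

```conf
# --- /etc/postfix/main.cf ---
# Port 25 (the "smtp" service) inherits these defaults.
# Postfix does not allow trailing comments on a value line, so comments stand alone.
smtpd_tls_security_level = may
# Advertise AUTH only once the client has started TLS.
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes

# Port 25: authenticated "friend" servers are permitted before the RBL lookup,
# so a listed IP that authenticates over TLS still gets through; relaying for
# everyone else is refused by reject_unauth_destination.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    permit

# Port 587: blacklist check first (without the PBL), then only authenticated
# clients may continue. Name invented for this example.
submission_recipient_restrictions =
    reject_rbl_client sbl-xbl.spamhaus.org,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject

# --- /etc/postfix/master.cf ---
# A -o value must not contain whitespace, so the list above is referenced
# through $submission_recipient_restrictions instead of being written inline.
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
```

After editing, `postconf -n` and `postconf -M submission` show the effective values, and the syslog_name override makes port 587 sessions easy to tell apart from port 25 in the mail log.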
View the full question and any other answers on Server Fault.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.