
Re: How to setup postfix to have port 25 for receive only


Daniel L'Hommedieu

Jul 27, 2009, 8:32:53 AM
On Jul 27, 2009, at 5:08, Magnus Bäck wrote:
> On Monday, July 27, 2009 at 10:56 CEST,
> Zbyszek <zbi...@o2.pl> wrote:
>
>> I googled everywhere, read how-tos but can not find solution for
>> simple problem in postfix:
>> I would like to have such config:
>> - smtp 25/tcp; only server-server communication, only
>> mail receive for local domain, no relay, no send, encryption optional,
>> SPF, blocking 'servers' having ppp, adsl , dialup in domain name. No
>> auth because real remote servers always do not know credentials.
>> - submission 587/tcp;only send; encryption required; client->server
>> - smtps SSL 465/tcp;only send; encryption required; client->server
>> My problem is:
>> I do not know how to:
>> -make postfix only receive mail on port 25 only for local domain.
>
> smtpd_recipient_restrictions = reject_unauth_destination
>
>> -block incoming mail from domains containing ppp, dialup or adsl
>> string in domain name.
>
> I don't think that's a terribly good idea, but anyway:
>
> main.cf:
> smtpd_client_restrictions = check_client_access pcre:/path/to/file
>
> /path/to/file:
> /(ppp|dialup|adsl)/ REJECT
>
> You can move the check_client_access restriction to any other
> smtpd_xxx_restrictions if you want. You probably want to implement a
> stricter regexp to avoid collateral damage. Stricter expressions have
> been posted here in the past. Finally, this assumes that your Postfix
> has PCRE support. If not, replace `pcre' with `regexp'.

Magnus,

I can see why he would want to do that - 99% of the spam I get is from
US-based cable modem- and DSL-hosted systems. My host - earthlink -
recently reconfigured their routers to disallow outbound email that
doesn't go through their servers, and I wish all ISPs would do that.

Thanks for telling us how to do this - I'm going to configure it and
try it out.

Daniel

Jon

Jul 27, 2009, 12:22:13 PM

>
> I can see why he would want to do that - 99% of the spam I get is from
> US-based cable modem- and DSL-hosted systems. My host - earthlink -
> recently reconfigured their routers to disallow outbound email that
> doesn't go through their servers, and I wish all ISPs would do that.
>

Perhaps . . . but I've been getting relayed spam through XO's legitimate
SMTP servers for a few years now. Using the ISP doesn't exactly solve
or possibly even reduce the problem.

Scott Haneda

Jul 27, 2009, 5:29:38 PM
>> I don't think that's a terribly good idea, but anyway:
>>
>> main.cf:
>> smtpd_client_restrictions = check_client_access pcre:/path/to/file

>>
>> /path/to/file:
>> /(ppp|dialup|adsl)/ REJECT
>>
>> You can move the check_client_access restriction to any other
>> smtpd_xxx_restrictions if you want. You probably want to implement a
>> stricter regexp to avoid collateral damage. Stricter expressions have
>> been posted here in the past. Finally, this assumes that your Postfix
>> has PCRE support. If not, replace `pcre' with `regexp'.
>
> Magnus,
>
> I can see why he would want to do that - 99% of the spam I get is
> from US-based cable modem- and DSL-hosted systems. My host -
> earthlink - recently reconfigured their routers to disallow outbound
> email that doesn't go through their servers, and I wish all ISPs
> would do that.
>
> Thanks for telling us how to do this - I'm going to configure it and
> try it out.


Wouldn't using a Dial-up and Dynamic Black List catch these, and do so
with greater accuracy since most of them delist those that were listed
in error? Add in score based analytics on the BL's and it seems you
could be more aggressive, with a lot less risk.

I personally find greylisting catches the lion's share of the dialup
and dynamic ranges at this time, though I am not sure how much longer
that tactic is going to work so well.
--
Scott * If you contact me off list replace talklists@ with scott@ *

Zbyszek

Jul 28, 2009, 3:33:43 AM
Magnus Bäck wrote:

> On Monday, July 27, 2009 at 10:56 CEST,
> Zbyszek <zbi...@o2.pl> wrote:
>
>
>> I googled everywhere, read how-tos but can not find solution for
>> simple problem in postfix:
>> I would like to have such config:
>> - smtp 25/tcp; only server-server communication, only
>> mail receive for local domain, no relay, no send, encryption optional,

>> SPF, blocking 'servers' having ppp, adsl , dialup in domain name. No
>> auth because real remote servers always do not know credentials.
>> - submission 587/tcp;only send; encryption required; client->server

>> - smtps SSL 465/tcp;only send; encryption required; client->server
>> My problem is:
>> I do not know how to:
>> -make postfix only receive mail on port 25 only for local domain.
>>
>
> smtpd_recipient_restrictions = reject_unauth_destination

>
>
>> -block incoming mail from domains containing ppp, dialup or adsl
>> string in domain name.
>>
>
> I don't think that's a terribly good idea, but anyway:
>
> main.cf:
> smtpd_client_restrictions = check_client_access pcre:/path/to/file
>
> /path/to/file:
> /(ppp|dialup|adsl)/ REJECT
>
> You can move the check_client_access restriction to any other
> smtpd_xxx_restrictions if you want. You probably want to implement a
> stricter regexp to avoid collateral damage. Stricter expressions have
> been posted here in the past. Finally, this assumes that your Postfix
> has PCRE support. If not, replace `pcre' with `regexp'.
>
>
Thank you.
have a nice day,
Zbigniew
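
An added example, not part of any post in this thread: a Python check of the "collateral damage" caveat quoted above, running the thread's `/(ppp|dialup|adsl)/` table and a stricter variant over reverse-DNS names. The stricter pattern and every hostname are constructed assumptions, and Python's `re` stands in for Postfix's PCRE lookup.

```python
import re

# Table from the thread, plus a stricter variant (an assumption of this example).
LOOSE_TABLE = "/(ppp|dialup|adsl)/ REJECT\n"
STRICT_TABLE = "/(^|[0-9.-])(ppp|dialup|adsl)[0-9]*[.-]/ REJECT\n"

# Constructed reverse-DNS names; none are real hosts.
DYNAMIC = [
    "ppp-203-0-113-7.isp.example",
    "adsl45.dyn.isp.example",
    "host-198-51-100-9.dialup.isp.example",
]
LEGITIMATE = [
    "mail.apppro.example",       # "ppp" inside "apppro"
    "mx.roadslide.example",      # "adsl" inside "roadslide"
    "mail.dialupdates.example",  # "dialup" inside "dialupdates"
    "mx1.example.org",
]

# One table line: /pattern/flags action
LINE = re.compile(r"^/(.*)/([A-Za-z]*)\s+(\S.*)$")

def parse_table(text):
    """Parse pcre_table-style lines into (compiled pattern, action) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unsupported table line: {raw!r}")
        pattern, flags, action = m.groups()
        # pcre_table(5): matching is case-insensitive by default; "i" toggles it.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules

def lookup(rules, client_name):
    """Return the action of the first matching rule, or None (no decision)."""
    for rx, action in rules:
        if rx.search(client_name):
            return action
    return None

def rejected(table_text, names):
    """List the names that the given table would REJECT."""
    rules = parse_table(table_text)
    return [n for n in names if lookup(rules, n) == "REJECT"]

if __name__ == "__main__":
    for label, table in (("loose", LOOSE_TABLE), ("strict", STRICT_TABLE)):
        print(label, "rejects dynamic:", rejected(table, DYNAMIC))
        print(label, "rejects legitimate:", rejected(table, LEGITIMATE))
```

On a live server, `postmap -q <hostname> pcre:/path/to/file` runs the same lookup against the real table before it is wired into `smtpd_client_restrictions`.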
