On Tue, May 28, 2024 at 09:32:29PM -0400, John Hill via Postfix-users wrote:
> On 5/28/24 9:23 PM, Viktor Dukhovni via Postfix-users wrote:
> > -o { smtpd_recipient_restrictions =
> > reject_rbl_client zen.spamhaus.org=127.0.0.4,
> > reject_sender_login_mismatch,
> > permit_sasl_authenticated,
> > reject }
>
>
> I had experimented and came close to this.
>
> I will use it.
>
> Question as I use zen 127.0.0.[2..11] on port 25

This includes the PBL, covering much of the "dynamic" ISP consumer
address space, including homes, hotels, airports, ... You probably
don't want to block these. The XBL (127.0.0.4) is a conservative
choice. You might in fact want to reject XBL IPs early, before they
even attempt authentication. So I have:

    465 inet n - n - - smtpd
        -o smtpd_delay_reject=no
        -o {smtpd_client_restrictions=reject_rbl_client
            zen.spamhaus.org=127.0.0.4}
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    ...
    submission inet n - n - - smtpd
        -o smtpd_delay_reject=no
        -o {smtpd_client_restrictions=reject_rbl_client
            zen.spamhaus.org=127.0.0.4}
        -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

(The "permit_mynetworks" is for a couple of machine-to-machine submission use
cases).
--
Viktor.
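
Added example, not part of the original message or of Postfix itself: a small Python model of how the two reply filters discussed in this thread, `=127.0.0.[2..11]` and `=127.0.0.4`, treat different zen.spamhaus.org answers. The matching follows the `d.d.d.[n;n..m]` reply-filter syntax documented for reject_rbl_client; the sample answers are constructed, and the PBL codes 127.0.0.10 and 127.0.0.11 are taken from Spamhaus's published return codes rather than from the thread.

```python
import ipaddress
import re

def dnsbl_query_name(client_ip, zone="zen.spamhaus.org"):
    """Name looked up for an IPv4 client: reversed octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def _octet_matches(pattern, value):
    """One 'd' of a d.d.d.d filter: a plain number, or [n;n..m;...]."""
    if not (pattern.startswith("[") and pattern.endswith("]")):
        return int(pattern) == value
    for part in pattern[1:-1].split(";"):
        low, _, high = part.partition("..")
        if int(low) <= value <= int(high or low):
            return True
    return False

def reply_matches(reply_filter, reply):
    """True if one DNSBL A record (e.g. 127.0.0.10) matches the filter."""
    # Split bracket-aware: the ".." inside [2..11] is not an octet separator.
    patterns = re.findall(r"\[[^\]]*\]|\d+", reply_filter)
    octets = [int(o) for o in reply.split(".")]
    if len(patterns) != 4 or len(octets) != 4:
        raise ValueError("expected four octets in filter and reply")
    return all(_octet_matches(p, o) for p, o in zip(patterns, octets))

def rejected(reply_filter, replies):
    """Assumption: the client is rejected if any returned A record matches."""
    return any(reply_matches(reply_filter, r) for r in replies)

# Constructed DNSBL answers (lists of A records); not real lookups.
SAMPLES = {
    "hotel Wi-Fi submission client (PBL only)": ["127.0.0.10"],
    "compromised host (XBL)": ["127.0.0.4"],
    "dynamic and compromised (PBL + XBL)": ["127.0.0.11", "127.0.0.4"],
    "not listed (NXDOMAIN)": [],
}

def compare(wide="127.0.0.[2..11]", narrow="127.0.0.4"):
    """Per sample: (rejected by the port-25 filter, rejected by the XBL-only filter)."""
    return {k: (rejected(wide, v), rejected(narrow, v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.25"))
    for label, (w, n) in compare().items():
        print(f"{label:45} [2..11]={w!s:5} XBL-only={n}")
```

The first sample is the case the reply warns about: a legitimate roaming user on a PBL-listed address is refused by the port-25 filter but still reaches authentication with the XBL-only filter.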