As I’ve said, I don’t use any local accounts on the mailserver. Zero. Nada.

Exactly what I do, all mail should be either immediately rejected, or passed on to Dovecot.

But why do you use

mydestination = localhost

Wouldn't it be better to explicitly set that to an empty value? A program that sends mail to root@localhost, for example, would have its mail accepted, and Postfix would store it in a place where nobody will ever check.

@hans Hm. I never tried with a completely empty mydestination. I do have programs that send to root@localhost though (some log file stuff) and it correctly gets forwarded to postmaster@ AFAICS, so I thought that's ok.

@😷 Jan Wildeboer Ah yes, root was a bad example. There's usually an entry for root in /etc/aliases that redirects it somewhere else.

@jwildeboer already curious about part 2 and 3. Do you know when they will be available?

@angry When they are ready :) I am recovering from surgery ATM, so no real planning possible. I hope I can get it done next week.

@jwildeboer Is there a reason why you put reject_invalid_hostname and other IP/domain-related restrictions in smtpd_recipient_restrictions rather than smtpd_recipient_restrictions, or even better, in smtpd_client_restrictions?

@whilelm Mainly because doing it a bit later in the pipeline generates more log entries that fail2ban can pick up :)

@jwildeboer Oh! There's no IP logged when the rejection is done at smtpd_client_restrictions?

@whilelm I had some problems with fail2ban picking up those log lines. By moving the checks down a little, it started working. I didn't bother too much to dig deeper. Works, on to the next thing :)

@whilelm Here are more details: under "Delayed evaluation of SMTP access restriction lists". TL;DR: doing the checks at the smtpd_recipient_restrictions stage is OK, and could avoid some edge cases.

@whilelm Especially the second bullet point: "Postfix can log more useful information. For example, when Postfix rejects a client name or address and delays the action until the RCPT TO command, it can log the sender and the recipient address. This is more useful than logging only the client hostname and IP address and not knowing whose mail was being blocked."
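As an added example (not from this thread or the Postfix project), a small Python parser over constructed Postfix smtpd log lines that shows the difference quoted above: a rejection evaluated at the RCPT TO stage carries from= and to= next to the client address, while one logged at CONNECT time carries only the client host and IP. The log lines, hostnames and addresses are constructed for the example; the only assumption is the standard "NOQUEUE: reject:" line layout.

```python
import re

# Constructed sample Postfix smtpd log lines (not from the thread).
# Line 1: a HELO check evaluated at RCPT TO, so sender and recipient are logged.
# Line 2: a client check logged at CONNECT, before any sender/recipient is known.
# Line 3: an ordinary connect line, which is not a rejection and must be skipped.
SAMPLE_LOG = """\
Mar  1 10:15:02 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 504 5.5.2 <foo>: Helo command rejected: need fully-qualified hostname; from=<spam@example.org> to=<alice@example.com> proto=ESMTP helo=<foo>
Mar  1 10:16:40 mx postfix/smtpd[2205]: NOQUEUE: reject: CONNECT from unknown[198.51.100.9]: 554 5.7.1 <unknown[198.51.100.9]>: Client host rejected: Access denied; proto=SMTP
Mar  1 10:17:11 mx postfix/smtpd[2207]: connect from mail.example.net[192.0.2.10]
"""

# Core fields every reject line has: the SMTP stage, client hostname, client IP, status code.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>[A-Z]+) from "
    r"(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) "
)
# Envelope addresses are only present when the rejection was delayed to RCPT TO.
ADDR_RE = re.compile(r"\bfrom=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>")


def parse_rejects(log_text):
    """Return one dict per NOQUEUE reject line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        ev = {"stage": m["stage"], "host": m["host"], "ip": m["ip"],
              "code": m["code"], "from": None, "to": None}
        a = ADDR_RE.search(line)
        if a:
            ev["from"], ev["to"] = a["from"], a["to"]
        events.append(ev)
    return events


def rejects_by_ip(events):
    """Count rejections per client IP, the figure a fail2ban-style threshold is applied to."""
    counts = {}
    for ev in events:
        counts[ev["ip"]] = counts.get(ev["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for ev in parse_rejects(SAMPLE_LOG):
        print(ev)
    print(rejects_by_ip(parse_rejects(SAMPLE_LOG)))
```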

@jwildeboer OK I see, thx for the precisions and the link.

I was thinking that it could be interesting and resource-saving to check restrictions as soon as possible.

Maybe it is more thinking than useful.

@whilelm Yep. I thought the same too. But seems it isn't needed. And after a few weeks of collected data, this setup is working nicely and doesn't use that many resources, so I stopped worrying :)

