Re: avoiding overload on port 587

  • Stan Hoeppner
    Message 1 of 54 , Dec 3, 2012
      On 12/3/2012 2:30 AM, Tomas Macek wrote:

      > OK, so I spent some time reading config params in doc and topics in
      > various forums and decided to set up my submission port 587 like this:
      >
      > submission inet n - n - - smtpd
      >   -o smtpd_etrn_restrictions=reject
      >   -o smtpd_sasl_auth_enable=yes
      >   -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      >
      >
      > I decided not to use the "smtpd_sasl_exceptions_networks = $mynetworks",
      > because I experienced that the Opera M2 mail client sends the auth
      > credentials even if no auth is offered by the mail server... don't
      > know why, but maybe there is still some other mail client with this
      > strange behaviour...
      >
      > Do you agree with this setup? Any further recommendations?

      You might want to look into these as well:

      -o content_filter=
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o receive_override_options=no_unknown_recipient_checks,no_address_mappings,no_header_body_checks

      These disable restrictions configured elsewhere in the system that
      target public client MTAs. This is a submission service, so you
      probably want to disable many of the existing restrictions, such as
      DNSBL lookups, SpamAssassin, etc, which will cause rejections, or users'
      outbound mail possibly being marked as spam. And obviously server
      processing load increases due to more mail going through SA if you don't
      disable SA for this service.

      --
      Stan
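
Added example (not part of the original message and not Postfix's own code): a small Python check that parses master.cf text and lists which of the parameters discussed in this thread a service entry does not override with -o, so the main.cf values still apply to it. The sample master.cf text and the function names are constructed for illustration; the Postfix 3.0 `-o { name = value }` brace form is not handled.

```python
# Added example: report which main.cf settings a master.cf service still inherits.
import shlex

# Parameters named in this thread that a submission entry would override.
EXPECTED = ["smtpd_sasl_auth_enable", "smtpd_recipient_restrictions", "content_filter",
            "smtpd_client_restrictions", "smtpd_helo_restrictions",
            "smtpd_sender_restrictions", "receive_override_options"]

# Constructed sample: the entry from the question, before the suggested additions.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command
smtp       inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace); skip comments and blanks."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def overrides(text, service, stype="inet"):
    """Return {parameter: value} from the -o options of one service entry."""
    for line in logical_lines(text):
        fields = shlex.split(line)
        if fields[:2] == [service, stype]:
            args = fields[8:]  # fields 0-6 are the service columns, 7 is the command
            return dict(args[i + 1].split("=", 1)
                        for i, a in enumerate(args[:-1]) if a == "-o")
    raise KeyError(service)

def inherited(text, service):
    """Thread parameters the entry does not override, so main.cf values still apply."""
    set_here = overrides(text, service)
    return [p for p in EXPECTED if p not in set_here]

if __name__ == "__main__":
    print("still inherited from main.cf:", inherited(SAMPLE_MASTER_CF, "submission"))
```

An empty value such as `content_filter=` counts as an override, which is the point of the options listed above: the service stops using the filter set in main.cf.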
    • /dev/rob0
      Message 54 of 54 , Dec 4, 2012
        On Tue, Dec 04, 2012 at 07:46:10AM -0600, /dev/rob0 wrote:
        > On Tue, Dec 04, 2012 at 11:59:01PM +1300, Peter wrote:
        > > I would still also set up port 587 on the mail.example.com
        > > IP as submission as well and try to encourage your users (at
        > > least the ones you can) to use port 587 from now on.
        >
        > What I would do, on Linux with IPv4 only, is create the submission
        > port and use an iptables redirect for the alternate IP address:
        >
        > # iptables -vt nat -A PREROUTING -p tcp --dport smtp -d \
        > mail.example.com -j REDIRECT --to-port submission
        >
        > This saves the overhead (system and administrative) of running
        > another smtpd on [mail.example.com]:25; he can leave his "smtp ...
        > smtpd" service alone in master.cf.

        Or better yet: replace it with postscreen.

        > I should also add as a reply to Stan in the other subthread: look
        > above at the first quoted paragraph: "Outlook Expresses setup with
        > ... default configuration."
        >
        > Yikes, bad news, very bad. If not doing content filtering nor
        > policy limitation of submission now, he will be soon. And possibly
        > losing his job in any case. Tomas is not in a good place right now.

        To clarify, I meant that if those Outlook Expresses are not yet
        compromised by malware, they will be, soon.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: