Message 1 of 54, Peter, Dec 4, 2012

On 04/12/12 20:54, Tomas Macek wrote:
> Everyone here tells me that MUAs should send their mails through 587. I
> can't do that without iptables, because all the people here have Outlook
> Express set up with port 25 for sending emails from the default configuration.

That's the general advice, yes, but the real issue is to keep your
submission service separate from your MX service. You can allow
submission on port 25 and still have it separate from MX if that
submission service is on a different IP address to your MX. As an
example, say that your users currently submit to the host
mail.example.com: you can change the IP of mail.example.com to point to
a new IP (on the same server) and set up postfix so that it runs a
submission service on that IP on port 25. You can then point your MX
record to a different hostname (mx1.example.com) and point that to a
second IP address on the same server; postfix can then be configured so
that port 25 requests to that IP are treated as MX requests and not
submission. With this setup you get to separate your submission from
your MX but still don't have to require your users to make any changes
to their clients.

I would still also set up port 587 on the mail.example.com IP as
submission as well and try to encourage your users (at least the ones
you can) to use port 587 from now on.

Also, if they don't have authentication set up, then you can use
mynetworks to authenticate them, but you may be better off using a
check_client_access cidr table instead for better control of this.
Message 54 of 54, /dev/rob0, Dec 4, 2012

On Tue, Dec 04, 2012 at 07:46:10AM -0600, /dev/rob0 wrote:
> On Tue, Dec 04, 2012 at 11:59:01PM +1300, Peter wrote:
> > I would still also set up port 587 on the mail.example.com
> > IP as submission as well and try to encourage your users (at
> > least the ones you can) to use port 587 from now on.
>
> What I would do, on Linux with IPv4 only, is create the submission
> port and use an iptables redirect for the alternate IP address:
>
> # iptables -vt nat -A PREROUTING -p tcp --dport smtp -d \
>     mail.example.com -j REDIRECT --to-port submission
>
> This saves the overhead (system and administrative) of running
> another smtpd on [mail.example.com]:25; he can leave his "smtp ...
> smtpd" service alone in master.cf.

Or better yet: replace it with postscreen.

> I should also add as a reply to Stan in the other subthread: look
> above at the first quoted paragraph: "Outlook Expresses setup with
> ... default configuration."
>
> Yikes, bad news, very bad. If not doing content filtering nor
> policy limitation of submission now, he will be soon. And possibly
> losing his job in any case. Tomas is not in a good place right now.

To clarify, I meant that if those Outlook Expresses are not yet
compromised by malware, they will be, soon.

http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
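Peter's two-IP split (Message 1) and rob0's "replace it with postscreen" remark (Message 54), written out as Postfix main.cf, master.cf and CIDR-table fragments. This is an added example for this page, not configuration posted by either author or taken from the Postfix documentation. Assumptions: 192.0.2.10 is mail.example.com (the address the MUAs already use), 192.0.2.11 is mx1.example.com (the address the MX record points at), the office LAN is 192.168.10.0/24, the table lives at /etc/postfix/submission_clients.cidr, and SASL and a TLS certificate are already configured in main.cf. The smtpd_relay_restrictions lines only matter on Postfix 2.10 or later; older releases ignore the parameter.

```conf
# ---- main.cf (fragment; addresses are assumptions) ----
# Listen on both addresses; each gets its own master.cf entry below.
inet_interfaces = 192.0.2.10, 192.0.2.11
# Keep SASL off globally; only the submission listeners enable it.
smtpd_sasl_auth_enable = no

# ---- master.cf ----
# Remove the generic "smtp inet n - n - - smtpd" line first, otherwise the
# 0.0.0.0:25 listener collides with the per-address entries that follow.
#
# service               type  private unpriv chroot wakeup maxproc command + args
#
# Submission on the legacy port, reachable only via the mail.example.com
# address. Unchanged Outlook Express clients keep working. Relaying is allowed
# for SASL-authenticated users or hosts in the CIDR table, nothing else.
192.0.2.10:smtp         inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission25
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,check_client_access,cidr:/etc/postfix/submission_clients.cidr,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,check_client_access,cidr:/etc/postfix/submission_clients.cidr,reject

# Proper submission on 587 for the clients that can be moved: TLS required,
# SASL only, no unauthenticated relay from the LAN table at all.
192.0.2.10:submission   inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# MX on the mx1.example.com address, fronted by postscreen (rob0's
# suggestion). postscreen hands surviving connections to the "smtpd pass"
# service; that smtpd never authenticates and never relays, and mynetworks
# is shrunk so permit_mynetworks in main.cf cannot reopen relaying here.
192.0.2.11:smtp         inet  n       -      n      -      1       postscreen
smtpd                   pass  -       -      n      -      -       smtpd
  -o syslog_name=postfix/mx
  -o mynetworks=127.0.0.0/8
  -o smtpd_sasl_auth_enable=no
  -o smtpd_recipient_restrictions=reject_unauth_destination
  -o smtpd_relay_restrictions=reject_unauth_destination
dnsblog                 unix  -       -      n      -      0       dnsblog
tlsproxy                unix  -       -      n      -      0       tlsproxy

# ---- /etc/postfix/submission_clients.cidr (assumed path) ----
# CIDR tables are first-match and need no postmap. A single known-bad
# workstation is listed before the LAN it belongs to, so it gets a 554
# instead of OK; addresses not listed fall through to the final "reject".
192.168.10.77           REJECT submission from this host is blocked
192.168.10.0/24         OK
```

After editing, `postfix check` reports syntax problems and `postfix reload` activates the entries. Two caveats a practitioner should keep in mind: the port-25 listener on the mail address has to accept plaintext (the whole point is not touching the old clients), so any SASL credentials sent there travel in the clear until the client is moved to 587; and the CIDR entry makes relaying a property of the source address, which is exactly the property malware on a listed workstation inherits, hence rob0's warning about content filtering and policy limits on submission.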