M postfix/main.cf => postfix/main.cf +18 -1
@@ 27,12 27,29 @@ transport_maps = lmdb:/etc/postfix/transport
# Logging
maillog_file = /dev/stdout
+# Restrictions
+# reject if attempted to connect or authenticate 10 times in 60 seconds
+anvil_rate_time_unit = 60s
+smtpd_client_auth_rate_limit = 10
+smtpd_client_connection_rate_limit = 10
+smtpd_client_new_tls_session_rate_limit = 10
+# reject if not authenticated
+smtpd_client_restrictions = permit_sasl_authenticated, reject
+# reject if HELO or EHLO hostname does not have a valid A or MX record
+smtpd_helo_restrictions = reject_unknown_helo_hostname
+smtpd_helo_required = yes
+# reject if MAIL FROM hostname is not in $mydestination AND does not have a valid A or MX record
+smtpd_sender_restrictions = reject_unknown_sender_domain
+# reject if RCPT TO hostname is not in $mydestination AND not in $relay_domains
+smtpd_relay_restrictions = reject_unauth_destination
+# if RCPT TO hostname IS in $mydestination, apply no further restrictions
+smtpd_recipient_restrictions =
+
# Authentication
cyrus_sasl_config_path = /etc/sasl2/
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
-smtpd_relay_restrictions = reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
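Review bot: `smtpd_client_restrictions = permit_sasl_authenticated, reject` on the new side turns every session that is not SASL-authenticated away, so an outside MTA can never deliver to `$mydestination` even though the comment above `smtpd_recipient_restrictions =` describes that case as allowed; if this instance is meant to act as an MX, drop the trailing `reject` and let `smtpd_relay_restrictions = reject_unauth_destination` carry relay control, and if it is submission-only, state that instead, e.g. `# submission-only: sessions that are not SASL-authenticated are rejected outright`. The empty `smtpd_recipient_restrictions =` is only safe because relay control now lives in `smtpd_relay_restrictions`, which Postfix honours from 2.10 on, and `smtpd_client_auth_rate_limit` is a 3.1+ parameter that older releases ignore with a warning, so a comment naming the minimum Postfix version this file assumes would help the next reader. The rate limits are not enforced for clients matching `smtpd_client_event_limit_exceptions` (default `$mynetworks`), which is worth noting next to the "10 times in 60 seconds" comment. The same block is added to postfix/main.cf.tls-in in the second hunk.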
M postfix/main.cf.tls-in => postfix/main.cf.tls-in +18 -1
@@ 28,9 28,26 @@ transport_maps = lmdb:/etc/postfix/transport
# Logging
maillog_file = /dev/stdout
+# Restrictions
+# reject if attempted to connect or authenticate 10 times in 60 seconds
+anvil_rate_time_unit = 60s
+smtpd_client_auth_rate_limit = 10
+smtpd_client_connection_rate_limit = 10
+smtpd_client_new_tls_session_rate_limit = 10
+# reject if not authenticated
+smtpd_client_restrictions = permit_sasl_authenticated, reject
+# reject if HELO or EHLO hostname does not have a valid A or MX record
+smtpd_helo_restrictions = reject_unknown_helo_hostname
+smtpd_helo_required = yes
+# reject if MAIL FROM hostname is not in $mydestination AND does not have a valid A or MX record
+smtpd_sender_restrictions = reject_unknown_sender_domain
+# reject if RCPT TO hostname is not in $mydestination AND not in $relay_domains
+smtpd_relay_restrictions = reject_unauth_destination
+# if RCPT TO hostname IS in $mydestination, apply no further restrictions
+smtpd_recipient_restrictions =
+
# Authentication
cyrus_sasl_config_path = /etc/sasl2/
-smtpd_relay_restrictions = reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd