From 9644958bdac5e38c677fa59f408b6cdd05af3dd5 Mon Sep 17 00:00:00 2001
From: Dominic Ricottone <me@dominic-ricottone.com>
Date: Sat, 12 Aug 2023 13:19:13 -0500
Subject: [PATCH] Tuning restrictions

---
 postfix/main.cf        | 4 ++--
 postfix/main.cf.tls-in | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/postfix/main.cf b/postfix/main.cf
index d72a5e7..432af51 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -33,8 +33,8 @@ anvil_rate_time_unit = 60s
 smtpd_client_auth_rate_limit = 10
 smtpd_client_connection_rate_limit = 10
 smtpd_client_new_tls_session_rate_limit = 10
-# reject if not authenticated
-smtpd_client_restrictions = permit_sasl_authenticated, reject
+# reject if client IP and hostname do not match EXCEPT if authenticated
+smtpd_client_restrictions = permit_sasl_authenticated, reject_unknown_client_hostname
 # reject if HELO or EHLO hostname does not have a valid A or MX record
 smtpd_helo_restrictions = reject_unknown_helo_hostname
 smtpd_helo_required = yes
diff --git a/postfix/main.cf.tls-in b/postfix/main.cf.tls-in
index fb72a6b..943458f 100644
--- a/postfix/main.cf.tls-in
+++ b/postfix/main.cf.tls-in
@@ -34,8 +34,8 @@ anvil_rate_time_unit = 60s
 smtpd_client_auth_rate_limit = 10
 smtpd_client_connection_rate_limit = 10
 smtpd_client_new_tls_session_rate_limit = 10
-# reject if not authenticated
-smtpd_client_restrictions = permit_sasl_authenticated, reject
+# reject if client IP and hostname do not match EXCEPT if authenticated
+smtpd_client_restrictions = permit_sasl_authenticated, reject_unknown_client_hostname
 # reject if HELO or EHLO hostname does not have a valid A or MX record
 smtpd_helo_restrictions = reject_unknown_helo_hostname
 smtpd_helo_required = yes
-- 
2.45.2