|reply to PToN |
Re: Email with dynamic IP blocks
Letting users do SMTP mail is a security risk unless you're doing SSL connections, which by the sound of it you're not; it's all clear text, authenticated or not. You should be enforcing VPN to use your corporate send mail if it's not local traffic.
If you don't want to do VPN or SSL, the next best step is an HTTPS web mail portal for all mail that is not on the local network.
We are doing SSL connections. I don't know where you got that from.
Postfix is set up to forward all mail to "pmx:localhost:10025". PureMessage gets every email and the first test is to decide whether it is from any of my internal (192.168) networks or external networks. The attachment shows the tests done to every email.
I have "smtpd_sasl_authenticated_header=yes", so I guess I could check for this header on the "Mail from internal hosts" test and catch it there.
Brano:
To add to my earlier note.
Regular mail is delivered via port 25 as usual.
Internal users have to go through submission port 587/TLS, which then sends them to an alternative filtering queue that, for example, does not do the source IP/domain checks.
Submission port 587 is becoming the de facto standard for mail submission from end users; you should consider switching to it and using 25 for inbound mail. Then you can force TLS on 587 and do alternative filtering easily. All easily done with Postfix.
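
A sketch of the port 25 / port 587 split described in this thread, added here as an example and not taken from either poster's configuration. The `pmx:localhost:10025` filter and `smtpd_sasl_authenticated_header` come from the thread; the second PureMessage listener on port 10026 is an assumption and would have to exist on the filter side.

```conf
# ---- /etc/postfix/main.cf ----
# Inbound mail on port 25 goes through the full filter (value from the thread).
content_filter = pmx:localhost:10025

# Never offer AUTH on a connection that has not negotiated TLS,
# so credentials cannot cross the wire in clear text.
smtpd_tls_auth_only = yes

# Record the SASL login name in the Received: header this server adds,
# so the filter can tell authenticated submissions from anonymous mail.
smtpd_sasl_authenticated_header = yes

# ---- /etc/postfix/master.cf ----
# Port 25: server-to-server mail, default settings, default content_filter.
smtp       inet  n       -       n       -       -       smtpd

# Port 587: end-user submission.
#   smtpd_tls_security_level=encrypt  -> STARTTLS is mandatory
#   smtpd_sasl_auth_enable=yes        -> AUTH is offered here
#   smtpd_client_restrictions         -> unauthenticated clients are rejected
#   content_filter                    -> alternative filter queue that skips the
#                                        source IP/domain tests
#                                        (port 10026 is an assumed listener)
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=pmx:localhost:10026
```

If the filter keys on the authenticated-sender header instead of the listener, it should trust only the Received: line added by this server, since earlier Received: lines are supplied by the sending side and can contain anything.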