Filtering part of main.cf
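###
# Filtering excerpt of Postfix main.cf (postconf(5) syntax).
# Syntax reminders for this file:
# - A logical line starts in column 0. A line that starts with whitespace
#   continues the previous logical line, so every entry of the multi-line
#   restriction lists below must be indented; an unindented entry is read as
#   a new, malformed parameter and postconf reports a missing '='.
# - A line whose first non-blank character is '#' is a comment, so the
#   indented comments inside the lists are skipped by the parser.
# - Postfix has no trailing comments: text after a value belongs to the value.
# - When a parameter is defined twice, only the last definition counts.
# Parameters this excerpt depends on but does not set (mynetworks,
# smtpd_sender_login_maps, the smtpd_sasl_* settings, smtpd_tls_security_level)
# are expected elsewhere in main.cf.
###
# Reject message immediately when rejected by an ACL (or it could pass the auth phase)
# NOTE(review): with smtpd_delay_reject = no, smtpd_client_restrictions and
# smtpd_helo_restrictions are evaluated before the client has had a chance to
# AUTH, so the permit_sasl_authenticated entries in those two lists presumably
# never match, and an authenticated user connecting from an address without
# valid reverse DNS would be refused at connect time. Postfix defaults this to
# yes for that reason - confirm against SMTPD_ACCESS_README before relying on it.
smtpd_delay_reject = no
# Requires HELO or EHLO before sending an EMAIL
smtpd_helo_required = yes
# Filtering order                  # Information available at that step
# 1 smtpd_client_restrictions      # remote IP address, its DNS reverse, forward of the reverse
# 2 smtpd_helo_restrictions        # + name presented
# 3 smtpd_sender_restrictions      # + envelope sender
# 4 smtpd_relay_restrictions       # + envelope recipient
# 5 smtpd_recipient_restrictions
# 6 smtpd_data_restrictions        # + number of recipients
# 7 smtpd_end_of_data_restrictions
# Each list is evaluated top to bottom and the first permit/reject that matches
# decides, which is why the whitelists (permit_*) come first and the closing
# permit only makes the documented default explicit.
smtpd_client_restrictions =
    # Whitelist first - Permit trusted network to send email without verification
    permit_mynetworks,
    # Whitelist first - Permit authenticated - append domain name
    permit_sasl_authenticated,
    # Check if reverse(ip_src)!=NULL, will reject with 450 4.7.1
    reject_unknown_reverse_client_hostname,
    # Check if query(reverse(ip_src))=ip_src, will reject with 450 4.7.25
    # (this check also fails when there is no PTR, so the previous entry is
    # redundant but harmless)
    # NOTE(review): strict - senders whose forward-confirmed reverse DNS is
    # broken are deferred; watch the logs for false positives.
    reject_unknown_client_hostname,
    # Default is permit, written here to be explicit
    permit
smtpd_helo_restrictions =
    # Whitelist first - Permit trusted network to send email without verification
    permit_mynetworks,
    # Whitelist first - Permit authenticated - append domain name
    permit_sasl_authenticated,
    # Malformed hostname
    reject_invalid_helo_hostname,
    # Non-fqdn hostname in EHLO, will reject with 504 5.5.2
    reject_non_fqdn_helo_hostname,
    # No A or MX record for hostname in EHLO
    # NOTE(review): depends on the sender's DNS at lookup time; a transient
    # DNS failure defers (4xx) legitimate mail.
    reject_unknown_helo_hostname,
    # Default is permit, written here to be explicit
    permit
smtpd_sender_restrictions =
    # No whitelist in this list: the checks below also apply to mynetworks
    # and to authenticated clients.
    # Non-fqdn hostname in MAIL FROM
    reject_non_fqdn_sender,
    # Postfix is not destination AND MAIL FROM has no or malformed A or MX
    reject_unknown_sender_domain,
    # SASL login does not match MAIL FROM in sender_login_maps (prevent external to send mail to local as @mydomain)
    # Needs smtpd_sender_login_maps (not in this excerpt) to list the sender
    # addresses each login may use; NOTE(review): an authenticated client whose
    # MAIL FROM has no owner in that map is presumably rejected as
    # "not owned by user" - verify the map covers every legitimate sender.
    reject_sender_login_mismatch,
    # Default is permit, written here to be explicit
    permit
smtpd_relay_restrictions =
    # Whitelist first - Permit trusted network to send email without verification
    permit_mynetworks,
    # Whitelist first - Permit authenticated - append domain name
    permit_sasl_authenticated,
    # Prevent from being an open relay, place non-recipient restrictions AFTER the reject_unauth_destination restriction - will reject with 554 5.7.1
    reject_unauth_destination,
    # Default is permit, written here to be explicit
    permit
smtpd_recipient_restrictions =
    # Whitelist first - Permit trusted network to send email without verification
    permit_mynetworks,
    # Whitelist first - Permit authenticated - append domain name
    permit_sasl_authenticated,
    # Prevent from being an open relay, place non-recipient restrictions AFTER the reject_unauth_destination restriction
    # (repeated from smtpd_relay_restrictions as a belt-and-braces guard)
    reject_unauth_destination,
    # Postfix is not destination AND RCPT TO has no or malformed A or MX
    reject_unknown_recipient_domain,
    # Non-fqdn hostname in RCPT TO
    reject_non_fqdn_recipient,
    # Default is permit, written here to be explicit
    permit
smtpd_data_restrictions =
    # Reject pipelining if it has not been negotiated first
    reject_unauth_pipelining,
    # Default is permit, written here to be explicit
    permit
# Reject pipelining if it has not been negotiated first - Reject with 554 5.5.0
# Independent of the restriction lists, so it complements reject_unauth_pipelining
# above. A Postfix release that does not know this parameter only logs it as an
# unused parameter and leaves the protection off - check with
# `postconf smtpd_forbid_unauth_pipelining` on the target host.
smtpd_forbid_unauth_pipelining = yes
# Require that addresses received in SMTP MAIL FROM and RCPT TO commands are enclosed with <>
strict_rfc821_envelopes = yes
# Remove support for TLS < 1.2 because servers that use TLS but do not support higher versions are abandoned
# smtpd_tls_protocols applies to opportunistic TLS, smtpd_tls_mandatory_protocols
# only when smtpd_tls_security_level enforces TLS; keep the two values in sync.
# The ">=" form is only understood by recent Postfix releases; older ones need
# the exclusion form (!SSLv2, !SSLv3, !TLSv1, !TLSv1.1) - verify with `postconf -n`.
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_mandatory_protocols = >=TLSv1.2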