When the server is set up, there soon will be so many connection attempts before the announcement. Mostly they are malicious attempts and spam senders.
To block these kinds of connections efficiently, Postfix has built-in restriction configurations.
There are several restrictions groups - Postfix SMTP relay and access control
Here I go a bit more strict than the explanation above.
In short, the configuration below means;
# Comment out existing smtpd_relay_restrictions # (This is redefined with other restrictions in the below) #smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination # Restrictions message_size_limit = 20480000 disable_vrfy_command = yes unknown_hostname_reject_code = 554 unknown_address_reject_code = 554 unverified_sender_reject_code = 554 unverified_recipient_reject_code = 554 smtpd_helo_required = yes strict_rfc821_envelopes = yes mua_client_restrictions = permit_mynetworks, permit_sasl_authenticated mua_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname mua_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain mua_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination mua_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unauth_destination mua_data_restrictions = reject_unauth_pipelining smtpd_client_restrictions = $mua_client_restrictions smtpd_helo_restrictions = $mua_helo_restrictions smtpd_sender_restrictions = $mua_sender_restrictions smtpd_relay_restrictions = $mua_relay_restrictions smtpd_recipient_restrictions = $mua_recipient_restrictions smtpd_data_restrictions = $mua_data_restrictions
Reload to apply new restrictions.
# systemctl reload postfix
Watching the mail log, it seems most connections are kicked by the helo_restrictions with non-FQDN hostname. Even the restrictions above are not enough, there are more powerful restrictions such as reject_unknown_helo_hostname or reject_unverified_sender. The reason why I don't use them is the side effects that may kick out the legitimate emails.
By narrowing the spam emails as much as possible at the entrance, the content filters later will require fewer loads.