What are the changes performed when the Postfix – Strict Rules option is enabled in Plesk Email Security?

Question

What are the changes performed when Plesk Email Security > Settings > Postfix – Strict Rules is enabled?

Answer

Enabling Strict Rules updates the following directives in /etc/postfix/main.cf:

1. smtpd_sender_restrictions

smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists,
permit_sasl_authenticated,
permit_mynetworks,
reject_authenticated_sender_login_mismatch,
reject_unknown_client_hostname,
reject_unknown_sender_domain

Added entries inside this setting (compared to non-strict):

• permit_mynetworks — allow clients listed in $mynetworks (trusted IPs) to pass this stage.
• reject_authenticated_sender_login_mismatch — reject if authenticated username ≠ MAIL FROM address (prevents account-based spoofing).
• reject_unknown_client_hostname — reject if client reverse DNS is missing/invalid.
• reject_unknown_sender_domain — reject if sender domain lacks valid DNS (MX/A).
• Effect: strict anti-spoofing and DNS hygiene enforcement.
  Risk: may block legitimate senders with broken/missing rDNS or sender DNS.

2. smtpd_recipient_restrictions

smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_invalid_helo_hostname

• reject_invalid_helo_hostname — reject malformed HELO/EHLO hostnames (illegal characters/bad syntax).

Effect: blocks many spambots and misconfigured clients.
Risk: broken MTAs that send invalid HELO strings will be rejected.

3. smtpd_timeout

• + smtpd_timeout = 300s

Effect: reduces idle session window to 5 minutes, mitigating resource-hogging/slowloris behavior.
Risk: very slow clients might time out (rare).

4. HELO enforcement

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname

• smtpd_helo_required = yes — require HELO/EHLO from all clients.
• reject_non_fqdn_helo_hostname — reject non-FQDN greetings (e.g. localhost, single labels).
• reject_unknown_helo_hostname — reject greetings that don’t resolve in DNS.
• Trusted bypass: clients permitted by permit_mynetworks or permit_sasl_authenticated skip these checks.

Effect: strong protection against spambots and poorly configured MTAs.
Risk: some legitimate but sloppy senders may be rejected until they fix DNS/HELO.

Note: All rejections are logged in /var/log/maillog