For system administrators maintaining 60r3 in production, the message is clear: But treat it like a classic car. Keep it behind proper firewalls, monitor its logs obsessively, and have a migration plan for the day an ISP finally demands a cipher suite it cannot provide.
# Disable HTTP admin from network (only localhost) http-mgmt-port 0 # Disable command-line remote management cli-access-control deny all PowerMTA 60r3 logs heavily to /var/log/pmta/ . Use logrotate to prevent disk fills: powermta 60r3
Here are the standout features in 60r3: Prior to v6, throttling was primarily IP-based. 60r3 introduced granular domain-level throttling. You can now limit sending to yahoo.com to 500 messages/second while allowing internalcorp.com to run at 10,000/sec. Use logrotate to prevent disk fills: Here are
<dsn-rule 550_5.1.1> pattern "550 5.1.1.*User unknown" category hard-bounce action reject </dsn-rule> <dsn-rule 450_4.2.2> pattern "450 4.2.2.*Mailbox full" category soft-bounce action requeue retry-interval 3600 </dsn-rule> Because 60r3 is older, it does not natively support modern TLS 1.3 (only TLS 1.2). Security must be handled at the network and OS level. 5.1. Restrict Pickup Directories PowerMTA monitors directories for new .msg files. Ensure permissions are locked: <dsn-rule 550_5
PowerMTA 60r3 is a workhorse. One properly tuned instance can replace an entire cluster of Postfix servers. Part 8: Licensing and Support Reality for PowerMTA 60r3 This is the most critical section for businesses.
/var/log/pmta/fifo.log daily rotate 7 compress postrotate /etc/init.d/pmta restart log endscript
chown pmta:pmta /var/spool/pmta/pickup chmod 750 /var/spool/pmta/pickup # Allow only authorized injection ports (25, 587, 2525) iptables -A INPUT -p tcp --dport 25 -s 10.0.0.0/8 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j DROP 5.3. Disable Unused Services In pmta config , ensure the following are disabled if not needed: