I think, it's A & D: A: Restrict to domains hosted on this server: Yes, we want to receive mails addressed to the company domains from outside B: irrelevant C: Block port 25 on public networks: If we block port 25, we can't receive any emails, which conflicts to A. D: Restrict relay to outbound SMTP to internal network: Yes, we want only send outgoing emails to other SMTP servers, if they are coming from our internal network E: irrelevant

I think rather A&D

"maintaining the possibility to receive company mails" -> C is in conflict, if you block the SMTP port on public network, the company can't receive mails from outside (public) A -> We restrict reception to our domain only D -> We restrict only our private LAN to send to outside

I've found a "mynetworks" parameter, which is used to restrict the mail relaying by subnets mainly. So D option seems to be true. https://www.postfix.org/postconf.5.html#mynetworks

A and D are correct. Company supposed to receive mails from outside (public) but sending mail should be only possible to internal mail address. In this way preventing “open relay” (using mail outside of company to send to any other public mails) is partly rejected and just receiving from public and private internal are accepted by postfix server. ######### C is not correct because both inbound and outbound traffic of the port 26 will be blocked (rejected) on public Ethernet Network that means: iptables -A INPUT -i eth0-public -p tcp --dport 25 -j REJECT iptables -A OUTPUT -o eth0-public -p tcp --dport 25 -j REJECT

Thinking again I believe C and D looks fine