Jake Vickers wrote:
I currently have all my users using the submission port for outgoing
mail.

good.

They cannot send on port 25 at this time, and according to all of
the online tests I have tried I am not an open relay or backscatter
sprayer.
My master.cf currently shows:

smtp inet n - - - - smtpd
  -o smtpd_use_tls=no
  -o smtpd_sasl_auth_enable=no
  -o content_filter=smtp-amavis:[127.0.0.1]:10024

If I change smtpd_sasl_auth_enable to yes, it allows some devices
(handhelds, Treo, etc.) to send on port 25 if authenticated, but I want
to make sure that this does not turn me into a relay or anything before
doing so. I have attempted to relay through it while it's enabled, and
they were denied. I decided to err on the side of caution and check
with the experts here before "just doing it" in case there were any
pitfalls or gotchas I do not know about.

open relay is when you relay mail for "strangers". if you relay mail for
your users, that's not open relay.
relay control is done in smtpd_recipient_restrictions. a common
sasl-enabled setup looks like this:

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    ...

so relay is allowed from mynetworks and for authenticated senders. if
all your users must authenticate, then configure mynetworks to only
include those servers that need to relay without authentication. For
example:

mynetworks = 127.0.0.1

if you have internal machines that need to relay via port 25 and can't
(or shouldn't) authenticate, then add them to mynetworks.
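
Added example, not part of the original thread and not Postfix code: a simplified Python model of how the restriction list above is walked top to bottom with the first match deciding, run over constructed sessions. The domain example.com, the client addresses and the function name are assumptions for illustration; the last call shows why mynetworks should stay narrow.

```python
import ipaddress

# Restriction list from the reply above, evaluated in order; first match wins.
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination"]
MYNETWORKS = [ipaddress.ip_network("127.0.0.1/32")]  # mynetworks = 127.0.0.1
LOCAL_DOMAINS = {"example.com"}  # constructed: domains this server accepts mail for


def check_recipient(client_ip, sasl_authenticated, rcpt, mynetworks=MYNETWORKS):
    """Return (action, deciding_rule) for one RCPT TO command."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for rule in RESTRICTIONS:
        if rule == "permit_mynetworks" and any(ip in net for net in mynetworks):
            return ("permit", rule)
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return ("permit", rule)
        if rule == "reject_unauth_destination" and domain not in LOCAL_DOMAINS:
            return ("reject", rule)
    # Nothing matched: the recipient is in one of our own domains (inbound mail).
    return ("permit", "end of list")


# Constructed sessions: (description, client IP, authenticated?, recipient)
SESSIONS = [
    ("stranger relaying out", "203.0.113.9", False, "victim@elsewhere.test"),
    ("authenticated handheld", "203.0.113.9", True, "friend@elsewhere.test"),
    ("local content filter", "127.0.0.1", False, "friend@elsewhere.test"),
    ("stranger, inbound mail", "203.0.113.9", False, "user@example.com"),
]


def main():
    for desc, ip, auth, rcpt in SESSIONS:
        action, rule = check_recipient(ip, auth, rcpt)
        print(f"{desc:24} {action:7} ({rule})")
    # Failure mode: an over-broad mynetworks permits strangers before
    # reject_unauth_destination is ever reached.
    wide = [ipaddress.ip_network("0.0.0.0/0")]
    print("wide mynetworks:",
          check_recipient("203.0.113.9", False, "victim@elsewhere.test", wide))


if __name__ == "__main__":
    main()
```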