Simone Felici wrote:
My server has two interfaces with IP1 and IP2. I would like to set up
postfix to permit AUTH-SMTP only for sessions incoming on IP1 and
normal SMTP sessions on IP2.
I've only found how to apply restrictions on the sender (ip/domain) but
have no idea how to manage different policies depending on which smtp-IP
the client is using.
Simone Felici wrote:
The first ip address should accept only clean smtp sessions, with
restrictions allowing smtp only from specific client-ip ranges. This
is the actual situation in production and all is ok.
The second ip should accept only sasl auth smtp sessions. If the
authentication goes well, the client can send without other checks
and the client can have every ip he wants.
Due to company decisions, our smtp server accepts sending messages only
if the customer is connected with our network. The second ip on the
server should introduce the possibility to send (only if
authenticated) from any network.
Is it possible to set this up on the same server?
What you're looking for is called the submission service. Accepted
practice has you split MTA relay and MUA submission onto two separate
ports, 25 for MTAs, 587 for MUAs. Require TLS+AUTH on port 587, disable
them[1] on port 25.
In main.cf:
smtpd_sasl_auth_enable = no
In master.cf:
submission inet n       -       n       -       -       smtpd
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_tls_security_level=encrypt
Set the other sasl- and tls-related settings in main.cf.
If you want to use port 25 on IP1 instead of port 587 on all
inet_interfaces, remove IP1 from inet_interfaces and change "submission"
to "IP1:smtp" in the master.cf excerpt above.
Keep in mind there is a growing number of ISPs which do not permit
outbound connections to port 25 from their user networks while port 587
is allowed by everyone except the most idiotic of network admins.
1: You can make TLS optional if you want opportunistic encryption when
talking to other MTAs.