Jeff Weinberger wrote, at 01/08/2009 12:10 AM:
> Hi:
>
> Based on good practice and the help and urging of some of the gurus on this
> list, I am moving my users to using the submission service (port 587)
> instead of port 25 to send mail from their mail clients.
>
> Once most of them move, I'd like to start warning the ones who don't that
> they should (ok, maybe just bugging them). But then I was thinking I might
> eventually want to require that they use port 587.
>
> My question is really two-fold:
>
> 1) using the controls in postfix, is it possible to prevent authenticated
> users from using port 25 to submit mail? Is there a construct that would do
> that without interfering with incoming mail from anywhere?
Yes, you can simply set smtpd_sasl_auth_enable = no (which is the default, so you could also remove the line, but being explicit might be more helpful in this case). You can also remove permit_sasl_authenticated from smtpd_*_restrictions, but it might be wise to leave it in place for the time being (it shouldn't cause any problems). Your submission service in master.cf should already have -o smtpd_sasl_auth_enable=yes in it.

Keep in mind, however, that some users will still be able to use port 25 to send messages to domains that the server accepts mail for. To them, it may seem that relaying works inconsistently.

> 2) even if it's possible, is it advisable (I know no one is shy about
> offering opinions here, and I hope if you have one, you'll voice it :) )?

The decision to restrict mail submission to port 587 depends on your needs. I manage some environments where this is enforced. I actually like the separation, but it sometimes requires additional support for legacy clients (achieved in various ways). In other environments with a more diverse and general population, I continue to allow submission on port 25, but only with mechanisms that are considered secure.

You'll probably want to begin with this arrangement, as you are suggesting. It's kinder to your users, if you're not in any rush. The important thing is that you're opening port 587 (with sane settings) to support road warriors and users whose ISPs block outgoing connections to port 25. This move benefits them as much as (if not more than) it benefits you.
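The arrangement described in the reply, written out as an added example (this is not configuration from the original post): main.cf turns SASL off for the port 25 smtpd, and master.cf turns it back on only for the submission service. The smtpd_tls_security_level and smtpd_client_restrictions overrides on the submission entry are assumed "sane settings" for port 587 and are not something the post specifies; the restriction list in main.cf is a typical one, also assumed.

```conf
# main.cf (added example, not from the original post)
# Port 25 smtpd: SASL disabled, so an authenticated relay over port 25 is
# impossible. This is the default, but stating it makes the intent explicit.
smtpd_sasl_auth_enable = no

# permit_sasl_authenticated can stay in place: with SASL disabled on port 25
# it never matches, so it is harmless. reject_unauth_destination still lets
# anyone deliver to the domains this server accepts mail for, which is why
# users who only send to local addresses will see port 25 "work".
# (Restriction list is an assumed, typical example.)
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# master.cf (added example, not from the original post)
# service    type  private unpriv chroot wakeup maxproc command + args
smtp         inet  n       -      n      -      -       smtpd
# Submission on port 587 re-enables SASL for this listener only.
# The TLS and client-restriction overrides are assumed "sane settings",
# not taken from the post.
submission   inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, an EHLO on port 25 should no longer advertise AUTH, while the same EHLO on port 587 (after STARTTLS) should. The syslog_name override keeps submission and port 25 traffic distinguishable in the logs, which helps when later deciding who still needs to be nudged off port 25.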