Jeff Weinberger wrote, at 01/08/2009 09:27 AM:
> Setting smtpd_sasl_auth_enable = no would mean that no authentication is
> required on port 25, but if I understand it correctly, it wouldn't
> actually stop an authenticated user from sending mail through port 25.
> If they tried to authenticate on port 25 with smtpd_sasl_auth_enable =
> no, would postfix refuse the connection?

Actually, smtpd_sasl_auth_enable = no means that authentication is not enabled. IOW, Postfix won't offer 250-AUTH [mech list] after HELO/EHLO. Attempts to authenticate will generate an error. Most modern clients are intelligent enough to detect the absence of AUTH and will not attempt to authenticate. Good ones will abort and notify the user. Bad ones might attempt to continue, in case the server will still accept the message. If the domain is a destination your server handles, it will probably accept the message, otherwise it will reject it.

> In the final step of my scenario, that's the behavior I want to achieve.
> Will that simple step work?

Yes. You can completely disable submission on port 25 and prevent relaying to destinations you don't accept by hosts outside of mynetworks.
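
An added example, not part of the original message: a small Python check that parses an EHLO reply and reports whether the listener advertises AUTH, which is the observable effect of smtpd_sasl_auth_enable = no described above. The sample replies and the hostname mail.example.com are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample EHLO replies (illustrative, not captured from a real server).
NO_AUTH_REPLY = (
    "250-mail.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
AUTH_REPLY = (
    "250-mail.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-AUTH=PLAIN LOGIN\r\n"  # legacy "AUTH=" form kept for old clients
    "250 8BITMIME\r\n"
)

_LINE = re.compile(r"^250([- ])(.*)$")

def parse_ehlo(reply):
    """Return {KEYWORD: set(params)} from a multi-line 250 EHLO reply."""
    lines = reply.splitlines()
    caps = {}
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        sep, text = m.groups()
        # "250-" marks a continuation line; only the final line uses "250 ".
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError(f"bad continuation marker: {line!r}")
        if i == 0:
            continue  # first line carries the server name, not a capability
        if text.upper().startswith("AUTH="):
            text = "AUTH " + text[5:]  # fold the legacy form into AUTH
        words = text.split()
        if words:
            caps.setdefault(words[0].upper(), set()).update(
                w.upper() for w in words[1:])
    return caps

def auth_mechanisms(reply):
    """Sorted SASL mechanisms the listener offers (empty when AUTH is absent)."""
    return sorted(parse_ehlo(reply).get("AUTH", ()))

def auth_disabled(reply):
    """True when no AUTH capability is advertised on this listener."""
    return "AUTH" not in parse_ehlo(reply)
```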