LuKreme wrote, at 03/13/2009 11:53 AM:
> On 13-Mar-2009, at 09:04, Jorey Bump wrote:
>>> For the people still supporting the antiquated model of accepting mail
>>> submission via SMTP rather than a proper port 587 daemon, it is
>>> important to make allowances for the fact that MUAs frequently have no
>>> better choice for their HELO argument than an IP literal, and sometimes
>>> even that is pretty lousy (i.e. an ephemeral RFC1918 private IP)
>>
>> MUA HELOs are problematic in many ways. But you're absolutely right,
>> this is best handled by delaying this sort of check_helo_access until
>> smtpd_recipient_restrictions, after permit_mynetworks &
>> permit_sasl_authenticated, if you support submission on SMTP port 25 on
>> an MX server.
> 
> OK, this piqued my interest.  I have 587 set up, and I also have a couple
> of alternate ports in the 1025+ range to deal with any users unlucky
> enough to be behind draconian ISPs, but I do still accept mail on port
> 25.  In fact, I wasn't even aware that you could force users to use the
> submission port.
> 
> Where's the read me on configuring master.cf for this, as I think it
> might be worth looking at.

Forcing users to submit mail to port 587 basically means dropping
support for relaying to external domains on port 25. This poses less of
a problem now than it did in the past, since nearly all modern clients
support STARTTLS on alternate ports. Essentially, you remove
permit_mynetworks & permit_sasl_authenticated from your
smtpd_*_restrictions in main.cf, so they will no longer be exempt from
the more strict checks (although a handful may still be able to send
directly to the domains you handle). If you configure port 587 properly
(the default in master.cf is usually fine), you can notify your users to
switch. Then it's basically rinse, lather, repeat until you have a
minority that need to be targeted individually. Once you've migrated
users to your satisfaction, remove support from main.cf.

BTW, what ISPs are blocking port 587? This is disturbingly wrong.
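
A configuration sketch of the end state described in the message above, added here as an example and not taken from the thread or from Postfix's shipped files. The helo_access map path is a placeholder, and the explicit smtpd_recipient_restrictions override on the submission service is an assumption about how the main.cf list is written: without it, port 587 would inherit the port 25 list, which no longer exempts authenticated clients.

```conf
# ---- /etc/postfix/main.cf (added example) ----
# These settings govern the port 25 listener and are inherited by every
# master.cf service that does not override them with -o.

# Before migration: trusted networks and authenticated users are exempted
# ahead of the stricter checks, so port 25 doubles as a submission port.
#smtpd_sasl_auth_enable = yes
#smtpd_recipient_restrictions =
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    reject_unauth_destination,
#    check_helo_access hash:/etc/postfix/helo_access

# After migration: port 25 is MX-only. No AUTH is offered, nobody is
# exempted, and every client goes through the HELO check.
# (hash:/etc/postfix/helo_access is a placeholder map path.)
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    reject_unauth_destination,
    check_helo_access hash:/etc/postfix/helo_access

# ---- /etc/postfix/master.cf (added example) ----
# Port 25: plain smtpd, takes everything from main.cf.
smtp       inet  n  -  n  -  -  smtpd

# Port 587: TLS is mandatory, AUTH is enabled for this service only, and
# unauthenticated clients are rejected before any other check runs.
# The recipient override is what lets authenticated users relay to
# external domains once main.cf no longer lists permit_sasl_authenticated.
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```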

