Sahil Tandon wrote, at 03/13/2009 08:36 PM:
> Jorey Bump wrote:
>> LuKreme wrote, at 03/13/2009 04:26 PM:
>>> On 13-Mar-2009, at 10:49, Bill Cole wrote:
>>>
>>>> If you have a good port 587 config in master.cf, you may need no
>>>> changes there. My submission entry for a server that accepts no port
>>>> 25 submission from outside the LAN is:
>>>>
>>>> submission inet n - n - - smtpd
>>>>   -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
>>>>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>>>>   -o syslog_name=postfix/submit
>>>>   -o smtpd_milters=
>>>>
>>>> (If your main.cf doesn't define smtpd_milters, the last line is
>>>> unnecessary)
>>> That's nice to see. My master.cf is quite old, and the submission port
>>> info is... lemme look
>>>
>>> Oh, my
>>>
>>> 587 inet n - n - - smtpd
>>>
>>>
>>> That's it. Lemme at least change that.
>>
>> Here's an example for a recent Postfix:
>>
>> submission inet n - n - - smtpd
>>   -o smtpd_tls_security_level=encrypt
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> One point of clarification for others who may get tripped up by the
> subtle difference between these two examples. In Bill's version,
> smtpd_recipient_restrictions contains permit_sasl_authenticated, whereas
> the latter is set in Jorey's smtpd_client_restrictions. I believe one
> needs to permit_sasl in recipient_restrictions; at least in the context
> of this thread, where it is suggested that "you remove permit_mynetworks
> & permit_sasl_authenticated from your smtpd_*_restrictions in main.cf".
> Otherwise SASL authenticated clients will be unable to relay (probably
> blocked by reject_unauth_destination at RCPT TO).

Quite right. My example is from a site that still has
permit_sasl_authenticated in smtpd_recipient_restrictions in main.cf. If
you remove that, you need to adjust the submission service accordingly:

 submission inet n - n - - smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING

This is also true of smtps (port 465) if you need to support older clients:

 smtps inet n - n - - smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING

It may also be unnecessary or undesirable to remove permit_mynetworks
from smtpd_*_restrictions in main.cf, depending on how you're using it.
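
An added example, not part of the thread or of Postfix: a small audit that reads master.cf text and flags submission-type services whose own -o overrides do not enable SASL, enforce TLS, or carry permit_sasl_authenticated in smtpd_recipient_restrictions (the case discussed above, where relaying then depends on main.cf). The function names and the sample text are constructed here; it assumes simple "-o name=value" overrides with no whitespace inside a value.

```python
SUBMISSION = {"submission", "587", "smtps", "465"}
TLS_OK = {("smtpd_tls_security_level", "encrypt"), ("smtpd_enforce_tls", "yes"),
          ("smtpd_tls_wrappermode", "yes")}
# Constructed sample: entries quoted in the thread plus a port 25 service (parsing only).
SAMPLE = """\
smtp       inet n - n - - smtpd
587        inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""

def parse_master_cf(text):
    """Return {service: {param: value}} built from each inet service's -o overrides."""
    entries = []
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):  # skip blanks, comments
            if raw[0].isspace() and entries:   # leading whitespace continues an entry
                entries[-1] += raw.split()
            else:
                entries.append(raw.split())
    # Fields 0-7 are service, type, private, unpriv, chroot, wakeup, maxproc, command.
    return {f[0]: dict(a.split("=", 1) for a in f[8:] if "=" in a)
            for f in entries if len(f) >= 8 and f[1] == "inet"}

def audit(text):
    """Return {service: [issues]} for submission-type services only."""
    findings = {}
    for name, o in parse_master_cf(text).items():
        if name.rsplit(":", 1)[-1] not in SUBMISSION:   # also accepts host:port
            continue
        issues = []
        if o.get("smtpd_sasl_auth_enable") != "yes":
            issues.append("no smtpd_sasl_auth_enable=yes override")
        if not TLS_OK & set(o.items()):
            issues.append("no TLS-enforcing override")
        rcpt = o.get("smtpd_recipient_restrictions", "").split(",")
        if "permit_sasl_authenticated" not in rcpt:
            issues.append("recipient restrictions depend on main.cf")
        elif rcpt[-1] != "reject":
            issues.append("recipient restrictions do not end in reject")
        findings[name] = issues
    return findings
```

An empty issue list means the service is self-contained; "recipient restrictions depend on main.cf" is not necessarily a fault, but it marks the entries that stop relaying for authenticated clients once permit_sasl_authenticated is removed from main.cf.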