[pfx] Re: IP discard for authenticated e-mails

[Bill Cole via Postfix-users]

On 2025-02-03 at 21:55:14 UTC-0500 (Tue, 4 Feb 2025 03:55:14 +0100)
Ellie via Postfix-users <e...@horse64.org>
is rumored to have said:
On 2/3/25 11:56 PM, Wietse Venema via Postfix-users wrote:
If this is for messages submitted on port 587 (submission) or 465
(smtps or submissions), then you can simply delete all Received:
message headers, because there shuold be only one.
Thanks so much for your helpful response! I wonder, does postfix 
reject unauthenticated mail from port 587 and 465, in the common 
config where open relay access is disabled?

If  configured to be conforming to the relevant RFC 
(https://www.rfc-editor.org/rfc/rfc6409#section-4.3_) yes. That is the 
most common (and sensible) config for the submission ports. We'd need to 
see your master.cf details to know for sure:  `postconf -Mf' output 
would be useful.

Here's what mine looks like for the 2 submission services:

submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submit
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING-TLS

The critical part for rejecting unauthenticated sessions is the trailing 
'reject' in smtpd_recipient_restrictions.

From reading my own master.cf I feel like it doesn't. Wouldn't it then 
strip from some external incoming mail as well? That would seem a 
little strange.

Because 465 and 587 are ONLY supposed to be used for initial submission 
and should be restricted to authenticated clients, this should not be a 
problem.


--
 Bill Cole
 b...@scconsult.com or billc...@apache.org
 (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)
 Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org