/dev/rob0 wrote:
> On Fri, Jan 08, 2010 at 10:23:38AM -0500, Wietse Venema wrote:
>> /dev/rob0:
>>> On Fri, Jan 08, 2010 at 08:37:16AM -0500, Shaun T. Erickson wrote:
>>>> Yes, this is what is shown in the SASL Howto and how I have had
>>>> my server's submission port configured in the past.
>>>>
>>>> However, in the 2.6.2 postfix distribution I'm trying to
>>>> configure now, the default definition of the submission port
>>>> uses the same restrictions, but it applies them to the
>>>> smtpd_CLIENT_restrictions parameter, NOT the
>>>> smtpd_RECIPIENT_restrictions parameter. I'm trying to
>>>> understand if that is just a typo in master.cf or if the change
>>>> is legit and, if so, why.
>>> Here's the example to which you refer:
>>> #submission inet n - n - - smtpd
>>> # -o smtpd_tls_security_level=encrypt
>>> # -o smtpd_sasl_auth_enable=yes
>>> # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>
>>> If you have already configured your smtpd_recipient_restrictions in
>>> main.cf to allow SASL AUTH, this example does indeed work. It's
>>> probably not a typo, but I agree, it can be confusing. Why do this
>>> with smtpd_client_restrictions, and yet assume that you didn't have
>>> smtpd_sasl_auth_enable=yes in main.cf already?
>> The purpose of the submission service is to accept mail only from
>> authenticated clients.
>
> This, I understand.
>
>> The above submission entry implements this
>> particular requirement without depending on main.cf settings.
>
> This, I do not.
>
> $ /usr/sbin/postconf -dh smtpd_recipient_restrictions
> permit_mynetworks, reject_unauth_destination
>
> If a client from outside $mynetworks attempts to relay to external
> addresses, and AUTH succeeds, it passes smtpd_client_restrictions.
> But in smtpd_recipient_restrictions it gets "Relay access denied".
> It would work if either the client is in $mynetworks, or if the
> main.cf setting of smtpd_recipient_restrictions has had
> permit_sasl_authenticated added as per SASL_README.
>
>> This is done for robustness reasons.
>
> I think, as the OP noted, that the example is confusing, and should
> be changed as follows:
> #submission inet n - n - - smtpd
> # -o smtpd_tls_security_level=encrypt
> # -o smtpd_sasl_auth_enable=yes
> # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

No, because it will override the checks that one adds to smtpd_recipient_restrictions (most people change this but don't touch smtpd_client_restrictions). For example, I don't accept non-FQDN addresses even for submission, and I do this under smtpd_recipient_restrictions.
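
Added example, not part of the original thread and not Postfix code: a simplified Python model of per-list restriction evaluation, run against the three configurations discussed above (stock submission entry with default main.cf, stock entry with a tuned main.cf, and the proposed recipient-restrictions override). `TUNED_MAIN`, the domain names and the session values are constructed, and only the five restrictions named here are modelled.

```python
# Simplified model of how smtpd walks its restriction lists (not Postfix code).
# Within a list the first verdict wins. PERMIT ends only the current list;
# REJECT ends the transaction. Helo/sender lists are omitted.

def check(name, s):
    """Return 'PERMIT', 'REJECT' or None (no decision) for one restriction."""
    domain = s["rcpt"].rpartition("@")[2]
    if name == "permit_sasl_authenticated":
        return "PERMIT" if s["authenticated"] else None
    if name == "permit_mynetworks":
        return "PERMIT" if s["in_mynetworks"] else None
    if name == "reject_unauth_destination":
        return None if domain in s["local_domains"] else "REJECT"
    if name == "reject_non_fqdn_recipient":
        return None if "." in domain else "REJECT"
    if name == "reject":
        return "REJECT"
    raise ValueError(f"restriction not modelled: {name}")

def effective(main_cf, overrides):
    """A master.cf -o override replaces the main.cf value of that parameter."""
    merged = {**main_cf, **overrides}
    return [(p, merged.get(p, [])) for p in
            ("smtpd_client_restrictions", "smtpd_recipient_restrictions")]

def evaluate(main_cf, overrides, s):
    for param, restrictions in effective(main_cf, overrides):
        for r in restrictions:
            verdict = check(r, s)
            if verdict == "REJECT":
                return f"REJECT by {param}: {r}"
            if verdict == "PERMIT":
                break  # later lists are still evaluated
    return "ACCEPT"

def session(authenticated, rcpt):
    # Constructed client outside $mynetworks; example.com is the only local domain.
    return {"authenticated": authenticated, "in_mynetworks": False,
            "rcpt": rcpt, "local_domains": {"example.com"}}

DEFAULT_MAIN = {"smtpd_recipient_restrictions":
                ["permit_mynetworks", "reject_unauth_destination"]}
TUNED_MAIN = {"smtpd_recipient_restrictions":  # constructed site policy
              ["reject_non_fqdn_recipient", "permit_mynetworks",
               "permit_sasl_authenticated", "reject_unauth_destination"]}
STOCK = {"smtpd_client_restrictions": ["permit_sasl_authenticated", "reject"]}
PROPOSED = {"smtpd_recipient_restrictions": ["permit_sasl_authenticated", "reject"]}
```

Calling `evaluate(TUNED_MAIN, PROPOSED, session(True, "bob@mailhost"))` returns `ACCEPT`, while the same session under `STOCK` is rejected by `reject_non_fqdn_recipient`, which is the lost check the reply describes.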