Phil Howard:
> I'm doing optional STARTTLS (e.g. smtpd_tls_security_level=may and
> smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination)
> on port 25.
>
> What should I be doing on port 587?
There's an example submission (port 587) service in recent master.cf
files:
#submission inet n - n - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
This example should also have
-o smtpd_sasl_tls_security_options=noanonymous
to allow plain-text passwords over TLS.
Wietse
