On Sun, Nov 21, 2010 at 10:18 PM, zhong ming wu <mr.z.m...@gmail.com> wrote:
> On this list you will be asked for output of "postconf -n" and not
> what you think is relevant.

Fair enough. I am going to try some things and if I am still having problems, will submit my full configuration to the list.

> This is deprecated in favor of "smtpd_tls_security_level"
> for your version of postfix.
>
> http://www.postfix.org/TLS_README.html
>
> Plus "smtpd_use_tls=yes" is not the right config to use even with
> older version.

Thanks, I must not have read the TLS document carefully enough. I'm going back over it now.

On Mon, Nov 22, 2010 at 12:00 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> It is not obvious to me which reasons you have in mind, you should be
> explicit about your security goals. What threats do you want to mitigate?
> You also don't specify whether your server is an MSA only, or also an
> MX host.

It appears the problem is more complicated than I previously thought. I think I am misunderstanding the intent of some of these security measures. My goals are simply to responsibly run an MX host that will not be abused by spammers and subsequently blacklisted. I was working with the preconceived notion that anonymous SMTP is always bad and should be disabled to prevent running an open relay; I see now that this is inaccurate and I'm reassessing my plans accordingly.

> Postfix can't offer SASL mechanisms that Dovecot is not configured to
> use. Other than that, you configure Postfix policy in Postfix.

OK, that is what I suspected, and it makes sense, thanks.

>> smtpd_tls_auth_only = yes
>
> With this SASL AUTH will NOT be available without TLS.

So, this setting doesn't *require* TLS for SASL authentication, it *disables* SASL for non-TLS traffic. Is that accurate?

> If you are able to submit email without TLS or SASL auth, you are
> reporting configuration settings from the wrong main.cf file, or have
> substantial overrides of these parameters in master.cf.

Thank you for your detailed response, I am going to reevaluate my settings and may post again on this list if I continue to have problems.

Chris
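
An added example, not part of the original message and not Postfix's own code: a Python check of the point made in the thread that master.cf overrides can change what main.cf appears to say. It merges "postconf -n" style output with per-service "-o" overrides and flags smtpd services where SASL AUTH would be offered without TLS; the sample configuration, function names and finding strings are constructed for illustration, and only the plain "-o name=value" override form is parsed.

```python
import re
# Constructed sample inputs (not taken from the thread).
POSTCONF_N = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_use_tls = yes
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_auth_only=no
pickup     unix  n  -  n  60 1  pickup
"""

def parse_main(text):
    """Parse 'postconf -n' style 'name = value' lines into a dict."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_smtpd_overrides(text):
    """Per smtpd service in master.cf, collect plain '-o name=value' overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # column 0 starts a new service entry
            f = line.split()
            current = f"{f[0]}/{f[1]}" if len(f) >= 8 and f[7] == "smtpd" else None
        if current:
            services.setdefault(current, {}).update(re.findall(r"-o\s+(\w+)=(\S+)", line))
    return services

def tls_level(cfg):
    """Effective TLS level; legacy booleans count only if the level is unset."""
    legacy = "encrypt" if cfg.get("smtpd_enforce_tls") == "yes" else (
        "may" if cfg.get("smtpd_use_tls") == "yes" else "none")
    return cfg.get("smtpd_tls_security_level") or legacy

def audit(main, overrides):
    findings = []
    if "smtpd_use_tls" in main and "smtpd_tls_security_level" not in main:
        findings.append("main.cf: smtpd_use_tls set; use smtpd_tls_security_level")
    for svc, opts in sorted(overrides.items()):
        cfg = {**main, **opts}  # a master.cf -o override wins over main.cf
        protected = cfg.get("smtpd_tls_auth_only") == "yes" or tls_level(cfg) == "encrypt"
        if cfg.get("smtpd_sasl_auth_enable") == "yes" and not protected:
            findings.append(f"{svc}: SASL AUTH offered without TLS")
    return findings
print("\n".join(audit(parse_main(POSTCONF_N), parse_smtpd_overrides(MASTER_CF))))
```

On the constructed sample, the port-25 service inherits smtpd_tls_auth_only = yes from main.cf, while the submission entry's override turns it off, which is the kind of mismatch a main.cf-only report would hide.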