On 2/11/2011 12:07 PM, Benny Pedersen wrote:
> On Fri, 11 Feb 2011 12:00:30 -0600, Noel Jones<njo...@megan.vbhcs.org>
> wrote:
>> On 2/11/2011 11:57 AM, Benny Pedersen wrote:
>>> postscreen_access_list = permit_sasl_authenticated, permit_mynetworks,
>>> cidr:/etc/postfix/cidr/postscreen_access.cidr
>>> will it work?
>>
>> No. Authentication happens in smtpd after postscreen is done.
>
> I would like to see it supported for remote postfix servers that can't use
> submissions
> to avoid sasl users being tested in dnsbl
>
>> Best solution is to disable AUTH on port 25 and make
>> submission/587 and optionally smtps/465 available to your
>> users. This also helps users get around port 25 blocks by
>> ISPs and hotspots.
>
> not the best option for me, but my users can live with it, but remote
> servers will need tls on port 25 still
Don't confuse TLS with AUTH.

Clients, including any remote postfix servers, that regularly
connect to you with AUTH shouldn't have any trouble changing
their destination port.

Postscreen allows TLS, but currently doesn't have a pass
mechanism based on TLS. I suppose such a mechanism could be
added if enough people would use it, but software isn't free.

You can leave AUTH enabled on port 25, but note you may need
to whitelist some clients from postscreen. Clients on dynamic
connections are out of luck, and must migrate to submission or
smtps.
-- Noel Jones
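
Added example, not part of the original thread and not Postfix code: a small Python check that reads main.cf and master.cf text and flags the two issues discussed above, an smtpd-only restriction placed in postscreen_access_list and AUTH left enabled on port 25 instead of on submission. The sample configs are constructed, services are assumed to be named `smtp`, `smtpd` and `submission` in master.cf, and only the `-o name=value` override form is parsed.

```python
import re

# Entries postscreen can evaluate: permit_mynetworks or a type:table lookup.
USABLE = re.compile(r"^(permit_mynetworks|[a-z0-9_]+:\S+)$")

def logical_lines(text):
    """Join Postfix continuation lines (leading whitespace); skip blanks and comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(main_cf, master_cf):
    """Return findings for the two problems discussed in the thread."""
    main = {}
    for line in logical_lines(main_cf):
        name, _, value = line.partition("=")
        main[name.strip()] = value.strip()
    findings = []
    acl = main.get("postscreen_access_list", "permit_mynetworks")
    for entry in filter(None, re.split(r"[,\s]+", acl)):
        if not USABLE.match(entry):
            findings.append(f"postscreen_access_list: {entry} is not usable by postscreen")
    default = main.get("smtpd_sasl_auth_enable", "no")
    for line in logical_lines(master_cf):
        f = line.split()
        if len(f) < 8 or f[7] != "smtpd":
            continue  # only smtpd services can offer AUTH
        opts = dict(re.findall(r"-o\s+(\w+)=(\S+)", line))
        auth = opts.get("smtpd_sasl_auth_enable", default) == "yes"
        # Assumption: services are identified by name, not by an address:port form.
        if f[0] in ("smtp", "smtpd") and auth:
            findings.append(f"{f[0]}: AUTH is offered on port 25")
        if f[0] == "submission" and not auth:
            findings.append("submission: AUTH is not enabled")
    return findings

# Constructed sample configs (not from a real system).
MASTER = "smtp inet n - n - 1 postscreen\nsmtpd pass - - n - - smtpd\nsubmission inet n - n - - smtpd\n"
BEFORE_MAIN = ("postscreen_access_list = permit_sasl_authenticated, permit_mynetworks,\n"
               "    cidr:/etc/postfix/cidr/postscreen_access.cidr\nsmtpd_sasl_auth_enable = yes\n")
AFTER_MAIN = ("postscreen_access_list = permit_mynetworks,\n"
              "    cidr:/etc/postfix/cidr/postscreen_access.cidr\nsmtpd_sasl_auth_enable = no\n")
AFTER_MASTER = MASTER + "    -o smtpd_sasl_auth_enable=yes\n"

if __name__ == "__main__":
    print(audit(BEFORE_MAIN, MASTER))
    print(audit(AFTER_MAIN, AFTER_MASTER))
```

On a live system the effective values come from `postconf` and `postconf -M`; this sketch only reads the text it is given.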