>> Is it alright to send on port 25 from Squirrelmail when it's on the
>> same machine as postfix?
>
> OK, but not optimal. Better to leave on 465 to separate the traffic.
>
>> That way I can make 587 require TLS and
>> authentication but not require that local Squirrelmail encrypt or
>> authenticate.
>
> You can use SquirrelMail on 587. It doesn't work right now because
> of your smtpd_security_level=encrypt. You could change your
> submission restrictions to something like
>   -o smtpd_security_level=may
>   -o mynetworks=127.0.0.1
>   -o smtpd_tls_auth_only=yes
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject_plaintext_session,permit_sasl_authenticated,reject
>   ... other stuff ...
>
> ie. allow localhost to submit mail plaintext with no auth; all
> others require STARTTLS and auth.

I've rearranged my config to the following. I don't think
reject_plaintext_session is necessary given the rest of the config. Is
there a situation I'm overlooking where it would come into play?
Please consider everything else default. Is this OK?

master.cf:

submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

main.cf:

smtpd_recipient_restrictions = reject_unauth_destination, permit
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

- Grant
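
Added example, not part of the original thread and not Postfix code: a simplified first-match model of the two submission restriction lists discussed above, run over every combination of local/remote, TLS/plaintext and AUTH/no AUTH. It assumes mynetworks covers loopback only, uses a constructed remote address (203.0.113.7), and models only smtpd_recipient_restrictions.

```python
# Simplified model of first-match evaluation of a Postfix
# smtpd_recipient_restrictions list; illustrative, not Postfix code.
from ipaddress import ip_address, ip_network
from itertools import product

MYNETWORKS = [ip_network("127.0.0.0/8")]   # assumption: loopback only
GRANT = ["permit_mynetworks", "permit_sasl_authenticated", "reject"]
SUGGESTED = ["permit_mynetworks", "reject_plaintext_session",
             "permit_sasl_authenticated", "reject"]

def evaluate(restrictions, client_ip, tls, sends_auth, tls_auth_only=True):
    """Return (decision, deciding_restriction) for one RCPT TO."""
    # smtpd_tls_auth_only=yes: AUTH is neither announced nor accepted
    # on an unencrypted session, so such a client stays unauthenticated.
    authenticated = sends_auth and (tls or not tls_auth_only)
    local = any(ip_address(client_ip) in net for net in MYNETWORKS)
    for r in restrictions:
        if r == "permit_mynetworks" and local:
            return "permit", r
        if r == "reject_plaintext_session" and not tls:
            return "reject", r
        if r == "permit_sasl_authenticated" and authenticated:
            return "permit", r
        if r == "reject":
            return "reject", r
    return "permit", "end of list"   # model simplification: no match

def compare(tls_auth_only=True):
    """List client cases where the two lists reach different decisions."""
    diffs = []
    # constructed sample clients: one loopback, one remote (TEST-NET-3)
    cases = product(["127.0.0.1", "203.0.113.7"], [False, True], [False, True])
    for ip, tls, auth in cases:
        a = evaluate(GRANT, ip, tls, auth, tls_auth_only)
        b = evaluate(SUGGESTED, ip, tls, auth, tls_auth_only)
        if a[0] != b[0]:
            diffs.append((ip, tls, auth, a, b))
    return diffs

if __name__ == "__main__":
    print("smtpd_tls_auth_only=yes:", compare(True))
    print("smtpd_tls_auth_only=no: ", compare(False))
```

In this model the two lists only disagree when smtpd_tls_auth_only is off, for a remote client that authenticates over plaintext.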