Wietse et al.

With the arrival of postscreen, but also before, I find myself repeatedly
changing the defaults for the 'submission' service in master.cf. I believe the
changes I apply are not rooted in my local mail policies, but of a general
nature.

Now that submission has become more popular I'd like to discuss if the current
settings should be modified to work better with an MTA that runs different
policies for port 25 and 587, which I believe has become the standard use case
for 'a mailserver'.

In RFC 5598 "Internet Mail Architecture" Dave Crocker writes about the
submission service:

4.3.1.  Mail Submission Agent (MSA)

   A Mail Submission Agent (MSA) accepts the message submitted by the
   aMUA and enforces the policies of the hosting ADMD and the
   requirements of Internet standards.  An MSA represents an unusual
   functional dichotomy.  It represents the interests of the Author
   (aMUA) during message posting, to facilitate posting success; it also
   represents the interests of the MHS.
   
   ...

   The hMSA takes transit responsibility for a message that conforms to
   the relevant Internet standards and to local site policies.  It
   rejects messages that are not in conformance.  The MSA performs final
   message preparation for submission and effects the transfer of
   responsibility to the MHS, via the hMSA.  The amount of preparation
   depends upon the local implementations.  Examples of aMSA tasks
   include adding header fields, such as Date: and Message-ID:, and
   modifying portions of the message from local notations to Internet
   standards, such as expanding an address to its formal IMF
   representation.
   -- http://tools.ietf.org/rfc/rfc5598.txt

This said, I think the submission service should be expanded and modified.

I would add the following filters to reject "messages that are not in
conformance" in order to gain basic transportability and better deliverability:

reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_unknown_sender_domain
reject_unknown_recipient_domain

I'd also add header fields if the authenticated client failed to:

always_add_missing_headers=yes

And finally I'd change the current settings for smtpd_tls_security_level and
smtpd_delay_reject regarding the submission service:

smtpd_tls_security_level
I would not enforce TLS as the submission RFC only says "SHOULD" on TLS and
therefore would only set 'may' as preconfigured setting. I'd leave it to the
postmaster to set a stricter policy. I personally keep changing this all the
time since I configure and test SASL first and once that works as expected
turn to TLS. Opportunistic TLS as default would make this easier without
breaking RFCs.

smtpd_delay_reject
For convenience reasons I'd add this setting and set it to 'yes'. Ever since
postscreen has been around I've been switching to smtpd_delay_reject=no and
more aggressive filtering on port 25. I believe many have done so.
Unfortunately setting it to 'no' breaks the assigned smtpd_client_restrictions
for the submission service - the client will be rejected before it was able to
authenticate.


All in all I think these changes would make a submission service more useful
out of the box.

What do you think?

p@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
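
The smtpd_delay_reject interaction and the restriction list discussed in the message above, as an added example that is not part of the original post: a small Python check that reads a master.cf, computes the submission service's effective settings on top of main.cf, and flags the case where clients are rejected before they can authenticate. MAIN_CF, MASTER_CF and the function names are constructed for illustration, and only the plain `-o name=value` form is parsed.

```python
# Constructed sample: main.cf tuned for port 25 behind postscreen, plus a
# master.cf submission entry with typical overrides (not from the original post).
MAIN_CF = {"smtpd_delay_reject": "no", "smtpd_tls_security_level": "may"}
MASTER_CF = """\
smtp       inet  n  -  n  -  1  postscreen
# comment lines and blank lines are ignored
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
PROPOSED = ["reject_non_fqdn_sender", "reject_non_fqdn_recipient",
            "reject_unknown_sender_domain", "reject_unknown_recipient_domain"]

def service_overrides(master_cf, name, stype="inet"):
    """Return the '-o name=value' overrides of one master.cf service, or None."""
    entries = []
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:      # leading whitespace continues an entry
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    for fields in (e.split() for e in entries):
        if fields[:2] == [name, stype]:
            args = fields[8:]                  # after 7 columns and the command name
            return dict(args[i + 1].split("=", 1)
                        for i, a in enumerate(args[:-1]) if a == "-o")
    return None

def audit_submission(main_cf, master_cf):
    """Effective submission settings, checked against the points raised in the post."""
    eff = {**main_cf, **(service_overrides(master_cf, "submission") or {})}
    split = lambda v: v.replace(",", " ").split()
    clients = split(eff.get("smtpd_client_restrictions", ""))
    # Before AUTH, permit_sasl_authenticated cannot match; what follows it decides.
    first = next((r for r in clients if r != "permit_sasl_authenticated"), None)
    used = {r for k, v in eff.items() if k.endswith("_restrictions") for r in split(v)}
    return {
        "auth_lockout": eff.get("smtpd_delay_reject", "yes") == "no" and first == "reject",
        "tls_level": eff.get("smtpd_tls_security_level", ""),
        "adds_missing_headers": eff.get("always_add_missing_headers", "no") == "yes",
        "missing_restrictions": [r for r in PROPOSED if r not in used],
    }

if __name__ == "__main__":
    print(audit_submission(MAIN_CF, MASTER_CF))
```

With the sample input the check reports the lockout; adding `-o smtpd_delay_reject=yes` to the submission entry clears it while port 25 keeps `no`.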
