* Patrick Ben Koetter <postfix-users@postfix.org>:
> * Wietse Venema <postfix-users@postfix.org>:
> > Different sites have different needs, and perhaps it is an idea to
> > provide *multiple* submission service examples in master.cf, all
> > commented out of course. The first could be the recommended one:
> > not allowing plaintext sessions is good as a general rule. The
> > second example could allow plaintext sessions (level = may) but
> > allow plaintext passwords only over encrypted sessions.
Here are two examples we all seem to agree on. They differ in TLS
(optional/mandatory) and the SASL mechanisms they allow depending on the
TLS context. Additionally, both examples have SMTP session filters that
check for syntactic deliverability (MSA job) and add required headers if
they are missing. Filters and fixing headers is a change I'd propose, but
nobody seems to have commented on it yet. Agreed by everyone?

As a safety net I would change smtpd_client_restrictions into
smtpd_recipient_restrictions. This will give a client sufficient time to
authenticate, and permit_sasl_authenticated will work even if an admin
changed the defaults for smtpd_delay_reject. It also makes it possible to
filter for reject_non_fqdn_recipient, which the RFC I quoted says to be
an MSA job.

# submission example 1: Optional TLS with SASL methods safe to use over an
# unencrypted network
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=may
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_sasl_security_options=noplaintext,noanonymous
#  -o smtpd_tls_sasl_security_options=noanonymous
#  -o always_add_missing_headers=yes
#  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

# submission example 2: Mandatory TLS and SASL only over an encrypted network
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=enforce
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o always_add_missing_headers=yes
#  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

-- 
All technical questions asked privately will be automatically answered on
the list and archived for public access unless privacy is explicitly
required and justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
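The property both drafts above are built around, plaintext passwords only ever travel inside TLS, is easy to lose when someone later edits master.cf (enabling SASL on the port 25 smtpd, dropping noplaintext, forgetting smtpd_tls_auth_only). The script below is an added example for this thread, not Postfix code or the list poster's: it parses master.cf's `-o name=value` override syntax, fills in the postconf(5) defaults for anything a service does not override (assumption: main.cf leaves those defaults alone), and reports every smtpd service with SASL enabled that would accept a plaintext mechanism on an unencrypted session, plus a few related checks on the shape of the drafts (anonymous mechanisms, permit_sasl_authenticated present and a trailing reject in the recipient restrictions). Postfix's documented keyword for mandatory TLS is `encrypt`; the draft's `enforce` spelling is accepted too so it audits cleanly. The master.cf excerpt and the function names are constructed for the example.

```python
"""Audit a Postfix master.cf for smtpd services that would accept plaintext
SASL passwords over an unencrypted session.  Added example, not Postfix code."""

# postconf(5) defaults for the options the audit needs.  Assumption: main.cf
# does not override them (the script reads master.cf only).
DEFAULTS = {
    "smtpd_tls_security_level": "none",
    "smtpd_tls_wrappermode": "no",
    "smtpd_sasl_auth_enable": "no",
    "smtpd_tls_auth_only": "no",
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_tls_sasl_security_options": "",  # empty = same as the non-TLS list
}

# "encrypt" is the documented keyword; "enforce" is the spelling used in the
# list draft above and is accepted here so that draft audits cleanly.
MANDATORY_TLS = {"encrypt", "enforce"}


def _collect_overrides(tokens, options):
    """Store every '-o name=value' pair found in a token list."""
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens) and "=" in tokens[i + 1]:
            name, value = tokens[i + 1].split("=", 1)
            options[name] = value


def parse_master_cf(text):
    """Return {service name: {"type", "command", "options"}}.

    A service line has eight fields (name type private unpriv chroot wakeup
    maxproc command); a line starting with whitespace continues the previous
    service; '#' lines and blank lines are ignored."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                _collect_overrides(raw.split(), current["options"])
            continue
        fields = raw.split()
        if len(fields) < 8:
            continue  # malformed service line; postfix would reject it too
        current = {"type": fields[1], "command": fields[7], "options": {}}
        _collect_overrides(fields[8:], current["options"])
        services[fields[0]] = current
    return services


def _effective(svc, key):
    return svc["options"].get(key, DEFAULTS[key])


def audit_master_cf(text):
    """Return {service: [finding, ...]} for every smtpd service with SASL on.

    Clean means plaintext mechanisms cannot be used without TLS: TLS is
    mandatory (encrypt or wrapper mode), AUTH is only offered after STARTTLS
    (smtpd_tls_auth_only), or the non-TLS mechanism list has noplaintext."""
    report = {}
    for name, svc in parse_master_cf(text).items():
        if svc["command"] != "smtpd" or _effective(svc, "smtpd_sasl_auth_enable") != "yes":
            continue
        findings = []
        tls = _effective(svc, "smtpd_tls_security_level")
        mandatory = tls in MANDATORY_TLS or _effective(svc, "smtpd_tls_wrappermode") == "yes"
        auth_only = _effective(svc, "smtpd_tls_auth_only") == "yes"
        plain_opts = set(_effective(svc, "smtpd_sasl_security_options").split(","))
        tls_opts = set((_effective(svc, "smtpd_tls_sasl_security_options")
                        or _effective(svc, "smtpd_sasl_security_options")).split(","))
        if not mandatory and not auth_only and "noplaintext" not in plain_opts:
            findings.append("plaintext passwords allowed on unencrypted session")
        if tls == "none" and not mandatory and auth_only:
            findings.append("smtpd_tls_auth_only=yes with TLS disabled: nobody can authenticate")
        if "noanonymous" not in plain_opts or "noanonymous" not in tls_opts:
            findings.append("anonymous SASL mechanisms allowed")
        restrictions = svc["options"].get("smtpd_recipient_restrictions")
        if restrictions is not None:  # check the shape used in the drafts
            parts = [p.strip() for p in restrictions.split(",")]
            if "permit_sasl_authenticated" not in parts:
                findings.append("smtpd_recipient_restrictions never permits authenticated clients")
            elif parts[-1] != "reject":
                findings.append("smtpd_recipient_restrictions does not end in reject")
        report[name] = findings
    return report


# Constructed master.cf excerpt: port 25 with SASL carelessly switched on,
# then the two submission drafts from the thread (example 2 on smtps).
SAMPLE_MASTER_CF = """\
smtp       inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=may
submission inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noplaintext,noanonymous
  -o smtpd_tls_sasl_security_options=noanonymous
  -o always_add_missing_headers=yes
  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o always_add_missing_headers=yes
  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       -       60      1       pickup
"""

if __name__ == "__main__":
    for service, problems in audit_master_cf(SAMPLE_MASTER_CF).items():
        print(service, "OK" if not problems else "; ".join(problems))
```

Point it at a real file with `audit_master_cf(open("/etc/postfix/master.cf").read())`; for the sample above only the port 25 service is reported, because with the default smtpd_sasl_security_options=noanonymous and optional TLS the PLAIN and LOGIN mechanisms stay available to a client that never issues STARTTLS.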