On Tuesday, March 13, 2012 07:46:09 PM Robert Schetterer wrote:
> Am 13.03.2012 17:37, schrieb Patrick Ben Koetter:
> > * Patrick Ben Koetter <postfix-users@postfix.org>:
> >> * Wietse Venema <postfix-users@postfix.org>:
> >>> Different sites have different needs, and perhaps it is an idea to
> >>> provide *multiple* submission service examples in master.cf, all
> >>> commented out of course. The first could be the recommended one:
> >>> not allowing plaintext sessions is good as a general rule. The
> >>> second example could allow plaintext sessions (level = may) but
> >>> allow plaintext passwords only over encrypted sessions.
> > 
> > Here are two examples we all seem to agree on. They differ in TLS
> > (optional/mandatory) and the SASL mechanisms they allow depending on the
> > TLS context.
> > 
> > Additionally, both examples have SMTP session filters that check for
> > syntactic deliverability (MSA job) and add required headers if they are
> > missing.
> > 
> > Filters and fixing headers is a change I'd propose, but nobody seems to
> > have commented on yet. Agreed by everyone?
> > 
> > As a safety net I would change smtpd_client_restrictions into
> > smtpd_recipient_restrictions. This will give a client sufficient time to
> > authenticate and permit_sasl_authenticated will work even if an admin
> > changed the defaults for smtpd_delay_reject. It also makes it possible
> > to filter for reject_non_fqdn_recipient, which the RFC I quoted says to
> > be a MSA job.
> > 
> > 
> > # submission example 1: Optional TLS with SASL methods safe to use over an
> > # unencrypted network
> > #submission inet n       -       -       -       -       smtpd
> > #  -o smtpd_tls_security_level=may
> > #  -o smtpd_sasl_auth_enable=yes
> > #  -o smtpd_sasl_security_options=noplaintext,noanonymous
> > #  -o smtpd_tls_sasl_security_options=noanonymous
> > #  -o always_add_missing_headers=yes
> > #  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
> > #  -o milter_macro_daemon_name=ORIGINATING
> > 
> > 
> > # submission example 2: Mandatory TLS and SASL only over an encrypted
> > # network
> > #submission inet n       -       -       -       -       smtpd
> > #  -o smtpd_tls_security_level=enforce
> > #  -o smtpd_sasl_auth_enable=yes
> > #  -o smtpd_tls_auth_only=yes
> > #  -o always_add_missing_headers=yes
> > #  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
> > #  -o milter_macro_daemon_name=ORIGINATING
> 
> Hi Patrick,
> 
> always_add_missing_headers (default: no)
> 
>     Always add (Resent-) From:, To:, Date: or Message-ID: headers when
> not present. Postfix 2.6 and later add these headers only when clients
> match the local_header_rewrite_clients parameter setting. Earlier
> Postfix versions always add these headers; this may break DKIM
> signatures that cover non-existent headers.
> 
> are you sure that your example is safe with i.e. DKIM?

The MSA should be doing the signing, not the MUA, so it should be.

Scott K
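The two master.cf examples quoted above encode a single policy: plaintext SASL passwords may only travel inside TLS, and permit_sasl_authenticated should live in smtpd_recipient_restrictions. The checker below is an added example written for this thread; it is not Postfix code and not from any poster. It parses master.cf service entries with their "-o" overrides and reports entries that violate that reading of the thread. Where an override is absent it assumes the documented Postfix defaults (i.e. it assumes main.cf does not change them), and the service names and the third, deliberately weak entry in the sample are constructed for the demonstration.

```python
"""Static check of Postfix master.cf submission services.

Added example for this thread: not Postfix code. The rules encode the
two examples quoted above plus the argument for putting
permit_sasl_authenticated in smtpd_recipient_restrictions. Settings
without an -o override fall back to the documented Postfix defaults
(assumption: main.cf leaves them at their defaults).
"""

# Constructed sample: the two examples from the thread (uncommented, with
# made-up service names) plus a weak third entry that is NOT from the thread.
SAMPLE_MASTER_CF = """\
# example 1: optional TLS, plaintext mechanisms only inside TLS
submission-1 inet n     -       -       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noplaintext,noanonymous
  -o smtpd_tls_sasl_security_options=noanonymous
  -o always_add_missing_headers=yes
  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
# example 2: mandatory TLS, AUTH only after STARTTLS
submission-2 inet n     -       -       -       -       smtpd
  -o smtpd_tls_security_level=enforce
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o always_add_missing_headers=yes
  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
# constructed weak entry: optional TLS, PLAIN/LOGIN offered in the clear
weak inet n             -       -       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

# Documented Postfix defaults used when a service has no -o override.
DEFAULTS = {
    "smtpd_tls_security_level": "",          # empty = no TLS
    "smtpd_sasl_auth_enable": "no",
    "smtpd_tls_auth_only": "no",
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_client_restrictions": "",
    "smtpd_recipient_restrictions": "",
}


def parse_master_cf(text):
    """Return service entries as dicts: name, type, command, argument tokens.
    Indented lines continue the previous entry; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t":
            if entries:
                entries[-1]["args"].extend(stripped.split())
            continue
        fields = stripped.split()
        if len(fields) < 8:       # service type private unpriv chroot wakeup maxproc command
            continue
        entries.append({"name": fields[0], "type": fields[1],
                        "command": fields[7], "args": fields[8:]})
    return entries


def overrides(entry):
    """Collect '-o name=value' pairs; a later override of the same name wins."""
    ov = {}
    args = entry["args"]
    for i, tok in enumerate(args[:-1]):
        if tok == "-o" and "=" in args[i + 1]:
            name, value = args[i + 1].split("=", 1)
            ov[name.strip()] = value.strip()
    return ov


def setting(ov, name):
    return ov.get(name, DEFAULTS.get(name, ""))


def as_list(value):
    """Split a comma- or space-separated Postfix list value."""
    return [item for item in value.replace(",", " ").split() if item]


def audit(entry):
    """Return findings for one smtpd service (empty list = passes)."""
    if entry["command"] != "smtpd":
        return []
    ov = overrides(entry)
    if setting(ov, "smtpd_sasl_auth_enable") != "yes":
        return ["SASL not enabled: not a submission service"]
    findings = []
    level = setting(ov, "smtpd_tls_security_level")
    sasl_opts = set(as_list(setting(ov, "smtpd_sasl_security_options")))
    tls_only = setting(ov, "smtpd_tls_auth_only") == "yes"
    if level in ("", "none"):
        findings.append("no TLS: every SASL exchange travels in the clear")
    elif tls_only or "noplaintext" in sasl_opts:
        pass  # plaintext passwords can only be sent inside TLS (examples 1 and 2)
    elif level == "enforce":
        findings.append("mandatory TLS but smtpd_tls_auth_only=yes not set (example 2 sets both)")
    else:
        findings.append("TLS optional and plaintext SASL mechanisms offered before STARTTLS")
    client = as_list(setting(ov, "smtpd_client_restrictions"))
    rcpt = as_list(setting(ov, "smtpd_recipient_restrictions"))
    if "permit_sasl_authenticated" in client and "permit_sasl_authenticated" not in rcpt:
        findings.append("permit_sasl_authenticated only in smtpd_client_restrictions; "
                        "fails if smtpd_delay_reject is changed from the default")
    if "reject_non_fqdn_recipient" not in rcpt:
        findings.append("reject_non_fqdn_recipient missing: MSA deliverability check not done")
    return findings


def audit_master_cf(text):
    """Map each service name to its list of findings."""
    return {e["name"]: audit(e) for e in parse_master_cf(text)}


if __name__ == "__main__":
    for name, findings in audit_master_cf(SAMPLE_MASTER_CF).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run against the sample, the two thread examples come back clean and only the constructed "weak" entry is reported, on all three counts: plaintext mechanisms offered before STARTTLS, permit_sasl_authenticated placed in smtpd_client_restrictions only, and no reject_non_fqdn_recipient. Point it at a real master.cf by reading the file into audit_master_cf instead of SAMPLE_MASTER_CF.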
