On 13/03/2012 00:25, Patrick Ben Koetter wrote:
> Wietse et al.
>
> With the arrival of postscreen, but also before, I find myself repeatedly
> changing the defaults for the 'submission' service in master.cf. I believe the
> changes I apply are not rooted in my local mail policies, but of general
> nature.
>
> Now that submission has become more popular I'd like to discuss if the current
> settings should be modified to work better with an MTA that runs different
> policies for port 25 and 587, which I believe has become the standard use case
> for 'a mailserver'.
>
> [snip]
>
> I would add the following filters to reject "messages that are not in
> conformance" in order to gain basic transportability and better deliverability:
>
> reject_non_fqdn_sender
> reject_non_fqdn_recipient
> reject_unknown_sender_domain
> reject_unknown_recipient_domain

While I like such checks in order to detect virus/trojan attacks, we're not
there yet. More efforts are needed to educate hosters as well as application
developers.

> I'd also add header fields if the authenticated client failed to:
>
> always_add_missing_headers=yes
>
> And finally I'd change the current settings for smtpd_tls_security_level and
> smtpd_delay_reject regarding the submission service:
>
> smtpd_tls_security_level
> I would not enforce TLS as the submission RFC only says "SHOULD" on TLS and
> therefore would only set 'may' as preconfigured setting. I'd leave it to the
> postmaster to set a stricter policy. I personally keep changing this all the
> time since I configure and test SASL first and once that works as expected
> turn to TLS. Opportunistic TLS as default would make this easier without
> breaking RFCs.
>
> smtpd_delay_reject
> For convenience reasons I'd add this setting and set it to 'yes'. Ever since
> postscreen has been around I've been switching to smtpd_delay_reject=no and
> more aggressive filtering on port 25. I believe many have done so.
> Unfortunately setting it to 'no' breaks the assigned smtpd_client_restrictions
> for the submission service - the client will be rejected before it is able to
> authenticate.
>
>
> All in all I think these changes would make a submission service more useful
> out of the box.
>
> What do you think?
>
> p@rick
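For reference, this is how Patrick's proposed settings would look as per-service overrides in master.cf. It is an added example, not part of the thread or of the stock Postfix master.cf; the restriction ordering and the syslog_name value are assumptions, and the point it illustrates is that smtpd_delay_reject=yes must be set on the submission service itself, otherwise a main.cf value of 'no' (chosen for port 25) evaluates smtpd_client_restrictions at connect time, before the client can AUTH.

```conf
# master.cf: submission service with the settings proposed in the thread
# (added example, not the shipped defaults).
#
# Each -o line overrides main.cf for this service only, so port 25 keeps
# its own policy (e.g. smtpd_delay_reject=no plus postscreen).
#
#  smtpd_tls_security_level=may   opportunistic TLS; postmasters who want
#                                 RFC "SHOULD" turned into "MUST" set 'encrypt'
#  smtpd_delay_reject=yes         evaluate client restrictions at RCPT TO,
#                                 after AUTH, so permit_sasl_authenticated
#                                 can match instead of rejecting on connect
#  reject_* checks                placed before permit_sasl_authenticated so
#                                 they also apply to authenticated clients
#  always_add_missing_headers=yes add From:/Date:/Message-ID: for clients
#                                 that omit them
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=may
  -o smtpd_delay_reject=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
  -o always_add_missing_headers=yes
```

Values after -o must not contain whitespace, which is why the restriction lists are comma-separated without spaces.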