On 8/17/2012 8:50 PM, James wrote:
>
> I apologize if this does show up on the list as a duplicate (it is not in the archive (yet)).
> I wasn't a member of the list when I sent it (I was rejoining).
>
>
> -------- Original Message --------
> Subject: restrict submission
> Date: Fri, 17 Aug 2012 01:05:24 -0400
> From: James <bjloc...@lockie.ca>
> To: Postfix users Mailing List <postfix-users@postfix.org>
>
> Here's what I did and what I want.
> I run my own postfix server for my domain.
> I receive mail for my local users and I assume that is port 25.
> I currently allow only the local domain to submit mail (if on another network I use ssl port forwarding of port 25).
> I would like for any authenticated user (from any network) to be able to submit mail.
> I was thinking of doing it with TLS but if I require TLS, will the server still receive mail?
> I started to set up TLS but Thunderbird always timed out and /var/log/mail didn't say anything.
It's common practice to configure the submission port 587 to require TLS, and have your users submit mail there. This also helps to separate internet mail from authorized user mail, making it easier to apply different access policies to each. See the commented-out entries in master.cf for examples.

This corresponds with the Thunderbird STARTTLS setting.

I don't know if TBird supports authentication by tls certificates. Most clients must use SASL to authenticate.
http://www.postfix.org/SASL_README.html

> This is what I started with in /etc/postfix/main.cf

(much prefer "postconf -n" output, rather than main.cf snips)

> smtpd_tls_loglevel = 3

Log levels above 1 are unlikely to be useful unless one is an expert in openssl protocols and internals.

> smtpd_tls_cert_file=/backup/certs/mailcert.pem
> smtpd_tls_key_file=/backup/certs/mailkey.pem
> smtpd_tls_security_level = encrypt
> smtpd_tls_req_ccert = yes

Some clients choke on this setting. Best to leave it at the default "no" during testing.

> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
> smtpd_tls_always_issue_session_ids = no

Some clients choke on this setting. Best to leave it at the default "yes" during testing.

> permit_tls_all_clientcerts = yes # this isn't even a command but was in the
> documentation

As documented, this goes under one of the smtpd_*_restrictions sections when you're using TLS certificates to authenticate. Putting random settings in main.cf is unlikely to help.

Here's the official getting started guide. It's fairly easy to follow assuming your postfix is compiled with TLS support.
http://www.postfix.org/TLS_README.html#quick-start

Test your TLS implementation with openssl. To test port 25 connections:
openssl s_client -connect server.example.com:25 -starttls smtp

If you need more help, please see:
http://www.postfix.org/DEBUG_README.html#mail

-- Noel Jones
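The split Noel describes (optional TLS on port 25 for inbound internet mail, mandatory TLS plus SASL on port 587 for roaming users), written out as an added configuration example; it is not from the thread or from the Postfix distribution, and the certificate paths are simply the ones James posted. It assumes a SASL backend has already been set up per SASL_README.

```conf
# main.cf, as "postconf -n" would show it: these are the defaults that apply
# to the port 25 smtpd. TLS stays optional here so other mail servers, most of
# which present no client certificate and some of which never issue STARTTLS,
# can still deliver mail to the local domain.
smtpd_tls_cert_file = /backup/certs/mailcert.pem
smtpd_tls_key_file = /backup/certs/mailkey.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
# No authentication and no relaying for arbitrary internet clients on port 25.
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# master.cf: the submission service overrides those defaults for port 587
# only. TLS is required before anything else, SASL is enabled, and clients
# that have not authenticated are rejected outright, so a user on any network
# can submit mail after logging in while the port 25 policy is untouched.
# permit_sasl_authenticated is repeated in the recipient restrictions so an
# authenticated user outside mynetworks may relay to remote domains.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

The syslog_name override makes submission traffic show up as postfix/submission in the mail log, so TLS or SASL failures on 587 are easy to tell apart from port 25 activity; the same openssl s_client test works against port 587 by changing the port number.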