On 11/05/2012 11:31 PM, Roman Gelfand wrote:
> I have set up postfix as mail gateway behind a firewall. There are 2
> instances of smtpd. One for outgoing and the other for incoming.
> The outgoing smtpd is listening on non-standard port enforcing tls.
> Clearly, security is not as big of a concern for internal clients.
> However, for remote clients, is this good enough or, perhaps, some
> more security measures could be taken.
> Thanks in advance

In general, you don't want to offer AUTH on an unsecured line.
You enforce this by setting

    smtpd_tls_auth_only = yes

in your main.cf.

Then, in order to actually enforce AUTH, you order the restrictions
appropriately:

    smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks, reject_unauth_destination

All this and more is extensively documented at

http://www.postfix.org/SASL_README.html#server_sasl_authc
http://www.postfix.org/TLS_README.html#server_tls_auth

--
J.
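
A way to verify the smtpd_tls_auth_only behaviour discussed in the reply above, as an added example that is not part of the original thread: it compares the EHLO reply before and after STARTTLS and flags a listener that advertises AUTH in the clear. The sample replies, the host name mail.example.test and all function names are constructed for illustration.

```python
import smtplib

# Constructed sample EHLO replies (not captured from a real server).
PRE_WEAK = ("250-mail.example.test\n250-PIPELINING\n250-STARTTLS\n"
            "250-AUTH PLAIN LOGIN\n250-AUTH=PLAIN LOGIN\n250 8BITMIME")
PRE_GOOD = "250-mail.example.test\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
POST_TLS = "250-mail.example.test\n250-PIPELINING\n250-AUTH PLAIN LOGIN\n250 8BITMIME"

def ehlo_keywords(reply):
    """Parse a raw multi-line EHLO reply into {KEYWORD: set(params)}."""
    kws = {}
    for line in reply.splitlines()[1:]:      # first line is the greeting
        if not line.startswith("250") or len(line) < 5:
            continue
        body = line[4:].strip()              # drop "250-" / "250 "
        # "AUTH=PLAIN LOGIN" is a legacy spelling kept for old clients
        key, _, params = body.replace("=", " ", 1).partition(" ")
        kws.setdefault(key.upper(), set()).update(params.upper().split())
    return kws

def audit(pre_tls, post_tls):
    """Return a list of findings; an empty list means the listener
    offers STARTTLS and only advertises AUTH once TLS is active."""
    pre, post = ehlo_keywords(pre_tls), ehlo_keywords(post_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered")
    if "AUTH" in pre:
        findings.append("AUTH offered before TLS: " + " ".join(sorted(pre["AUTH"])))
    if "AUTH" not in post:
        findings.append("AUTH not offered after TLS")
    return findings

def probe(host, port):
    """Live capability check against a server you operate."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        _, pre = s.ehlo()
        post = b""
        if s.has_extn("starttls"):
            s.starttls()                     # capability check only, no cert validation
            _, post = s.ehlo()
    # smtplib strips the "250-" prefixes; re-add them for ehlo_keywords()
    fmt = lambda b: "\n".join("250-" + l for l in b.decode().splitlines())
    return audit(fmt(pre), fmt(post))

if __name__ == "__main__":
    print(audit(PRE_WEAK, POST_TLS))
    print(audit(PRE_GOOD, POST_TLS))
```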