Is it a problem if I enforce TLS from master.cf? Everything else, I have in place. I suppose I could rate limit from the same IP, password attempts, etc...
Thanks again

On Mon, Nov 5, 2012 at 5:57 PM, Jeroen Geilman <jer...@adaptr.nl> wrote:
> On 11/05/2012 11:31 PM, Roman Gelfand wrote:
>>
>> I have set up postfix as mail gateway behind a firewall. There are 2
>> instances of smtpd. One for outgoing and the other for incoming.
>> The outgoing smtpd is listening on non-standard port enforcing tls.
>> Clearly, security is not as big of a concern for internal clients.
>> However, for remote clients, is this good enough or, perhaps, some
>> more security measures could be taken.
>>
>> Thanks in advance
>
>
> In general, you don't want to offer AUTH on an unsecured line.
>
> You enforce this by setting
>
>     smtpd_tls_auth_only = yes
>
> in your main.cf.
>
> Then, in order to actually enforce AUTH, you order the restrictions
> appropriately:
>
>     smtpd_recipient_restrictions = permit_sasl_authenticated,
>         permit_mynetworks, reject_unauth_destination
>
> All this and more is extensively documented at
>
> http://www.postfix.org/SASL_README.html#server_sasl_authc
> http://www.postfix.org/TLS_README.html#server_tls_auth
>
> --
> J.
>
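Added example, not part of the thread and not Postfix code: `-o name=value` options on a master.cf service entry override main.cf for that smtpd instance only, so a two-instance setup like the one described can be checked for instances that offer AUTH without forcing TLS. The main.cf values, port numbers and function names below are constructed for illustration, and only the plain `-o name=value` form is parsed.

```python
import shlex

# Constructed sample: main.cf defaults plus three smtpd instances
# (port 25 inbound, 2525 for remote clients, 10025 left misconfigured).
MAIN_CF = {"smtpd_sasl_auth_enable": "no", "smtpd_tls_security_level": "may",
           "smtpd_tls_auth_only": "no"}
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
2525      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
10025     inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
"""

def logical_lines(text):
    """Join master.cf continuation lines (those starting with whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # skip blank lines and comments
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()  # continuation of previous entry
        else:
            out.append(raw.strip())
    return out

def smtpd_services(master_text, main_cf):
    """Yield (service, effective settings) for every smtpd entry."""
    for line in logical_lines(master_text):
        fields = shlex.split(line)
        if len(fields) < 8 or fields[7] != "smtpd":
            continue                      # 8th column is the command name
        eff = dict(main_cf)
        args = fields[8:]
        for i, arg in enumerate(args[:-1]):
            if arg == "-o" and "=" in args[i + 1]:
                name, value = args[i + 1].split("=", 1)
                eff[name] = value         # -o wins over main.cf
        yield fields[0], eff

def auth_without_tls(master_text, main_cf):
    """Services that offer AUTH on a connection that may be plaintext."""
    def tls_forced(eff):
        return (eff.get("smtpd_tls_security_level") == "encrypt"
                or eff.get("smtpd_tls_auth_only") == "yes"
                or eff.get("smtpd_tls_wrappermode") == "yes")
    return [name for name, eff in smtpd_services(master_text, main_cf)
            if eff.get("smtpd_sasl_auth_enable") == "yes" and not tls_forced(eff)]
```

On the sample, `auth_without_tls(MASTER_CF, MAIN_CF)` flags only the `10025` instance; setting `smtpd_tls_auth_only = yes` in main.cf, as suggested in the quoted reply, clears it.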