On 3/12/2013 1:35 PM, Alex wrote:
> Hi,
> 
>>> I have a really old system with an early version of postfix on it, but
>>> I'm not sure the version really matters for my problem. I'm attempting
>>> to use a pop-before-smtp hash as a way of providing authentication
>>> prior to being able to use the server to send mail. However, it
>>> doesn't appear to be working. I can telnet directly to port 25 from a
>>> remote host and send mail to a local recipient on that server without
>>> having authenticated through the pop-before-smtp system first.
>>
>> This is normal operation for a general-purpose mail server.  Mail to
>> local users can be received from anywhere (subject to spam
>> controls).  Only authorized users can relay to third-party
>> destinations.
>>
>> This is a typical setup for an internet-facing mail server.
> 
> It's somewhat of an internal server, despite being connected to the
> Internet. No one was ever supposed to connect to it directly, and
> trying to convert everyone to SMTP Auth is going to be a challenge.

The config for an internal server is pretty simple, something like

smtpd_recipient_restrictions =
  check_client_access hash:/etc/postfix/allowed_clients
  check_client_access hash:/etc/postfix/pop-b-smtp
# next line optional
  permit_mynetworks
# finally, reject anything not explicitly allowed
  reject

> 
>>> I'm working on
>>> upgrading the server to use SMTP Auth, and only allowing port 25 from
>>> trusted relays, but it's a long process.

Don't bother until you've upgraded postfix.  Getting AUTH (and TLS,
which you'll need with AUTH) to work on ancient postfix isn't always
easy, and you won't get much help here. And AUTH with dovecot wasn't
supported until postfix 2.something.



  -- Noel Jones
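
Added example, not part of the original message: a small Python model of Postfix's first-match evaluation of smtpd_recipient_restrictions, showing why an unauthenticated client can still deliver to a local recipient under a typical internet-facing policy but not under the internal-server list above. The GENERAL policy, the addresses, the table contents and the domain are constructed assumptions, and the model matches exact client IPs and OK results only.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not from the thread.
ALLOWED_CLIENTS = {"192.0.2.10": "OK"}   # static table of trusted hosts
POP_B_SMTP = {"198.51.100.7": "ok"}      # as written by a POP-before-SMTP daemon
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"example.com"}          # stands in for mydestination

def check_client_access(table):
    # Simplified: exact IP match only; OK permits, no match gives no decision.
    def restriction(client, rcpt):
        return "permit" if table.get(client, "").upper() == "OK" else None
    return restriction

def permit_mynetworks(client, rcpt):
    addr = ipaddress.ip_address(client)
    return "permit" if any(addr in net for net in MYNETWORKS) else None

def reject_unauth_destination(client, rcpt):
    # Rejects relay attempts only; mail for local domains gets no decision.
    return None if rcpt.rsplit("@", 1)[1] in LOCAL_DOMAINS else "reject"

def reject(client, rcpt):
    return "reject"

def evaluate(restrictions, client, rcpt):
    # The first restriction that decides wins; an exhausted list permits.
    for restriction in restrictions:
        verdict = restriction(client, rcpt)
        if verdict:
            return verdict
    return "permit"

# Assumed typical internet-facing policy: anyone may send to local recipients.
GENERAL = [permit_mynetworks, check_client_access(POP_B_SMTP),
           reject_unauth_destination]
# The internal-server list from the message above, ending in a bare reject.
INTERNAL = [check_client_access(ALLOWED_CLIENTS),
            check_client_access(POP_B_SMTP), permit_mynetworks, reject]

if __name__ == "__main__":
    for client in ("203.0.113.50", "198.51.100.7", "192.0.2.10"):
        for rcpt in ("user@example.com", "someone@example.net"):
            print(client, rcpt, "general:", evaluate(GENERAL, client, rcpt),
                  "internal:", evaluate(INTERNAL, client, rcpt))
```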
