Per olof Ljungmark:
> > I'd recommend separating authenticated from unauthenticated submission.
> > Enable submission (port 587) with authentication required, and remove
> > permit_sasl_authenticated from the smtpd instance on port 25. For the
> > submission port you could enable reject_sender_login_mismatch to
> > restrict senders to their own sender address. If you want them to be
> > able to use arbitrary addresses for mail sent to local recipients,
> > but disallow non-local sender addresses for outbound mail, you'll
> > probably have to use a policy service.
>
> Thank you for the tip. Then I have to figure out how to separate the two
> rulesets, which I have not yet discovered in the docs.
>
> Unfortunately we do have clients still using port 465 for sending, so I'm not
> sure if it is even possible.
>
> No other way to achieve this?
Separate your mail streams:

MTAs talk to port 25.
MUAs talk to port 587 (465 if they are pre-historic).

If that is not possible use DNS to separate the streams:

MTAs use MX records. Use a separate IP address for MTA service.
MUAs use A records. Use a separate IP address for MUA service.

Or at least that's what is supposed to happen.

Wietse
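The "two rulesets" the original poster asks about are simply per-service `-o` overrides in master.cf: the smtpd on port 25 keeps the global main.cf defaults (no SASL, so `permit_sasl_authenticated` never matches there), while the submission (587) and smtps (465) services get their own restriction lists. The fragment below is an added example written for this thread, not configuration posted by Wietse or taken from the Postfix documentation; the map file `/etc/postfix/sender_login_maps` and its contents are constructed placeholders, and the chroot column values assume a non-chrooted build.

```conf
# --- main.cf: global defaults, which the port-25 smtpd inherits ---
# No SASL on the MTA-to-MTA port: nothing can "authenticate" its way to relaying.
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Maps a SASL login name to the envelope sender address(es) it may use.
# Consulted by reject_sender_login_mismatch on the submission services.
# Constructed example contents of /etc/postfix/sender_login_maps (run postmap on it):
#   alice@example.com   alice@example.com
#   bob@example.com     bob@example.com, sales@example.com
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# --- master.cf: one smtpd per stream, each with its own restrictions ---
# service   type  private unpriv chroot wakeup maxproc command + args
smtp        inet  n       -       n      -      -       smtpd
    # port 25: inherits main.cf above, accepts only mail for local domains

submission  inet  n       -       n      -      -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=reject_sender_login_mismatch
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

smtps       inet  n       -       n      -      -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=reject_sender_login_mismatch
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

The legacy port-465 clients are served by the `smtps` entry, which is the same authenticated policy as `submission` but with `smtpd_tls_wrappermode=yes` for implicit TLS, so keeping those clients does not force authenticated relaying back onto port 25. The distinct `syslog_name` values make it easy to tell in the mail log which stream an authentication failure or sender mismatch came from. This still enforces the strict rule (each login may only use its own mapped addresses); the relaxed variant from the quoted advice, arbitrary senders for local recipients but mapped senders only for outbound mail, needs a policy service as the original reply says, because `reject_sender_login_mismatch` cannot see the recipient.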