On 4/13/2013 3:44 PM, b...@bitrate.net wrote:
> you offer no service whatsoever on port 25? postfix is not listening on that
> port? if that's truly the case, then, to be pedantic, you're running an msa,
> not an mta, in which case you could argue that is an exception to the rule, and
> such global settings wouldn't necessarily be discouraged.
I do, and I am offering SASL services; let me clarify. It might be useful
if I just include what the line looks like. This isn't what I was asking
about in my original email, and has been working fine for quite some
time, but just for clarification on this subject for others reading,
here's the config:
1.2.3.4:smtp inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=no
  -o smtpd_tls_key_file=/etc/postfix/mail.key
  -o smtpd_tls_cert_file=/etc/postfix/mail.crt
  -o myhostname=mail.server.com
1.2.3.4:submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_key_file=/etc/postfix/mail.key
  -o smtpd_tls_cert_file=/etc/postfix/mail.crt
  -o myhostname=mail.server.com
I want only servers talking to port 25, not clients. Hence why I do not
permit authentication against the smtp port, only the submission port.
Then, in the smtpd_relay_restrictions, I permit authenticated clients to
relay.
> globally, smtpd_sasl_auth_enable should be off, and only enabled for
> the specific services in master.cf which require it.
It is.
> really, neither of permit_mynetworks nor permit_sasl_authenticated
> belong in any global restrictions.
Still confused as to why permit_sasl_authenticated shouldn't be in the
smtpd_relay/recipient_restrictions section. Is there a better place to
define smtpd_relay/recipients configuration instead of main.cf?
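
The following is an added example, not part of the original message or of Postfix itself: a small audit that parses master.cf text and checks the split described above (no SASL on the smtp service, SASL on submission). The function names and the sample text are constructed for illustration; it assumes the classic `-o name=value` override form and takes the main.cf value of smtpd_sasl_auth_enable as the `global_default` argument.

```python
import shlex

# Constructed sample that mirrors the two services quoted in the message.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command + args
1.2.3.4:smtp inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=no
  -o myhostname=mail.server.com
1.2.3.4:submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o myhostname=mail.server.com
"""

def parse_smtpd_overrides(text):
    """Return {service: {param: value}} for every smtpd entry (hypothetical helper)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                   # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()           # continuation of previous entry
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = shlex.split(line)
        if len(fields) < 8 or fields[7] != "smtpd":
            continue                                   # not an smtpd service
        args, opts = fields[8:], {}
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:
                key, val = value.split("=", 1)
                opts[key] = val
        services[fields[0]] = opts
    return services

def audit_sasl_split(text, global_default="no"):
    """Flag services that break the 'servers on 25, clients on submission' split."""
    findings = []
    for name, opts in parse_smtpd_overrides(text).items():
        port = name.rsplit(":", 1)[-1]
        sasl = opts.get("smtpd_sasl_auth_enable", global_default)
        if port in ("smtp", "25") and sasl == "yes":
            findings.append(f"{name}: SASL auth offered on port 25")
        if port in ("submission", "587") and sasl != "yes":
            findings.append(f"{name}: submission service without SASL auth")
    return findings

if __name__ == "__main__":
    print(audit_sasl_split(SAMPLE_MASTER_CF) or "SASL split OK")
```

Passing `global_default="yes"` shows why the global setting matters: any port 25 entry that lacks its own override then inherits SASL and is flagged.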