On Sat, Aug 24, 2013 at 10:01:08AM -0400, David Hulsebus wrote:
> Noel:
> > Probably better is to only offer AUTH on submission port 587
> > with required encryption, and not offer AUTH at all on port 25.
>
> That is exactly what I want to do. If I uncomment this in the
> master.cf does it force TLS encryption on port 587 before
> authentication? If not, how would I do that?
>
> submission inet n - - - - smtpd
> -o smtpd_tls_security_level=encrypt

This means any command after EHLO and before STARTTLS will be
rejected. TLS encryption is mandatory.

See smtpd_tls_auth_only as well; that would mean that AUTH is not
even offered in the initial unencrypted EHLO response. The client
must STARTTLS first.

> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject

If you're not allowing relay on port 25, you would remove permit_*
restrictions from smtpd_recipient_restrictions in main.cf and change
this from client to recipient.

> -o milter_macro_daemon_name=ORIGINATING

A non-standard smtpd instance should also have syslog_name set, to
distinguish it in logs from other smtpd instances.

-o syslog_name=postfix/submission

> Further, how do I not allow AUTH on port 25? I can't glean it
> from the docs.

By default AUTH is not offered. You enabled that with this in main.cf:

smtpd_sasl_auth_enable = yes

If you remove that, you do not offer AUTH. You already have the
override set for submission.
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
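An audit script, added here as an example (not Postfix's own code and not from anyone in the thread), that parses a main.cf/master.cf pair the way the reply reads them and reports the four conditions it calls out: TLS not mandatory on submission, AUTH advertised before STARTTLS, no syslog_name on the submission instance, and AUTH still offered on port 25 because main.cf enables it globally. The sample files are constructed from the configuration quoted above; the `audit` function and its finding texts are assumptions of this example.

```python
import re
# Constructed sample files modelled on the thread; this checker is an added example, not Postfix code.
MAIN_CF = "smtpd_sasl_auth_enable = yes\n"
MASTER_CF = """\
smtp       inet n - - - - smtpd
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""
def parse_main_cf(text: str) -> dict:
    """main.cf is 'key = value' per line; comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params
def parse_master_cf(text: str) -> dict:
    """Service lines start in column 0; indented '-o key=value' lines override main.cf for that service."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2)
        else:
            fields = line.split()
            current = f"{fields[0]}/{fields[1]}"  # e.g. 'submission/inet'
            services[current] = {}
    return services
def audit(main_cf: str, master_cf: str) -> list:
    """Return findings; an empty list means the layout matches the advice in the reply."""
    main, master = parse_main_cf(main_cf), parse_master_cf(master_cf)
    sub = master.get("submission/inet", {})
    eff = lambda svc, key, default: svc.get(key, main.get(key, default))  # -o override beats main.cf
    findings = []
    if eff(sub, "smtpd_tls_security_level", "none") != "encrypt":
        findings.append("submission: TLS not mandatory (smtpd_tls_security_level != encrypt)")
    if eff(sub, "smtpd_tls_auth_only", "no") != "yes":
        findings.append("submission: AUTH advertised before STARTTLS (set smtpd_tls_auth_only=yes)")
    if "syslog_name" not in sub:
        findings.append("submission: syslog_name not set; its log lines look like port 25 smtpd")
    if eff(master.get("smtp/inet", {}), "smtpd_sasl_auth_enable", "no") == "yes":
        findings.append("smtp/inet (port 25): AUTH offered; remove smtpd_sasl_auth_enable from main.cf")
    return findings
```

Running `audit(MAIN_CF, MASTER_CF)` on the quoted configuration reports the missing smtpd_tls_auth_only and syslog_name overrides and the global AUTH on port 25; dropping the main.cf line and adding the two overrides brings the list to empty.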