On 31 Aug 2013, at 10:20 , Noel Jones <njo...@megan.vbhcs.org> wrote:

> reject_unauth_destination is what keeps you from being an open
> relay, and is required in either smtpd_recipient_restrictions or
> (postfix 2.10 and newer) smtpd_relay_restrictions.

Hmm. I did run several tests on the "are you an open relay" sites and passed them all with that commented out. I uncommented it now, but the other restrictions must have been doing a pretty good job.

>> -o smtpd_sasl_local_domain=$myhostname
>
> I don't think this parameter is used by dovecot. (unused parameters
> rarely cause problems other than operator confusion)

Good point, I think that was left over from something else.

>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> you'll need to override the other smtpd_*_restrictions set in main.cf.
> -o smtpd_helo_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>
>> -o syslog_name=submit-tls
>
> Good.

I don't have smtpd_sender_restrictions set (probably because way back when I went with the "put it all in smtpd_recipient_restrictions" method).

>> and is client_restrictions the best choice for submission? I've seen some
>> confs have both
>>
>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> -o smtpd_data_restrictions=permit_sasl_authenticated,reject
>>
>> Why?
>
> Remember, for mail to be accepted, it must pass *each* of the
> smtpd_*_restrictions sections. Also remember that every master.cf
> service inherits {built-in defaults + all main.cf settings} before
> applying any -o overrides.

Right, it seems odd to have the exact same restrictions on smtpd_data and smtpd_client restrictions since if one passes, both will pass. I guess it doesn't hurt anything, it just looks odd to me and I was curious if there was a real reason.

> How you arrange your submission settings is up to you. I like to
> explicitly set all the smtpd_*_restrictions in submission, even if
> most of them are empty, to prevent surprises later when I change
> something in main.cf.
>
> I think the minimum requirements for submission can be stated as 1)
> allow all AUTH users, 2) reject everyone else. With widely used
> postfix main.cf smtpd_*_restrictions settings that prepend
> everything with "permit_mynetworks, permit_sasl_authenticated", (and
> thereby allow AUTH on port 25) it's sufficient to use "-o
> smtpd_ANYTHING_restrictions=permit_sasl_authenticated,reject" and
> still meet the minimum requirements.
>
> When you change your main.cf so that AUTH is not allowed on port 25,
> then additional settings are required in master.cf/submission to
> insure you don't reject AUTH users.

Ah... um.. let me see if I have this straight then. I do not have sasl settings like smtpd_sasl_auth_enable = yes in my postconf, so sasl and auth are NOT available on port 25, but I still have

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

in main.cf. In several places in main.cf I have permit_sasl_authenticated. Should I only have that in master.cf under submission?

-- 
7-Up? What happened to Ups 1-6?
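The two rules quoted above (a service inherits built-in defaults plus all of main.cf before its -o overrides, and a message must pass every smtpd_*_restrictions list) are easy to misjudge by eye. The Python script below is an added example for this thread, not code from the list, from Postfix or from either poster: it parses a constructed main.cf and master.cf, builds the effective restriction lists for a named service, and walks a few sample clients through them. The built-in defaults and the restriction semantics are simplifying assumptions (only permit_mynetworks, permit_sasl_authenticated, reject/defer_unauth_destination and reject are modelled, with defer treated as reject), and the config text is constructed to mirror the thread, not taken from a real server.

```python
"""Model how Postfix derives the smtpd_*_restrictions a service enforces:
built-in defaults, then main.cf, then the service's -o overrides from master.cf,
and a message must pass every list. Added example; not Postfix code."""
import re
from dataclasses import dataclass, replace

RESTRICTION_PARAMS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                      "smtpd_sender_restrictions", "smtpd_recipient_restrictions",
                      "smtpd_relay_restrictions", "smtpd_data_restrictions")

# Assumed built-in defaults (Postfix 2.10+): only the relay list is non-empty.
BUILTIN_DEFAULTS = {p: "" for p in RESTRICTION_PARAMS}
BUILTIN_DEFAULTS["smtpd_relay_restrictions"] = (
    "permit_mynetworks permit_sasl_authenticated defer_unauth_destination")
BUILTIN_DEFAULTS["smtpd_sasl_auth_enable"] = "no"

def parse_main_cf(text):
    """'key = value' lines; an indented line continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:
            params[key] += " " + raw.strip()
        else:
            key, _, value = raw.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params

def parse_master_cf(text):
    """Service lines start in column 1; indented '-o key=value' lines override."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            current = raw.split()[0]          # service name: smtp, submission, ...
            services[current] = {}
        else:
            for key, value in re.findall(r"-o\s+([^\s=]+)=(\S*)", raw):
                services[current][key] = value
    return services

@dataclass(frozen=True)
class Client:
    in_mynetworks: bool
    authenticated: bool      # completed SASL AUTH on this connection
    recipient_is_ours: bool  # recipient domain is one we accept mail for

def evaluate_list(value, client):
    """First matching permit/reject wins; end of list permits. Only the restrictions
    in the thread are modelled (others skipped); defer_* is treated as reject_*."""
    for r in re.split(r"[,\s]+", value):
        if r == "permit_mynetworks" and client.in_mynetworks:
            return "permit"
        if r == "permit_sasl_authenticated" and client.authenticated:
            return "permit"
        if r.endswith("_unauth_destination") and not client.recipient_is_ours:
            return "reject"
        if r == "reject":
            return "reject"
    return "permit"

def decide(cfg, client):
    if cfg["smtpd_sasl_auth_enable"] != "yes":         # no AUTH offered here,
        client = replace(client, authenticated=False)  # so nobody is authenticated
    for param in RESTRICTION_PARAMS:
        if evaluate_list(cfg[param], client) == "reject":
            return f"reject ({param})"
    return "permit"

# Constructed samples modelled on the thread: no SASL on port 25, and a
# submission service that overrides every smtpd_*_restrictions list.
MAIN_CF = """\
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=submit-tls
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""
CLIENTS = {"outsider relay": Client(False, False, False),
           "outsider inbound": Client(False, False, True),
           "auth user relay": Client(False, True, False)}

def audit(main_text, master_text, service):
    # Inheritance order from the thread: defaults, then main.cf, then -o overrides.
    cfg = {**BUILTIN_DEFAULTS, **parse_main_cf(main_text),
           **parse_master_cf(master_text)[service]}
    return {name: decide(cfg, c) for name, c in CLIENTS.items()}
```

Running `audit(MAIN_CF, MASTER_CF, "smtp")` shows the port 25 service rejecting an authenticated relay attempt in smtpd_relay_restrictions, because smtpd_sasl_auth_enable is still "no" there and permit_sasl_authenticated can never match; the same client is permitted on "submission", where every list is overridden. Feeding the script a main.cf whose relay list has lost permit_sasl_authenticated, together with a submission stanza that only overrides smtpd_client_restrictions, makes the inherited relay list reject the AUTH user, which is exactly the surprise the quoted advice about setting every list explicitly is meant to avoid.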