Peter <pe...@pajamian.dhs.org> schrieb:

> On 06/08/2014 08:17 PM, Kai Krakow wrote:
>> MX and Submission machine are the same postfix instance (and even the
>> same worker process on port 25), it won't work. I'm planning to maybe
>> change this in the future. But as with migrating all people to not submit
>> on port 25 it is a long way to go.
> 
> If you can't force your users off of port 25, then the next best thing
> is to separate out your submission by IP address; if done correctly, your
> users will be able to stay on port 25, not have to change the hostname
> (or any other settings in their MUA), and you will have separated out
> submission from MX traffic and can treat the two with different configs.

Yes, that is the plan. Separate submission, MX, and mailboxes from each 
other, while migrating people during the same process to use port 587 on the 
new submission machine, which will hopefully have its port 25 closed...

We already started to migrate new customers to port 587. But it is still on 
the same machine (though with a slightly different config), thus port 25 is 
also available there, used by other customers. And the silly autodetection of 
older MUAs sticks to port 25 unencrypted. :-( So even new customers who redo 
their installations on their own silently go back to port 25. Maybe I'll add 
some flag to our user tables to block port 25 auth for new users.

At least modern software does it right and tries 587 first; even Google Mail 
does it right if you configure an outgoing SMTP account. Apparently people 
tend to love old software and only use what they know.

BTW: In this context, what's the best approach to putting mailboxes on a 
separate machine? Let the LDA drop mails into NFS mounts, or let postfix 
transport the mails via transport_maps to a machine which hosts the LDA 
(dovecot in our case)?

-- 
Replies to list only preferred.
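An added example of the split Peter describes and of the port-25 "block auth for new users" flag and LMTP hand-off Kai mentions. This is editor-written Postfix configuration, not anything from the posters or their site; the addresses (192.0.2.10 for MX, 192.0.2.11 for the existing submission name), the hosts (mailstore.example.com, example.com), the table name /etc/postfix/sasl_port25_blocked and the parameter names mx_relay_restrictions, sub25_client_restrictions and sub_relay_restrictions are all assumptions chosen for illustration.

```conf
# ---- master.cf (excerpt) ----
# Replace the generic "smtp inet ... smtpd" line with listeners bound per IP,
# so MX and submission get different policies on the same port 25.
# service          type private unpriv chroot wakeup maxproc command + args
#
# MX address: inbound mail only. SASL is not offered at all, so a stolen
# password cannot be used against the MX listener.
192.0.2.10:smtp    inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/mx
  -o smtpd_sasl_auth_enable=no
  -o smtpd_relay_restrictions=$mx_relay_restrictions
#
# Legacy submission on port 25, bound to the submission address only. Old MUAs
# keep their hostname and port, but get their own rules: AUTH only after
# STARTTLS, relay only when authenticated, and a per-user table that refuses
# accounts flagged as "587 only" (check_sasl_access needs Postfix 2.11+).
192.0.2.11:smtp    inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission25
  -o smtpd_tls_security_level=may
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$sub25_client_restrictions
  -o smtpd_relay_restrictions=$sub_relay_restrictions
#
# Proper submission on 587: TLS mandatory, nothing accepted unauthenticated.
submission         inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$sub_relay_restrictions
  -o smtpd_relay_restrictions=$sub_relay_restrictions

# ---- main.cf (excerpt) ----
# Both addresses must be in inet_interfaces for the per-IP listeners above.
inet_interfaces = 192.0.2.10, 192.0.2.11

# Restriction lists live here because master.cf "-o" values cannot contain
# whitespace; master.cf references them as $name.
mx_relay_restrictions = permit_mynetworks, reject_unauth_destination
sub_relay_restrictions = permit_sasl_authenticated, reject
# Table maps SASL login names to an action, e.g. (after "postmap" on the file):
#   newuser@example.com   REJECT use port 587 with STARTTLS
# Unauthenticated sessions never match, so relay is still refused for them
# by sub_relay_restrictions.
sub25_client_restrictions =
    check_sasl_access hash:/etc/postfix/sasl_port25_blocked,
    permit

# Mailboxes on another machine: hand every delivery to Dovecot's LMTP
# listener over the network instead of running a local LDA over NFS.
virtual_transport = lmtp:inet:mailstore.example.com:24
# Or per domain, with a transport file containing a line such as
#   example.com   lmtp:inet:mailstore.example.com:24
transport_maps = hash:/etc/postfix/transport
```

Two caveats a practitioner would want: smtpd_tls_auth_only=yes on the port-25 submission listener means clients that really cannot do STARTTLS will fail to authenticate; dropping it keeps them working but sends their passwords in the clear, which is the situation the 587 migration is meant to end. And once the generic "smtp inet" line is gone, check with "postconf -M" that nothing still binds 0.0.0.0:25, otherwise the MX policy will not apply to the address you think it does.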
