Daniel Hopkirk:
> * XCLIENT passes through LOGIN for SASL username rather
> than original SMTP-AUTH credentials. Does postfix take this username
> and assume it's authenticated, or does the fact that the original
> credentials aren't passed through remove the ability to apply
> 'permit_sasl_authenticated' rules?

If NGINX authenticates the user, then it makes no sense to ask the
user to authenticate a second time with Postfix. No client would
be able to handle that.

> * No mailboxes will live on these servers, they are scanning
> only however I can populate a database with a list of mailboxes
> on our network and the servers to relay the message to for local
> delivery. Is 'transport_maps' the correct area to be looking at
> to manage this?

If the primary MX address points to the NGINX proxies, then yes,
you need transport_maps to deliver the mail to a different place.

> * On-Net, can send email to anywhere on or off net
>
> * Off-Net but SMTP-AUTH'd can send email as if they were on-net
>
> * And Off-Net general, that can only send email to users
> we host mail for. Being an open relay isn't fun for anyone that
> counts.

Basic configuration:

    smtpd_relay_restrictions = permit_mynetworks
        permit_sasl_authenticated reject_unauth_destination

This requires that the proxies use XCLIENT to specify the remote
SMTP client IP address and SASL login name.

        Wietse
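
Added example, not part of the original message and not Postfix code: a small Python model of how the three-item restriction list above sorts the three client classes once XCLIENT supplies the client address and login. The proxy address, networks and hosted domain are constructed placeholders, and the rule that XCLIENT is honoured only from listed proxies is modelled as an assumption about the deployment.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
PROXIES = {"192.0.2.10"}                                # peers allowed to send XCLIENT
MYNETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # on-net clients
HOSTED_DOMAINS = {"example.com"}                        # domains mail is accepted for


def effective_client(peer_ip, xclient=None):
    """Return (client_ip, sasl_login) as the restriction list would see them.

    XCLIENT attributes count only when the TCP peer is a listed proxy;
    from any other peer they are ignored and there is no login.
    """
    if xclient and peer_ip in PROXIES:
        login = xclient.get("LOGIN")
        if login == "[UNAVAILABLE]":  # XCLIENT's marker for "no value"
            login = None
        return xclient.get("ADDR", peer_ip), login or None
    return peer_ip, None


def relay_decision(peer_ip, rcpt, xclient=None):
    """Walk the restrictions in order; the first one that matches decides."""
    client_ip, login = effective_client(peer_ip, xclient)
    addr = ipaddress.ip_address(client_ip)
    # permit_mynetworks: on-net clients may send anywhere.
    if any(addr in net for net in MYNETWORKS):
        return "permit_mynetworks"
    # permit_sasl_authenticated: off-net clients with a login relayed by the proxy.
    if login:
        return "permit_sasl_authenticated"
    # reject_unauth_destination: everyone else may only reach hosted domains.
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain not in HOSTED_DOMAINS:
        return "reject_unauth_destination"
    return "permit (hosted destination)"


if __name__ == "__main__":
    proxy = "192.0.2.10"
    print(relay_decision(proxy, "bob@elsewhere.test", {"ADDR": "198.51.100.7"}))
    print(relay_decision(proxy, "bob@elsewhere.test",
                         {"ADDR": "203.0.113.5", "LOGIN": "alice"}))
    print(relay_decision(proxy, "bob@elsewhere.test", {"ADDR": "203.0.113.5"}))
    print(relay_decision(proxy, "user@example.com", {"ADDR": "203.0.113.5"}))
```

The last test case below is the one to keep in mind when listing proxies: a peer that is not a listed proxy gets no benefit from claiming an on-net address or a login.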