> On Jun 28, 2018, at 12:41 PM, Fazzina, Angelo <angelo.fazz...@uconn.edu>
> wrote:
>
> Hi, I have been reading the online docs for TLS_README.html and
> SASL_README.html but am still having trouble deducing whether I can get
> Postfix 2.6 to accept email over port 587 without giving Postfix a username
> and password.
The submission service on ports 587 and 465 is for sending email outbound,
possibly to remote domains, from the end-user's MUA. While some MTAs on
laptops and SOHO environments send outbound mail via their provider's
submission service, they're essentially just proxies for the user's MUA,
and the mail is still on the "outbound" leg of its journey.
So 587 and 465 are not MTA-to-MTA relay services.
Outbound email requires authentication, due to the potential of open-relay
abuse by spammers.
> I would like to change it so postfix will accept email without a username and
> password, specifically from Office 365, and with encryption [TLS].
If the email is addressed to your domain (inbound email), Postfix will accept
it from all senders, without SASL authentication.
http://www.postfix.org/BASIC_CONFIGURATION_README.html#mydestination
http://www.postfix.org/VIRTUAL_README.html#canonical
> I would add that I am not looking to change the current config, but just add
> this new ability.
>
> Is it as simple as adding
>
> smtpd_tls_security_level = may
>
> into main.cf ?
To enable inbound opportunistic TLS you'll need that and a suitable
(self-signed is sufficient) certificate; if you already have one for
port 587, you can use that one.
http://www.postfix.org/TLS_README.html#quick-start
> I also heard Postfix can use maybe Kerberos tickets
Cross-organizational Kerberos is not common, and it is not needed in your
use case of relaying between MTAs. Kerberos can be used as a SASL
mechanism on port 587 between the MUA and the submission service.
This message's first hop is GSSAPI (specifically Kerberos) authenticated.
> Example : email to ang...@uconn.edu goes to O365 and then O365 will forward
> to smtp.uconn.edu [which relays back to O365] due to my mailbox being
> angelo.fazz...@uconn.edu . If you send directly to angelo.fazz...@uconn.edu
> O365 delivers to mailbox without having to forward the email.
This is multi-hop relaying on the inbound phase of message delivery, and
requires nothing fancy, just some address rewriting and routing.
--
Viktor.
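The split the reply describes, as an added configuration example (not taken from the thread or from the Postfix documentation): unauthenticated, opportunistically encrypted MTA-to-MTA delivery on port 25, accepted only for the local domains, next to a submission service on 587 that requires both TLS and SASL. The hostname, domain and certificate paths are placeholders.

```conf
# ---- main.cf (inbound MTA-to-MTA on port 25, no SASL required) ----
# Unauthenticated senders may deliver only to these domains; anything
# else is refused by reject_unauth_destination below, which is what
# keeps the unauthenticated port from becoming an open relay.
myhostname = smtp.example.org
mydestination = $myhostname, example.org

# Opportunistic TLS: encrypt when the sending MTA offers STARTTLS,
# fall back to cleartext otherwise. A self-signed certificate suffices.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/smtpd-cert.pem
smtpd_tls_key_file = /etc/postfix/smtpd-key.pem
smtpd_tls_loglevel = 1
# Record the negotiated protocol and cipher in the Received: header so
# the TLS hop from the forwarding MTA can be checked after delivery.
smtpd_tls_received_header = yes

# smtpd_sasl_auth_enable defaults to no, so port 25 never offers AUTH.
# Postfix 2.6 predates smtpd_relay_restrictions (added in 2.10), so the
# anti-relay check has to live in smtpd_recipient_restrictions.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# ---- master.cf (submission for MUAs: TLS and SASL both mandatory) ----
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

After reloading, a message relayed from the forwarding MTA should carry a Received: line naming the TLS version and cipher; a line without it means that hop fell back to cleartext.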