> On Aug 21, 2018, at 1:31 PM, Fongaboo <post...@fongaboo.com> wrote:
> 
> Very good. As long as 'permit_sasl_authenticated' is way at the top of the 
> list, this should do that?

This is mostly the wrong question.  You might for example want to use
"postscreen" at some point, which does not do SASL.

Instead of whitelisting your way around the RBLs, use a dedicated
submission service which never uses RBLs, but *requires* TLS and
client authentication.  In that context, "permit_sasl_authenticated"
is not so much "at the top" as the entirety of the access control:

  submission inet n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_helo_restrictions=$mua_helo_restrictions
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #                           --------------------------------
    -o milter_macro_daemon_name=ORIGINATING

-- 
        Viktor.
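
The following is an added example, not part of the original message or of Postfix: a small Python check that a master.cf submission entry matches the advice above (mandatory TLS, SASL only over TLS, relay access limited to authenticated clients, no DNSBL lookups). The function names service_overrides and audit_submission are hypothetical, the sample text is the entry quoted above, only the "-o name=value" form is parsed, and $mua_* values, which are set in main.cf, are not resolved.

```python
import re

# Constructed sample: the submission entry quoted in the message above.
SAMPLE_MASTER_CF = """\
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  #                           --------------------------------
  -o milter_macro_daemon_name=ORIGINATING
"""

def service_overrides(master_cf, service):
    """Return the '-o name=value' overrides of one inet service as a dict."""
    entries = []
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                            # blank and comment lines are ignored
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()   # leading whitespace continues an entry
        else:
            entries.append(line.strip())
    for entry in entries:
        if entry.split()[:2] == [service, "inet"]:
            return dict(re.findall(r"-o\s+(\S+?)=(\S*)", entry))
    return {}

def audit_submission(overrides):
    """Return a list of findings; an empty list means the entry matches the advice."""
    required = {"smtpd_tls_security_level": "encrypt",
                "smtpd_sasl_auth_enable": "yes", "smtpd_tls_auth_only": "yes"}
    findings = [f"{k} should be {v}" for k, v in required.items() if overrides.get(k) != v]
    # Strict by choice: the relay list must be exactly the two entries in the message.
    relay = overrides.get("smtpd_relay_restrictions", "").split(",")
    if relay != ["permit_sasl_authenticated", "reject"]:
        findings.append("smtpd_relay_restrictions should be permit_sasl_authenticated,reject")
    for name, value in overrides.items():
        if name.endswith("_restrictions") and re.search(r"reject_(rbl|rhsbl)_", value):
            findings.append(f"{name} uses a DNSBL lookup")
    return findings
```

Calling audit_submission(service_overrides(text, "submission")) on the contents of a master.cf file returns the list of deviations for that entry.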
