* Yassine Chaouche:
> [...] this is, effectively, *forcing* authentication to *relay*
> (outbound) mail while still accepting unauthenticated mail as final
> delivery (inbound).

That can be achieved using ports 25 and 587 to give you two distinct
options to attach policies. Start with something like this:

    smtpd_mumble_restrictions =
        permit_mynetworks
        reject_non_fqdn_recipient
        reject_unlisted_recipient
        reject_unknown_recipient_domain

Note the implicit 'permit' after the rejections.

Then, on port 587, use something like this instead:

    submission_mumble_restrictions =
        permit_tls_clientcerts
        permit_sasl_authenticated
        reject

Also add smtpd_tls_security_level=encrypt for that port, and you can
ensure that only authenticated users/machines can submit outbound
messages.

I think that you don't gain anything by trying to avoid using two TCP
ports for two inherently different tasks (don't say "another open port
in the firewall" now, I don't care about that).

-Ralph
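
The two-port split described above, laid out as it could appear in main.cf and master.cf. This is an added example, not part of the original message. It assumes Postfix 2.10 or later, and the mapping of the "mumble" placeholders onto smtpd_recipient_restrictions and smtpd_relay_restrictions, as well as the added reject_unauth_destination, is an assumption of this example.

```conf
# ---- main.cf: defaults, used by the port 25 (smtp) service ----
# No SASL on port 25: inbound mail for final delivery stays unauthenticated.
smtpd_sasl_auth_enable = no

# Relay control for port 25 (assumption: only local networks may relay here).
smtpd_relay_restrictions =
    permit_mynetworks
    reject_unauth_destination

# The recipient checks from the message; note the implicit 'permit' at the end.
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    reject_unknown_recipient_domain

# ---- master.cf: one smtpd service per port ----
# Port 25 takes the main.cf settings unchanged.
smtp       inet  n       -       n       -       -       smtpd

# Port 587 overrides them per service with -o (no spaces around '=' or ',').
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
# Refuse any mail transaction that is not inside TLS.
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
# permit_tls_clientcerts only matches if a client certificate is requested;
# accepted fingerprints are the ones listed in relay_clientcerts.
  -o smtpd_tls_ask_ccert=yes
# Authenticated users or machines only; everything else ends at 'reject'.
  -o smtpd_relay_restrictions=permit_tls_clientcerts,permit_sasl_authenticated,reject
# Empty on purpose: the port 25 recipient checks are not applied to submission.
  -o smtpd_recipient_restrictions=
```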