> On Jun 2, 2019, at 2:38 PM, Bill Cole 
> <postfixlists-070...@billmail.scconsult.com> wrote:
> 
>> smtps      inet  n       -       n       -       -       smtpd
>>  -o smtpd_sasl_auth_enable=yes
>>  -o smtpd_tls_wrappermode=yes
>>  -o syslog_name=submit/smtps
>>  -o smtpd_sasl_type=dovecot
>>  -o smtpd_sasl_security_options=noanonymous
>>  -o smtpd_sasl_path=private/auth
>>  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
>>  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
>>  -o smtpd_helo_restrictions=
>>  -o smtpd_data_restrictions=
>> 
>> I am not sure I need smtpd_client_restrictions or 
>> smtpd_sasl_security_options at all?
> 
> You should keep 'smtpd_sasl_security_options=noanonymous' to block anonymous 
> SASL mechanisms.
> You do not need 'smtpd_client_restrictions=permit_sasl_authenticated,reject' 
> because you have 'permit_sasl_authenticated,*,reject' in restriction lists 
> that are evaluated later.

Yes, but an empty override is still an important part of isolating
this from unwanted interaction with restriction changes for port 25
made in main.cf.  The recipient restrictions can also be left empty,
since relay restrictions already take care of the rest.

The relay_restrictions can be simplified to:

  smtpd_relay_restrictions=permit_sasl_authenticated,reject

The "reject_unauth_destination" is redundant.

-- 
        Viktor.
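
Added example, not written by anyone in this thread: a small Python check that reads one master.cf service entry and reports restriction lists left without a per-service override, plus a relay list that does not end in `reject` or carries the redundant `reject_unauth_destination`. It assumes the plain `-o name=value` form with no spaces inside the value; the function names and sample entries are constructed for illustration.

```python
import re

# Restriction lists named in the thread. Each needs an explicit -o override
# (an empty value is fine) so main.cf changes for port 25 do not apply here.
LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
         "smtpd_recipient_restrictions", "smtpd_data_restrictions",
         "smtpd_relay_restrictions")

def service_overrides(master_cf, service, svc_type="inet"):
    """Return {param: value} from the '-o name=value' options of one service."""
    logical = []
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:      # leading whitespace continues the entry
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    for line in logical:
        fields = line.split()
        if fields[:2] == [service, svc_type]:
            args = fields[8:]                 # everything after the command name
            return dict(a.split("=", 1) for flag, a in zip(args, args[1:])
                        if flag == "-o" and "=" in a)
    return None

def audit(overrides):
    """List deviations from the layout recommended in the thread."""
    findings = [f"{n}: no override, inherits main.cf" for n in LISTS if n not in overrides]
    relay = [r for r in re.split(r"[,\s]+", overrides.get("smtpd_relay_restrictions", "")) if r]
    if relay[-1:] != ["reject"]:
        findings.append("smtpd_relay_restrictions: does not end with reject")
    elif "reject_unauth_destination" in relay:
        findings.append("smtpd_relay_restrictions: reject_unauth_destination is redundant before reject")
    return findings

# Constructed samples: the entry with the client override dropped, then the simplified form.
DROPPED = """smtps inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_recipient_restrictions= -o smtpd_helo_restrictions= -o smtpd_data_restrictions=
"""
SIMPLIFIED = DROPPED.replace(",reject_unauth_destination", "") + "  -o smtpd_client_restrictions=\n"

if __name__ == "__main__":
    for name, text in (("dropped", DROPPED), ("simplified", SIMPLIFIED)):
        print(name, audit(service_overrides(text, "smtps")))
```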
