On 12/2/21 3:14 pm, Viktor Dukhovni wrote:
>> Hi, I have a fairly typical postfix install with port 465 requiring
>> authentication. I'd like to allow one sender (email address or IP) to
>> inject email on port 465 without providing login/password authentication.
>
> The port number and TLS encryption are irrelevant here, all that
> matters is the "restrictions" you configure for the SMTP service
> in question. [...]

Thank you Viktor. A week of agonizing Google searches and testing came down
to something so simple. I actually put all this in main.cf to accept unauth
messages from a nominated remote postfix server...

smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
mua_relay_restrictions = permit_sasl_authenticated
    check_client_access cidr:/etc/postfix/mua-client.cidr reject
smtpd_relay_restrictions = $mua_relay_restrictions

~ cat mua-client.cidr
12.34.56.78/32 OK

And then used this to push messages TO that server which has a reciprocal
setup...

transport_maps = lmdb:/etc/postfix/transport

~ cat transport
remote.domain smtp:[78.56.34.12]:465

The reason for wanting this setup is that I've started using delta.chat
with a few friends and I want to maximize the speed between our mailservers
and also try to minimize the size of the messages to sometimes <1500 bytes.
FWIW disabling DKIM seems to make the biggest difference...

~ grep DontSignMailTo /etc/opendkim.conf
DontSignMailTo user1@remote.domain, user2@remote.domain

and why not SPF while we're at it...

~ cat sender_checks (.lmdb)
remote.domain OK

Is there any other magic I could use in this peer-to-peer scenario to reduce
the number of unnecessary headers during transit on a per domain basis?
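
Added example, not part of the original message or of Postfix: a simplified Python model of the restriction list quoted above (permit_sasl_authenticated, then check_client_access against the cidr table, then reject), useful for checking which clients an access table lets relay without SASL. The function names and the sample table are constructed for illustration; IF/ENDIF blocks and negated patterns from cidr_table(5) are not handled.

```python
import ipaddress

# Constructed sample in cidr_table(5) "pattern result" form, mirroring the post.
SAMPLE_TABLE = """\
# peer allowed to relay without SASL
12.34.56.78/32 OK
"""

def parse_cidr_table(text):
    """Return [(network, action)] in file order (cidr tables are first-match).
    Simplification: IF/ENDIF blocks and !negated patterns are not handled."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern), action.strip()))
    return rules

def relay_decision(client_ip, sasl_authenticated, rules):
    """Model of: permit_sasl_authenticated, check_client_access cidr:..., reject"""
    if sasl_authenticated:
        return "permit (sasl)"
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr in net:                       # first matching pattern decides
            verb = action.split()[0].upper()
            if verb == "OK":
                return "permit (client access)"
            if verb == "REJECT":
                return "reject (client access)"
            break                             # e.g. DUNNO: fall through
    return "reject"                           # final catch-all in the list

def unauthenticated_networks(rules, max_addresses=1):
    """List OK entries covering more than max_addresses: each is an auth bypass."""
    return [str(net) for net, action in rules
            if action.split()[0].upper() == "OK" and net.num_addresses > max_addresses]

if __name__ == "__main__":
    rules = parse_cidr_table(SAMPLE_TABLE)
    for ip, sasl in [("12.34.56.78", False), ("12.34.56.79", False), ("203.0.113.5", True)]:
        print(ip, "sasl" if sasl else "no-sasl", "->", relay_decision(ip, sasl, rules))
    print("broad OK entries:", unauthenticated_networks(rules))
```

Every OK entry in such a table is an authentication bypass keyed only on source address, so entries wider than a single host are the ones to review first.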