On 2021-04-15 03:10, Matus UHLAR - fantomas wrote:
On 14 Apr 2021, at 15:55, (lists) Denis BUCHER
<dbuche...@hsolutions.ch> wrote:
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
On 14.04.21 23:28, @lbutlr wrote:
Seems short.
Not much, maybe only missing wrappermode.
Being pedantic, however, I'd suggest using the IANA and RFC 8314
port name, "submissions", because that's more specific and
correct than "smtps", which name implies that it might be a
substitute port for smtp, 25.
smtps inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes
The following all properly belong in main.cf, even if this is the
only submission service you're running. But as Matus points out,
typically you'd also offer RFC 6409 submission on 587.
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_path=private/auth
And the following can be implemented with mua_mumble_restrictions
all defined in main.cf; this is the default offered in the
commented smtps and submission entries in master.cf as
distributed by Wietse:
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_helo_restrictions=
  -o smtpd_data_restrictions=
If any of those mua_*_restrictions are not set you get "". The only
one really required is mua_relay_restrictions, but the default
smtpd_relay_restrictions even avoids that requirement. So the
smtpd_client_restrictions=permit_sasl_authenticated,reject will at
least require all submitting clients to AUTH.
tls_wrappermode=yes is required for smtps to actually work as
expected,
as well as, I believe, sasl_type?
you had better put sasl options in main.cf, unless you are going to
use different SASL types on different ports.
--
http://rob0.nodns4.us/
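
An added example, not part of the thread and not Postfix code: a small Python check that parses master.cf text and flags an smtps/submissions entry that lacks the overrides discussed above (wrappermode, SASL enabled, clients forced to AUTH). The function names and the sample input are constructed for illustration, and the check assumes the settings are given as plain `-o name=value` overrides in master.cf rather than in main.cf.

```python
import shlex

# Constructed sample: the thread's first entry (no wrappermode), then a corrected one.
SAMPLE_MASTER_CF = """\
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submissions inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def parse_overrides(text):
    """Map each master.cf service name to its '-o name=value' overrides."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()      # continuation of previous entry
        else:
            entries.append(raw.strip())
    services = {}
    for entry in entries:
        fields = shlex.split(entry)
        args = fields[8:]                         # after the 8 fixed columns
        pairs = [b for a, b in zip(args, args[1:]) if a == "-o" and "=" in b]
        services[fields[0]] = dict(p.split("=", 1) for p in pairs)
    return services

def audit_implicit_tls(text, names=("smtps", "submissions")):
    """Return {service: [problems]}; checks master.cf overrides only (assumption:
    nothing relevant is set in main.cf, and no '$name' or '{ }' syntax is used)."""
    report = {}
    for svc, opts in parse_overrides(text).items():
        if svc not in names:
            continue
        problems = []
        for param in ("smtpd_tls_wrappermode", "smtpd_sasl_auth_enable"):
            if opts.get(param) != "yes":
                problems.append(param + "=yes not set")
        steps = opts.get("smtpd_client_restrictions", "").replace(",", " ").split()
        if steps[-2:] != ["permit_sasl_authenticated", "reject"]:
            problems.append("clients are not forced to AUTH")
        report[svc] = problems
    return report

print(audit_implicit_tls(SAMPLE_MASTER_CF))
```

An entry that takes its restrictions from main.cf through `$mua_client_restrictions` is reported as not forcing AUTH, since the check does not expand variables.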