> Are there any security benefits to creating this smart host as a separate
> SMTP server? Are there any "best practices" for this kind of situation?

It depends on your network structure and how much you trust your new clients.

If your client resides directly on your local network (either physical or VPN), you can use "mynetworks" to allow relaying. This is a typical config for SOHO.

If not, then you should use SASL to auth the client. Be sure to force TLS (smtpd_tls_auth_only) in this case. You can also enable client certificate verification (see TLS_README) to make the system even more secure. Also, use "smtpd_sender_login_maps" to make sure the client uses only the allowed "From".

But if you want to delegate the management of your clients to someone who doesn't have access to your MTA, then you can install a separate "relayhost" for them and give the appropriate person rights to manage authentication, generic, canonical and other things.

Some untrusted clients should never send email anywhere except one/two well-known addresses. This could be done with regex-based virtual(5), and it could be convenient to configure it on the separate server so as not to pollute your MTA.

There are some "dumb" SMTP clients that can't use SMTP AUTH or TLS. If you want such a client to be connected to your MTA via the public Internet, then you have to install a "relayhost" for it.

Tell us more about the problem you are trying to solve.
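
The SASL-over-TLS relay setup described in the reply above, written out as a Postfix main.cf fragment. This is an added example, not part of the original message; the network range, file paths, addresses and login names are constructed placeholders, and the SASL backend itself is assumed to be configured separately.

```conf
# /etc/postfix/main.cf on the relay (added example; all values are placeholders)

# Clients on the trusted local network or VPN may relay without authenticating.
# 192.0.2.0/24 is a documentation range standing in for the real LAN.
mynetworks = 127.0.0.0/8 192.0.2.0/24

# TLS must be offered so that remote clients can authenticate over it.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/relay.example.com.crt
smtpd_tls_key_file = /etc/postfix/tls/relay.example.com.key

# Offer SMTP AUTH, but only inside a TLS session, so credentials
# never cross the network in the clear.
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes

# Optional: ask clients for a certificate (see TLS_README).
# smtpd_tls_ask_ccert = yes

# Relay only for the trusted network and authenticated clients.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Bind each envelope sender (MAIL FROM) to the SASL login that owns it and
# reject authenticated clients that use an address they do not own.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch

# /etc/postfix/sender_login (run "postmap /etc/postfix/sender_login" after editing):
#   printer@example.com    printer-svc
#   alerts@example.com     monitoring-svc
```

Note that smtpd_sender_login_maps is matched against the envelope sender, not the "From:" header in the message body. Main.cf does not allow a comment on the same line as a value, so the comments stay on their own lines.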