Ruben Safir:
> On Wed, Jan 12, 2022 at 10:44:18AM -0500, Wietse Venema wrote:
> > Wietse Venema:
> > > Wietse:
> > > > I think it is a mistake to enforce Spamhaus for clients that connect
> > > > to port 578. Clients on port 25 must authenticate.
> >
> > Sorry, 25 should have been 578.
>
> how to control rules for 587? Is that controlled by the
> submission init n - n - - smtpd
> ??
Use Spamhaus etc. on the "smtp" (port 25) service, and require SASL
authentication on the submission service.
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
# here, and specify mua_<xxx>_restrictions in main.cf (where
# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_relay_restrictions=
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
Wietse
