On Wed, Jan 12, 2022 at 10:43:11AM -0500, Wietse Venema wrote:
> Wietse:
> > I think it is a mistake to enforce Spamhaus for clients that connect
> > to port 578. Clients on port 25 must authenticate.
>
> Ruben Safir:
> > I agree, but I don't know how to control rules for 587?
> > How do I tell it to do something only on port 587?
>
> In the stock master.cf file:
>
> #submission inet n - n - - smtpd
> # -o syslog_name=postfix/submission
> # -o smtpd_tls_security_level=encrypt
> # -o smtpd_sasl_auth_enable=yes
> # -o smtpd_tls_auth_only=yes
> # -o smtpd_reject_unlisted_recipient=no
> # Instead of specifying complex smtpd_<xxx>_restrictions here,
> # specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
> # here, and specify mua_<xxx>_restrictions in main.cf (where
> # "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
> # -o smtpd_client_restrictions=
> # -o smtpd_helo_restrictions=
> # -o smtpd_sender_restrictions=
> # -o smtpd_relay_restrictions=
> # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> # -o milter_macro_daemon_name=ORIGINATING
>
> Once the "#" is removed, the smtpd restrictions are:
>
> submission inet n - n - - smtpd
> ...
> -o smtpd_client_restrictions=
> -o smtpd_helo_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_relay_restrictions=
> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> ...
>
UNDER main.cf I have this:
smtpd_data_restrictions = reject_unauth_pipelining, permit
############################################################
# SASL stuff
############################################################
smtp_sasl_auth_enable = no
smtp_sasl_security_options =
smtp_sasl_password_maps =
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem
#smtpd_tls_CApath =
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_key_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_delay_reject = yes
smtpd_banner = $myhostname ESMTP
I don't see sasl on telnet
www2:/etc/postfix # telnet www2.mrbrklyn.com 587
Trying 96.57.23.82...
Connected to www2.mrbrklyn.com.
Escape character is '^]'.
220 mrbrklyn.com ESMTP
EHLO client flatbush.mrbrklyn.com
250-mrbrklyn.com
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
> Note that there are no DNSBL checks on the submission port.
>
> Wietse
--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com
Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
