On Wed, Jan 12, 2022 at 10:43:11AM -0500, Wietse Venema wrote:
> Wietse:
> > I think it is a mistake to enforce Spamhaus for clients that connect
> > to port 578. Clients on port 25 must authenticate.
> 
> Ruben Safir:
> > I agree, but I don't know how to control rules for 587?
> > How do I tell it to do something only on port 587?
> 
> In the stock master.cf file:
> 
> #submission inet n       -       n       -       -       smtpd
> #  -o syslog_name=postfix/submission
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_tls_auth_only=yes
> #  -o smtpd_reject_unlisted_recipient=no
> #     Instead of specifying complex smtpd_<xxx>_restrictions here,
> #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
> #     here, and specify mua_<xxx>_restrictions in main.cf (where
> #     "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
> #  -o smtpd_client_restrictions=
> #  -o smtpd_helo_restrictions=
> #  -o smtpd_sender_restrictions=
> #  -o smtpd_relay_restrictions=
> #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> 
> Once the "#" is removed, the smtpd restrictions are:
> 
> submission inet n       -       n       -       -       smtpd
>   ...
>   -o smtpd_client_restrictions=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_relay_restrictions=
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   ...
> 


UNDER main.cf I have this:

smtpd_data_restrictions = reject_unauth_pipelining, permit

############################################################
# SASL stuff
############################################################
smtp_sasl_auth_enable = no
smtp_sasl_security_options =
smtp_sasl_password_maps =
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem
#smtpd_tls_CApath = 
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_key_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_delay_reject = yes
smtpd_banner = $myhostname ESMTP

I don't see sasl on telnet

www2:/etc/postfix # telnet www2.mrbrklyn.com 587
Trying 96.57.23.82...
Connected to www2.mrbrklyn.com.
Escape character is '^]'.
220 mrbrklyn.com ESMTP
EHLO client flatbush.mrbrklyn.com
250-mrbrklyn.com
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN



> Note that there are no DNSBL checks on the submission port.
> 
>       Wietse

-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com 

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive 
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com 

Being so tracked is for FARM ANIMALS and extermination camps, 
but incompatible with living as a free human being. -RI Safir 2013
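
An added example, not part of the original message and not Postfix code: a Python script that resolves, per master.cf service, the settings in effect once `-o` overrides are applied on top of main.cf. It shows why a DNSBL rule in main.cf is not evaluated on the submission port once the stock entry is uncommented. The main.cf and master.cf contents are constructed samples, the function names are hypothetical, and `-o` values containing whitespace are not handled.

```python
import re
# Constructed samples (not the poster's files): main.cf applies a DNSBL to
# every smtpd service; master.cf has the stock submission entry uncommented.
MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org
"""
MASTER_CF = """\
smtp       inet n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
#     comment lines inside an entry are skipped
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Drop comments/blank lines, join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main(text):
    pairs = (line.partition("=") for line in logical_lines(text))
    return {name.strip(): " ".join(value.split()) for name, _, value in pairs}

def parse_master(text):
    """Map service name -> {param: value} from simple '-o name=value' options."""
    services = {}
    for line in logical_lines(text):
        fields = line.split(None, 7)          # 7 fixed columns, then the command
        services[fields[0]] = dict(re.findall(r"-o\s+(\w+)=(\S*)", fields[7]))
    return services

def effective(main, master, service, param):
    """A master.cf -o value, even an empty one, replaces the main.cf value."""
    return master[service].get(param, main.get(param, ""))

def dnsbl_checked(main, master, service):
    names = {n for n in (*main, *master[service]) if n.endswith("_restrictions")}
    return any("reject_rbl_client" in effective(main, master, service, n) for n in names)

MAIN, MASTER = parse_main(MAIN_CF), parse_master(MASTER_CF)
if __name__ == "__main__":
    print({svc: dnsbl_checked(MAIN, MASTER, svc) for svc in MASTER})
```

On a live server, `postconf -P` lists the master.cf `-o` overrides and `postconf -n` lists the non-default main.cf settings.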
