On Wed, Jan 12, 2022 at 10:43:11AM -0500, Wietse Venema wrote:
> Wietse:
> > I think it is a mistake to enforce Spamhaus for clients that connect
> > to port 578. Clients on port 25 must authenticate.
>
> Ruben Safir:
> > I agree, but I don't know how to control rules for 587?
> > How do I tell it to do something only on port 587?
>
> In the stock master.cf file:
>
> #submission inet n - n - - smtpd
> #  -o syslog_name=postfix/submission
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_tls_auth_only=yes
> #  -o smtpd_reject_unlisted_recipient=no
> #     Instead of specifying complex smtpd_<xxx>_restrictions here,
> #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
> #     here, and specify mua_<xxx>_restrictions in main.cf (where
> #     "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
> #  -o smtpd_client_restrictions=
> #  -o smtpd_helo_restrictions=
> #  -o smtpd_sender_restrictions=
> #  -o smtpd_relay_restrictions=
> #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
>
> Once the "#" is removed, the smtpd restrictions are:
>
> submission inet n - n - - smtpd
>   ...
>   -o smtpd_client_restrictions=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_relay_restrictions=
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   ...
>
UNDER main.cf I have this:

smtpd_data_restrictions = reject_unauth_pipelining, permit
############################################################
# SASL stuff
############################################################
smtp_sasl_auth_enable = no
smtp_sasl_security_options =
smtp_sasl_password_maps =
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem
#smtpd_tls_CApath =
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_key_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_delay_reject = yes
smtpd_banner = $myhostname ESMTP

I don't see sasl on telnet

www2:/etc/postfix # telnet www2.mrbrklyn.com 587
Trying 96.57.23.82...
Connected to www2.mrbrklyn.com.
Escape character is '^]'.
220 mrbrklyn.com ESMTP
EHLO client flatbush.mrbrklyn.com
250-mrbrklyn.com
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

> Note that there are no DNSBL checks on the submission port.
>
> Wietse

--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
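
An added example, not part of the thread and not Postfix code: a small Python check that reads master.cf text the way the quoted entry is laid out (comment lines ignored, lines starting with whitespace continue the entry) and lists which of the submission overrides are missing, so that the main.cf value, port-25 DNSBL checks included, still applies on port 587. The function names and the PARTIAL sample are constructed for illustration, and only the `-o name=value` form is handled.

```python
# Parameters the submission entry quoted in the thread overrides with -o.
EXPECTED = (
    "smtpd_tls_security_level", "smtpd_sasl_auth_enable", "smtpd_tls_auth_only",
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions",
)

# Constructed sample: service line uncommented, two -o lines left commented.
PARTIAL = """\
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtp      inet  n       -       n       -       -       smtpd
"""

def service_overrides(master_cf, name="submission", stype="inet"):
    """Return the -o overrides of one service, or None if it is not enabled."""
    logical = []
    for raw in master_cf.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):
            continue                      # blank and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + text     # leading whitespace continues the entry
        else:
            logical.append(text)
    for entry in logical:
        fields = entry.split()
        if len(fields) < 8 or fields[:2] != [name, stype]:
            continue
        args = fields[8:]                 # everything after the command name
        pairs = (args[i + 1] for i in range(len(args) - 1) if args[i] == "-o")
        return {k: v for k, _, v in (p.partition("=") for p in pairs)}
    return None

def inherited_from_main_cf(master_cf):
    """Expected parameters the submission service leaves to main.cf (None if disabled)."""
    overrides = service_overrides(master_cf)
    return None if overrides is None else [p for p in EXPECTED if p not in overrides]

if __name__ == "__main__":
    print(inherited_from_main_cf(PARTIAL))
```
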