On 24/12/22 16:51, Samer Afach wrote:
> (and if you're wondering why port 25's encryption is `may` in main.cf, it's because I still don't know how to get fetchmail to deliver emails without that... another issue to be solved).

Fetchmail should not be delivering to port 25 as port 25 should be for inbound MX connections from other MTAs only. These connections, by necessity, can't authenticate with SASL (because there's no way that other ESPs such as gmail or outlook can know the username and password that you would set for them on your server, nor can you possibly set up usernames and passwords for every MTA on the internet). Trying to mix this type of traffic with traffic that is really meant for submission (port 587) or submissions (port 465) or other types of injection (pick another port of your choice) can end up causing a mess and will simply not work at all with certain utilities such as postscreen. At the end of the day one type of traffic requires very strict authentication but very few anti-spam measures and can relay, and the other requires minimal authentication and strict anti-spam and should not be allowed to relay. Don't mix these, and don't use port 25 for stuff that it's not supposed to be used for and your life will be much easier.

> 2. It's been too long and I'm too afraid to ask (Chris Pratt meme goes here): Is smtp strictly for outgoing connections, no matter what port, and smtpd for incoming connections, no matter what port?

smtp_* settings are for postfix's smtp(8) client which makes connections to other smtp services. smtpd_* settings are for postfix's smtp service which is listed in master.cf and listens for inbound connections on a tcp or unix port for incoming traffic.

> Btw, just a note since you mentioned it, while using one file for keys + certificates has an advantage, I have to say that letsencrypt really annoys me that it doesn't do that automatically. I have to run cron jobs to recreate this for HAProxy... because HAProxy only accepts one file with everything in it. Your comment explained to me why HAProxy enforces this, but doesn't explain why letsencrypt cannot add a `cat` call after recreating the certificates.

This is off-topic for this list, but it will depend on your AJAX client, though most (if not all) have the capability to run arbitrary commands after they create a new certificate, so a separate cron job should not be necessary.


Peter
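A master.cf layout that keeps the two kinds of traffic apart the way the reply above describes, added here as an illustration and not taken from the thread or from the Postfix distribution. Port 25 (via postscreen) stays opportunistic-TLS and unauthenticated with main.cf's anti-spam and no-relay restrictions; 587/465 require TLS and SASL and relay only for authenticated clients; the loopback listener on port 10025 for fetchmail is an assumed choice of "another port", reachable only from localhost.

```conf
# master.cf (added example; column order: service type private unpriv chroot wakeup maxproc command)

# Port 25: inbound MX traffic from other MTAs. No SASL, TLS stays "may"
# because remote MTAs cannot be forced to use it. postscreen and the
# main.cf smtpd_*_restrictions (strict anti-spam, reject_unauth_destination
# so nothing relays) apply here unchanged.
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
  -o syslog_name=postfix/mx
  -o smtpd_sasl_auth_enable=no
  -o smtpd_tls_security_level=may

# Port 587 (STARTTLS) and 465 (implicit TLS): submission from your own
# users only. TLS is mandatory, SASL is mandatory, relaying is allowed
# solely for authenticated clients, and the MX-side spam checks are
# replaced by the authenticated/reject pair.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# Assumed extra injection port for fetchmail (pick any free port). Bound to
# loopback, so only local processes can reach it; no TLS or SASL needed,
# and it never sees postscreen or the MX anti-spam checks.
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o syslog_name=postfix/fetchmail
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_mynetworks,reject
```

Point fetchmail at `127.0.0.1` port `10025` (its `smtphost` option) and the port 25 setting in main.cf can stay at `may` for the reason the reply gives, with nothing else depending on it. Verify with `postconf -Mf` that each listener carries the overrides you expect before opening the firewall.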
