> On Jun 28, 2016, at 2:11 AM, Rob Maidment wrote:
>
> Filtering out the STARTTLS option can be achieved using
> smtpd_discard_ehlo_keyword_address_maps as described above.
> The smtpd_tls_security_level parameter must be set to "may" rather
> than "encrypt" if there are any profiles where TLS i
I think I finally have a solution - thanks to Wietse and Viktor. To
recap I am replacing Sendmail with Postfix in a legacy application and
I was struggling with these two requirements:
1. The server must authenticate clients differently depending on a
"client connection profile"; the profile can
On Fri, Jun 24, 2016 at 04:10:40PM +0100, Rob Maidment wrote:
> I could set smtpd_tls_security_level to "may" instead and then verify
> that TLS has been used where it is required (e.g. using a policy
> service), however that means Postfix will not validate the client
> certificate right? (because
On 24 June 2016 at 14:59, Wietse Venema wrote:
>> I need to ensure TLS is used (and client certificates are verified)
>> for some clients but not offered to others. What happens if I use
>> smtpd_discard_ehlo_keyword_address_maps to strip the STARTTLS keyword
>> but smtpd_tls_security_level is se
Rob Maidment:
> On 23 June 2016 at 18:05, Wietse Venema wrote:
> > I don't see that happen.
> >
> > I don't think that postscreen is viable if it has to wait for DNS
> > lookup with EVERY SMTP CONNECTION.
>
> Ok I understand, but it wouldn't be on every connection, only the ones
> postscreen deci
On 23 June 2016 at 18:05, Wietse Venema wrote:
> I don't see that happen.
>
> I don't think that postscreen is viable if it has to wait for DNS
> lookup with EVERY SMTP CONNECTION.
Ok I understand, but it wouldn't be on every connection, only the ones
postscreen decided to pass through. And once
Rob Maidment:
> > In master.cf:
> >
> > smtp inet . . . . . postscreen -o smtpd_service_name=blah
> > blah pass . . . . . smtpd
> >
> > See postscreen(8) and postconf(5) manpages for details.
> >
> > Wietse
>
> Thanks, I don't know how I didn't spot that.
>
> Do you think it's fe
> In master.cf:
>
> smtp inet . . . . . postscreen -o smtpd_service_name=blah
> blah pass . . . . . smtpd
>
> See postscreen(8) and postconf(5) manpages for details.
>
> Wietse
Thanks, I don't know how I didn't spot that.
Do you think it's feasible to enhance postscreen to hand o
On Wed, Jun 22, 2016 at 07:17:03AM -0400, Wietse Venema wrote:
Typo here:
> In master.cf:
>
> smtpd inet . . . . . postscreen -o smtpd_service_name=blah
..^
This should be "smtp", the services(5) name for port 25.
> blah pass . . . . . smtpd
--
http://rob0.nodns4.us/
Offl
Rob Maidment:
> On 1 June 2016 at 15:37, Wietse Venema wrote:
> > postscreen by design allows a "good" client to talk directly to an
> > smtpd process without knowing the sender or recipient. Therefore,
> > you will need two postscreens
>
> So I would require two postscreens, and two SMTP servers,
On 1 June 2016 at 15:37, Wietse Venema wrote:
> postscreen by design allows a "good" client to talk directly to an
> smtpd process without knowing the sender or recipient. Therefore,
> you will need two postscreens
So I would require two postscreens, and two SMTP servers, with each
postscreen hand
Rob Maidment:
> On 31 May 2016 at 17:21, Viktor Dukhovni wrote:
> >
> > The Dovecot SASL backend has access to the client's IP address,
> > but I don't know whether it sees that early enough to supply Postfix
> > with a client-dependent mechanism list, nor whether Dovecot has the
> > feature you'r
On 31 May 2016 at 17:21, Viktor Dukhovni wrote:
>
> The Dovecot SASL backend has access to the client's IP address,
> but I don't know whether it sees that early enough to supply Postfix
> with a client-dependent mechanism list, nor whether Dovecot has the
> feature you're looking for.
The Cyrus
Rob Maidment:
> On 31 May 2016 at 17:32, Sebastian Nielsen wrote:
> > You would need to use a firewall for this.
>
> That's an interesting idea. I was considering deploying postscreen -
> could postscreen do the splitting instead of the firewall? If not then
> I guess I would need multiple posts
On 31 May 2016 at 17:32, Sebastian Nielsen wrote:
> You would need to use a firewall for this.
That's an interesting idea. I was considering deploying postscreen -
could postscreen do the splitting instead of the firewall? If not then
I guess I would need multiple postscreen instances talking to
16 18:05
To: Postfix users
Subject: Different SMTP AUTH options and credentials for different clients
How can I implement this in the Postfix SMTP server?
For certain client IP addresses no authentication is required and the EHLO
response should not advertise the AUTH option.
For a second s
On Tue, May 31, 2016 at 05:04:33PM +0100, Rob Maidment wrote:
> How can I implement this in the Postfix SMTP server?
>
> For certain client IP addresses no authentication is required and the
> EHLO response should not advertise the AUTH option.
smtpd_discard_ehlo_keyword_address_maps (au
How can I implement this in the Postfix SMTP server?
For certain client IP addresses no authentication is required and the
EHLO response should not advertise the AUTH option.
For a second set of client IP addresses authentication is required and
the EHLO response should advertise AUTH PLAIN.
For
18 matches