On 10/09/12 17:38, Gilles Chehade wrote:
On Tue, Oct 09, 2012 at 09:29:25AM -0600, Bob Beck wrote:
On Tue, Oct 9, 2012 at 9:25 AM, Gilles Chehade <[email protected]> wrote:
I agree with you that people will probably not want port 587 without auth
turned on so on a practical point of view, we could make it implicit.
There's a syntax issue though because, users will likely be less surprised by:
listen on bnx0 port submission [...] tls-require
listen on bnx0 [...] tls-require
than:
listen on bnx0 port submission [...] # implicit tls-require
listen on bnx0 [...] # not here though
If there's no "require" for auth, just "auth" - then there's really no
confusion I think
And there is a real normal use case for opportunistic (as opposed to
required) TLS.
I don't think there is one for auth on port 587.
I.E. I think tls and tls-require make sense to have differentiated.
I'm not sure it makes sense to have "auth" and "auth-required" - I
think "auth" should just mean it's required.
Oh I get it but see my conf for instance:
listen on bnx0 [...] auth
accept from all for domain "opensmtpd.org" deliver to maildir
accept for all relay
Now keep in mind that the relay rule here can only be matched by a
local or authenticated user.
The distinction between auth and auth-require allows me to make auth
optional so that random people can mail @opensmtpd.org but so that
only eric, chl or I can relay mail elsewhere from that box.
Now with:
listen on bnx0 [...] auth-require
accept from all for domain "opensmtpd.org" deliver to maildir
accept for all relay
people would need to auth on the server to be able to mail us.
I think Bob's point is that then you use 587 (with auth) for yourselves
and 25 (without auth) for mail from the rest of the intertubes.
