* Martin Rabl <[email protected]>:
> Update ... ;-)
>
> On 16.10.11 22:01, Martin Rabl wrote:
> >On 16.10.11 19:53, starfish wrote:
> >>looks like many people miss smtp-auth. will it be available in SOGo 2 ?
> >SOGo itself delivers into the configured smarthost.
> Ok, when you need another mailserver (than the smarthost), which
> wants SOGo to authenticate itself, there could be a need.
Strictly speaking an SMTP server that accepts messages from SOGo becomes an MSA
(message submission agent). MSAs are special, because messages originate from
MSAs. Messages enter the mail transfer at the MSA and then relays and border
filters (vulgo: Gateway) transfer them closer to the final destination where
they are delivered to an MDA.

As an MSA the SMTP server has the special role to ensure the message conforms
to Internet standards (complete envelope addresses etc.) and the MSA must (!)
ensure the message was submitted only by authorized senders.

The RFC for Submission states a client MUST use SMTP AUTH before it authorizes
the client to submit the message and it MAY use TLS (to protect weak AUTH
mechanisms).

I think if SOGo and MTA/MSA are on the same host, it should suffice to create
a dedicated server instance that lets only clients from 127.0.0.1 submit
messages and do the MSA checks at this level. Something like this in Postfix
master.cf will probably do:

# smtpd instance on the loopback address that accepts mail from 127.0.0.1 only
127.0.0.1:25 inet n - n - - smtpd
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=127.0.0.1/32
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
  -o local_header_rewrite_clients=

And yes, if SOGo submits messages to an MSA that isn't on the same host SOGo
should use SMTP AUTH.
> But, in this case IMHO it would be a better setup for SOGo to deliver
> Mails to the localhost-mailserver, which is configured to relay to
> the mailserver with the smtp-auth-need.
> Easy setup ...
> http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html
>
> (Thank you, Patrick)
Glad it is still of help. :)
p@rick
--
state of mind ()
http://www.state-of-mind.de
Franziskanerstraße 15 Telefon +49 89 3090 4664
81669 München Telefax +49 89 3090 4666
Amtsgericht München Partnerschaftsregister PR 563
--
[email protected]
https://inverse.ca/sogo/lists
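
An added example, not part of the original message and not Postfix code: a Python check that parses a master.cf entry like the one in the reply above and reports overrides that would let a non-local client submit through the listener. The function names and the shortened sample entry are assumptions made for illustration; the parser follows the master.cf rule that only lines starting with whitespace continue an entry.

```python
import ipaddress

# Constructed sample modelled on the loopback listener in the message (shortened).
SAMPLE = """\
127.0.0.1:25 inet n - n - - smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,permit_mynetworks,reject
  -o mynetworks=127.0.0.1/32
"""

def parse_master_cf(text):
    """Join continuation lines, then split each entry into fields and -o overrides."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank lines and comments are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()          # leading whitespace continues an entry
        else:
            logical.append(raw.strip())               # column-0 text starts a new entry
    entries = []
    for line in logical:
        fields = line.split()
        if len(fields) < 8:  # service type private unpriv chroot wakeup maxproc command
            raise ValueError(f"not a complete master.cf entry: {line!r}")
        args = fields[8:]
        overrides = dict(a.split("=", 1) for prev, a in zip(args, args[1:])
                         if prev == "-o" and "=" in a)
        entries.append({"service": fields[0], "command": fields[7], "overrides": overrides})
    return entries

def is_loopback_net(value):
    """True if value is an address or network that lies entirely in loopback space."""
    try:
        bare = value.replace("[", "").replace("]", "")   # Postfix writes IPv6 as [::1]
        return ipaddress.ip_network(bare, strict=False).is_loopback
    except ValueError:
        return False

def audit_loopback_listener(entry):
    """Return findings that would let a non-local client submit through this listener."""
    findings, o = [], entry["overrides"]
    if not is_loopback_net(entry["service"].rpartition(":")[0]):
        findings.append("listener is not bound to a loopback address")
    nets = o.get("mynetworks", "").replace(",", " ").split()
    if not nets or not all(is_loopback_net(n) for n in nets):
        findings.append("mynetworks override is missing or wider than loopback")
    for name in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        rules = o.get(name, "").split(",")
        if "permit_mynetworks" not in rules or rules[-1] != "reject":
            findings.append(f"{name} does not end in permit_mynetworks ... reject")
    return findings
```

A parameter that has wrapped onto its own line at column 0, separated from its `-o`, is read as a new entry and rejected by `parse_master_cf` rather than silently dropped.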