On Jan 8, 2009, at 5:49 AM, Jorey Bump wrote:

Jeff Weinberger wrote, at 01/08/2009 12:10 AM:
Hi:

Based on good practice and the help and urging of some of the gurus on this
list, I am moving my users to using the submission service (port 587)
instead of port 25 to send mail from their mail clients.

Once most of them move, I'd like to start warning the ones who don't that they should (ok, maybe just bugging them). But then I was thinking I might
eventually want to require that they use port 587.

My question is really two-fold:

1) using the controls in postfix, is it possible to prevent authenticated users from using port 25 to submit mail? Is there a construct that would do
that without interfering with incoming mail from anywhere?

Yes, you can simply set smtpd_sasl_auth_enable = no (which is the
default, so you could also remove the line, but being explicit might be
more helpful in this case). You can also remove
permit_sasl_authenticated from smtpd_*_restrictions, but it might be
wise to leave it in place for the time being (it shouldn't cause any
problems). Your submission service in master.cf should already have -o
smtpd_sasl_auth_enable=yes in it.

Keep in mind, however, that some users will still be able to use port 25
to send messages to domains that the server accepts mail for. To them,
it may seem that relaying works inconsistently.

2) even if it's possible, is it advisable (I know no one is shy about
offering opinions here, and I hope if you have one, you'll voice it :) )?

The decision to restrict mail submission to port 587 depends on your
needs. I manage some environments where this is enforced. I actually
like the separation, but it sometimes requires additional support for
legacy clients (achieved in various ways).

In other environments with a more diverse and general population, I
continue to allow submission on port 25, but only with mechanisms that
are considered secure. You'll probably want to begin with this
arrangement, as you are suggesting. It's kinder to your users, if you're
not in any rush. The important thing is that you're opening port 587
(with sane settings) to support road warriors and users whose ISPs block outgoing connections to port 25. This move benefits them as much (if not
more) as you.

Thank you for your help and insight!

I'm glad to hear that this is a fairly common option and one that can be supported, even if with some hoop-jumping.

As far as how to make it happen...

Setting smtpd_sasl_auth_enable = no would mean that no authentication is required on port 25, but if I understand it correctly, it wouldn't actually stop an authenticated user from sending mail through port 25. If they tried to authenticate on port 25 with smtpd_sasl_auth_enable = no, would postfix refuse the connection?

In the final step of my scenario, that's the behavior I want to achieve. Will that simple step work?

Thanks!

--Jeff
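Added illustration (editor's example, not configuration posted by either participant): the main.cf and master.cf settings that the reply above describes, i.e. SASL switched off on the port 25 smtpd and switched on only for the submission service, with the restriction lists that give each port its role. The restriction lists are the stock Postfix ones and are an assumption about the poster's setup, not copied from the thread.

```conf
# --- main.cf: the port 25 smtpd that receives inbound mail ---
# No SASL on port 25: the AUTH command is not advertised, and a client
# that sends AUTH anyway gets "503 5.5.1 Error: authentication not
# enabled" and stays unauthenticated. Relaying is then decided only by
# the restriction list: local networks may relay, anyone may deliver
# to the domains this server accepts mail for, nothing else is relayed.
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# --- master.cf: the submission service on port 587 ---
# Per-service -o overrides enable SASL only here, require TLS before
# credentials are sent, and accept mail from authenticated clients only.
# (Column 3 "n" = chroot setting; match what your distribution uses.)
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, a quick check is to open an SMTP session to port 25, send EHLO, and confirm that no `250-AUTH` line is offered; an attempt to relay to a non-local domain from outside mynetworks should then fail with "Relay access denied". This is the behaviour the question about authenticating on port 25 is asking about: the connection is not refused, the session simply cannot authenticate. As the reply notes, mail addressed to domains the server accepts for is still accepted on port 25, because that is ordinary inbound delivery rather than relaying.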
