Jeff Weinberger a écrit : > Hi: > > Based on good practice and the help and urging of some of the gurus on this > list, I am moving my users to using the submission service (port 587) > instead of port 25 to send mail from their mail clients. > > Once most of them move, I'd like to start warning the ones who don't that > they should (ok, maybe just bugging them). But then I was thinking I might > eventually want to require that they use port 587. > > My question is really two-fold: > > 1) using the controls in postfix, is it possible to prevent authenticated > users from using port 25 to submit mail? Is there a construct that would do > that without interfering with incoming mail from anywhere? >
You are certainly using permit_sasl_authenticated. so to prevent auth on port 25, simply remove this check from smtpd_recipient_restrictions. > 2) even if it's possible, it is advisable (I know no one is shy about > offering opinions here, and I hope if you have one, you'll voice it :) )? > There are benefits in separating MX and submission functions, either by using different ports (recommended) or by using a different IP. for example, you can use different header_checks and body_checks. you can block some IPs/networks on 25 but still allow your users to come from these IPs... you avoid having to implement "exceptions" in your smtpd restrictions... etc. It is also hoped that future versions of MUAs will be "support" port 587 (they could try to see if it is available and propose it as the default port, ... etc). All that said, you don't need to go that road too quickly. Many users have no idea what you tell them (I've seen that with software developpers).
