On Jan 8, 2009, at 6:53 AM, Jorey Bump wrote:

Jeff Weinberger wrote, at 01/08/2009 09:27 AM:

Setting smtpd_sasl_auth_enable = no would mean that no authentication is
required on port 25, but if I understand it correctly, it wouldn't
actually stop an authenticated user from sending mail through port 25. If they tried to authenticate on port 25 with smtpd_sasl_auth_enable =
no, would postfix refuse the connection?

Actually, smtpd_sasl_auth_enable = no means that authentication is not
enabled. IOW, Postfix won't offer 250-AUTH [mech list] after HELO/EHLO. Attempts to authenticate will generate an error. Most modern clients are intelligent enough to detect the absence of AUTH and will not attempt to
authenticate. Good ones will abort and notify the user. Bad ones might
attempt to continue, in case the server will still accept the message.
If the domain is a destination your server handles, it will probably
accept the message, otherwise it will reject it.

In the final step of my scenario, that's the behavior I want to achieve.
Will that simple step work?

Yes. You can completely disable submission on port 25 and prevent
relaying to destinations you don't accept by hosts outside of mynetworks.



Thank you, and thank you to Chris for your help on this! I just have two, maybe obvious, questions... if I may:

I noticed that on several occasions, and in the default master.cf:

-o milter_macro_daemon_name=ORIGINATING

is suggested for the submission service. I'm not familiar with Milters and can't find information on what this is or what this does (at least in my search of the docs). Can you offer any pointers to where I can learn more specifics about milter macro daemons and this specific one?

Also you noted:

In the final step of my scenario, that's the behavior I want to achieve.
Will that simple step work?

Yes. You can completely disable submission on port 25 and prevent
relaying to destinations you don't accept by hosts outside of mynetworks.

Does smtpd_sasl_auth_enable = no completely disable submission and prevent relaying for hosts I don't accept? Or is there more I have to make sure I do?

Thank you again!

--Jeff
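
The behaviour discussed in this thread (no 250-AUTH line after EHLO when smtpd_sasl_auth_enable = no) can be checked from saved EHLO replies. The following is an added example, not part of the original messages or of Postfix; the function names are hypothetical and the sample replies, including the host name mail.example.com, are constructed.

```python
import re

# Constructed EHLO replies for illustration; not captured from a real server.
PORT25 = "250-mail.example.com\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
PORT587 = ("250-mail.example.com\r\n250-PIPELINING\r\n"
           "250-AUTH PLAIN LOGIN\r\n250-AUTH=PLAIN LOGIN\r\n250 8BITMIME\r\n")

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def auth_mechanisms(ehlo_reply):
    """Return the sorted SASL mechanisms advertised in an EHLO reply ([] if none)."""
    lines = [ln for ln in ehlo_reply.splitlines() if ln]
    if not lines:
        raise ValueError("empty reply")
    mechs = set()
    for idx, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"not a 250 reply line: {line!r}")
        # "250-" marks a continuation line, "250 " the final line of the reply.
        if (m.group(2) == " ") != (idx == len(lines) - 1):
            raise ValueError(f"misplaced continuation marker: {line!r}")
        if idx == 0:
            continue  # first line carries the server name, not an extension
        text = m.group(3)
        # Some servers also send the legacy "AUTH=..." form for old clients.
        if text[:5].upper() in ("AUTH ", "AUTH="):
            mechs.update(word.upper() for word in text[5:].split())
    return sorted(mechs)


def audit(port25_reply, submission_reply):
    """Report deviations from the split the thread aims for:
    no AUTH on port 25, AUTH offered on the submission port."""
    findings = []
    if auth_mechanisms(port25_reply):
        findings.append("port 25 advertises AUTH")
    if not auth_mechanisms(submission_reply):
        findings.append("submission port does not advertise AUTH")
    return findings


if __name__ == "__main__":
    print(audit(PORT25, PORT587) or "listeners match the intended split")
```

If the server offers AUTH only after STARTTLS, pass in the EHLO reply obtained inside the encrypted session.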
