LuKreme wrote:
On 13-Mar-2009, at 09:04, Jorey Bump wrote:
For the people still supporting the antiquated model of accepting mail
submission via SMTP rather than a proper port 587 daemon, it is
important to make allowances for the fact that MUA's frequently have no
better choice for their HELO argument than an IP literal, and sometimes
even that is pretty lousy (i.e. an ephemeral RFC1918 private IP)
MUA HELOs are problematic in many ways. But you're absolutely right,
this is best handled by delaying this sort of check_helo_access until
smtpd_recipient_restrictions, after permit_mynetworks &
permit_sasl_authenticated, if you support submission on SMTP port 25 on
an MX server.
OK, this piqued my interest. I have 587 setup, and I also have a couple
of alternate ports in the 1025+ range to deal with any users unlucky
enough to be behind draconian ISPs, but I do still accept mail on port
25. In fact, I wasn't even aware that you could force users to use the
submission port.
You can't "prevent" them from connecting to port 25, but you
can make it less useful by not allowing them to relay.
Or you can be really draconian and reject your own domain as
sender from unauthenticated/unauthorized clients.
It's then usually enough to point them to a web page with
instructions. usually...
I don't know if I would go so far as to say this is a
recommended setup, but it since it cleanly separates your
traffic it makes applying separate policies (ie. spam/virus
controls, DKIM, logs, whatever) to authenticated users easier.
Where's the read me on configuring master.cf for this, as I think it
might be worth looking at.
No specific readme on this, just configure the existing
restrictions to do what you want. Maybe this helps a little
bit: http://www.postfix.org/master.5.html
Just remove permit_sasl_authenticated from the port 25
listener (and maybe restrict mynetworks to only clients that
can't authenticate). This is usually done by removing
permit_sasl_authenticated from main.cf and adding -o
smtpd_recipient_restrictions=permit_sasl_authenticated,reject
(and maybe other options such as syslog_name) to the master.cf
submission listener.
-- Noel Jones