Re: non-alpha HELO

Fri, 13 Mar 2009 09:39:40 -0700 

LuKreme wrote:

On 13-Mar-2009, at 09:04, Jorey Bump wrote:

For the people still supporting the antiquated model of accepting mail
submission via SMTP rather than a proper port 587 daemon, it is
important to  make allowances for the fact that MUA's frequently have no
better choice for their HELO argument than an IP literal, and sometimes
even that is pretty lousy (i.e. an ephemeral RFC1918 private IP)


MUA HELOs are problematic in many ways. But you're absolutely right,
this is best handled by delaying this sort of check_helo_access until
smtpd_recipient_restrictions, after permit_mynetworks &
permit_sasl_authenticated, if you support submission on SMTP port 25 on
an MX server.



OK, this piqued my interest.  I have 587 setup, and I also have a couple 
of alternate ports in the 1025+ range to deal with any users unlucky 
enough to be behind draconian ISPs, but I do still accept mail on port 
25.  In fact, I wasn't even aware that you could force users to use the 
submission port.



You can't "prevent" them from connecting to port 25, but you 
can make it less useful by not allowing them to relay.
Or you can be really draconian and reject your own domain as 
sender from unauthenticated/unauthorized clients.
It's then usually enough to point them to a web page with 
instructions. usually...



I don't know if I would go so far as to say this is a 
recommended setup, but it since it cleanly separates your 
traffic it makes applying separate policies (ie. spam/virus 
controls, DKIM, logs, whatever) to authenticated users easier.



Where's the read me on configuring master.cf for this, as I think it 
might be worth looking at.



No specific readme on this, just configure the existing 
restrictions to do what you want.  Maybe this helps a little 
bit: http://www.postfix.org/master.5.html



Just remove permit_sasl_authenticated from the port 25 
listener (and maybe restrict mynetworks to only clients that 
can't authenticate).  This is usually done by removing 
permit_sasl_authenticated from main.cf and adding -o 
smtpd_recipient_restrictions=permit_sasl_authenticated,reject 
(and maybe other options such as syslog_name) to the master.cf 
submission listener.


  -- Noel Jones






















					Reply via email to