Re: non-alpha HELO

Fri, 13 Mar 2009 09:50:44 -0700 

LuKreme wrote, On 3/13/09 11:53 AM:

On 13-Mar-2009, at 09:04, Jorey Bump wrote:

For the people still supporting the antiquated model of accepting mail
submission via SMTP rather than a proper port 587 daemon, it is
important to  make allowances for the fact that MUA's frequently have no
better choice for their HELO argument than an IP literal, and sometimes
even that is pretty lousy (i.e. an ephemeral RFC1918 private IP)


MUA HELOs are problematic in many ways. But you're absolutely right,
this is best handled by delaying this sort of check_helo_access until
smtpd_recipient_restrictions, after permit_mynetworks &
permit_sasl_authenticated, if you support submission on SMTP port 25 on
an MX server.



OK, this piqued my interest.  I have 587 setup, and I also have a couple 
of alternate ports in the 1025+ range to deal with any users unlucky 
enough to be behind draconian ISPs, but I do still accept mail on port 
25.  In fact, I wasn't even aware that you could force users to use the 
submission port.



Where's the read me on configuring master.cf for this, as I think it 
might be worth looking at.



If you have a good port 587 config in master.cf, you may need no changes 
there. My submission entry for a server that accepts no port 25 submission 
from outside the LAN is:


submission      inet    n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o syslog_name=postfix/submit
  -o smtpd_milters=

(If your main.cf doesn't define smtpd_milters, the last line is unnecessary)


Forcing users into submission (or however you want to phrase that...) is 
really a main.cf issue, and depending on your network and users it may be 
more a matter of encouragement than force. Any measure you have in place in 
main.cf smtpd_*_restrictions entries solely in order to permit your users' 
initial submissions should be removed from there and instead be in the 
smtpd_*_restrictions definitions in the submission entry in master.cf.



The generalized rule is that main.cf defines a baseline set of definitions, 
while the -o entries in the master.cf entry for a service replaces 
definitions as needed. For example, I define my smtpd_sasl_* settings in 
main.cf because that way they don't clutter master.cf, and without 
permit_sasl_authenticated in main.cf, those settings are operationally 
irrelevant to the port 25 smtpd.





















					Reply via email to