LuKreme wrote, On 3/13/09 11:53 AM:
> On 13-Mar-2009, at 09:04, Jorey Bump wrote:
>>> For the people still supporting the antiquated model of accepting mail
>>> submission via SMTP rather than a proper port 587 daemon, it is
>>> important to make allowances for the fact that MUAs frequently have no
>>> better choice for their HELO argument than an IP literal, and sometimes
>>> even that is pretty lousy (i.e. an ephemeral RFC1918 private IP).
>>
>> MUA HELOs are problematic in many ways. But you're absolutely right,
>> this is best handled by delaying this sort of check_helo_access until
>> smtpd_recipient_restrictions, after permit_mynetworks &
>> permit_sasl_authenticated, if you support submission on SMTP port 25 on
>> an MX server.
>
> OK, this piqued my interest. I have 587 set up, and I also have a couple
> of alternate ports in the 1025+ range to deal with any users unlucky
> enough to be behind draconian ISPs, but I do still accept mail on port
> 25. In fact, I wasn't even aware that you could force users to use the
> submission port.
>
> Where's the read me on configuring master.cf for this, as I think it
> might be worth looking at.

If you have a good port 587 config in master.cf, you may need no changes
there. My submission entry for a server that accepts no port 25 submission
from outside the LAN is:

submission inet n - n - - smtpd
  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o syslog_name=postfix/submit
  -o smtpd_milters=

(If your main.cf doesn't define smtpd_milters, the last line is unnecessary)

Forcing users into submission (or however you want to phrase that...) is
really a main.cf issue, and depending on your network and users it may be
more a matter of encouragement than force. Any measure you have in place in
main.cf smtpd_*_restrictions entries solely in order to permit your users'
initial submissions should be removed from there and instead be in the
smtpd_*_restrictions definitions in the submission entry in master.cf.

The generalized rule is that main.cf defines a baseline set of definitions,
while the -o entries in the master.cf entry for a service replace
definitions as needed. For example, I define my smtpd_sasl_* settings in
main.cf because that way they don't clutter master.cf, and without
permit_sasl_authenticated in main.cf, those settings are operationally
irrelevant to the port 25 smtpd.
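
Added example, not part of the original post or of Postfix: a small Python audit that applies the rule described above (main.cf is the baseline, each master.cf service's -o entries replace it) and reports where the restriction ordering discussed in the thread is not met. The sample configs and the helo_access map path are constructed, and it assumes the submission service is named "submission" and uses only the plain -o name=value form.

```python
import re
# Constructed sample configs, not a real server's; the helo_access map path is hypothetical.
MAIN_CF = """\
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions = check_helo_access hash:/etc/postfix/helo_access,
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""
MASTER_CF = """\
smtp       inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""
def logical_lines(text):  # drop blank/comment lines; fold indented continuation lines
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def effective(main_text, master_text):
    """Per smtpd service: main.cf baseline with that service's -o name=value overrides applied."""
    main = {k.strip(): v.strip() for k, _, v in (l.partition("=") for l in logical_lines(main_text))}
    services = {}
    for f in (l.split() for l in logical_lines(master_text)):
        if len(f) >= 8 and f[7] == "smtpd":  # 8th master.cf field is the command
            over = {k: v for k, _, v in (f[i + 1].partition("=") for i in range(8, len(f) - 1) if f[i] == "-o")}
            services[f[0]] = {**main, **over}
    return services

def audit(main_text, master_text):
    """Findings as (service, message); any smtpd service not named 'submission' is treated as MX-side."""
    findings = []
    for name, p in effective(main_text, master_text).items():
        rules = [t for t in re.split(r"[,\s]+", p.get("smtpd_recipient_restrictions", "")) if t]
        if name == "submission":
            if p.get("smtpd_sasl_auth_enable") != "yes" or "permit_sasl_authenticated" not in rules or rules[-1:] != ["reject"]:
                findings.append((name, "not limited to authenticated clients"))
            continue
        permits = [rules.index(x) for x in ("permit_mynetworks", "permit_sasl_authenticated") if x in rules]
        if "check_helo_access" in rules and permits and rules.index("check_helo_access") < max(permits):
            findings.append((name, "check_helo_access runs before the permit rules"))
        if "permit_sasl_authenticated" in rules:
            findings.append((name, "submission allowance still in port 25 restrictions"))
    return findings
```

The second port 25 finding only matters on a server that, like the one described above, is meant to take no authenticated submission on port 25.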