Scott Haneda wrote, at 04/24/2009 07:58 AM:

> I am a little confused about main.cf and master.cf.  Is there overlap in
> some of the settings? Do some settings exist in both files, or at least
> are interchangeable?  If this is the case, under what conditions do you
> decide to do so?

From master(5) [http://www.postfix.org/master.5.html]:

-o name=value
       Override  the  named  main.cf  configuration
       parameter. The parameter value can refer  to
       other parameters as $name etc., just like in
       main.cf.  See postconf(5) for syntax.

As implied, it's useful when you need to override the settings in
main.cf to get different behaviour appropriate to the service you're
setting up in master.cf (submission, reinjection from proxy/filter, etc.).

> I successfully sent emails through this system as unauthenticated,
> authenticated, with tls, and with ssl. This is a migration, and I would
> like to have minimal email client settings needing change.  My old
> server did not have SSL or TLS.
> 
> Old Server:
> No SSL, No TLS
> port 25 = normal inbound, plus smtp auth'd users
> port 587 = forced auth'd users
> 
> I am willing to disallow user connection to port 25.  How do I do this? 
> In main.cf or master.cf? Right now, I believe I only have this:
> [snip... master.cf ]
> smtp      inet  n       -       n       -       -       smtpd
> I believe I need to add a restriction in there to stop clients from
> connecting?

There was a recent thread on this subject, worth reading:

 http://www.mail-archive.com/postfix-users@postfix.org/msg06230.html

> For port 587 submission, I want to offer SSL, TLS, and non encrypted to
> cover the users who will not want to change their settings.  I can not
> seem to get this to work, it is either no encryption, or forced encryption.
> 
> [snip... master.cf ]
> submission inet n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated
>   -o milter_macro_daemon_name=ORIGINATING

Use:

    -o smtpd_tls_security_level=may
    -o smtpd_tls_auth_only=no

I think it's normally a bad idea not to enforce TLS on the submission
port, but if you're using a secure mechanism and want to prevent weaker
ones, add:

    -o smtpd_sasl_security_options=noanonymous,noplaintext
    -o smtpd_sasl_tls_security_options=noanonymous

> * Do I even need the milter line?

Good question. It may depend on whether or not you use milters. I don't,
but I leave it in because I don't want issues later if I decide to
deploy a milter.

> Port 465, I believe will be reserved exclusively for SSL?  Port 587 does
> the TLS, is that correct?  Or is the SSL just wrapping around the TLS?
> 
> [snip... master.cf ]
> 465     inet  n       -       n       -       -       smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING

This is for legacy support. I suggest you don't activate it until you're
sure you need it. Wrapper mode is different from offering STARTTLS.
Nearly all modern clients support STARTTLS. If someone absolutely needs
port 465, that could be a red flag that the user needs an upgrade.
However, some webmail programs might have poor support for STARTTLS,
forcing you to enable smtps if you require an encrypted connection.

> In Apple Mail, there are auth options of ntlm, md5 Challenge-Response,
> Kerberos, and Password.  In Thunderbird I noticed there are no such
> options.  Which are used in Thunderbird?  What is the best to use, or is
> it only applicable if you are choosing to not use SSL/TLS?

Thunderbird has a "Use secure authentication" checkbox that supports
multiple mechanisms (independent of SSL/TLS). Unfortunately, *it*
decides which one to use, which I find very frustrating. I'm happy for
mail clients to select the best mechanisms available for easy
autoconfiguration, but it would be nice to have the ability to set them
explicitly (for troubleshooting or security reasons).

In any case, it's good practice to check this box if the server supports
secure mechanisms, for a little extra protection beyond SSL/TLS.

> I have been pretty up and down the docs, this is somehow not making a
> lot of sense.  I think once I understand what crosses over in config
> from main.cf and master.cf, it will make more sense.
> 
> postconf -n

> smtp_tls_cert_file = /opt/local/etc/ssl/certs/dovecot.pem
> smtp_tls_key_file = /opt/local/etc/ssl/private/dovecot.pem

If you're not using client certificate authentication (and you probably
aren't), delete those lines.

> smtp_tls_security_level = may

This is good.

> smtpd_recipient_restrictions = permit_mynetworks   
> permit_sasl_authenticated    reject_unauth_destination    permit

You can remove permit_sasl_authenticated from here if you don't want to
offer authenticated submission on port 25...

> smtpd_sasl_auth_enable = yes

...and change this to no (or remove the line, as no is the default).

> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_exceptions_networks = $mynetworks
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot

I'd probably leave these in main.cf, just to keep master.cf simple, but
it's your choice. Also, you can probably drop
smtpd_sasl_exceptions_networks, as it won't make sense if you disable
SMTP AUTH on port 25 and require authentication on port 587.

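Added example, not part of this thread or of Postfix itself: a small Python script that applies the master(5) rule quoted above ("-o name=value overrides the main.cf parameter for that service") to a constructed main.cf/master.cf pair, computes the effective settings per smtpd service, and flags any service that would let a client send a plaintext SASL password outside TLS. The configuration text, the host name and the function names are all made up for the example and modelled on the settings discussed in this message; the parser only understands the plain "-o name=value" form, not the brace-quoted values later Postfix releases accept, and the exposure rule is the one the message describes (AUTH only inside TLS via wrapper mode, security_level=encrypt or smtpd_tls_auth_only=yes, or else noplaintext in smtpd_sasl_security_options).

```python
# Merge main.cf with per-service master.cf "-o" overrides and flag smtpd services
# that accept a plaintext SASL password outside TLS. All config text is constructed.
import re

MAIN_CF = """
myhostname = mail.example.com
smtpd_sasl_auth_enable = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_tls_security_level = may
smtpd_recipient_restrictions = permit_mynetworks
    reject_unauth_destination
"""

# Corrected layout: no AUTH on 25, optional TLS on submission with plaintext
# mechanisms refused unless TLS is up, smtps in wrapper mode.
MASTER_CF = """
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_tls_auth_only=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
465        inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""

# Weak variant: optional TLS, but only main.cf's "noanonymous" restriction.
MASTER_CF_WEAK = """
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
"""

def parse_main_cf(text):
    # "name = value" lines; an indented line continues the previous value.
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def parse_master_cf(text):
    # {service: {"command", "overrides"}}; brace-quoted -o values (3.x) not handled.
    services, cur = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            m = re.match(r"\s*-o\s+(\w+)=(\S*)", raw)
            if m and cur is not None:
                cur["overrides"][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        if len(fields) >= 8:
            cur = services[fields[0]] = {"command": fields[7], "overrides": {}}
    return services

def expand(value, params, depth=0):
    # Expand $name and ${name} as postconf does; the depth bound stops loops.
    if depth > 20:
        return ""
    return re.sub(r"\$\{(\w+)\}|\$(\w+)", lambda m: expand(
        params.get(m.group(1) or m.group(2), ""), params, depth + 1), value)

def effective_settings(main_text, master_text):
    # Per service: main.cf with that service's "-o" overrides applied on top.
    main, out = parse_main_cf(main_text), {}
    for name, svc in parse_master_cf(master_text).items():
        merged = {**main, **svc["overrides"]}
        out[name] = {k: expand(v, merged) for k, v in merged.items()}
    return out

def plaintext_auth_exposed(s):
    # True if a client could send a plaintext SASL credential without TLS.
    if s.get("smtpd_sasl_auth_enable", "no") != "yes":
        return False
    if (s.get("smtpd_tls_wrappermode", "no") == "yes"
            or s.get("smtpd_tls_security_level", "none") == "encrypt"
            or s.get("smtpd_tls_auth_only", "no") == "yes"):
        return False  # AUTH is only reachable inside a TLS session
    opts = s.get("smtpd_sasl_security_options", "noanonymous")
    return "noplaintext" not in opts.replace(",", " ").split()

def audit(main_text, master_text):
    # {smtpd service name: exposed?}; non-smtpd services are skipped.
    smtpd = {n for n, v in parse_master_cf(master_text).items() if v["command"] == "smtpd"}
    return {n: plaintext_auth_exposed(s)
            for n, s in effective_settings(main_text, master_text).items() if n in smtpd}
```

With the constructed inputs, audit(MAIN_CF, MASTER_CF) reports no exposed service (port 25 has AUTH off, submission refuses plaintext mechanisms until STARTTLS, 465 is TLS-wrapped), while audit(MAIN_CF, MASTER_CF_WEAK) flags "submission", because smtpd_tls_security_level=may with the default smtpd_tls_auth_only=no still announces AUTH before STARTTLS and main.cf's noanonymous alone does not stop PLAIN/LOGIN. To run it against a real box, feed it the output of "postconf -n" and your master.cf (on Postfix 2.11 and later "postconf -P" prints the master.cf "-o" settings per service, which is a convenient cross-check).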