On Wed, Nov 24, 2010 at 05:33:31PM -0500, chris guirl wrote:

> > You also don't specify whether your server is an MSA only, or also an
> > MX host.
> 
> It appears the problem is more complicated than I previously thought.
> I think I am misunderstanding the intent of some of these security
> measures. My goals are simply to responsibly run an MX host that will
> not be abused by spammers and subsequently blacklisted. I was working
> with the preconceived notion that anonymous SMTP is always bad and
> should be disabled to prevent running an open relay; I see now that
> this is inaccurate and I'm reassessing my plans accordingly.

If you are running an MX host, you cannot mandate TLS, since most sending
sites will not support that. You should however mandate TLS for submission
clients (MUAs connecting to you to submit mail for delivery). You really
should use port 587 for submission if possible, so that you are not
trying to handle the kitchen sink on port 25.

> > Postfix can't offer SASL mechanisms that Dovecot is not configured to
> > use. Other than that, you configure Postfix policy in Postfix.
> 
> OK, that is what I suspected, and it makes sense, thanks.
> 
> >> smtpd_tls_auth_only = yes
> >
> > With this SASL AUTH will NOT be available without TLS.
> 
> So, this setting doesn't *require* TLS for SASL authentication, it
> *disables* SASL for non-TLS traffic. Is that accurate?

There is no logical difference between the two things you are trying
to contrast. If SASL is disabled without TLS, then TLS is required
for SASL.

        not TLS implies not SASL

is equivalent to:

        SASL implies TLS

as both are equivalent to:

        not SASL OR TLS

-- 
        Viktor.
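The split Viktor describes, an MX on port 25 that cannot insist on TLS and a submission service on 587 that insists on both TLS and SASL, is an added illustration here and not part of the original exchange. It is a Postfix main.cf / master.cf fragment (Postfix 2.3 or later syntax), with the certificate path, the Dovecot auth socket path and the use of the "submission" service name from /etc/services all assumed for the example:

```text
# main.cf - defaults, which is what the port 25 MX service runs with.
# Opportunistic TLS only: a sending MTA that does not do STARTTLS still
# gets to deliver, and AUTH is not offered on this port at all.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/smtpd.pem      # assumed path
smtpd_tls_key_file  = /etc/postfix/smtpd.pem      # assumed path
smtpd_sasl_auth_enable = no
# Relay only for our own networks or to domains we accept mail for;
# reject_unauth_destination is what keeps this from being an open relay.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# master.cf - the port 587 submission service. Each "-o" line overrides
# the main.cf value for this service only; "submission" resolves to 587
# via /etc/services (write 587 explicitly if in doubt).
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

With smtpd_tls_security_level=encrypt the submission service already refuses everything but STARTTLS before the session is encrypted, so smtpd_tls_auth_only=yes is redundant there; it is kept to show the setting from the question in its intended place (it would matter on a service running at level "may"). The two "reject" restrictions mean an unauthenticated client on 587 can do nothing useful, while port 25 keeps accepting inbound mail for local domains from anyone, which is the MX job.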