On 2011-07-20 22:15, Peter Tselios wrote:
> Well, since I plan to move into the Postfix wagon, from scratch, I
> want to learn more about the 587 port submission and the blockage of
> port 25 for that. What are the best practices on the matter? Are there
> any documents on that? Soren, how do you implement it?
See http://www.postfix.org/SASL_README.html#server_sasl to start with.
Also look at http://www.postfix.org/TLS_README.html#server_tls_auth
because this seems to cause issues for many people when first setting up
SASL.
As for submission, the stock master.cf has a commented-out example that
works as is.
Blocking port 25 for submission is a different matter, but you can
enforce (some of) it by adding reject_sender_login_mismatch to your
smtpd_recipient_restrictions, BEFORE permit_mynetworks.
This does two things:
1. it only allows SASL submission with the usernames and sender
addresses specifically configured in smtpd_sender_login_maps, and
2. it specifically *prohibits* submission with any of these
usernames or sender addresses from UNauthenticated connections.
For reference:
http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
This way, you can make it impossible for (local network) submissions
over unauthenticated connections to use your configured local domain
sender addresses (and you should reject any addresses not so configured,
in any case).
Of course, if this is the only MTA for your local domain(s), and you're
willing to enforce SASL on all your users, you can simply REJECT all
senders in your local domain(s) on port 25.
However, that is an extreme measure and may run into issues with things
like mailing lists etc.
--
J.
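As an added illustration (not part of the thread and not Postfix's own code), here is a small Python model of how smtpd walks a restriction list, comparing the order J. recommends (reject_sender_login_mismatch BEFORE permit_mynetworks) with the reversed order. The network ranges, the map contents and the exact-address-only lookup are constructed simplifications.

```python
import ipaddress

# Constructed values for the example (not from the thread).
MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24"]

# Constructed smtpd_sender_login_maps: sender address -> SASL login name(s)
# that own it. Real Postfix lookups also try user@ and domain-only keys;
# this model does exact-address lookups only.
SENDER_LOGIN_MAPS = {
    "alice@example.org": {"alice"},
    "sales@example.org": {"alice", "bob"},
}

# The order the reply warns against (mismatch check after permit_mynetworks)
# versus the order it recommends (mismatch check BEFORE permit_mynetworks).
WEAK_ORDER = ["permit_mynetworks", "permit_sasl_authenticated",
              "reject_sender_login_mismatch"]
FIXED_ORDER = ["reject_sender_login_mismatch", "permit_mynetworks",
               "permit_sasl_authenticated"]


def in_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in MYNETWORKS)


def sender_login_mismatch(sasl_user, sender):
    """Model of reject_sender_login_mismatch for one MAIL FROM address."""
    owners = SENDER_LOGIN_MAPS.get(sender.lower(), set())
    if sasl_user is None:
        # Unauthenticated client: reject if the address has any owner.
        return bool(owners)
    # Authenticated client: reject unless this login owns the address.
    return sasl_user not in owners


def evaluate(restrictions, client_ip, sasl_user, sender):
    """Walk the list like smtpd: first PERMIT or REJECT wins, else DUNNO."""
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(client_ip):
            return "PERMIT"
        if r == "permit_sasl_authenticated" and sasl_user is not None:
            return "PERMIT"
        if r == "reject_sender_login_mismatch" and sender_login_mismatch(sasl_user, sender):
            return "REJECT"
    return "DUNNO"  # no decision here; later restrictions or defaults apply
```

With the weak order a LAN client that never authenticated can still send as alice@example.org, while the fixed order rejects it; an unconfigured sender from an unauthenticated client falls through as DUNNO, which is why the reply says such addresses should be rejected separately.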