Hello,

I have mail_version = 2.8.3 on CentOS 5.7 (x86_64).

Everything is running OK; the server only accepts local or authorized (using STARTTLS) connections, as there is another mail gateway receiving/filtering and delivering locally to this one.

STARTTLS is configured and works fine.

In /etc/services there is:

submission      587/tcp         msa             # mail message submission
submission      587/udp         msa             # mail message submission

In order to *also* offer our clients TLS/SSL (on port 587), in case there are some not supporting STARTTLS:

*Question 1:*
Is it enough to uncomment (in /etc/postfix/master.cf):

#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

... and open port 587 on the firewall?

*Question 2:*
If I don't use the -o smtpd_client_restrictions option, do the smtpd_client_restrictions from main.cf apply, or must I configure them explicitly here?

And:
*Question 3:*
Just to make sure! The above change (addition) should leave the current behavior on port 25 unaltered? Please confirm!

Thanks very much,
Nick

For reference, the config follows:

# postconf -n (real DNS names and networks modified):

alias_database = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.d/virtual_aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_logging_resolution_limit = 3
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_header_rewrite_clients = static:all
mail_owner = postfix
mailbox_command = /usr/lib/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 41943040
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example.com
myhostname = smtp.example.com
mynetworks = 10.10.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_canonical_maps = hash:/etc/postfix/domainrecipientmap
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_canonical_maps = hash:/etc/postfix/domainsendermap
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
smtpd_delay_reject = yes
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/protected_destinations, permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination, reject_unknown_recipient_domain,reject_unverified_recipient
smtpd_restriction_classes = allowed_list1
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/certs/chain-180.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/cert-180.pem
smtpd_tls_key_file = /etc/pki/tls/private/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.d/virtual_aliases, ldap:/etc/postfix/ldap-alias-vacation.cf, ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = $mydomain, tech.$mydomain,   admin.$mydomain
virtual_mailbox_limit = 0
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_transport = dovecot
virtual_uid_maps = static:500
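An added check (not part of the post above, and not Postfix's own tooling) for the setup the questions describe: it connects to port 25 with STARTTLS and to the wrapper-mode port with implicit TLS, records the EHLO keywords seen before and after encryption, and reports whether AUTH is offered only inside TLS, which is what smtpd_tls_auth_only = yes is meant to enforce. The host name, the port numbers and the diagnostic strings are assumptions for illustration.

```python
import ssl
import smtplib
import sys

# Diagnostics returned by evaluate(); constants so callers can match them exactly.
AUTH_BEFORE_TLS = "AUTH advertised before TLS; smtpd_tls_auth_only=yes is not in effect"
NO_STARTTLS = "STARTTLS not advertised on the cleartext port"
NO_AUTH_AFTER_TLS = "AUTH not advertised inside TLS; check smtpd_sasl_auth_enable on this service"

def starttls_features(host, port=25, timeout=10):
    """EHLO keywords seen before and after STARTTLS on a plain SMTP port."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        before = dict(conn.esmtp_features)   # smtplib lower-cases the keywords
        conn.starttls(context=ctx)
        conn.ehlo()                          # EHLO must be repeated after TLS
        after = dict(conn.esmtp_features)
    return before, after

def wrapper_features(host, port=587, timeout=10):
    """EHLO keywords on a smtpd_tls_wrappermode=yes port (TLS from the first byte)."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as conn:
        conn.ehlo()
        return dict(conn.esmtp_features)

def evaluate(plain, tls):
    """Policy violations for one service; plain is None on a wrapper-mode port
    (no cleartext EHLO exists there), tls is the EHLO seen inside TLS."""
    problems = []
    if plain is not None:
        if "auth" in plain:
            problems.append(AUTH_BEFORE_TLS)
        if "starttls" not in plain:
            problems.append(NO_STARTTLS)
    if "auth" not in tls:
        problems.append(NO_AUTH_AFTER_TLS)
    return problems

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "smtp.example.com"  # assumed host
    plain25, tls25 = starttls_features(host, 25)
    print("port 25 :", evaluate(plain25, tls25) or "ok")
    print("port 587:", evaluate(None, wrapper_features(host, 587)) or "ok")
```

Run it once before and once after editing master.cf: an unchanged empty result for port 25 answers Question 3, and an empty result for the wrapper-mode port shows the new service offers AUTH over TLS.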
