> So you should change 'client' to 'recipient' in master.cf before you
> remove the 'permit_sasl_authenticated' in main.cf.
> 
> At that point, SquirrelMail (or anything else) won't be able to send
> mail unless it authenticates on port 587, sends to one of your domains
> on port 25, or is in $mynetworks and sends on port 25.
> 
> The path of least resistance is probably to add the SquirrelMail box to
> $mynetworks, and have it send to port 25. If someone can gain control of
> the SquirrelMail box, you're screwed mail-wise anyway, so I don't think
> you lose any security that way.

Wouldn't it be smarter to just tell SquirrelMail to use port 587 and pass 
through authentication?  This way if the server is compromised or has another 
exploit there isn't a simple internal email server to send all that spam from.

This is exactly what we do for both Horde and Roundcube.
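
The end state discussed in this thread can be checked mechanically. The following is an added example, not code from either poster: a small Python audit that confirms main.cf no longer lists `permit_sasl_authenticated` and that the submission service in master.cf overrides `smtpd_recipient_restrictions` to require authentication. The sample configs are constructed and their layout is an assumption, as are the helper names.

```python
# Constructed sample configs (assumed layout, not the posters' real files).
MAIN_CF = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""
PARAM = "smtpd_recipient_restrictions"

def logical_lines(text):
    # Postfix joins a line that starts with whitespace onto the previous one.
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def main_cf_value(text, name):
    # Return the restriction list set for `name` in main.cf, or [].
    for line in logical_lines(text):
        key, _, value = line.partition("=")
        if key.strip() == name:
            return value.replace(",", " ").split()
    return []

def service_override(text, service, name):
    # Return the "-o name=value" override for a master.cf service, or None.
    for fields in map(str.split, logical_lines(text)):
        if fields[0] == service:
            for flag, arg in zip(fields, fields[1:]):
                if flag == "-o" and arg.startswith(name + "="):
                    return arg.split("=", 1)[1].split(",")
    return None

def audit(main_cf, master_cf):
    findings = []
    if "permit_sasl_authenticated" in main_cf_value(main_cf, PARAM):
        findings.append("main.cf still lists permit_sasl_authenticated")
    sub = service_override(master_cf, "submission", PARAM)
    if sub is None or "permit_sasl_authenticated" not in sub or sub[-1] != "reject":
        findings.append("submission does not override " + PARAM + " to require auth")
    return findings
```

An empty result from `audit()` means both conditions hold; on a real host, feed it the contents of the actual main.cf and master.cf.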
