On 08.12.2011 21:49, Grant wrote:
>>>> 25 is used by your MTA to receive *incoming* messages from other
>>>> administrative domains (organizations).
>>>
>>> Port 25 is never used to submit outbound messages? If not, I'm
>>> confused as to why Squirrelmail describes its "SMTP Port" setting this
>>> way:
>>>
>>> This is the port to connect to for SMTP. Usually 25.
>>
>> It *was* used to submit outbound messages, but this has proven susceptible
>> to open-relay exploits, etc.
>>
>> You're really better off using 587 exclusively.
>
> Is it alright to send on port 25 from Squirrelmail when it's on the
> same machine as postfix? That way I can make 587 require TLS and
> authentication but not require that local Squirrelmail encrypt or
> authenticate.
Jesus Christ, it is YOUR decision, as you maintain both parts. So if 127.0.0.1 is in mynetworks it can be used without restrictions, and if you decide to open "10030" on localhost for Squirrelmail, do it.

This is an example that allows only a spam firewall to submit messages on port 10026 with no restrictions; usually you do the same for amavis:

# master.cf: a dedicated smtpd on 10.0.0.15:10026 that only the spam
# firewall at 10.0.0.20 may use; every check is switched off for it
10.0.0.15:10026 inet n - n - - smtpd
  -o mynetworks=10.0.0.20
  -o smtpd_client_connection_count_limit=75
  # -o values must not contain whitespace, so no space after the comma
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o receive_override_options=no_header_body_checks,no_milters
  -o local_header_rewrite_clients=
  -o sender_dependent_relayhost_maps=
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_helo_required=no
  -o smtpd_sender_restrictions=
  -o smtpd_sender_login_maps=
  -o smtpd_data_restrictions=
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_rate_limit=0
  -o smtpd_peername_lookup=no
  -o smtpd_use_tls=no
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no
  -o smtpd_reject_footer=
  -o max_idle=1h
  -o max_use=1000

> Also, should I have some sort of config that prevents the port 25
> open-relay exploit you mentioned?

Reject any attempt to send messages from outside mynetworks to foreign domains. This is mandatory on any mail server:

# main.cf: relay control; reject_unauth_destination must be reached before
# any permit that could admit an outside client
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_invalid_hostname
    reject_unknown_reverse_client_hostname
    reject_unauth_pipelining
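A static check for the open-relay hazard the reply describes, added here as an example; it is not part of the original thread and not Postfix's own code. It parses constructed main.cf fragments (the posted restriction list plus deliberately broken variants) and reports whether an untrusted client would reach reject_unauth_destination before any unconditional permit. The parameter and rule names are real Postfix ones; the helper names and the sample configs are this example's own assumptions.

```python
"""Static audit of a Postfix main.cf for the classic open-relay mistake:
an outside client must hit reject_unauth_destination (or defer_/reject)
before any permit that could admit a stranger.

Added example, not from the original post; the main.cf texts below are
constructed for the demonstration."""
import re

# Permit rules acceptable ahead of reject_unauth_destination: they only
# admit clients the admin has explicitly trusted, or mail we accept anyway.
SAFE_PERMITS = {
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "permit_tls_clientcerts",
    "permit_tls_all_clientcerts",
    "permit_auth_destination",
}
# Rules that close the list to relaying: unauthorised destinations are
# refused, or everything is refused outright.
RELAY_STOPPERS = {"reject_unauth_destination", "defer_unauth_destination", "reject"}


def parse_main_cf(text):
    """Parse 'name = value' lines the way postconf(5) describes them: an
    indented line continues the previous logical line, '#' lines are comments."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def restriction_list(value):
    """Split a restriction value on commas and/or whitespace, keeping order."""
    return [tok for tok in re.split(r"[\s,]+", value) if tok]


def list_closes_relay(rules):
    """True if this list stops relaying for an untrusted client: a relay
    stopper is reached before any permit that could admit a stranger.
    Limitation: check_*_access lookup tables are not evaluated, so a
    permissive table entry is a hole this static check cannot see."""
    for rule in rules:
        if rule in RELAY_STOPPERS:
            return True
        if rule == "permit" or (rule.startswith("permit_") and rule not in SAFE_PERMITS):
            return False
    return False


def audit_relay(main_cf_text):
    """Return (ok, reason). Postfix >= 2.10 evaluates smtpd_relay_restrictions
    and then smtpd_recipient_restrictions and a client must pass both, so one
    closed list is enough. Only parameters actually present are checked
    (conservative: an unset smtpd_relay_restrictions gets a safe built-in
    default on 2.10+, and is ignored on older releases)."""
    params = parse_main_cf(main_cf_text)
    checked = []
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        if name in params:
            checked.append(name)
            if list_closes_relay(restriction_list(params[name])):
                return True, f"{name} closes the relay"
    if not checked:
        return False, "neither smtpd_relay_restrictions nor smtpd_recipient_restrictions is set"
    return False, "open relay risk: " + " and ".join(checked) + \
        " never reach reject_unauth_destination before an open permit"


# Constructed main.cf fragments for the demonstration.
POSTED_CONFIG = """\
# the list recommended in the reply above
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_invalid_hostname
    reject_unknown_reverse_client_hostname
    reject_unauth_pipelining
"""
OPEN_RELAY_CONFIG = """\
mynetworks = 127.0.0.0/8
# 'permit' ends the list before reject_unauth_destination is ever reached
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""
MISSING_STOPPER_CONFIG = "smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain\n"
RELAY_LIST_SAVES_IT = """\
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, permit
"""

if __name__ == "__main__":
    for label, cfg in [("posted", POSTED_CONFIG), ("open-relay", OPEN_RELAY_CONFIG),
                       ("no-stopper", MISSING_STOPPER_CONFIG), ("relay-list", RELAY_LIST_SAVES_IT)]:
        ok, why = audit_relay(cfg)
        print(f"{label:<12} {'OK ' if ok else 'BAD'}  {why}")
```

Run it against a real server with `postconf -n > main.cf.txt` and feed that text to audit_relay; the "permit_mynetworks,reject" override from the spam-firewall listener above is also recognised as closed, because an unconditional reject ends the list before any stranger can be admitted.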