On 13.03.2012 17:37, Patrick Ben Koetter wrote:
> * Patrick Ben Koetter <postfix-users@postfix.org>:
>> * Wietse Venema <postfix-users@postfix.org>:
>>> Different sites have different needs, and perhaps it is an idea to
>>> provide *multiple* submission service examples in master.cf, all
>>> commented out of course. The first could be the recommended one:
>>> not allowing plaintext sessions is good as a general rule. The
>>> second example could allow plaintext sessions (level = may) but
>>> allow plaintext passwords only over encrypted sessions.
>
> Here are two examples we all seem to agree on. They differ in TLS
> (optional/mandatory) and the SASL mechanisms they allow depending on the TLS
> context.
>
> Additionally, both examples have SMTP session filters that check for syntactic
> deliverability (MSA job) and add required headers if they are missing.
>
> Filters and fixing headers are a change I'd propose, but nobody seems to have
> commented on yet. Agreed by everyone?
>
> As a safety net I would change smtpd_client_restrictions into
> smtpd_recipient_restrictions. This will give a client sufficient time to
> authenticate and permit_sasl_authenticated will work even if an admin changed
> the defaults for smtpd_delay_reject. It also makes it possible to filter for
> reject_non_fqdn_recipient, which the RFC I quoted says to be an MSA job.
>
> # submission example 1: Optional TLS with SASL methods safe to use over an
> # unencrypted network
> #submission inet n - - - - smtpd
> #  -o smtpd_tls_security_level=may
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_sasl_security_options=noplaintext,noanonymous
> #  -o smtpd_sasl_tls_security_options=noanonymous
> #  -o always_add_missing_headers=yes
> #  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
>
> # submission example 2: Mandatory TLS and SASL only over an encrypted network
> #submission inet n - - - - smtpd
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_tls_auth_only=yes
> #  -o always_add_missing_headers=yes
> #  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
>
Hi Patrick,

  always_add_missing_headers (default: no)
    Always add (Resent-) From:, To:, Date: or Message-ID: headers when not
    present. Postfix 2.6 and later add these headers only when clients match
    the local_header_rewrite_clients parameter setting. Earlier Postfix
    versions always add these headers; this may break DKIM signatures that
    cover non-existent headers.

are you sure that your example is safe with i.e. DKIM?

-- 
Best Regards
Kind regards
Robert Schetterer
Germany/Munich/Bavaria
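To make the difference between the two submission examples checkable rather than a matter of reading, here is an added Python script (my own, not code from the thread or from the Postfix project). It parses the `-o` overrides of a master.cf service entry and reports whether a plaintext SASL password could be accepted on a session that has not done STARTTLS. It assumes the postconf(5) defaults listed in `DEFAULTS`, uses the parameter name `smtpd_sasl_tls_security_options` (which falls back to `smtpd_sasl_security_options` when unset) and Postfix's `encrypt` as the mandatory server TLS level; the `WEAK` entry is a constructed counterexample, not something anyone in the thread proposed.

```python
"""Added example: derive the authentication policy implied by a Postfix
submission service entry (master.cf "-o" overrides) and flag the case the
thread is about, a plaintext password crossing the wire unencrypted."""

# postconf(5) defaults that apply when the service does not override them.
# smtpd_sasl_tls_security_options is deliberately absent: its default is
# "$smtpd_sasl_security_options", which assess() resolves explicitly.
DEFAULTS = {
    "smtpd_tls_security_level": "",
    "smtpd_sasl_auth_enable": "no",
    "smtpd_tls_auth_only": "no",
    "smtpd_sasl_security_options": "noanonymous",
}

# Constructed samples modelled on the thread's two examples (commented out,
# as they would appear in a shipped master.cf).
EXAMPLE_1 = """
#submission inet n - - - - smtpd
#  -o smtpd_tls_security_level=may
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_sasl_security_options=noplaintext,noanonymous
#  -o smtpd_sasl_tls_security_options=noanonymous
#  -o always_add_missing_headers=yes
#  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
"""

EXAMPLE_2 = """
#submission inet n - - - - smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o always_add_missing_headers=yes
#  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
"""

# Constructed weak variant: optional TLS with the plaintext-session SASL
# options left at their default, so PLAIN/LOGIN are offered before STARTTLS.
WEAK = """
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
"""


def parse_overrides(entry):
    """Collect the '-o key=value' overrides of one master.cf service entry.
    A leading '#' is stripped so commented-out examples can be checked too."""
    overrides = {}
    for raw in entry.splitlines():
        line = raw.strip().lstrip("#").strip()
        if line.startswith("-o "):
            key, _, value = line[3:].partition("=")
            overrides[key.strip()] = value.strip()
    return overrides


def _options(value):
    """Split a comma-separated SASL security option list into a set."""
    return {opt.strip() for opt in value.split(",") if opt.strip()}


def assess(entry):
    """Return the session/authentication properties implied by the entry."""
    overrides = parse_overrides(entry)

    def setting(key):
        return overrides.get(key, DEFAULTS.get(key, ""))

    # "" and "none" disable TLS, "may" makes it optional; only "encrypt"
    # makes the Postfix SMTP server refuse plaintext sessions.
    cleartext_session = setting("smtpd_tls_security_level") in ("", "none", "may")
    sasl_enabled = setting("smtpd_sasl_auth_enable") == "yes"
    auth_before_tls = (sasl_enabled and cleartext_session
                       and setting("smtpd_tls_auth_only") != "yes")

    plain_opts = _options(setting("smtpd_sasl_security_options"))
    tls_opts = _options(overrides.get("smtpd_sasl_tls_security_options",
                                      setting("smtpd_sasl_security_options")))

    return {
        "cleartext_session_possible": cleartext_session,
        "auth_offered_before_tls": auth_before_tls,
        # The finding that matters: a PLAIN/LOGIN password on an unencrypted session.
        "plaintext_password_exposure": auth_before_tls and "noplaintext" not in plain_opts,
        # Over TLS, plaintext mechanisms must stay available or common MUAs cannot log in.
        "plaintext_mechs_over_tls": sasl_enabled and "noplaintext" not in tls_opts,
    }


if __name__ == "__main__":
    for name, entry in (("example 1", EXAMPLE_1), ("example 2", EXAMPLE_2), ("weak", WEAK)):
        print(name, assess(entry))
```

Running the script shows why example 1 needs the separate TLS-session option line: with `noplaintext` only in `smtpd_sasl_security_options`, plaintext mechanisms are blocked before STARTTLS but remain available afterwards, whereas the `WEAK` entry exposes passwords and example 2 never offers AUTH on a cleartext session at all.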