On Tue, Dec 04, 2012 at 11:59:01PM +1300, Peter wrote:
> On 04/12/12 20:54, Tomas Macek wrote:
> > Everyone here tells me that MUAs should send their mails through 
> > 587. I can't do that without iptables, because all the people 
> > here have Outlook Expresses setup with port 25 for sending emails 
> > from default configuration.
> 
> That's the general advice, yes, but the real issue is to keep your 
> submission service separate from your mx service.  You can allow 
> submission on port 25 and still have it separate from MX if that 
> submission service is on a different IP address to your MX.

Absolutely. This is what Tomas needs to do.

> As an example, say that your users currently submit to the host 
> mail.example.com, you can change the IP of mail.example.com to 
> point to a new IP (on the same server) and set up postfix so that 
> it runs a submission service on that IP on port 25.  You can then 
> point your MX record to a different hostname (mx1.example.com) and 
> point that to a second IP address on the same server, postfix can 
> then be configured so that port 25 requests to that IP are treated 
> as mx requests and not submission.  With this setup you get to 
> separate your submission from your mx but still don't have to 
> require your users to make any changes to their clients.
> 
> I would still also set up port 587 on the mail.example.com IP as 
> submission as well and try to encourage your users (at least the 
> ones you can) to use port 587 from now on.

What I would do, on Linux with IPv4 only, is create the submission 
port and use an iptables redirect for the alternate IP address:

    # iptables -vt nat -A PREROUTING -p tcp --dport smtp -d \
    mail.example.com -j REDIRECT --to-port submission

This saves the overhead (system and administrative) of running 
another smtpd on [mail.example.com]:25; he can leave his "smtp ... 
smtpd" service alone in master.cf.

> Also, if they don't have authentication set up, then you can use 
> mynetworks to authenticate them, but you may be better off using a 
> check_client_access cidr table instead for better control of this.

That's a tossup, really. mynetworks is a shortcut, and likewise, 
saves administrative time and overhead. Just as well would be to use 
a cidr_table(5) as mynetworks.

I should also add as a reply to Stan in the other subthread: look 
above at the first quoted paragraph: "Outlook Expresses setup with 
... default configuration."

Yikes, bad news, very bad. If not doing content filtering nor policy 
limitation of submission now, he will be soon. And possibly losing 
his job in any case. Tomas is not in a good place right now.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
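
The two-address layout Peter describes, written out as a master.cf excerpt (an added example, not configuration from anyone in this thread; it reuses Peter's hostnames, and assumes mail.example.com and mx1.example.com already resolve to two addresses on the same box and that smtpd SASL is configured). With the iptables REDIRECT approach instead, only the last `submission` entry is needed and the stock `smtp ... smtpd` line stays as it is.

```conf
# master.cf excerpt (added example). Pre-2.10 Postfix, so relay control
# lives in smtpd_recipient_restrictions rather than smtpd_relay_restrictions.
#
# MX listener, bound to the address the MX record points at. It accepts
# mail only for domains this server is responsible for and never relays
# for clients; mynetworks is narrowed to loopback on this service alone.
# service            type  private unpriv chroot wakeup maxproc command + args
mx1.example.com:smtp inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/mx
  -o mynetworks=127.0.0.0/8
  -o smtpd_sasl_auth_enable=no
  -o smtpd_recipient_restrictions=reject_unauth_destination

# Submission listener on the address mail.example.com resolves to, kept
# on port 25 so unchanged Outlook Express clients keep working. Relaying
# is granted only to authenticated clients or to the known client ranges
# listed in the cidr table (the "cidr_table(5) as mynetworks" option);
# everything else is rejected, so this listener cannot act as an MX.
mail.example.com:smtp inet n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o mynetworks=cidr:/etc/postfix/mynetworks.cidr
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# Port 587 on the same address for clients that can be moved off 25:
# TLS required, authentication required, no IP-based relaying at all.
mail.example.com:submission inet n -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

The separate syslog_name values make the two roles distinguishable in the mail log, which is what lets you see later how many clients still submit unauthenticated on port 25.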
