On 1/8/2013 2:48 PM, Titanus Eramius wrote:
> Tue, 08 Jan 2013 12:39:58 -0600, Noel Jones wrote:
>> Using iptables to separate traffic is a reasonable solution.
>> Probably a good idea to add a comment to master.cf documenting what
>> you've done.
>>
>> The more typical way to do this is for local mail to use the
>> submission port 587. Sometimes folks redirect port 25 on the local
>> network to 587 as a migration aid.
>>
>
> OK, but using submission more or less removes the problem with
> SpamAssassin. Thank you for the pointer, I'll be sure to use 587
> for relaying from the users.
>
> This raises the question (or at least I think it does), if it's
> possible to "force" the users onto 587 by denying relay access to 25?
>

It's certainly possible to prevent relaying via port 25, and many sites
do so. The choice is a local policy decision; do what fits your needs
best.

Typically this is done by giving submission and port 25 different
settings via master.cf -o ... overrides. A quick incomplete example:

    # main.cf
    mynetworks = 127.0.0.1
    submission_mynetworks = 127.0.0.1, 192.168.0.0/16
    smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        ... anti-spam controls ...
    submission_smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject

    # master.cf
    submission inet n       -       n       -       -       smtpd
      -o syslog_name=postfix/submission
      -o mynetworks=$submission_mynetworks
      -o smtpd_recipient_restrictions=$submission_smtpd_recipient_restrictions
      ... more -o overrides ...

Common variations are to require SASL AUTH on the submission port by
removing permit_mynetworks, and to require TLS with AUTH by using
"-o smtpd_tls_auth_only=yes".

  -- Noel Jones
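As an added illustration (not code from the list message above), the following Python parses a master.cf fragment in the layout the reply describes, resolves each service's -o overrides against main.cf, and reports the effective mynetworks and smtpd_recipient_restrictions for port 25 versus submission, so an administrator can confirm the split policy before reloading Postfix. The main.cf and master.cf contents are constructed samples; the submission_* names are user-defined parameters assumed here.

```python
import re
# Constructed main.cf and master.cf fragments modelled on the message above; the
# submission_* names are user-defined main.cf parameters (assumed here, not the post's).
MAIN_CF = {
    "mynetworks": "127.0.0.1",
    "submission_mynetworks": "127.0.0.1, 192.168.0.0/16",
    "smtpd_recipient_restrictions": "permit_mynetworks reject_unauth_destination",
    "submission_smtpd_recipient_restrictions": "permit_mynetworks permit_sasl_authenticated reject",
}
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o mynetworks=$submission_mynetworks
  -o smtpd_recipient_restrictions=$submission_smtpd_recipient_restrictions
"""

def parse_master_cf(text):
    """Return {'service/type': {name: value}} of -o overrides per master.cf entry."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if not line[0].isspace():          # service line: 8 fixed fields, then args
            if len(fields) < 8:
                raise ValueError(f"malformed service line: {line!r}")
            current = f"{fields[0]}/{fields[1]}"
            services[current] = {}
            fields = fields[8:]
        elif current is None:              # indented line must continue a service
            raise ValueError(f"continuation before any service: {line!r}")
        for opt, arg in zip(fields, fields[1:]):  # collect each "-o name=value"
            if opt == "-o":
                name, _, value = arg.partition("=")
                services[current][name] = value
    return services

def effective(param, overrides):
    """Per-service value: -o override wins over main.cf; $name refers to main.cf."""
    value = overrides.get(param, MAIN_CF.get(param, ""))
    return re.sub(r"\$\{?(\w+)\}?", lambda m: MAIN_CF.get(m.group(1), ""), value)

def relay_policy(master_cf):
    """Effective mynetworks and recipient restrictions for port 25 vs. submission."""
    services = parse_master_cf(master_cf)
    return {svc: {p: effective(p, services.get(svc, {}))
                  for p in ("mynetworks", "smtpd_recipient_restrictions")}
            for svc in ("smtp/inet", "submission/inet")}
```

On a live system the same effective values can be cross-checked with postconf against the real files; the parser here deliberately ignores the braces-quoted -o syntax of newer Postfix releases.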