On Apr 13, 2013, at 16.03, Russell Jones <russ...@jonesmail.me> wrote:
> > really, neither of permit_mynetworks nor permit_sasl_authenticated belong
> > in any global restrictions.
> smtp auth [e.g sasl] is for submission clients, which should be using
> submission/587, and these days,
>
> This is contrary to what is in the docs as an example, however I have port 25
> closed off in master.cf to prevent authentication anyway. 587 is the only
> port I permit authenticated relaying against.

you offer no service whatsoever on port 25? postfix is not listening on that port?

if that's truly the case, then, to be pedantic, you're running an msa, not an mta, in which case you could argue that is an exception to the rule, and such global settings wouldn't necessarily be discouraged.

> smtpd -o smtpd_sasl_auth_enable=no

i'm confused. if you are still listening on port 25, and have set an override in master.cf to disable sasl, then there is no reason for including the aforementioned restrictions in the global restrictions anyway. by leaving them in there, all you're doing is unnecessarily increasing the risk, should somehow, for some unexpected reason, sasl be enabled [yes, stranger things have happened, even to reasonably responsible admins].

also, i'd note that from a security perspective, that approach is backwards. globally, smtpd_sasl_auth_enable should be off, and only enabled for the specific services in master.cf which require it.

-ben
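
An added example (not part of the original message, and not Postfix's own tooling): a small Python check of main.cf and master.cf text against the advice in this thread, that is, SASL off globally and enabled only per service, with neither permit_mynetworks nor permit_sasl_authenticated in the global restriction lists. The sample configs are constructed, and the parser assumes the plain `-o name=value` override form.

```python
import re

# Constructed sample configs (not from the thread) in the layout ben describes.
MAIN_CF = """\
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions = reject_unauth_destination
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Skip comments/blank lines; fold whitespace-led continuation lines."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def audit(main_cf, master_cf):
    """Return findings where the config departs from the advice in the message."""
    findings, params = [], {}
    for line in logical_lines(main_cf):
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    global_sasl = params.get("smtpd_sasl_auth_enable", "no") == "yes"
    if global_sasl:
        findings.append("main.cf: smtpd_sasl_auth_enable=yes is global")
    for name, value in params.items():
        if re.fullmatch(r"smtpd_\w+_restrictions", name):
            for rule in ("permit_mynetworks", "permit_sasl_authenticated"):
                if rule in re.split(r"[,\s]+", value):
                    findings.append(f"main.cf: {rule} in global {name}")
    for line in logical_lines(master_cf):
        f = line.split()
        if len(f) < 8 or f[1] != "inet" or f[7] != "smtpd":
            continue
        opts = dict(re.findall(r"-o\s+(\w+)=(\S+)", line))
        sasl = opts.get("smtpd_sasl_auth_enable", "yes" if global_sasl else "no")
        if f[0].rsplit(":", 1)[-1] in ("smtp", "25") and sasl == "yes":
            findings.append(f"master.cf: SASL enabled on port 25 service {f[0]}")
    return findings
```

A global `smtpd_sasl_auth_enable = yes` combined with a port 25 override of `-o smtpd_sasl_auth_enable=no` is still reported for the global setting, which is the "backwards" arrangement the message warns about.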