On Apr 13, 2013, at 17.10, Russell Jones <russ...@jonesmail.me> wrote:

> 
> On 4/13/2013 3:44 PM, b...@bitrate.net wrote:
>> you offer no service whatsoever on port 25?  postfix is not listening on 
>> that port?  if that's truly the case, then, to be pedantic, you're running 
>> an msa, not an mta, in which case you could argue that is an exception to 
>> the rule, and such global settings wouldn't necessarily be discouraged.
> 
> I do and I am offering SASL services, let me clarify. It might be useful if I 
> just include what the line looks like. This isn't what I was asking about in 
> my original email, and has been working fine for quite some time, but just 
> for clarification on this subject for others reading here's the config:
> 
> 1.2.3.4:smtp    inet    n       -       n       -       - smtpd
>     -o smtpd_sasl_auth_enable=no
>     -o smtpd_tls_key_file=/etc/postfix/mail.key
>     -o smtpd_tls_cert_file=/etc/postfix/mail.crt
>     -o myhostname=mail.server.com
> 1.2.3.4:submission inet n       -       n       -       - smtpd
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_tls_key_file=/etc/postfix/mail.key
>     -o smtpd_tls_cert_file=/etc/postfix/mail.crt
>     -o myhostname=mail.server.com

this does offer clarity, yes.  in the context of my comments, as long as you do 
not set smtpd_sasl_auth_enable in main.cf, it's not strictly necessary to set 
smtpd_sasl_auth_enable=no for the smtp service.  the compiled in default will 
be used.  that said, it's not really hurting anything, and could be argued to 
be an extra layer of security, lest something weird happen [but let's please 
not debate that].

> I want only servers talking to port 25, not clients. Hence why I do not 
> permit authentication against the smtp port, only the submission port. Then, 
> in the smtpd_relay_restrictions, I permit authenticated clients to relay.
> 
> 
> > globally, smtpd_sasl_auth_enable should be off, and only enabled for the 
> > specific services in master.cf which require it.
> 
> It is.
> 
> 
> > really, neither of permit_mynetworks nor permit_sasl_authenticated belong 
> > in any global restrictions.
> 
> Still confused as to why permit_sasl_authenticated shouldn't be in the 
> smtpd_relay/recipient_restrictions section. Is there a better place to define 
> smtpd_relay/recipients configuration instead of main.cf?

in my opinion, the better place is in master.cf, for only the desired service 
[e.g. submission].  to go a step further, cases like this can make good use of 
restriction classes, so you can keep the majority of settings and activity in 
main.cf - e.g.:

main.cf:
smtpd_restriction_classes =
    base_recipient_restrictions,
    submission_recipient_restrictions

base_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining

submission_recipient_restrictions =
    base_recipient_restrictions,
    permit_sasl_authenticated,
    reject

master.cf:
submission inet n       -       n       -       - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=submission_recipient_restrictions
    -o smtpd_tls_key_file=/etc/postfix/mail.key
    -o smtpd_tls_cert_file=/etc/postfix/mail.crt
    -o smtpd_tls_security_level=encrypt
    -o myhostname=mail.server.com

refer to the documentation and examples for more specifics on the submission 
service, especially the other example overrides.

-ben
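As an added example (not from this thread or from Postfix itself), a small audit script that computes the effective smtpd_sasl_auth_enable for every smtpd service the way the thread describes it: a master.cf "-o" override wins, otherwise main.cf, otherwise the compiled-in default "no". The master.cf and main.cf text below is constructed for the demonstration, and the set of services on which AUTH is expected (submission, smtps) is an assumption.

```python
import re
# Constructed sample master.cf (not the poster's file): SASL AUTH only on submission.
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=no
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_recipient_restrictions=submission_recipient_restrictions
pickup     unix  n  -  n  60 1  pickup
"""
# Constructed main.cf fragment; the compiled-in default for the parameter is "no".
MAIN_CF = "myhostname = mail.server.com\nsmtpd_sasl_auth_enable = no\n"
OVERRIDE = re.compile(r"-o\s+([^\s=]+)=(\S+)")   # one master.cf "-o name=value"

def parse_main_cf(text):
    """{parameter: value} from 'name = value' lines, comments skipped."""
    params = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def parse_master_cf(text):
    """Map 'name/type' -> (command, overrides); per master(5) a leading-space line continues an entry."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():              # new service entry
            f = line.split()
            current = f[0] + "/" + f[1]
            services[current] = (f[7], {})
        if current is not None:                # -o pairs on either kind of line
            services[current][1].update(OVERRIDE.findall(line))
    return services

def sasl_report(master_text, main_text):
    """Per-smtpd-service smtpd_sasl_auth_enable: -o override, else main.cf, else 'no'."""
    global_value = parse_main_cf(main_text).get("smtpd_sasl_auth_enable", "no")
    report = {name: overrides.get("smtpd_sasl_auth_enable", global_value)
              for name, (command, overrides) in parse_master_cf(master_text).items()
              if command == "smtpd"}
    return global_value, report

def unexpected_sasl(master_text, main_text, allowed=("submission/inet", "smtps/inet")):
    """smtpd services that accept AUTH but are not on the allowed list (e.g. port 25)."""
    return sorted(s for s, v in sasl_report(master_text, main_text)[1].items()
                  if v == "yes" and s not in allowed)
```

A global "yes" in main.cf with no per-service override shows up as AUTH being offered on port 25, which is the configuration the thread argues against.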