On Jul 4, 2013, at 20.44, W T Riker <wtriker....@gmail.com> wrote:

> On 7/4/2013 8:36 PM, Wietse Venema wrote:
>> W T Riker:
>>> On 7/4/2013 8:01 PM, Wietse Venema wrote:
>>>> gw1500:
>>>>> It is not clear from the documentation if this is possible or how to do
>>>>> it but I want to make authentication optional but if a user does
>>>>> authenticate then I want to permit relaying. Can someone help?
>>>> This is how permit_sasl_authenticated works.
>>>>
>>>> http://www.postfix.org/SASL_README.html#server_sasl_authz
>>> Thanks for the reply. I already have that much working. Where I am stuck
>>> is permitting relaying from authenticated users regardless of host while
>>> prohibiting everything else.
>> I answered the question how "to make authentication optional".
>>
>> Perhaps someone else can figure out what you mean with "permitting
>> relaying from authenticated users while prohibiting everything else"
>> when only seconds ago you asked how "to make authentication optional".
>>
>> Wietse
>>
> Sorry that I was not clear. With this configuration, will any
> non-authenticated client still be able to deliver mail to a local
> recipient but not be permitted to relay email to non-local recipients?
i'd counsel against this. instead, set up a proper submission service [see the commented out example in master.cf], and use separate streams for mx and submission.

presumably you're asking about providing "relay" service for client [e.g. mua] software. clients should use submission [port 587], not port 25. port 25 is for servers to talk to other servers.

setting up separate streams/services allows you to require encryption and authentication for all connections [e.g. "clients"] to the submission service, and allows you to avoid offering it unnecessarily on port 25.

-ben
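An added example, not part of the thread: a small check that a master.cf gives port 587 its own listener requiring TLS and SASL, as the reply above recommends. The sample file and the function names are constructed for illustration; the Postfix parameter names are the standard ones, and only the plain `-o name=value` override form is parsed.

```python
import shlex

# Constructed sample master.cf (not from the thread): port 25 stays a plain MX
# listener; 587 demands TLS and SASL from every client before it relays.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""
REQUIRED = {"smtpd_tls_security_level": "encrypt", "smtpd_sasl_auth_enable": "yes"}
LISTS = ("smtpd_client_restrictions", "smtpd_recipient_restrictions",
         "smtpd_relay_restrictions")


def parse_master_cf(text):
    """Map 'service/type' to its '-o name=value' overrides."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:   # leading whitespace continues a line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        f = shlex.split(line)              # 7 columns, command, then its args
        args = f[8:]
        opts = [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-o"]
        services[f"{f[0]}/{f[1]}"] = dict(o.split("=", 1) for o in opts if "=" in o)
    return services


def audit_submission(text):
    """Return findings; an empty list means 587 enforces TLS and auth."""
    svc = parse_master_cf(text).get("submission/inet")
    if svc is None:
        return ["no submission/inet service defined"]
    findings = [f"{k} is {svc.get(k)!r}, expected {v!r}"
                for k, v in REQUIRED.items() if svc.get(k) != v]
    for name in LISTS:
        rules = svc.get(name, "").replace(",", " ").split()
        permits = [r for r in rules if r.startswith("permit")]
        # check_*_access lookups are not evaluated by this sketch
        if rules[-1:] == ["reject"] and permits == ["permit_sasl_authenticated"]:
            return findings
    return findings + ["no restriction list is 'permit_sasl_authenticated ... reject'"]
```

Run `audit_submission()` over the text of the real master.cf; the port 25 entry carries no overrides here, so its relay policy still comes from main.cf.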