On 7/5/2013 12:27 AM, b...@bitrate.net wrote:
> On Jul 4, 2013, at 20.44, W T Riker <wtriker....@gmail.com> wrote:
>
>> On 7/4/2013 8:36 PM, Wietse Venema wrote:
>>> W T Riker:
>>>> On 7/4/2013 8:01 PM, Wietse Venema wrote:
>>>>> gw1500:
>>>>>> It is not clear from the documentation if this is possible or how to do
>>>>>> it but I want to make authentication optional but if a user does
>>>>>> authenticate then I want to permit relaying. Can someone help?
>>>>> This is how permit_sasl_authenticated works.
>>>>>
>>>>> http://www.postfix.org/SASL_README.html#server_sasl_authz
>>>> Thanks for the reply. I already have that much working. Where I am stuck
>>>> is permitting relaying from authenticated users regardless of host while
>>>> prohibiting everything else.
>>> I answered the question how "to make authentication optional".
>>>
>>> Perhaps someone else can figure out what you mean with "permitting
>>> relaying from authenticated users while prohibiting everything else"
>>> when only seconds ago you asked how "to make authentication optional".
>>>
>>>     Wietse
>>>
>> Sorry that I was not clear. With this configuration, will any
>> non-authenticated client still be able to deliver mail to a local
>> recipient but not be permitted to relay email to non-local recipients?
> i'd counsel against this.  instead, set up a proper submission service [see 
> the commented out example in master.cf], and use separate streams for mx and 
> submission.  presumably you're asking about providing "relay" service for 
> client [e.g. mua] software.  clients should use submission [port 587], not 
> port 25.  port 25 is for servers to talk to other servers.  setting up 
> separate streams/services allows you to require encryption and authentication 
> for all connections [e.g. "clients"] to the submission service, and allows you
> to avoid offering it unnecessarily on port 25.
>
> -ben
Indeed this is using port 587. I did not realize that that in itself was
sufficient to prevent relaying from non-authenticated clients. Thanks.
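
The separate MX and submission streams recommended in the thread, written out as an added configuration example (not taken from any poster's system). It assumes a working SASL backend and TLS certificate are already set in main.cf; the file paths and the chroot column are assumptions that vary by distribution, and smtpd_relay_restrictions requires Postfix 2.10 or later.

```conf
# ---- /etc/postfix/main.cf (applies to port 25 unless overridden) ----
# Anyone may deliver to domains this host is final destination or relay
# for; everything else is refused, so port 25 is not an open relay.
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# ---- /etc/postfix/master.cf ----
# Port 25: server-to-server (MX) traffic. AUTH is not offered here.
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=no

# Port 587: client (MUA) submission. Every session must use TLS and
# must authenticate before any recipient is accepted.
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

The trailing `reject` in the submission overrides is what refuses unauthenticated sessions on 587; run `postfix check` and `postfix reload` after editing, and confirm with `postconf -n` that no later main.cf setting reintroduces `permit_sasl_authenticated` on port 25.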
