On Fri, Jan 30, 2015 at 05:27:59AM +0000, srach wrote:

> >> "1. Know for sure that the relay mail comes from the #1 server." An added
> >> header can be made fake so I look for a better way that is not possible to
> >> fake.
> >
> > Restrict access to the non-default port via TLS client certs or SASL.

And I often find it easier to configure client certs, no SASL or PAM
configuration nightmares. :-)

> With the SASL opportunity is it still true that Postfix with the Dovecot SASL
> where I am building Postfix with
>
>     -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE="dovecot"
>
> is not possible to use as SASL client but only Cyrus?

Indeed Dovecot only provides the (complex) server-side of SASL. The client
side still requires Cyrus SASL support, so you can build with both.

> With the TLS client cert opportunity for authenticating my Postfix relay as
> client to the other mail server that is receiving the relay mail I have some
> small confusion.

    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_ask_ccert=yes
    # If all clients need a cert on this port
    # -o smtpd_tls_req_ccert=yes

on port 587 or whatever you choose for the relay-to-relay service port.

> When I make the self-signed client certificate for my Postfix relay instance
> I have read that I must give it the email address of the 'login user' exactly
> so it can be a match?

Nothing of the sort. Postfix access control between the relays will be by
"fingerprint". Just set:

    # Default, backwards-compatible, md5 "looks bad" in audits:
    # SHA-1 still has plenty of 2nd-preimage resistance:
    # smtpd_tls_fingerprint_digest = sha1

> I do not know which user I must give?? Because there
> will be mail for many different users that will be relayed?

I'd have said something about that if it were relevant.

-- 
	Viktor.
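Relay-to-relay authentication by certificate fingerprint, as an added configuration sketch that is not from Viktor's reply or the Postfix documentation. Port 587, smtpd_tls_ask_ccert and the sha1 digest come from the reply; the service layout, file paths, relay host name, the parameter name relay_ccert_restrictions and the fingerprint value are assumed or constructed placeholders.

```conf
# ---- receiving relay (server side) ----
# /etc/postfix/master.cf: a dedicated relay-to-relay service on port 587.
# "-o" values cannot contain whitespace, so the restriction list is defined
# in main.cf under an assumed parameter name and referenced here with "$".
587       inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_ask_ccert=yes
    -o smtpd_tls_req_ccert=yes
    -o smtpd_client_restrictions=$relay_ccert_restrictions

# /etc/postfix/main.cf (server side)
# The digest must be the same one used to compute the table keys below.
smtpd_tls_fingerprint_digest = sha1
# Assumed parameter name: only a client whose certificate fingerprint is
# listed in the table is allowed in; every other client on this port is
# rejected. The certificate subject or email address plays no role.
relay_ccert_restrictions =
    check_ccert_access hash:/etc/postfix/relay_ccerts,
    reject

# /etc/postfix/relay_ccerts (run "postmap /etc/postfix/relay_ccerts" after
# editing). The key is the client certificate fingerprint as colon-separated
# upper-case hex, exactly as printed by:
#   openssl x509 -noout -fingerprint -sha1 -in relay-client-cert.pem
# The value below is a constructed placeholder, not a real fingerprint.
AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD    OK

# ---- sending relay (client side) /etc/postfix/main.cf ----
# Assumed host name and paths; the self-signed cert may carry any subject.
relayhost = [relay.example.net]:587
smtp_tls_security_level = encrypt
smtp_tls_cert_file = /etc/postfix/relay-client-cert.pem
smtp_tls_key_file = /etc/postfix/relay-client-key.pem
```

When the client certificate is renewed, its fingerprint changes, so the relay_ccerts entry has to be updated (and postmap re-run) before the new certificate is put into service.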