Re: Is this sane submission setup?

2016-04-29 Thread Noel Jones
On 4/29/2016 2:02 AM, Alice Wonder wrote:
> submission inet n   -   n   -   -   smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_client_restrictions=permit_mynetworks,reject
>   -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
>   -o milter_macro_daemon_name=ORIGINATING
> 
> -=-=-
> 
> The goal:
> 
> Set up a postfix server that exists solely to relay blog
> notifications from a different host.
> 
> I want it to use port 587 for this so that anything sent to port 25
> can just be blocked.
> 
> I want it to only relay connections from hosts specified in mynetworks
> 
> I want it to require authentication
> 
> The from address will vary by which blog is connecting to send
> notifications, I don't want it to care about the from address.


If you intend to require BOTH mynetworks AND auth, you'll need
something like:

(reject not-mynetworks)
  -o smtpd_client_restrictions=permit_mynetworks,reject
(reject not-auth)
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


The other stuff is OK.


  -- Noel Jones


Re: Is this sane submission setup?

2016-04-29 Thread Alice Wonder

On 04/29/2016 06:34 AM, Charles Marcus wrote:
> On 4/29/2016 3:02 AM, Alice Wonder wrote:
>> submission inet n   -   n   -   -   smtpd
>>   -o syslog_name=postfix/submission
>>   -o smtpd_tls_security_level=encrypt
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_reject_unlisted_recipient=no
>>   -o smtpd_client_restrictions=permit_mynetworks,reject
>>   -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
>
> What about permit_sasl_authenticated ? Without that external clients
> will not be able to use it.

Thank you

> Also, personally I would *never* allow unauthenticated, except only from
> specific older clients that don't support SASL AUTH - and I would do
> that on a separate port with additional checks - but that is me, I know
> it isn't uncommon to do this.

That's the relay_restrictions?

What I'm trying to have it do is define that the blog hosts (there are three
or four of them, with about 20 different domain names on each host) can
connect over 587 with authentication but that even with the right uname
/ password, connection is refused from any other host.


Re: Is this sane submission setup?

2016-04-29 Thread Charles Marcus
On 4/29/2016 3:02 AM, Alice Wonder wrote:
> submission inet n   -   n   -   -   smtpd
>-o syslog_name=postfix/submission
>-o smtpd_tls_security_level=encrypt
>-o smtpd_sasl_auth_enable=yes
>-o smtpd_reject_unlisted_recipient=no
>-o smtpd_client_restrictions=permit_mynetworks,reject
>-o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination

What about permit_sasl_authenticated ? Without that external clients
will not be able to use it.

Also, personally I would *never* allow unauthenticated, except only from
specific older clients that don't support SASL AUTH - and I would do
that on a separate port with additional checks - but that is me, I know
it isn't uncommon to do this.
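To see why Noel's two-list answer is needed and how it differs from Charles's "permit_sasl_authenticated" point, here is an added example that is not part of any post in this thread and not Postfix code: a small Python model of the smtpd restriction stages, run over `service/type/parameter = value` lines in the form `postconf -P` prints (Postfix 2.11 and later). It knows only the restriction names used in the thread and treats any other name as "no decision"; it assumes the stages not overridden in the submission stanza carry no rejecting entries from main.cf; and the three configurations and their `postconf -P` lines are constructed for the example, not taken from a real server.

```python
"""Model of the Postfix smtpd restriction stages for a submission service.

Added example for this thread; not code from Postfix or from any poster.
It knows only the restriction names the thread uses and treats any other
name as "no decision", so it is an illustration, not a policy checker.
"""
import re

# Postfix evaluates these lists in this order, and a reject at any stage
# rejects the recipient: a client must get a permit or no decision from
# every stage to relay.  (The data/end-of-data stages are omitted here.)
STAGE_ORDER = (
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions",
)

# Constructed `postconf -P`-style lines for the stanza in the original post.
# Assumption: stages not listed here carry no rejecting entries from main.cf.
ORIGINAL = """\
submission/inet/smtpd_tls_security_level = encrypt
submission/inet/smtpd_sasl_auth_enable = yes
submission/inet/smtpd_client_restrictions = permit_mynetworks,reject
submission/inet/smtpd_relay_restrictions = permit_mynetworks,reject_unauth_destination
"""

# Constructed: the same stanza plus the recipient list Noel Jones suggested.
WITH_AUTH_REQUIRED = ORIGINAL + (
    "submission/inet/smtpd_recipient_restrictions = permit_sasl_authenticated,reject\n"
)

# Constructed contrast: "authenticated clients from anywhere", the common
# submission setup Charles Marcus alludes to, which is not this thread's goal.
AUTH_FROM_ANYWHERE = """\
submission/inet/smtpd_tls_security_level = encrypt
submission/inet/smtpd_sasl_auth_enable = yes
submission/inet/smtpd_client_restrictions = permit_sasl_authenticated,reject
submission/inet/smtpd_relay_restrictions = permit_sasl_authenticated,reject_unauth_destination
"""


def parse_postconf(text, service="submission/inet"):
    """Return {parameter: value} for one service from postconf -P output."""
    prefix = service + "/"
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(prefix) and "=" in line:
            key, value = line[len(prefix):].split("=", 1)
            params[key.strip()] = value.strip()
    return params


def tokens(value):
    """Split a restriction list; Postfix accepts commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def evaluate_stage(restrictions, in_mynetworks, authenticated, external_rcpt):
    """First matching entry decides: 'permit', 'reject', or None (no decision)."""
    for r in restrictions:
        if (r == "permit"
                or (r == "permit_mynetworks" and in_mynetworks)
                or (r == "permit_sasl_authenticated" and authenticated)):
            return "permit"
        if r == "reject" or (r == "reject_unauth_destination" and external_rcpt):
            return "reject"
        # Any other restriction: "no decision" in this simplified model.
    return None


def can_relay(params, in_mynetworks, authenticated, external_rcpt=True):
    """True if a client with these properties passes every restriction stage."""
    for stage in STAGE_ORDER:
        verdict = evaluate_stage(tokens(params.get(stage, "")),
                                 in_mynetworks, authenticated, external_rcpt)
        if verdict == "reject":
            return False
    return True


def relay_matrix(params):
    """Who can relay to an outside recipient, keyed by (in_mynetworks, authenticated)."""
    return {(m, a): can_relay(params, m, a) for m in (True, False) for a in (True, False)}


def meets_goal(params):
    """The thread's goal: relay only for clients in mynetworks AND authenticated."""
    return relay_matrix(params) == {
        (True, True): True,
        (True, False): False,
        (False, True): False,
        (False, False): False,
    }


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL),
                      ("with recipient_restrictions", WITH_AUTH_REQUIRED),
                      ("auth from anywhere", AUTH_FROM_ANYWHERE)):
        p = parse_postconf(cfg)
        print(f"{name:28s} {relay_matrix(p)}  meets goal: {meets_goal(p)}")
```

The `original` row is the point: the pair (in mynetworks, not authenticated) comes out as permitted, because `permit_mynetworks` in `smtpd_relay_restrictions` ends that stage before anything asks for SASL, so `smtpd_sasl_auth_enable=yes` only offers AUTH, it does not require it. Noel's `smtpd_recipient_restrictions=permit_sasl_authenticated,reject` adds a stage in which only an authenticated client gets a permit, so both conditions must hold. The `auth from anywhere` row shows the other common shape, where the network check is dropped, which is what Alice explicitly does not want. On a real server, replace the constructed strings with the output of `postconf -P` for the submission service.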


Re: Differentiate sending from LMTP and SMTP based on email address

2016-04-29 Thread Wietse Venema
This is Postfix:

550 5.1.1 : Recipient address rejected:
undeliverable address: host 10.0..0.1[10.0.0.1 said:

This is qmail:

553 sorry, your envelope sender domain must exist (#5.7.1)

This is Postfix again:

(in reply to MAIL FROM command)


Is this sane submission setup?

2016-04-29 Thread Alice Wonder

submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
  -o milter_macro_daemon_name=ORIGINATING

-=-=-

The goal:

Set up a postfix server that exists solely to relay blog notifications 
from a different host.


I want it to use port 587 for this so that anything sent to port 25 can 
just be blocked.


I want it to only relay connections from hosts specified in mynetworks

I want it to require authentication

The from address will vary by which blog is connecting to send 
notifications, I don't want it to care about the from address.