
295025 Re: Disabling user submission on port 25

  • Jeroen Geilman
    Aug 27, 2013
      On 08/27/2013 05:24 AM, John Allen wrote:
      > On 26/08/2013 9:00 PM, Noel Jones wrote:
      >> On 8/26/2013 7:49 PM, LuKreme wrote:
      >>> OK, now that port 587 is working, I would like to disable user
      >>> submission via port 25. Not right now, but in a bit once people have
      >>> a chance to change their settings.
      >>> What do I do to prevent users sending via port 25?
      >> Super easy...
      >> # main.cf
      >> smtpd_sasl_auth_enable = no
      >> Your master.cf submission entry probably already includes
      >> -o smtpd_sasl_auth_enable=yes
      >> If not, go ahead and add it to submission now so things don't break
      >> unexpectedly later.
      >> This won't prevent users from sending local mail to port 25, but
      >> they won't be able to authenticate and won't be able to relay. This
      >> usually isn't considered a problem, and changing it often causes
      >> other issues.
      >> -- Noel Jones
      > I based it on something that Noel Jones wrote way back in 2008.
      > Create a file of the networks you wish to deny access to, e.g.
      > “Deny_Mynetworks_Access” the content of which will be the same
      > networks as those found in the mynetworks parameter of the main.cf
      > file for example:

      This is entirely unnecessary, since moving reject_unauth_destination in
      front of permit_mynetworks takes care of that.
      Everything after reject_unauth_destination is impervious to relay
      attempts, because it explicitly blocks all such attempts.
      Yes, relay_domains would be an exception to this - but think why domains
      are in relay_domains to begin with.

      > This should deny access to the smtp port (25) from the local networks
      > while allowing access to the submission port (587).

      So what you're saying is basically "to deny access from the networks in
      mynetworks, do this complicated thing" ?

      A simpler way to do that would be to not put these networks in mynetworks.
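
One way to verify the setup Noel Jones describes (SASL off in main.cf, switched back on for submission in master.cf), added here as an example and not part of any poster's message: the Python below computes the effective `smtpd_sasl_auth_enable` for each smtpd listener. The sample files are constructed, the function names are hypothetical, and only the `-o name=value` override form is handled.

```python
# Constructed sample files, not taken from the thread.
MAIN_CF = """\
# main.cf
smtpd_sasl_auth_enable = no
"""

MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       n       60      1       pickup
"""

def logical_lines(text):
    """Drop comments and blank lines; join lines that start with whitespace."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()   # continuation of the previous line
        else:
            out.append(raw.strip())
    return out

def sasl_by_service(main_text, master_text):
    """Map each inet smtpd service to True if it will offer SASL AUTH."""
    pairs = (l.partition("=") for l in logical_lines(main_text))
    main = {k.strip(): v.strip() for k, _, v in pairs}
    default = main.get("smtpd_sasl_auth_enable", "no")  # Postfix default: no
    result = {}
    for line in logical_lines(master_text):
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        args = fields[8:]
        # Each "-o name=value" pair overrides main.cf for this service only.
        over = dict(a.partition("=")[::2] for p, a in zip(args, args[1:]) if p == "-o")
        result[fields[0]] = over.get("smtpd_sasl_auth_enable", default).lower() == "yes"
    return result

def audit(main_text, master_text):
    """Return a list of findings; empty means the layout matches the advice."""
    sasl = sasl_by_service(main_text, master_text)
    problems = [f"{s}: AUTH still offered on port 25" for s in ("smtp", "25") if sasl.get(s)]
    if not sasl.get("submission"):
        problems.append("submission: SASL not enabled, authenticated users cannot relay")
    return problems
```

On a live host, feed it the contents of the real files; `postconf -n` and `postconf -M` show the same values as Postfix itself parses them.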
