Re: FW: Authentication issues
On Sat, Aug 24, 2013 at 10:01:08AM -0400, David Hulsebus wrote:
> > Probably better is to only offer AUTH on submission port 587
> > with required encryption, and not offer AUTH at all on port 25.
> That is exactly what I want to do. If I uncomment this in the
> master.cf does it force TLS encryption on port 587 before
> authentication? If not, how would I do that?
> submission inet n - - - - smtpd
>   -o smtpd_tls_security_level=encrypt
This means any command after EHLO and before STARTTLS will be
rejected. TLS encryption is mandatory. See smtpd_tls_auth_only as
well; that would mean that AUTH is not even offered in the initial
unencrypted EHLO response. The client must STARTTLS first.
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
If you're not allowing relay on port 25, you would remove permit_*
restrictions from smtpd_recipient_restrictions in main.cf and change
this from client to recipient.
>   -o milter_macro_daemon_name=ORIGINATING
A non-standard smtpd instance should also have syslog_name set, to
distinguish it in logs from other smtpd instances.
> Further, how do I not allow AUTH on port 25. I can't glean it
> from the docs.
By default AUTH is not offered. You enabled that with this in
    smtpd_sasl_auth_enable = yes
If you remove that, you do not offer AUTH. You already have the
override set for submission.
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
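
A client-side check of the policy discussed in this message, as an added example that is not part of the original post: it audits EHLO replies so that AUTH never appears before STARTTLS, appears on 587 only after STARTTLS, and never appears on port 25. The function names, the host `mail.example.com` and the sample replies are constructed for illustration.

```python
import smtplib

# Constructed EHLO replies (sample data, not captured from a real server).
PLAIN_587 = "250-mail.example.com\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
TLS_587 = "250-mail.example.com\n250-PIPELINING\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
LEAKY_25 = "250-mail.example.com\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME"

def ehlo_keywords(reply):
    """Extension keywords from an EHLO reply (raw '250-' lines or smtplib's body)."""
    words = set()
    for line in reply.splitlines()[1:]:  # first line is the server greeting
        line = line.strip()
        if line[:3] == "250" and line[3:4] in ("-", " "):
            line = line[4:]  # drop the reply code when given raw lines
        head = line.replace("=", " ").split()  # tolerate the legacy "AUTH=..." form
        if head:
            words.add(head[0].upper())
    return words

def audit(port, before_tls, after_tls=None):
    """Return policy violations for one listener; an empty list means it conforms."""
    pre = ehlo_keywords(before_tls)
    post = ehlo_keywords(after_tls) if after_tls else set()
    problems = []
    if "AUTH" in pre:
        problems.append(f"port {port}: AUTH offered without TLS")
    if port == 587:  # assumption: 587 is the submission listener
        if "STARTTLS" not in pre:
            problems.append("port 587: STARTTLS not offered")
        if "AUTH" not in post:
            problems.append("port 587: AUTH not offered after STARTTLS")
    elif "AUTH" in post:
        problems.append(f"port {port}: AUTH offered after STARTTLS")
    return problems

def probe(host, port):
    """Collect the EHLO replies before and after STARTTLS from your own server."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        before = s.ehlo()[1].decode()
        after = None
        if s.has_extn("starttls"):
            s.starttls()
            after = s.ehlo()[1].decode()
    return before, after

if __name__ == "__main__":
    print(audit(587, PLAIN_587, TLS_587))  # conforming submission listener
    print(audit(25, LEAKY_25))             # port 25 still announcing AUTH
```

Against a live server, `audit(587, *probe("mail.example.com", 587))` runs the same check on the real replies.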