Re: Disabling user submission on port 25
- On 27 Aug 2013, at 16:09 , Jeroen Geilman <jeroen@...> wrote:
> A simpler way to do that would be to not put these networks in mynetworks.
Right. I have nothing in mynetworks but the two servers that sit next to each other. No one on the LAN is in mynetworks.
I was hesitant on taking the web server out, but I probably will since it turns out that both RoundCube and Squirrelmail were super easy to set up to use the submission port properly. I have to go through and make sure none of the websites have mail scripts that can't handle STARTTLS/587.
Space Directive 723: Terraformers are expressly forbidden from
- On 27/08/2013 6:09 PM, Jeroen Geilman wrote:
> On 08/27/2013 05:24 AM, John Allen wrote:
>> On 26/08/2013 9:00 PM, Noel Jones wrote:
>>> On 8/26/2013 7:49 PM, LuKreme wrote:
>>>> OK, now that port 587 is working, I would like to disable user
>>>> submission via port 25. Not right now, but in a bit once people
>>>> have a chance to change their settings.
>>>> What do I do to prevent users sending via port25?
>>> Super easy...
>>> # main.cf
>>> smtpd_sasl_auth_enable = no
>>> Your master.cf submission entry probably already includes
>>> -o smtpd_sasl_auth_enable=yes
>>> If not, go ahead and add it to submission now so things don't break
>>> unexpectedly later.
>>> This won't prevent users from sending local mail to port 25, but
>>> they won't be able to authenticate and won't be able to relay. This
>>> usually isn't considered a problem, and changing it often causes
>>> other issues.
>>> -- Noel Jones
>> I based it on something that Noel Jones wrote way back in 2008.
>> Create a file of the networks you wish to deny access to eg.
>> “Deny_Mynetworks_Access” the content of which will be the same
>> networks as those found in the mynetworks parameter of the main.cf
>> file for example:
> This is entirely unnecessary, since moving reject_unauth_destination
> in front of permit_mynetworks takes care of that.
> Everything after reject_unauth_destination is impervious to relay
> attempts, because it explicitly blocks all such attempts.
> Yes, relay_domains would be an exception to this - but think why
> domains are in relay_domains to begin with.
>> This should deny access to the smtp port (25) from the local networks
>> while allowing access to the submission port (587).
> So what you're saying is basically "to deny access from the networks
> in mynetworks, do this complicated thing" ?
> A simpler way to do that would be to not put these networks in
If I remember correctly the question was how do I stop local users using
port 25, while allowing them to access port 587. I felt that the
restriction should be applied to SMTP and not to SUBMISSION.
I agree that my solution is not very good and I think that Stan
Hoeppner's response is a much more elegant solution than mine.
- On 8/27/2013 6:34 PM, John Allen wrote:
> On 27/08/2013 6:09 PM, Jeroen Geilman wrote:
>> A simpler way to do that would be to not put these networks in
> If I remember correctly the question was how do I stop local users using
> port 25, while allowing them to access port 587. I felt that the
> restriction should be applied to SMTP and not to SUBMISSION.
> I agree that my solution is not very good and I think that Stan
> Hoeppner's response is a much more elegant solution than mine.
To be clear, I wasn't offering a solution to the OP's requirement, but
simply cleaning up and optimizing your approach into something that
would actually work.
Jeroen offered the solution.
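
The setup Noel Jones describes in the thread (SASL off in main.cf, switched back on for submission in master.cf) can be checked before users are moved off port 25. The following is an added example, not part of the thread or of Postfix; the sample files are constructed, the function names are hypothetical, and it assumes port 25 is listed as `smtp` and overrides use the plain `-o name=value` form.

```python
import re

# Constructed sample files, written for this example (not the poster's real config).
MAIN_CF = "# main.cf\nmynetworks = 127.0.0.0/8\nsmtpd_sasl_auth_enable = no\n"
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
smtp       unix  -  -  n  -  -  smtp
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
"""

def logical_lines(text):
    """Join Postfix continuation lines (leading whitespace) and drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main_cf(text):
    """Return {parameter: value}; as in Postfix, the last definition wins."""
    pairs = (l.partition("=") for l in logical_lines(text))
    return {n.strip(): v.strip() for n, sep, v in pairs if sep}

def parse_master_cf(text):
    """Return {(service, type): {name: value}} built from '-o name=value' options."""
    rows = (l for l in logical_lines(text) if len(l.split()) >= 8)
    return {tuple(r.split()[:2]): dict(re.findall(r"-o\s+(\w+)=(\S+)", r)) for r in rows}

def sasl_enabled(main, master, service):
    """Effective smtpd_sasl_auth_enable for an inet service (Postfix default: no)."""
    override = master.get((service, "inet"), {}).get("smtpd_sasl_auth_enable")
    return (override or main.get("smtpd_sasl_auth_enable", "no")) == "yes"

def audit(main_text, master_text):
    """List deviations from the setup in the thread; an empty list means compliant."""
    main, master = parse_main_cf(main_text), parse_master_cf(master_text)
    findings = []
    if sasl_enabled(main, master, "smtp"):
        findings.append("port 25 (smtp) still offers SASL AUTH")
    if not sasl_enabled(main, master, "submission"):
        findings.append("submission (587) does not enable SASL AUTH")
    return findings
```

The second finding is the "break unexpectedly later" case from the thread: SASL turned off globally while the submission entry has no override of its own.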