On 27/08/2013 6:09 PM, Jeroen Geilman wrote:
> On 08/27/2013 05:24 AM, John Allen wrote:
>> On 26/08/2013 9:00 PM, Noel Jones wrote:
>>> On 8/26/2013 7:49 PM, LuKreme wrote:
>>>> OK, now that port 587 is working, I would like to disable user
>>>> submission via port 25. Not right now, but in a bit once people
>>>> have a chance to change their settings.
>>>> What do I do to prevent users sending via port 25?
>>> Super easy...
>>> # main.cf
>>> smtpd_sasl_auth_enable = no
>>> Your master.cf submission entry probably already includes
>>> -o smtpd_sasl_auth_enable=yes
>>> If not, go ahead and add it to submission now so things don't break
>>> unexpectedly later.
>>> This won't prevent users from sending local mail to port 25, but
>>> they won't be able to authenticate and won't be able to relay. This
>>> usually isn't considered a problem, and changing it often causes
>>> other issues.
>>> -- Noel Jones
>> I based it on something that Noel Jones wrote way back in 2008.
>> Create a file of the networks you wish to deny access to, e.g.
>> “Deny_Mynetworks_Access” the content of which will be the same
>> networks as those found in the mynetworks parameter of the main.cf
>> file for example:
> This is entirely unnecessary, since moving reject_unauth_destination
> in front of permit_mynetworks takes care of that.
> Everything after reject_unauth_destination is impervious to relay
> attempts, because it explicitly blocks all such attempts.
> Yes, relay_domains would be an exception to this - but think why
> domains are in relay_domains to begin with.
>> This should deny access to the smtp port (25) from the local networks
>> while allowing access to the submission port (587).
> So what you're saying is basically "to deny access from the networks
> in mynetworks, do this complicated thing"?
> A simpler way to do that would be to not put these networks in
If I remember correctly the question was how do I stop local users using
port 25, while allowing them to access port 587. I felt that the
restriction should be applied to SMTP and not to SUBMISSION.
I agree that my solution is not very good and I think that Stan
Hoeppner's response is a much more elegant solution than mine.
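
An added example, not part of the original thread: a small audit of the layout Noel Jones describes (smtpd_sasl_auth_enable = no in main.cf, overridden with -o smtpd_sasl_auth_enable=yes on the submission service in master.cf). The sample configs are constructed, the function names are hypothetical, and only the plain "-o name=value" override form is parsed.

```python
# Added example. Both configs below are constructed samples, not from the thread.
MAIN_CF = """\
smtpd_sasl_auth_enable = no
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
"""
PORTS = {"25": "smtp", "587": "submission"}

def logical_lines(text):
    """Drop comments and blanks; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def sasl_by_service(main_text, master_text):
    """Effective smtpd_sasl_auth_enable for every inet smtpd service."""
    default = "no"  # Postfix's built-in default when main.cf is silent
    for line in logical_lines(main_text):
        name, _, value = line.partition("=")
        if name.strip() == "smtpd_sasl_auth_enable":
            default = value.strip()
    result = {}
    for line in logical_lines(master_text):
        f = line.split()
        if len(f) < 8 or f[1] != "inet" or f[7] != "smtpd":
            continue
        value, args = default, f[8:]
        for flag, opt in zip(args, args[1:]):  # only the "-o name=value" form
            if flag == "-o" and opt.startswith("smtpd_sasl_auth_enable="):
                value = opt.split("=", 1)[1]
        port = f[0].rsplit(":", 1)[-1]  # accept "host:port" service names
        result[PORTS.get(port, port)] = value == "yes"
    return result

def audit(main_text, master_text):
    """Return findings; an empty list means the layout matches the advice."""
    sasl = sasl_by_service(main_text, master_text)
    checks = [(sasl.get("smtp", False), "port 25 still offers SASL AUTH"),
              (not sasl.get("submission", False), "submission does not enable SASL AUTH")]
    return [msg for bad, msg in checks if bad]
```

Calling audit() with the main.cf value flipped to no but without the submission override reports the breakage Noel warns about: authenticated users lose port 587 as well.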