On 10/21/09 17:47, Sahil Tandon wrote:
> On Wed, 21 Oct 2009, johnea wrote:
>
> Generally, the output of 'postconf -n' is preferred in lieu of snippets or entire main.cf dumps.
> Next time, exclude the comments. :)

Will do, thank you for those tips

> Whatever you decide, just make sure to use reject_unauth_destination as early as possible to avoid becoming an open relay.

I went with this modified setting in master.cf since it required no change in main.cf:

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

OT?: I commented out the:

# -o milter_macro_daemon_name=ORIGINATING

since this wasn't a listed value for this parameter in the docs, and I wasn't sure what that line was doing.

The main.cf remained unchanged with these restrictions:

atom# postconf -n | grep _restrictions
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unknown_client_hostname, reject_unauth_destination, check_policy_service unix:private/policy
smtpd_sender_restrictions = permit_mynetworks, reject_unauthenticated_sender_login_mismatch

Another related but somewhat OT question:

Since the users are now migrated to exclusively using the submission port, should I remove the 3 permit_mynetworks and the permit_sasl_authenticated?

If the permit_* statements are removed, should reject_unauth_destination be moved to the top of the smtpd_recipient_restrictions list?

Thank You Sahil

johnea
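
Added example, not part of the original message: a Python check of the ordering advice quoted above, which parses `postconf -n`-style text and reports what is evaluated before reject_unauth_destination in smtpd_recipient_restrictions. The function names and the three report categories are assumptions of this example; the sample input is the restriction line from the message.

```python
# Added example: audit what Postfix evaluates before reject_unauth_destination.
# Input is `postconf -n`-style text; SAMPLE is the line quoted in the message above.
SAMPLE = (
    "smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, "
    "reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, "
    "reject_non_fqdn_recipient, reject_unknown_sender_domain, "
    "reject_unknown_recipient_domain, reject_unknown_client_hostname, "
    "reject_unauth_destination, check_policy_service unix:private/policy\n"
)
ANCHOR = "reject_unauth_destination"
# Permits that only match clients the site already trusts to relay.
TRUSTED_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}


def parse_restrictions(postconf_text, name="smtpd_recipient_restrictions"):
    """Return the ordered restriction list for `name` ([] if not set)."""
    for line in postconf_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip() != name:
            continue
        items = []
        for tok in value.replace(",", " ").split():
            # check_* restrictions take one argument (a table or a policy socket).
            if items and items[-1].startswith("check_") and " " not in items[-1]:
                items[-1] += " " + tok
            else:
                items.append(tok)
        return items
    return []


def audit(items):
    """Classify every restriction that runs before reject_unauth_destination."""
    report = {"position": None, "trusted": [], "rejects": [], "review": []}
    if ANCHOR not in items:
        return report  # position stays None: the list has no such restriction
    report["position"] = items.index(ANCHOR)
    for item in items[: report["position"]]:
        if item in TRUSTED_PERMITS:
            report["trusted"].append(item)
        elif item.startswith("reject_"):
            report["rejects"].append(item)  # can reject or pass on, never permit
        else:
            report["review"].append(item)  # permit, check_*: may return OK first
    return report


if __name__ == "__main__":
    print(audit(parse_restrictions(SAMPLE)))
```

An empty "review" list means only trusted-client permits and reject_* checks come before reject_unauth_destination; anything listed there can accept a recipient before the relay check runs and deserves a look.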