/dev/rob0:
> On Fri, Jan 08, 2010 at 10:23:38AM -0500, Wietse Venema wrote:
> > /dev/rob0:
> > > On Fri, Jan 08, 2010 at 08:37:16AM -0500, Shaun T. Erickson wrote:
> > > > Yes, this is what is shown in the SASL Howto and how I have had
> > > > my server's submission port configured in the past.
> > > > 
> > > > However, in the 2.6.2 postfix distribution I'm trying to 
> > > > configure now, the default definition of the submission port 
> > > > uses the same restrictions, but it applies them to the 
> > > > smtpd_CLIENT_restrictions parameter, NOT the 
> > > > smtpd_RECIPIENT_restrictions parameter. I'm trying to 
> > > > understand if that is just a typo in master.cf or if the change 
> > > > is legit and, if so, why.
> > > 
> > > Here's the example to which you refer:
> > >     #submission inet n       -       n       -       -       smtpd
> > >     #  -o smtpd_tls_security_level=encrypt
> > >     #  -o smtpd_sasl_auth_enable=yes
> > >     #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> > > 
> > > If you have already configured your smtpd_recipient_restrictions in
> > > main.cf to allow SASL AUTH, this example does indeed work. It's
> > > probably not a typo, but I agree, it can be confusing. Why do this
> > > with smtpd_client_restrictions, and yet assume that you didn't have
> > > smtpd_sasl_auth_enable=yes in main.cf already?
> > 
> > The purpose of the submission service is to accept mail only from
> > authenticated clients.
> 
> This, I understand.
> 
> >  The above submission entry implements this
> > particular requirement without depending on main.cf settings.
> 
> This, I do not.

The submission service accepts mail only from authenticated clients.
To implement this, the master.cf entry enforces these requirements:
a) the requirement that the client encrypts the connection with TLS.
b) the requirement that the client authenticates with SASL.

The master.cf entry enforces this without depending on main.cf
configuration.

In particular,
a) It does not depend on TLS being enabled or required in main.cf.
b) It does not depend on SASL being enabled or required in main.cf.

        Wietse
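
An added example, not part of the original thread and not Postfix code: a small Python check that parses master.cf text and reports which of the three `-o` overrides from the quoted submission entry are absent, which is where the service would fall back to main.cf. The function names and the two sample master.cf texts are constructed for illustration, and only the plain `-o name=value` form is handled.

```python
import shlex

# The three overrides from the quoted master.cf submission entry.
REQUIRED = {
    "smtpd_tls_security_level": "encrypt",
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_client_restrictions": "permit_sasl_authenticated,reject",
}

def parse_master_cf(text):
    """Map (service, type) -> {param: value} for each entry's -o overrides."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # continuation of previous entry
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = shlex.split(line)
        if len(fields) < 8:                       # 7 columns + command name
            continue
        args = fields[8:]
        pairs = [b for a, b in zip(args, args[1:]) if a == "-o" and "=" in b]
        services[(fields[0], fields[1])] = dict(p.split("=", 1) for p in pairs)
    return services

def submission_gaps(text):
    """Overrides that are absent or differ, so main.cf decides instead."""
    # A missing or commented-out entry reports all three as None.
    entry = parse_master_cf(text).get(("submission", "inet"), {})
    return {k: entry.get(k) for k, v in REQUIRED.items() if entry.get(k) != v}

# Constructed sample inputs (not taken from a real server).
SELF_CONTAINED = """\
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
RELIES_ON_MAIN_CF = """\
submission inet n       -       n       -       -       smtpd
  # TLS and SASL are left to whatever main.cf says
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

if __name__ == "__main__":
    print(submission_gaps(SELF_CONTAINED), submission_gaps(RELIES_ON_MAIN_CF))
```

An empty result means the entry enforces TLS and SASL on its own; any key in the result names a setting whose effective value comes from main.cf.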
