Hello mouss,

On Fri, Jan 08, 2010 at 09:53:42PM +0100, mouss wrote:
> /dev/rob0 wrote:
> > On Fri, Jan 08, 2010 at 10:23:38AM -0500, Wietse Venema wrote:
> >> /dev/rob0:
> >> The purpose of the submission service is to accept mail only from
> >> authenticated clients.
> >
> > This, I understand.
> >
> >> The above submission entry implements this
> >> particular requirement without depending on main.cf settings.
> >
> > This, I do not.
> >
> > $ /usr/sbin/postconf -dh smtpd_recipient_restrictions
> > permit_mynetworks, reject_unauth_destination
> >
> > If a client from outside $mynetworks attempts to relay to
> > external addresses, and AUTH succeeds, it passes
> > smtpd_client_restrictions. But in smtpd_recipient_restrictions
> > it gets "Relay access denied". It would work if either the
> > client is in $mynetworks, or if the main.cf setting of
> > smtpd_recipient_restrictions has had permit_sasl_authenticated
> > added as per SASL_README.
I'm still confused; the point of confusion being that of purpose and utility. Wietse said above, "The purpose of the submission service is to accept mail only from authenticated clients." Fine. But I think it's rather useless unless it enables offsite users to relay to any address, internal or external. The master.cf example does not cover this unless, as I noted, the default smtpd_recipient_restrictions has been changed.

I don't see much real-world use for this, assuming basically default settings, as documentation examples must. Do you?

1. An authenticated TLS client in $mynetworks can send anywhere using this example. So what? That client can do the same on port 25 without the trouble of TLS & AUTH, with default settings.

2. An authenticated TLS client outside $mynetworks can send to any local/virtual/relay domains using this example. So what? If that client can get in on port 25, it can do the same without TLS & AUTH, with default settings.

> >> This is done for robustness reasons.
> >
> > I think, as the OP noted, that the example is confusing, and should
> > be changed as follows:
> > #submission inet n - n - - smtpd
> > #  -o smtpd_tls_security_level=encrypt
> > #  -o smtpd_sasl_auth_enable=yes
> > #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

I think my suggestion makes a more useful real-world submission service, that's all. Don't you allow your authenticated submission users to relay?

Clearly, the OP had read enough of the documentation to understand how to make a useful submission service, else the question would never have been asked, so indeed no harm resulted from the confusion. And Wietse can take it or leave it. No reply expected nor necessary in either case, so let's move on. :)
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
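The relay outcomes argued over in this thread follow from the order in which Postfix walks a restriction list: the first matching permit_* or reject_* decides, and falling off the end of smtpd_recipient_restrictions permits. The following is an added example, not code from the postfix-users thread or from Postfix itself: a small Python model of that evaluation, replayed against the three lists the message mentions (the `postconf -d` default, the SASL_README variant with permit_sasl_authenticated, and the proposed master.cf override). The $mynetworks ranges, the domain set, the client addresses and the `Session` type are constructed for the example; the model covers only the restrictions named in the thread, evaluates the recipient stage alone (not smtpd_client_restrictions), and ignores the later smtpd_relay_restrictions parameter that did not exist in 2010.

```python
"""Model of smtpd_recipient_restrictions evaluation (added example, not Postfix code)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample values, standing in for $mynetworks and the
# local/virtual/relay domains this server accepts mail for.
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]
OUR_DOMAINS = {"example.com", "lists.example.com"}

# The three restriction lists discussed in the thread.
DEFAULT_RECIPIENT = ["permit_mynetworks", "reject_unauth_destination"]  # postconf -d
SASL_README_RECIPIENT = ["permit_mynetworks", "permit_sasl_authenticated",
                         "reject_unauth_destination"]
SUBMISSION_OVERRIDE = ["permit_sasl_authenticated", "reject"]  # proposed master.cf -o

KNOWN = {"permit_mynetworks", "permit_sasl_authenticated",
         "reject_unauth_destination", "permit", "reject"}


@dataclass(frozen=True)
class Session:
    """State the smtpd process has at RCPT TO time (constructed type)."""
    client_ip: str
    sasl_authenticated: bool
    recipient: str


def in_mynetworks(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in MYNETWORKS)


def is_unauth_destination(recipient: str) -> bool:
    """reject_unauth_destination fires unless the domain is one we accept mail for."""
    return recipient.rsplit("@", 1)[-1].lower() not in OUR_DOMAINS


def evaluate(restrictions, s: Session) -> str:
    """Walk the list in order; the first permit_*/reject_* whose condition
    holds decides. Reaching the end of the list means PERMIT."""
    for r in restrictions:
        if r not in KNOWN:
            raise ValueError(f"restriction not modelled: {r}")
        if r == "permit_mynetworks" and in_mynetworks(s.client_ip):
            return "PERMIT"
        if r == "permit_sasl_authenticated" and s.sasl_authenticated:
            return "PERMIT"
        if r == "reject_unauth_destination" and is_unauth_destination(s.recipient):
            return "REJECT: Relay access denied"
        if r == "permit":
            return "PERMIT"
        if r == "reject":
            return "REJECT"
    return "PERMIT"


def outcomes(restrictions) -> dict:
    """The cases the message argues about: inside/outside $mynetworks,
    AUTH or not, recipient local or external. Addresses are constructed."""
    cases = {
        "inside, no AUTH, external rcpt":  Session("192.0.2.10", False, "bob@other.example"),
        "outside, AUTH, local rcpt":       Session("198.51.100.7", True, "alice@example.com"),
        "outside, AUTH, external rcpt":    Session("198.51.100.7", True, "bob@other.example"),
        "outside, no AUTH, external rcpt": Session("198.51.100.7", False, "bob@other.example"),
    }
    return {name: evaluate(restrictions, s) for name, s in cases.items()}


if __name__ == "__main__":
    for label, lst in [("default main.cf", DEFAULT_RECIPIENT),
                       ("SASL_README main.cf", SASL_README_RECIPIENT),
                       ("submission -o override", SUBMISSION_OVERRIDE)]:
        print(f"== {label}: {', '.join(lst)}")
        for case, result in outcomes(lst).items():
            print(f"  {case:32s} -> {result}")
```

Running it shows the case the message is about: with the default main.cf list, an authenticated client outside $mynetworks relaying to an external domain hits reject_unauth_destination and gets "Relay access denied", while the same client sending to a local domain falls off the end of the list and is permitted. Adding permit_sasl_authenticated in main.cf, or overriding the list on the submission service with `permit_sasl_authenticated,reject`, permits the relay; the override additionally rejects unauthenticated clients even when they are inside $mynetworks, which is what "accept mail only from authenticated clients" means on port 587.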