Hi,

>> I have a fedora14 box that I'm trying to configure for use with
>> postfix with dovecot and TLS, permitting only TLS connections after
>> authenticating with sasl.
>
> What do you mean, *after* ?

Oops. I'm still learning this, and think I got confused writing this so late last night.

>> Apr 2 01:03:55 fc14 postfix/smtpd[10284]: NOQUEUE: reject: RCPT from
>> unknown[184.XXX.XX.223]: 553 5.7.1<[email protected]>: Sender
>> address rejected: not owned by user alex; from=<[email protected]>
>> to=<[email protected]> proto=ESMTP
>> helo=<184-XXX-XXX-223.pools.mycellphone.net>
>>
>
> You're not authenticated.
>
>> smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
>> smtpd_sender_restrictions = reject_sender_login_mismatch
>>
>
> This rejects mail from SASL'ed clients who are not in the map AND
> non-SASL'ed clients who ARE in the map.
> The above log line matches the latter condition, hence why it says that.
>
>> smtpd_tls_auth_only = yes
>>
>
> SASL is not offered before a secure connection is established.
>
>> smtpd_tls_security_level = encrypt
>>
>
> However, TLS is mandatory.
>
>> Are there any other options I should be concerned about with regards
>> to security, and ensuring I don't become a relay or risk of
>> unauthorized access?
>>
>
> Fix your client to properly use TLS AND THEN SASL.

I'm using the K9 client for Android. Using this method with TLS and SASL I need port 25 open for SMTP and TLS, and 587 for submission and SASL, correct?

Thanks,
Alex
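
Added example (not part of the original thread, and not Postfix's own code): a simplified Python model of the two rejection cases of `reject_sender_login_mismatch` described in the quoted reply. The map entries, addresses and function names are constructed for illustration, and only the full-address and `@domain` lookups are modelled.

```python
# Simplified model of reject_sender_login_mismatch with smtpd_sender_login_maps.
# All addresses and logins below are constructed sample data.

SAMPLE_MAP = """\
# MAIL FROM address        SASL login(s) allowed to use it
alex@example.com           alex
sales@example.com          alex, bob
@lists.example.com         listadmin
"""

def parse_login_map(text):
    """Parse 'address  login[,login...]' lines of a lookup table source file."""
    owners = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, logins = line.split(None, 1)
        owners[address.lower()] = set(logins.replace(",", " ").split())
    return owners

def lookup_owners(owners, sender):
    """Try the full address first, then the @domain key (simplified order)."""
    sender = sender.lower()
    if sender in owners:
        return owners[sender]
    return owners.get("@" + sender.rpartition("@")[2])

def check_sender(owners, sender, sasl_login=None):
    """Return (action, reason). sasl_login is None for an unauthenticated client.
    DUNNO means this restriction makes no decision and later ones still apply."""
    allowed = lookup_owners(owners, sender)
    if sasl_login is None:
        if allowed is not None:
            return ("REJECT", "sender is listed but client is not logged in")
        return ("DUNNO", "unauthenticated client, sender not listed")
    if allowed is None or sasl_login not in allowed:
        return ("REJECT", "login %s does not own sender" % sasl_login)
    return ("DUNNO", "login %s owns sender" % sasl_login)

LOGIN_MAP = parse_login_map(SAMPLE_MAP)

if __name__ == "__main__":
    cases = [("alex@example.com", None), ("alex@example.com", "alex"),
             ("sales@example.com", "bob"), ("bob@example.org", "alex"),
             ("stranger@example.net", None)]
    for sender, login in cases:
        print(sender, login, check_sender(LOGIN_MAP, sender, login))
```

Because unlisted senders from unauthenticated clients pass this check, it does not by itself prevent relaying; the recipient restrictions still have to do that.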
