On 12/9/2011 10:15 AM, Grant wrote:
>>>>> master.cf:
>>>>>
>>>>> submission inet n - n - - smtpd
>>>>>   -o smtpd_sasl_auth_enable=yes
>>>>>   -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>>>>>
>>>
>>> You should also have:
>>>
>>> smtpd_tls_security_level=encrypt
>>>
>>> for the submission service...
>>>
>>
>>
>> Normally yes, but OP is using submission for unencrypted,
>> unauthenticated local mail.
>>
>> I also suggested he explicitly set -o smtpd_tls_auth_only=yes and
>> add reject_plaintext_session, but apparently he knows better.
>
> Alright, I thought my config rendered those unnecessary/redundant, but
> apparently not?
>
> - Grant

I carefully chose all those options to make submission as secure as possible while still allowing ONLY localhost to submit unencrypted/unauthenticated mail.

The options I suggested are not all required, but all are included for a reason -- either because they enhance security or because they protect you from accidents in main.cf.

You are, of course, free to configure your server any way you please. But it's rather annoying when you ask for expert advice and then announce you'll do something different. Repeatedly.

  -- Noel Jones
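
Added example, not part of the original thread and not Noel Jones's configuration: a small Python check that reads the -o overrides of the submission entry and reports which of the settings named above (smtpd_tls_auth_only=yes, reject_plaintext_session) are not set in master.cf itself, so that a later change in main.cf cannot silently weaken the service. THREAD_CONFIG reproduces the quoted entry; HARDENED, the function names and the placement of reject_plaintext_session after permit_mynetworks are assumptions, as is the classic "-o name=value" syntax.

```python
# Constructed sample: the submission entry as quoted in the thread.
THREAD_CONFIG = """\
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
"""

# Constructed sample: same entry plus the two settings named in the thread.
# Placing reject_plaintext_session after permit_mynetworks is an assumption.
HARDENED = """\
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_plaintext_session,permit_sasl_authenticated,reject
"""

REQUIRED = {"smtpd_sasl_auth_enable": "yes", "smtpd_tls_auth_only": "yes"}

def service_overrides(master_cf, service="submission"):
    """Return {name: value} for every -o override of one service entry."""
    entries = []
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if raw[0].isspace() and entries:
            entries[-1].extend(raw.split())       # continuation line
        else:
            entries.append(raw.split())           # new service entry
    overrides = {}
    for fields in entries:
        if fields[0] != service:
            continue
        args = fields[8:]                         # after the 7 fields + command
        for flag, arg in zip(args, args[1:]):
            if flag == "-o":
                name, _, value = arg.partition("=")
                overrides[name] = value
    return overrides

def audit(master_cf):
    """List hardening overrides the submission entry does not set itself."""
    o = service_overrides(master_cf)
    findings = [f"{k}={v} not set with -o" for k, v in REQUIRED.items() if o.get(k) != v]
    lists = [v.split(",") for k, v in o.items() if k.endswith("_restrictions")]
    if not any("reject_plaintext_session" in lst for lst in lists):
        findings.append("reject_plaintext_session not in any -o restriction list")
    return findings
```

audit(THREAD_CONFIG) returns two findings and audit(HARDENED) returns none; the check only looks at master.cf, so values inherited from main.cf are deliberately not counted.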