On 3/12/2013 5:21 PM, Alex wrote:
> Hi,
>
>>>>> This is normal operation for a general-purpose mail server. Mail to
>>>>> local users can be received from anywhere (subject to spam
>>>>> controls). Only authorized users can relay to third-party
>>>>> destinations.
>>>>>
>>>>> This is a typical setup for an internet-facing mail server.
>>>>
>>>> It's somewhat of an internal server, despite being connected to the
>>>> Internet. No one was ever supposed to connect to it directly, and
>>>> trying to convert everyone to SMTP Auth is going to be a challenge.
>>>
>>> The config for an internal server is pretty simple, something like
>>>
>>> smtpd_recipient_restrictions =
>>>   check_client_access hash:/etc/postfix/allowed_clients
>>>   check_client_access hash:/etc/postfix/pop-b-smtp
>>> # next line optional
>>>   permit_mynetworks
>>> # finally, reject anything not explicitly allowed
>>>   reject
>
> I have two different threads going for two different servers (one a
> relay, one a mail store), so I don't want to make it confusing. This
> is for the mail store.
>
> Will this set of restrictions above prevent the standard Internet user
> who hasn't authenticated using pop-b-smtp from being able to send mail
> to the local recipients? That is what I'd like to be able to do.

Yes. Although see my other mail about a more secure config; probably
better to use that.

smtpd_recipient_restrictions =
  permit_mynetworks
  check_client_access hash:/etc/postfix/pop-b-smtp
  reject_unauth_destination
  check_client_access hash:/etc/postfix/allowed_clients
  reject

The final reject ensures that random clients cannot send you mail.

> pop-b4-smtp is so old that I'm reluctant to continue to maintain it on
> the new system, but it may just be to my benefit instead of the
> difficulty with forcing SMTP Auth from the day the server goes live.

Absolutely a good time to require AUTH and get away from p-b-smtp.

> Standard users on the Internet should not be mailing this server
> directly, so I'd like to either require pop-b4-smtp or SMTP Auth and
> otherwise reject mail outright.
>
> Shouldn't I just eliminate pop-b4-smtp in this day and age and require
> SMTP Auth?

Yes. There was a time when some mainstream mail clients didn't support
AUTH, or supported it poorly, hence the need for p-b-smtp. There was
also a time it was considered good manners to be an open relay so your
neighbors could use your server. Both those have outlived their
usefulness.

-- 
Noel Jones
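
Added example, not part of the original message: a small Python model of how Postfix walks the second restriction list above, where the first decisive result wins. The networks, table entries and the local domain are constructed sample values, and the access-table lookup is simplified to an exact IP match.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the thread).
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.com"}  # stands in for mydestination
TABLES = {
    "pop-b-smtp": {"198.51.100.7": "OK"},       # client that recently did POP auth
    "allowed_clients": {"203.0.113.25": "OK"},  # e.g. the inbound relay host
}

# Same order as the smtpd_recipient_restrictions in the reply.
RESTRICTIONS = [
    ("permit_mynetworks", None),
    ("check_client_access", "pop-b-smtp"),
    ("reject_unauth_destination", None),
    ("check_client_access", "allowed_clients"),
    ("reject", None),
]


def evaluate(client_ip, rcpt, restrictions=RESTRICTIONS):
    """Return (decision, deciding_restriction) for one RCPT TO."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for name, arg in restrictions:
        if name == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return "permit", name
        elif name == "check_client_access":
            # Simplified: exact IP match only. Real lookups also try
            # hostnames, parent domains and network prefixes.
            if TABLES[arg].get(client_ip) == "OK":
                return "permit", f"{name} {arg}"
        elif name == "reject_unauth_destination":
            # Rejects relay attempts; otherwise has no opinion.
            if domain not in LOCAL_DOMAINS:
                return "reject", name
        elif name == "reject":
            return "reject", name
    # Postfix permits when a restriction list ends without a decision.
    return "permit", "end of list"


if __name__ == "__main__":
    for ip, rcpt in [("192.0.2.10", "a@elsewhere.test"),
                     ("198.51.100.7", "a@elsewhere.test"),
                     ("203.0.113.25", "user@example.com"),
                     ("203.0.113.25", "a@elsewhere.test"),
                     ("203.0.113.99", "user@example.com")]:
        print(ip, rcpt, evaluate(ip, rcpt))
```

The last sample case is the one asked about: an unlisted Internet client addressing a local recipient passes every earlier check without a decision and is stopped by the final reject.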