On Fri, May 31, 2013 at 11:15:05AM -0400, James Zee wrote:
> On Fri, May 31, 2013 at 8:09 AM, /dev/rob0 <r...@gmx.co.uk> wrote:
> > On Fri, May 31, 2013 at 12:43:51AM -0400, James Zee wrote:
snip
> > Also, you really should separate submission from your inbound 
> > port 25. I only allow relaying on the submission port. As such
> > I define separate smtpd_*_restrictions for the submission port, 
> > to wit:
> >
> > [ master.cf ]
> >
> > submission inet  n       -       n       -       -       smtpd
> >     -o smtpd_tls_auth_only=yes -o smtpd_sasl_auth_enable=yes

These two options are not set globally, but only for submission.

> >     -o smtpd_recipient_restrictions=

This one is unset, to override the main.cf default.

> >     -o smtpd_relay_restrictions=$submission_relay_restrictions

And this one is set to a non-standard name which is defined in the 
main.cf file.

> >     -o milter_macro_daemon_name=ORIGINATING
> >     -o syslog_name=postfix/submission
> >
> > (Also unset any other restrictions which are in use on port 25.)

If you had any other smtpd_*_restrictions set in main.cf, they should 
be unset here just as was shown for smtpd_recipient_restrictions.

> Thanks for the tip. This is a good idea that I just attempted to
> implement based on some reading / research.
> 
> Forgive the lack of knowledge in this particular field -- like your
> postscreen readme indicated, I'm attempting to walk before I run. :)
> Any gentle guidance on things to improve in this master.cf snippet
> would be definitely appreciated and humbly accepted.
> 
> -->8--
> 
> submission inet n       -       -       -       -       smtpd

Your chroot issues are between you and the Debian maintainer. I will 
have no part of it, thank you. :)

>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt

You did not override the main.cf settings I showed you above.

> smtps     inet  n       -       -       -       -       smtpd
>   -o syslog_name=postfix/smtps

smtps is deprecated, and was never actually finalized as a protocol. 
Only old (and highly vulnerable) Microsoft clients need it, being 
unable to STARTTLS in submission. Those clients are not worth 
supporting. Tell your users to download Thunderbird.

> --8<--
> 
> Look good?

It was not what I said.

snip
> >>     reject_unauth_destination
> >
> > smtpd_relay_restrictions has this, so it's not needed here.
> > OTOH perhaps you did need the permit_* restrictions you have 
> > omitted; everything here will also be applied to your own
> > users: very wrong!
> 
> Can you please clarify?

Every smtpd_* postconf(5) setting you define in main.cf applies to 
every smtpd(8) instance you invoke from master.cf except where the 
master.cf command line explicitly overrides those settings.

Did you test relaying with the settings in the OP? I'm guessing you 
did not.

> I omitted permit_* restrictions because I didn't think that they 
> were necessary if a message passed all of the reject restrictions. 
> Should I be explicitly defining a permit? If so, where and why?

If you define an optional restriction stage (and with 
smtpd_relay_restrictions in Postix(sic)[1] 2.10 and later, 
smtpd_recipient_restrictions is optional), it is evaluated for every 
connection to every smtpd, unless, as I mentioned a few times above, 
it is overridden on the master.cf command line.

SMTPD_ACCESS_README.html#lists explains how this works. For a message 
to be accepted, every restriction stage must evaluate to a permit 
action.

You have your permit_* restrictions in smtpd_relay_restrictions, but 
not in smtpd_recipient_restrictions. Therefore, relaying is 
forbidden by smtpd_recipient_restrictions.



[1] Wietse, this is a typo in the man page at the end of 
    postconf.5.html#smtpd_relay_restrictions
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
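
The rule spelled out in the reply above (every smtpd_* setting in 
main.cf applies to every smtpd(8) instance unless the master.cf 
command line overrides it, and every non-empty restriction stage must 
permit before relaying works) can be checked mechanically. The 
following is an added example, not code from the thread or from 
Postfix: it merges a main.cf with the -o overrides of each smtpd 
service in master.cf and reports which inherited stages would reject a 
SASL-authenticated client before it reaches permit_sasl_authenticated. 
The main.cf and the two master.cf variants embedded in it are 
constructed to mirror the thread, not the OP's real files; the 
function names and the simplified parsing (leading whitespace 
continues the previous line, bounded $name expansion) are assumptions 
of this example.

```python
"""Added example (not from the thread or Postfix): compute the effective
smtpd_*_restrictions of each smtpd(8) service by merging main.cf with
the service's "-o name=value" overrides in master.cf, then flag stages
that reject before permit_sasl_authenticated.  Config texts are
constructed; parsing is deliberately simplified."""
import re
from typing import Dict, List

# Constructed main.cf: reject_unauth_destination sits in
# smtpd_recipient_restrictions with no permit_sasl_authenticated before it.
MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination
# non-standard name, referenced from master.cf as $submission_relay_restrictions
submission_relay_restrictions =
    permit_sasl_authenticated,
    reject
"""

# Constructed: the OP's shape, only syslog_name and the TLS level overridden.
MASTER_CF_OP = """\
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
"""

# Constructed: the shape /dev/rob0 recommended in the reply.
MASTER_CF_ROB0 = """\
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o smtpd_tls_auth_only=yes -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=$submission_relay_restrictions
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix/submission
"""

STAGES = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
          "smtpd_sender_restrictions", "smtpd_recipient_restrictions",
          "smtpd_relay_restrictions")
_REF = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")


def _logical_lines(text: str) -> List[str]:
    """Drop comments and blanks; a line starting with whitespace continues the previous one."""
    out: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_main_cf(text: str) -> Dict[str, str]:
    params: Dict[str, str] = {}
    for line in _logical_lines(text):
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def parse_master_cf(text: str) -> Dict[str, dict]:
    """Return {"name/type": {"command": str, "overrides": {param: value}}}."""
    services: Dict[str, dict] = {}
    for line in _logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue                      # not a service definition line
        args, overrides = fields[8:], {}
        for flag, setting in zip(args, args[1:]):
            if flag == "-o":
                key, _, val = setting.partition("=")
                overrides[key] = val      # "-o name=" yields an explicit empty value
        services[f"{fields[0]}/{fields[1]}"] = {"command": fields[7], "overrides": overrides}
    return services


def expand(value: str, params: Dict[str, str], depth: int = 0) -> str:
    """Expand $name / ${name} against params, with a recursion bound."""
    if depth > 8:
        return value
    return _REF.sub(lambda m: expand(params.get(m.group(1), ""), params, depth + 1), value)


def effective_settings(main: Dict[str, str], service: dict) -> Dict[str, str]:
    """main.cf applies to every smtpd(8) unless the master.cf -o line overrides it."""
    eff = dict(main)
    eff.update(service["overrides"])
    return {k: expand(v, eff) for k, v in eff.items()}


def relay_blockers(eff: Dict[str, str]) -> Dict[str, List[str]]:
    """Stages in which a blanket reject is reached before permit_sasl_authenticated."""
    found: Dict[str, List[str]] = {}
    for stage in STAGES:
        items = [t for t in re.split(r"[,\s]+", eff.get(stage, "")) if t]
        for item in items:
            if item == "permit_sasl_authenticated":
                break
            if item in ("reject_unauth_destination", "reject"):
                found[stage] = items
                break
    return found


def audit(main_cf: str, master_cf: str) -> Dict[str, dict]:
    """Per smtpd service: is SASL on, and which stages would block authenticated relaying."""
    main = parse_main_cf(main_cf)
    report: Dict[str, dict] = {}
    for svc, spec in parse_master_cf(master_cf).items():
        if spec["command"] != "smtpd":
            continue
        eff = effective_settings(main, spec)
        report[svc] = {"sasl_auth": eff.get("smtpd_sasl_auth_enable") == "yes",
                       "relay_blocked_by": relay_blockers(eff)}
    return report


if __name__ == "__main__":
    for label, master in (("OP", MASTER_CF_OP), ("/dev/rob0", MASTER_CF_ROB0)):
        for svc, info in audit(MAIN_CF, master).items():
            print(f"{label:9} {svc:16} sasl_auth={info['sasl_auth']!s:5} "
                  f"relay_blocked_by={sorted(info['relay_blocked_by'])}")
```

With the OP's master.cf the submission service inherits both the 
recipient and the relay stage from main.cf and has SASL off, so it 
relays for nobody; with the recommended entry the recipient stage is 
explicitly empty and the relay stage expands to 
"permit_sasl_authenticated, reject", while port 25 keeps its 
reject_unauth_destination. On a live system, postconf -n prints the 
non-default main.cf settings and postconf -M (Postfix 2.9 and later) 
prints the master.cf entries with their -o overrides, so the two 
constructed strings can be swapped for the real files.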
