On Wed, Aug 19, 2015 at 12:30:55PM -0500, Paul Schmehl wrote:
> >The port 465 wrapper-mode service is for mail submission, and so
> >should allow only authenticated users, and let them send outbound
> >mail. Or perhaps you don't need it at all, if you don't know
> >what it is for.
>
> No need to be unkind, Victor. I do this on a volunteer basis, and I'm not
> an email expert.

No unkindness intended, the idea is that if you don't know what
the service is for, likely you don't actually need it. But it
sounds like you might need it...

> I thought that -o smtpd_sasl_auth_enable=yes meant that only authenticated
> users could send mail from outside the domain. Is that not true?

No, that just means that SASL authentication is *allowed*, but it
is not automatically *required*. For that, see the stock master.cf
that ships with Postfix, it has a stock port 465 entry commented
out:

#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

If your Postfix is older than 2.10, use "smtpd_recipient_restrictions"
instead of "smtpd_relay_restrictions".

> >use the "filter" transport.
> >
> >>> filter    unix  -       n       n       -       -       pipe
> >>>   flags=Rq user=filter
> >>>   argv=/usr/local/bin/filter.sh -f ${sender} -- ${recipient}
> >
> >Why would you proceed to fully comment it out, when informed to do
> >the opposite?
> >
>
> I commented out filter, because it wasn't working. You then complained
> about the argv line, because I used grep -v "#" to show what was in the
> master.cf file, and that apparently confused you. So I commented it out as
> well.

When it is broken, you need to fix it, not comment it out, *and*
when commenting out multi-line entries in master.cf, you have to
comment out *each* line, not just the first.

> >Do you want that "filter.sh" script to scan all inbound mail or not?
>
> Of course I do, but it wasn't working, which is why I removed it.

Well, that can't work, because you're configured to use it.
See

http://www.postfix.org/FILTER_README.html#simple_filter
http://www.postfix.org/FILTER_README.html#simple_turnoff

--
Viktor.
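
The two points made in this reply (SASL that is enabled but not required on a service, and a multi-line master.cf entry with only its first line commented out) can be checked mechanically. The following is an added example, not part of the original thread and not Postfix code: a heuristic audit over a constructed sample master.cf, with the function name `audit` and the sample contents being assumptions made for illustration.

```python
import re

# Constructed sample master.cf (not from the thread): a port 465 entry that
# enables SASL but never requires it, and a filter entry with only its
# first line commented out.
SAMPLE = """\
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#filter   unix  -       n       n       -       -       pipe
  flags=Rq user=filter
  argv=/usr/local/bin/filter.sh -f ${sender} -- ${recipient}
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

# Restriction lists the reply names as the place to require authentication.
REQUIRE_AUTH = ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")

def audit(text):
    """Return (findings, logical_entries) for a master.cf given as a string."""
    findings, entries, prev_comment = [], [], False
    for num, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("#"):
            prev_comment = True
            continue
        if line[0].isspace():
            # Leading whitespace continues the previous logical line, so an
            # orphaned line is absorbed by the entry above the comment.
            if prev_comment:
                findings.append(f"line {num}: continuation after a comment; "
                                "comment out every line of the entry")
            if entries:
                entries[-1] += " " + stripped
        else:
            entries.append(stripped)
        prev_comment = False
    for entry in entries:
        opts = dict(re.findall(r"-o\s+(\w+)=(\S*)", entry))
        if opts.get("smtpd_sasl_auth_enable") != "yes":
            continue
        lists = [re.split(r"[,\s]+", opts.get(k, "")) for k in REQUIRE_AUTH]
        if not any("permit_sasl_authenticated" in l and l[-1] == "reject"
                   for l in lists):
            findings.append(f"{entry.split()[0]}: SASL allowed but not required")
    return findings, entries
```

On the sample, the orphaned flags= and argv= lines end up appended to the smtps entry, which is why each line of the entry has to be commented out. The check only looks at -o overrides in master.cf, so a requirement set globally in main.cf is not seen.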