Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Noel Jones (njonesmegan.vbhcs.org)
Date: Fri Mar 13 2009 - 11:38:46 CDT
> On 13-Mar-2009, at 09:04, Jorey Bump wrote:
>>> For the people still supporting the antiquated model of accepting mail
>>> submission via SMTP rather than a proper port 587 daemon, it is
>>> important to make allowances for the fact that MUA's frequently have no
>>> better choice for their HELO argument than an IP literal, and sometimes
>>> even that is pretty lousy (i.e. an ephemeral RFC1918 private IP)
>> MUA HELOs are problematic in many ways. But you're absolutely right,
>> this is best handled by delaying this sort of check_helo_access until
>> smtpd_recipient_restrictions, after permit_mynetworks &
>> permit_sasl_authenticated, if you support submission on SMTP port 25 on
>> an MX server.
> OK, this piqued my interest. I have 587 setup, and I also have a couple
> of alternate ports in the 1025+ range to deal with any users unlucky
> enough to be behind draconian ISPs, but I do still accept mail on port
> 25. In fact, I wasn't even aware that you could force users to use the
> submission port.
You can't "prevent" them from connecting to port 25, but you
can make it less useful by not allowing them to relay.
Or you can be really draconian and reject your own domain as
sender from unauthenticated/unauthorized clients.
It's then usually enough to point them to a web page with
I don't know if I would go so far as to say this is a
recommended setup, but it since it cleanly separates your
traffic it makes applying separate policies (ie. spam/virus
controls, DKIM, logs, whatever) to authenticated users easier.
> Where's the read me on configuring master.cf for this, as I think it
> might be worth looking at.
No specific readme on this, just configure the existing
restrictions to do what you want. Maybe this helps a little
Just remove permit_sasl_authenticated from the port 25
listener (and maybe restrict mynetworks to only clients that
can't authenticate). This is usually done by removing
permit_sasl_authenticated from main.cf and adding -o
(and maybe other options such as syslog_name) to the master.cf
-- Noel Jones