
Re: New default settings for "submission" service?

From: Robert Schetterer <robert_at_nospam>
Date: Tue Mar 13 2012 - 18:46:09 GMT
To: postfix-users@postfix.org

On 13.03.2012 17:37, Patrick Ben Koetter wrote:
> * Patrick Ben Koetter <postfix-users@postfix.org>:
>> * Wietse Venema <postfix-users@postfix.org>:
>>> Different sites have different needs, and perhaps it is an idea to
>>> provide *multiple* submission service examples in master.cf, all
>>> commented out of course. The first could be the recommended one:
>>> not allowing plaintext sessions is good as a general rule. The
>>> second example could allow plaintext sessions (level = may) but
>>> allow plaintext passwords only over encrypted sessions.
>
> Here are two examples we all seem to agree on. They differ in TLS
> (optional/mandatory) and the SASL mechanisms they allow depending on the TLS
> context.
>
> Additionally, both examples have SMTP session filters that check for syntactic
> deliverability (MSA job) and add required headers if they are missing.
>
> Filters and fixing headers is a change I'd propose, but nobody seems to have
> commented on yet. Agreed by everyone?
>
> As a safety net I would change smtpd_client_restrictions into
> smtpd_recipient_restrictions. This will give a client sufficient time to
> authenticate and permit_sasl_authenticated will work even if an admin changed
> the defaults for smtpd_delay_reject. It also makes it possible to filter for
> reject_non_fqdn_recipient, which the RFC I quoted says to be a MSA job.
>
>
> # submission example 1: Optional TLS with SASL methods safe to use over an
> # unencrypted network
> #submission inet n - - - - smtpd
> # -o smtpd_tls_security_level=may
> # -o smtpd_sasl_auth_enable=yes
> # -o smtpd_sasl_security_options=noplaintext,noanonymous
> # -o smtpd_tls_sasl_security_options=noanonymous
> # -o always_add_missing_headers=yes
> # -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
> # -o milter_macro_daemon_name=ORIGINATING
>
>
> # submission example 2: Mandatory TLS and SASL only over an encrypted network
> #submission inet n - - - - smtpd
> # -o smtpd_tls_security_level=enforce
> # -o smtpd_sasl_auth_enable=yes
> # -o smtpd_tls_auth_only=yes
> # -o always_add_missing_headers=yes
> # -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
> # -o milter_macro_daemon_name=ORIGINATING
>

Hi Patrick,

always_add_missing_headers (default: no)

    Always add (Resent-) From:, To:, Date: or Message-ID: headers when
    not present. Postfix 2.6 and later add these headers only when clients
    match the local_header_rewrite_clients parameter setting. Earlier
    Postfix versions always add these headers; this may break DKIM
    signatures that cover non-existent headers.

Are you sure that your example is safe with i.e. DKIM?

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
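As an added example (not code from the thread or from Postfix), a small Python checker that reads a master.cf submission stanza and tests the properties the thread argues about: SASL enabled, no plaintext credentials over cleartext sessions, permit_sasl_authenticated followed by a final reject in smtpd_recipient_restrictions, reject_non_fqdn_recipient present, and Robert's always_add_missing_headers/DKIM concern flagged as a warning. It recognises only the smtpd_tls_security_level values documented in postconf(5) (none, may, encrypt), so the `enforce` spelling in example 2 is reported as unknown rather than treated as mandatory TLS.

```python
# Added example (not code from the thread): lint the -o overrides of a
# master.cf "submission" entry for the properties the thread argues for.
# Constructed input: example 1 from the thread with ">" and "#" removed.
EXAMPLE_1 = """\
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noplaintext,noanonymous
  -o smtpd_tls_sasl_security_options=noanonymous
  -o always_add_missing_headers=yes
  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""

def parse_overrides(master_cf):
    """Return {name: value} for the submission service's -o overrides;
    a leading '#' is stripped so commented-out stanzas can be checked."""
    opts, active = {}, False
    for raw in master_cf.splitlines():
        fields = raw.lstrip("# \t").split()
        if len(fields) >= 8 and fields[1] == "inet":   # a service line
            active = fields[0] == "submission"
        elif active and len(fields) == 2 and fields[0] == "-o":
            name, _, value = fields[1].partition("=")
            opts[name] = value
    return opts

def check_submission(master_cf):
    """Return (severity, message) findings; an empty list means clean."""
    o, out = parse_overrides(master_cf), []
    if o.get("smtpd_sasl_auth_enable") != "yes":
        out.append(("error", "smtpd_sasl_auth_enable is not yes"))
    level = o.get("smtpd_tls_security_level", "none")
    if level not in ("none", "may", "encrypt"):   # postconf(5) values
        out.append(("error", f"unknown smtpd_tls_security_level {level!r}"))
    # Plaintext credentials must never cross a cleartext session: mandatory
    # TLS, SASL offered only after STARTTLS, or no plaintext mechanisms.
    if not (level == "encrypt" or o.get("smtpd_tls_auth_only") == "yes"
            or "noplaintext" in o.get("smtpd_sasl_security_options", "")):
        out.append(("error", "plaintext SASL offered on unencrypted sessions"))
    rcpt = o.get("smtpd_recipient_restrictions", "").split(",")
    if rcpt == [""]:
        out.append(("warning", "no smtpd_recipient_restrictions safety net"))
    elif "permit_sasl_authenticated" not in rcpt or rcpt[-1] != "reject":
        out.append(("error", "expect permit_sasl_authenticated then final reject"))
    elif "reject_non_fqdn_recipient" not in rcpt:
        out.append(("warning", "reject_non_fqdn_recipient missing (MSA job)"))
    if o.get("always_add_missing_headers") == "yes":
        out.append(("warning", "always_add_missing_headers=yes: check DKIM impact"))
    return out
```

Running `check_submission(EXAMPLE_1)` yields only the DKIM warning; a stanza that leaves TLS optional without `noplaintext` and keeps `smtpd_client_restrictions` gets an error for the credential exposure plus a warning for the missing recipient-restriction safety net.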