Max Pyziur <pyz@brama.com> wrote:
> Are there any views in this CentOS user community on [using port 587]?
Yes. Not only is enabling 'submission' a good idea, but you should also enable 'smtps' (which is different from smtp+tls):
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
> To authenticate, users would first have to POP their mail.
> Is there a better way of doing this?
As others have said, yes. Details:
Have the users do authentication over smtp+tls, submission, or smtps (you should enable all three and let the users pick as the optimal solution varies with email client).
To do this safely, you *must* ensure that you only permit someone to authenticate if they're on an encrypted session.
define(`confAUTH_OPTIONS', `A,p,y')dnl
TRUST_AUTH_MECH(`EXTERNAL LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL LOGIN PLAIN')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
You need to set up saslauthd to support it. I use saslauthd to query ldap. My systems also use cyrus imapd as the MDA, although you could use other MDAs.
Remember to set up SSL (confCACERT_PATH, confCACERT, confSERVER_CERT, confSERVER_KEY).
Devin
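The following is an added example, not part of Devin's post or of sendmail: a small lint over sendmail.mc fragments that checks the policy described above (listeners for submission and smtps exist, submission requires authentication, and confAUTH_OPTIONS carries 'p' so LOGIN/PLAIN are only offered once the session is encrypted). The sample configuration text is constructed from the lines in the post; the regexes and the audit() function are assumptions of this example.

```python
import re

# Constructed sample built from the sendmail.mc lines quoted in the post (not a live config).
SAMPLE_MC = """\
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
define(`confAUTH_OPTIONS', `A,p,y')dnl
TRUST_AUTH_MECH(`EXTERNAL LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL LOGIN PLAIN')dnl
"""

# m4 quoting uses a backtick to open and a single quote to close.
DAEMON_RE = re.compile(r"DAEMON_OPTIONS\(`([^']*)'\)")
DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`([^']*)'\)")


def parse_mc(text):
    """Return (daemons, defines): daemons maps listener Name -> its key=value options,
    defines maps macro name -> value."""
    daemons, defines = {}, {}
    for line in text.splitlines():
        m = DAEMON_RE.search(line)
        if m:
            pairs = (p.strip().split("=", 1) for p in m.group(1).split(",") if "=" in p)
            opts = dict(pairs)
            daemons[opts.get("Name", "?")] = opts
        m = DEFINE_RE.search(line)
        if m:
            defines[m.group(1)] = m.group(2)
    return daemons, defines


def audit(text):
    """Return a list of findings; an empty list means the auth/TLS policy from the post is in place."""
    daemons, defines = parse_mc(text)
    findings = []
    auth_opts = {o.strip() for o in defines.get("confAUTH_OPTIONS", "").split(",")}
    if "p" not in auth_opts:
        findings.append("confAUTH_OPTIONS lacks 'p': LOGIN/PLAIN would be offered on unencrypted sessions")
    if "y" not in auth_opts:
        findings.append("confAUTH_OPTIONS lacks 'y': anonymous login is permitted")
    ports = {d.get("Port") for d in daemons.values()}
    for port in ("submission", "smtps"):
        if port not in ports:
            findings.append(f"no DAEMON_OPTIONS listener for port {port}")
    for name, d in daemons.items():
        flags = d.get("M", "")
        if d.get("Port") == "submission" and "a" not in flags:
            findings.append(f"{name}: submission listener lacks M=a (authentication not required)")
        if d.get("Port") == "smtps" and "s" not in flags:
            findings.append(f"{name}: smtps listener lacks M=s (not TLS-on-connect)")
    return findings
```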