[TriLUG] Postfix, Thunderbird and Submission
Aaron Schrab
aaron at schrab.com
Mon Nov 28 10:39:50 EST 2011
At 07:04 -0800 28 Nov 2011, Brian McCullough <bdmc at bdmcc-us.com> wrote:
>Folks,
>
>Last night I fired up Thunderbird in my Ubuntu box ( 3.1.15 in a 10.10
>environment, if I remember correctly ), and discovered that it ( the
>combination of Thunderbird and Postfix with Dovecot ) was not happy at
>all about delivering mail that I composed in Thunderbird.
>
>Thunderbird is configured to send to port 587 with TLS on my mail
>server.
>
>I went through the SASL documentation in /usr/doc/postfix and followed
>the suggestions there, the parts that were not already in my main.cf,
>and was able to start sending mail.
>
>However, I discovered a while later that I was not receiving anything
>at all through port 25.
>
>I removed the additions and mail started flowing again, but I expect
>that I will not be able to send mail using Thunderbird any more.
>
>Would moving those changes from main to master ( on port 587 ) be a
>reasonable solution, or am I out of luck?
It's impossible to say without knowing what changes you actually made to
main.cf, but at least some of them probably belong in master.cf.

For proper setup of the submission port (587) at least some settings
need to be specified in master.cf, since the entire point of it is to
have a different policy than is used for port 25. Port 25 needs to
allow mail from anybody (possibly excepting filtered sites) if it's
addressed to a recipient handled by the receiving server, but port 587
should only allow messages from authorized users. If you made all of
the changes to main.cf, the problem is likely that postfix was requiring
authentication from mail servers that are trying to send messages to
you.

Generally, you'd want to do general setup of SASL in main.cf, then just
override the smtpd_*_restrictions for the submission port in master.cf.
Here's what I have in master.cf for the submission port:

submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_helo_restrictions=permit
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

I require that all connections use encryption (using STARTTLS, listed as
TLS in Thunderbird), undo restrictions on the HELO command that I have
in place for port 25, and allow messages iff they're from an
authenticated client.

When I set that up I also added permit_sasl_authenticated to the
smtpd_recipient_restrictions in main.cf so that authenticated clients
can also send through port 25, but I don't think that I ever actually
make use of that.

I also have permit_sasl_authenticated in smtpd_client_restrictions
before my reject_rbl_client, so that authenticated clients can send
messages even if their IP address is in one of the black lists that I
use.
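
Added example, not part of the message above: a small Python check for the split the reply describes, where the authenticated-only policy sits on the submission entry in master.cf and port 25 is left open to other mail servers. The sample master.cf is constructed, the function names are hypothetical, and the parser assumes the plain `-o name=value` override form.

```python
# Constructed sample master.cf (not taken from the post).
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_helo_restrictions=permit
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def parse_master_cf(text):
    """Return {service: {param: value}} of -o overrides for each inet service."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            entries[-1] += " " + raw.strip()  # leading whitespace continues an entry
        else:
            entries.append(raw.strip())
    services = {}
    for entry in entries:
        fields = entry.split()
        if len(fields) < 8 or fields[1] != "inet":
            continue
        args = fields[8:]  # everything after the command name
        services[fields[0]] = dict(
            args[i + 1].split("=", 1)
            for i in range(len(args) - 1)
            if args[i] == "-o" and "=" in args[i + 1]
        )
    return services

def auth_only(value):
    """True if a restriction list permits SASL users and rejects everyone else."""
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    return bool(tokens) and tokens[-1] == "reject" and "permit_sasl_authenticated" in tokens[:-1]

def audit(services):
    """Return findings for auth policy that is missing or on the wrong service."""
    findings = []
    sub = services.get("submission", {})
    if sub.get("smtpd_tls_security_level") != "encrypt":
        findings.append("submission: TLS not mandatory")
    if not any(auth_only(v) for k, v in sub.items() if k.endswith("_restrictions")):
        findings.append("submission: unauthenticated clients not rejected")
    for k, v in services.get("smtp", {}).items():
        if k.endswith("_restrictions") and auth_only(v):
            findings.append("smtp: " + k + " rejects unauthenticated senders")
    return findings
```

`audit(parse_master_cf(open("/etc/postfix/master.cf").read()))` returns an empty list when the policy is split as described; it does not inspect main.cf, so settings placed there still need a separate look.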