On Tue, Oct 09, 2012 at 09:29:25AM -0600, Bob Beck wrote:
> On Tue, Oct 9, 2012 at 9:25 AM, Gilles Chehade <gil...@poolp.org> wrote:
>
> >
> > I agree with you that people will probably not want port 587 without auth
> > turned on so on a practical point of view, we could make it implicit.
> >
> > There's a syntax issue though because, users will likely be less surprised
> > by:
> >
> >     listen on bnx0 port submission [...] tls-require
> >     listen on bnx0 [...] tls-require
> >
> > than:
> >
> >     listen on bnx0 port submission [...]  # implicit tls-require
> >     listen on bnx0 [...]                  # not here though
>
> If there's no "require" for auth, just "auth" - then there's really no
> confusion I think
>
> And there is a real normal use case for opportunistic (as opposed to
> required) TLS.
> I don't think there is one for auth on port 587.
>
> I.E. I think tls and tls-require make sense to have differentiated.
>
> I'm not sure it makes sense to have "auth" and "auth-required" - I
> think "auth" should just mean it's required.
>

Oh I get it but see my conf for instance:

    listen on bnx0 [...] auth

    accept from all for domain "opensmtpd.org" deliver to maildir
    accept for all relay

Now keep in mind that the relay rule here can only be matched by a local
or authenticated user. The distinction between auth and auth-require
allows me to make auth optional so that random people can mail
@opensmtpd.org but so that only eric, chl or I can relay mail elsewhere
from that box.

Now with:

    listen on bnx0 [...] auth-require

    accept from all for domain "opensmtpd.org" deliver to maildir
    accept for all relay

people would need to auth on the server to be able to mail us.

-- 
Gilles Chehade

https://www.poolp.org @poolpOrg