On 2012/10/09 18:49, Alexander Hall wrote:
> On 10/09/12 17:38, Gilles Chehade wrote:
> > On Tue, Oct 09, 2012 at 09:29:25AM -0600, Bob Beck wrote:
> > > On Tue, Oct 9, 2012 at 9:25 AM, Gilles Chehade <gil...@poolp.org> wrote:
> > >
> > > >
> > > > I agree with you that people will probably not want port 587 without auth
> > > > turned on so on a practical point of view, we could make it implicit.
> > > >
> > > > There's a syntax issue though because, users will likely be less surprised
> > > > by:
> > > >
> > > >     listen on bnx0 port submission [...] tls-require
> > > >     listen on bnx0 [...] tls-require
> > > >
> > > > than:
> > > >
> > > >     listen on bnx0 port submission [...] # implicit tls-require
> > > >     listen on bnx0 [...] # not here though
> > >
> > > If there's no "require" for auth, just "auth" - then there's really no
> > > confusion I think
> > >
> > > And there is a real normal use case for opportunistic (as opposed to
> > > required) TLS.
> > > I don't think there is one for auth on port 587.
> > >
> > > I.E. I think tls and tls-require make sense to have differentiated.
> > >
> > > I'm not sure it makes sense to have "auth" and "auth-required" - I
> > > think "auth" should just mean it's required.
> > >
> >
> > Oh I get it but see my conf for instance:
> >
> >     listen on bnx0 [...] auth
> >     accept from all for domain "opensmtpd.org" deliver to maildir
> >     accept for all relay
> >
> > Now keep in mind that the relay rule here can only be matched by a
> > local or authenticated user.
> >
> > The distinction between auth and auth-require allows me to make auth
> > optional so that random people can mail @opensmtpd.org but so that
> > only eric, chl or I can relay mail elsewhere from that box.
> >
> > Now with:
> >
> >     listen on bnx0 [...] auth-require
> >     accept from all for domain "opensmtpd.org" deliver to maildir
> >     accept for all relay
> >
> > people would need to auth on the server to be able to mail us.
>
> I think Bob's point is that then you use 587 (with auth) for
> yourselves and 25 (without auth) for mail from the rest of the
> intertubes.
Sometimes you need 25 with auth; some stupid clients exist which support auth but make it difficult to change the port number.