From: gilles@poolp.org
Subject: Re: smtpd(8) should add missing date and message id headers also on port 465
To: "Christian Schulte", tech@openbsd.org
Date: Tue, 03 Sep 2024 23:05:50 +0000

September 4, 2024 12:47 AM, "Christian Schulte" wrote:

> On 04.09.24 00:05, gilles@poolp.org wrote:
>
>> I'm not sure this is true:
>>
>> Submission *normally* takes place on port 587 but it may take place on port 25
>> with optional auth and in this case you can no longer express it this way, and
>> we start needing other knobs to be introduced.
>>
>> Genuine interrogation:
>>
>> Is there a case where a session authenticates (implying TLS / SMTPS regardless
>> of any port), submits a message and that message shouldn't be F_SUBMISSION ?
>
> AUTH got introduced to mitigate against open relays - access control.
>
> "Relaying denied. Authentication required."
>
> In my personal setup, I am running OpenSMTPD locally on my laptop setup
> to use a smarthost it needs to authenticate to, so that the smarthost
> allows relaying. In that scenario the smarthost would not be the
> submitting agent, but just a relay. Not the first hop. It would not do
> any harm if that smarthost would apply submission semantics, even if it
> is the second hop, as the first hop already performed submission semantics.
>

Precisely. In this case, the smarthost can unconditionally apply submission semantic
on authenticated sessions without harm.

> That's just about the relaying part. If I would send a mail from the
> laptop to a local user at that smarthost - so no relaying taking place -
> this would work without authentication. In that scenario the smarthost
> could not decide between submission or transfer based on authentication,
> although the laptop would have authenticated either way.
>

Unsure I understand your example.

smtp-in.poolp.org is my primary MX but it is also a smarthost for my workstation,
my mail address can be reached through both paths.

Can you provide me with an example where I can't decide submission or transfer on
that setup based on authentication ?

> So my answer would be: no (not yet).
>
> --
> Christian