> After making /etc/shadow readable by the mail group, it kinda works. Is
> it really necessary to change permission on /etc/shadow?
Where in the processing flow does it fail without that change?
> "Kinda works" means that I can now send messages via port 587 without
> any authentication at all, with unencrypted authentication and when
> using STARTTLS. Authentication and encryption must be required, though.
So now you need to block 587 to non-auth'd use. Do that in your
mail-from ACL.
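
Added example, not part of the original thread: a sketch of the MAIL FROM ACL check suggested above, assuming the MTA is Exim (the thread does not name it). The ACL name `acl_check_mail` is a hypothetical choice. The `auth_advertise_hosts` line is an extra assumption that covers the unencrypted-authentication case by offering AUTH only after STARTTLS.

```conf
# --- main configuration section ---

# Listen on the normal SMTP port and the submission port.
daemon_smtp_ports = 25 : 587

# Run the ACL below for every MAIL FROM command.
# "acl_check_mail" is a hypothetical name chosen for this example.
acl_smtp_mail = acl_check_mail

# Advertise AUTH only once the session is encrypted, so clients are never
# offered the chance to send credentials in the clear.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

# --- ACL section ---
begin acl

acl_check_mail:

  # Submission port: refuse MAIL FROM on a connection that has not
  # completed STARTTLS.
  deny    condition     = ${if eq{$received_port}{587}{yes}{no}}
          !encrypted    = *
          message       = STARTTLS is required on the submission port

  # Submission port: refuse MAIL FROM from a client that has not
  # authenticated.
  deny    condition     = ${if eq{$received_port}{587}{yes}{no}}
          !authenticated = *
          message       = Authentication is required on the submission port

  # Port 25 traffic, and authenticated and encrypted sessions on 587,
  # continue to the later ACLs (RCPT, DATA) for their usual checks.
  accept
```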