  #1  
4th February 2008, 20:11
rtg20
securing postfix - smtp auth on port 587 only

Hi everyone,

I have postfix running on an Ubuntu system, handling the e-mail for a handful of users. Currently I tell people to send e-mail using SMTP with authentication on port 587 with TLS enabled - which is what I want.

However the server also accepts mail on port 25 with authentication and no TLS. I want to change this so port 25 is used only for my server to receive mail from elsewhere (other servers). I want my users to be able to send on port 587 with TLS etc. ONLY.

Please can someone tell me how to do this? I think I need to tweak my master.cf but I'm not sure exactly how. Here it is:

#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n      -       -       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n      -       -       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache

587       inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

(there's some other non-Postfix stuff at the bottom but I don't think that's relevant).

Thanks in advance for the help!

Richard
  #2  
5th February 2008, 18:36
rtg20

Please can someone help me...? *please*...?

Thanks!
  #3  
24th February 2008, 10:47
swindmill

I am looking to do basically the same thing.

Anyone know if it is possible to have postfix listen on two ports with independent options?
  #4  
24th February 2008, 12:58
topdog

Frankly I don't understand why one would want a setup like this; the reason STARTTLS was invented was for port 25 to be able to receive both normal unencrypted connections and also enable clients to do relaying with SMTP-AUTH with TLS encryption.

The proper setup for a mail server is to run only one port, with SMTP auth only advertised if your connection is TLS encrypted. Meaning when you issue a HELO to the server you will not see auth advertised. An EHLO will tell you to STARTTLS to gain access to SMTP-AUTH. Only after STARTTLS do you gain access to SMTP-AUTH.
  #5  
24th February 2008, 17:22
swindmill

I'm personally not as worried about the TLS situation, but more so just looking to have postfix listen on a port in addition to 25 for smtp traffic but to ONLY allow e-mail to be received on this port if the user has authenticated.

I use an external spam/virus filtering service and have my server firewalled to only allow incoming port 25 traffic from the service's servers.

I would like my users to utilize a separate port, but for this port to not become another means of spam to enter my server.

I'm not sure whether spammers in the wild are using alternative submission ports?
  #6  
25th February 2008, 04:41
tonton01

Not sure if this helps rtg20, but maybe you might want to consider doing a gateway server.

-Your gateway will only receive on port 25 and checks your main server if the recipient exists before it relays to the main server. No other ports are open for entry for this server.

-Your users send through the main server on port 587.

Now your main server will only receive and not authenticate on port 25. Your gateway server has no users to authenticate for sasl.

Just a thought, not sure how your setup is. Hope this helps.
  #7  
18th June 2008, 03:24
leto
It's all about master.cf

Take a look at this site http://dkimproxy.sourceforge.net/pos...und-howto.html, it should help you a lot.

I used it to create a postfix server listening on ports 25 and 587 (submission). Port 25 is unsecured and non-forwarding, port 587 only accepts secured connections.

I needed this mostly for security. Quite a lot of companies block port 25 outgoing from their networks, so a standard has emerged for 587 as the secure smtp port. Hopefully those same companies will realise the need to leave that port open.

Ok, nitty gritty. You need to set up your postfix as normal, and then edit 'master.cf' with some customizations for each port. Here's mine:

Code:
smtp       inet n       -       n       -       -       smtpd -v
submission inet n       -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_type=dovecot
        -o smtpd_sasl_path=private/auth
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_reject_unlisted_sender=yes
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
The submission line might already be there. You just need to uncomment it and then add '-o' lines for each configuration setting that you want to override.

I'm sorry if this is a little late, as I only recently stumbled across this thread in my own search for an answer. Since I came across this thread, I presume that other people searching for an answer to this problem will also, so I will reply if not for you, then for the others.

Michael.
  #8  
18th June 2008, 17:29
rtg20
didn't work. :-(

Thanks for the reply. Unfortunately, I was unable to get your solution to work - my server still accepted mail for other domains on port 25.

Maybe the solution is to simply disable authentication on port 25..?

Here's my master.cf:

===
#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n      -       -       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n      -       -       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache

587       inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

===

I think I could improve this by dumping the 587 line at the end and putting those options on the submission line (I didn't know that submission was 587 when I set this up!) and also making the smtp and submission lines chrooted. However, I am still uncertain how to solve my problem.

swindmill, did you get it to work...?

Thanks,

Richard
  #9  
18th June 2008, 23:55
leto

Here is my main.cf as well. I think I can identify more specifically what you need.

Code:
myhostname = ws1.node.example.com
mydomain = node.example.com
mynetworks = 127.0.0.1/32
mydestination = ws1.node.example.com localhost
inet_interfaces = ws1.node.example.com 127.0.0.1
virtual_alias_maps = hash:/vhosts/etc/postfix/virtual_alias_maps
virtual_gid_maps = hash:/vhosts/etc/postfix/virtual_gid_maps
virtual_uid_maps = hash:/vhosts/etc/postfix/virtual_uid_maps
virtual_mailbox_domains = hash:/vhosts/etc/postfix/virtual_mailbox_domains
virtual_mailbox_maps = hash:/vhosts/etc/postfix/virtual_mailbox_maps
virtual_mailbox_base = /vhosts/maildirs
smtpd_sender_login_maps = hash:/vhosts/etc/postfix/smtpd_sender_login_maps


smtpd_helo_required = yes

smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unauth_pipelining, reject_unauth_destination, reject_unknown_hostname, reject_unknown_sender_domain, reject_unknown_client, permit_auth_destination, check_policy_service unix:postgrey/socket, reject_rbl_client xbl.spamhaus.org, reject
And again for completeness, the relevant part of master.cf.

Code:
submission inet n       -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_type=dovecot
        -o smtpd_sasl_path=private/auth
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_reject_unlisted_sender=yes
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
Whether you are running virtual mailboxes or local, the key here is the line 'smtpd_recipient_restrictions'. There are lots of directives like that in postfix, and lots of advice you can read about which ones to use, but for a start stick to just this one. Learn about the rest later here http://www.postfix.org/SMTPD_ACCESS_README.html.

You can see that in main.cf I have 'smtpd_recipient_restrictions' set with things like 'reject_*' to reject messages that fail various checks, and I have 'permit_auth_destination' which allows locally delivered mail. Everything else is rejected. This is the baseline, nothing but locally deliverable mail.

Now we move on to 'master.cf'. Once you have your 'main.cf' right you could almost copy what I have (at your risk obviously). But again here the key is 'smtpd_recipient_restrictions', which is set to 'permit_mynetworks' so that local senders can forward mail (you may not want this), but more importantly 'permit_sasl_authenticated', which allows authenticated users. All other email is rejected. This overrides the setting in main.cf.

All in, this means that the standard SMTP service on port 25 will use the default setting of local delivery only, and the SMTP service on the submission port 587 will override the setting to only allow authenticated senders.

I hope this helps...
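As an added illustration of the layering leto describes (main.cf sets the defaults, each listener's '-o' lines in master.cf override them), here is a small Python checker that is not from any poster: it parses both files, computes the effective smtpd settings per inet listener, and flags a port that offers AUTH on 25, offers AUTH without requiring TLS, or enables AUTH without letting authenticated users relay. The sample main.cf and master.cf are constructed to mirror the thread's setup, and the three checks are this example's own policy, not Postfix rules.

```python
# Constructed sample files modelled on the thread's configs (not any poster's real files).
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  n  -  -  smtpd -o smtpd_tls_wrappermode=yes
"""

def parse_main_cf(text):  # main.cf: 'name = value' per line, '#' comments (no continuation lines)
    pairs = (l.partition("=") for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_master_cf(text):
    """One dict per service; a line starting with whitespace continues the previous entry."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            services[-1]["args"] += line.split()
        else:  # fields: name type private unpriv chroot wakeup maxproc command [args...]
            f = line.split()
            services.append({"name": f[0], "type": f[1], "command": f[7], "args": f[8:]})
    for s in services:  # every '-o name=value' on the command line overrides main.cf
        a = s["args"]
        s["overrides"] = dict(a[i + 1].split("=", 1) for i, t in enumerate(a[:-1]) if t == "-o")
    return services

def check_listener(name, p):
    """Findings for one listener; smtpd_enforce_tls is the older TLS parameter the thread uses."""
    sasl = p.get("smtpd_sasl_auth_enable", "no") == "yes"
    tls = p.get("smtpd_enforce_tls") == "yes" or p.get("smtpd_tls_wrappermode") == "yes"
    issues = []
    if name == "smtp" and sasl:
        issues.append("AUTH offered on the MX port (25)")
    if sasl and not tls:
        issues.append("AUTH offered without TLS being required")
    if sasl and "permit_sasl_authenticated" not in p.get("smtpd_recipient_restrictions", ""):
        issues.append("AUTH enabled but authenticated users cannot relay")
    return issues

def audit(main_text, master_text):  # {listener: findings} for every inet smtpd service
    base = parse_main_cf(main_text)
    return {s["name"]: check_listener(s["name"], {**base, **s["overrides"]})
            for s in parse_master_cf(master_text) if s["type"] == "inet" and s["command"] == "smtpd"}
```

With the sample files the smtp listener inherits AUTH from main.cf (the situation rtg20 started with), submission is clean, and smtps shows that a listener without its own smtpd_recipient_restrictions override keeps the main.cf value.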
  #10  
20th June 2008, 06:35
rtg20

Thanks for the reply, it didn't work - didn't accept mail on 587; I didn't test the behaviour on 25.

I tried only changing main.cf (by adding the last two lines of your main.cf) and although the server responded on 587 it refused to accept the mail (relay access prohibited or something like that).

Fortunately I kept backups of my old config, and I think I managed to get it to work by changing master.cf thus

smtp      inet  n       -       -       -       -       smtpd
        -o smtpd_enforce_tls=no -o smtpd_sasl_auth_enable=no

(I added the options on the second line; compare with my previous post - no options were present before)

I have sent myself a bunch of test mails, including from hotmail.com - they all got through. Any comments...?

Thanks,

Richard