securing postfix - smtp auth on port 587 only

Discussion in 'Server Operation' started by rtg20, Feb 4, 2008.

  1. rtg20

    rtg20 New Member

    Hi everyone,

    I have postfix running on an Ubuntu system, handling the e-mail for a handful of users. Currently I tell people to send e-mail using SMTP with authentication on port 587 with TLS enabled - which is what I want.

    However the server also accepts mail on port 25 with authentication and no TLS. I want to change this so port 25 is used only for my server to receive mail from elsewhere (other servers). I want my users to be able to send on port 587 with TLS etc. ONLY.

    Please can someone tell me how to do this? I think i need to tweak my master.cf but i'm not sure exactly how. Here it is:

    #
    # Postfix master process configuration file. For details on the format
    # of the file, see the Postfix master(5) manual page.
    #
    # ==========================================================================
    # service type private unpriv chroot wakeup maxproc command + args
    # (yes) (yes) (yes) (never) (100)
    # ==========================================================================
    smtp inet n - - - - smtpd
    #submission inet n - - - - smtpd
    # -o smtpd_etrn_restrictions=reject
    # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
    #submission inet n - - - - smtpd
    # -o smtpd_etrn_restrictions=reject
    # -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
    #628 inet n - - - - qmqpd
    pickup fifo n - - 60 1 pickup
    cleanup unix n - - - 0 cleanup
    qmgr fifo n - n 300 1 qmgr
    #qmgr fifo n - - 300 1 oqmgr
    tlsmgr unix - - - 1000? 1 tlsmgr
    rewrite unix - - - - - trivial-rewrite
    bounce unix - - - - 0 bounce
    defer unix - - - - 0 bounce
    trace unix - - - - 0 bounce
    verify unix - - - - 1 verify
    flush unix n - - 1000? 0 flush
    proxymap unix - - n - - proxymap
    smtp unix - - - - - smtp
    # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
    relay unix - - - - - smtp
    -o fallback_relay=
    # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq unix n - - - - showq
    error unix - - - - - error
    discard unix - - - - - discard
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - - - - lmtp
    anvil unix - - - - 1 anvil
    scache unix - - - - 1 scache

    587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

    (there's some other non-Postfix stuff at the bottom but I don't think that's relevant).

    thanks in advance for the help!

    Richard
     
  2. rtg20

    rtg20 New Member

    Please can someone help me...? *please*...?

    thanks!
     
  3. swindmill

    swindmill New Member

    I am looking to do basically the same thing.

    Anyone know if it is possible to have postfix listen on two ports with independent options?
     
  4. topdog

    topdog New Member HowtoForge Supporter

    Frankly i dont understand why one would want a setup like this, the reason why STARTTLS was invented was for port 25 to be able to receive both normal unencrypted connections and also enable clients to do relaying with SMTP-AUTH with TLS encryption.

    The proper setup for a mail server is run only one port with SMTP auth only advertised if your connection is TLS encrypted. Meaning when you issue a HELO to the server you will not see auth advertised. A EHLO will tell you to STARTTLS to gain access to SMTP-AUTH. Only after STARTTLS do you gain access to SMTP-AUTH
     
  5. swindmill

    swindmill New Member

    I'm personally not as worried about the TLS situation, but moreso just looking to have postfix listen on a port in addition to 25 for smtp traffic but to ONLY allow e-mail to be received on this port if the user has authenticated.

    I use an external spam/virus filtering service and have my server firewalled to only allow incoming port 25 traffic from the service's servers.

    I would like my users to utilize a seperate port, but for this port to not become another means of spam to enter my server.

    I'm not sure whether spammers in the wild are using alternative submission ports?
     
  6. tonton01

    tonton01 New Member

    Not sure if this helps rtg20, but maybe you might want to consider doing a gateway server.

    -Your gateway will only receive on port 25 and checks your main server if the recipient exist before it relays to the main server. No other ports are open for entry for this server.

    -Your users sends through the main server on port 587.

    Now your main server will only receive and not authenticate on port 25. Your gateway server has no users to authenticate for sasl.

    Just a thought, not sure how your setup is. Hope this helps.
     
  7. leto

    leto New Member

    It's all about master.cf

    Take a look at this site http://dkimproxy.sourceforge.net/postfix-outbound-howto.html, it should help you a lot.

    I used it to create a postfix server listening on ports 25 and 587 (submission). Port 25 is unsecured and non-forwarding, port 587 only accepts secured connections.

    I needed this mostly for security. Quite a lot of companies block port 25 outgoing from their networks, so a standard has emerged for 587 as the secure smtp port. Hopefully those same companies will realise the need to leave that port open.

    Ok, nitty gritty. You need to set up your postfix as normal, and then edit 'master.cf' with some customizations for each port. Here's mine:

    Code:
    smtp       inet n       -       n       -       -       smtpd -v
    submission inet n       -       n       -       -       smtpd
            -o smtpd_etrn_restrictions=reject
            -o smtpd_sasl_type=dovecot
            -o smtpd_sasl_path=private/auth
            -o smtpd_sasl_auth_enable=yes
            -o smtpd_reject_unlisted_sender=yes
            -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    The submission line might already be there. You just need to uncomment it and then add '-o' lines for each configuration settings that you want to override.

    I'm sorry if this is a little late, as I only recently stumbled across this thread in my own search for an answer. Since I came across this thread, I presume that other people searching for an answer to this problem will also, so I will reply if not for you, then for the others.

    Michael.
     
  8. rtg20

    rtg20 New Member

    didn't work. :-(

    Thanks for the reply. Unfortunately, I was unable to get your solution to work - my server still accepted mail for other domains on port 25.

    Maybe the solution is to simply disable authentication on port 25..?

    Here's my master.cf:

    ===
    #
    # Postfix master process configuration file. For details on the format
    # of the file, see the Postfix master(5) manual page.
    #
    # ==========================================================================
    # service type private unpriv chroot wakeup maxproc command + args
    # (yes) (yes) (yes) (never) (100)
    # ==========================================================================
    smtp inet n - - - - smtpd
    #submission inet n - - - - smtpd
    # -o smtpd_etrn_restrictions=reject
    # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
    #submission inet n - - - - smtpd
    # -o smtpd_etrn_restrictions=reject
    # -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
    #628 inet n - - - - qmqpd
    pickup fifo n - - 60 1 pickup
    cleanup unix n - - - 0 cleanup
    qmgr fifo n - n 300 1 qmgr
    #qmgr fifo n - - 300 1 oqmgr
    tlsmgr unix - - - 1000? 1 tlsmgr
    rewrite unix - - - - - trivial-rewrite
    bounce unix - - - - 0 bounce
    defer unix - - - - 0 bounce
    trace unix - - - - 0 bounce
    verify unix - - - - 1 verify
    flush unix n - - 1000? 0 flush
    proxymap unix - - n - - proxymap
    smtp unix - - - - - smtp
    # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
    relay unix - - - - - smtp
    -o fallback_relay=
    # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq unix n - - - - showq
    error unix - - - - - error
    discard unix - - - - - discard
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - - - - lmtp
    anvil unix - - - - 1 anvil
    scache unix - - - - 1 scache

    587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

    ===

    I think I could improve this dumping the 587 line at the end and putting those options on the submission line (I didn't know that submission was 587 when I set this up!) and also making the smtp and submission lines chrooted. However, I am still uncertain how to solve my problem.

    swindmill, did you get it to work...?

    Thanks,

    Richard
     
  9. leto

    leto New Member

    Here is my main.cf as well. I think I can identify more specifically what you need.

    Code:
    myhostname = ws1.node.example.com
    mydomain = node.example.com
    mynetworks = 127.0.0.1/32
    mydestination = ws1.node.example.com localhost
    inet_interfaces = ws1.node.example.com 127.0.0.1
    virtual_alias_maps = hash:/vhosts/etc/postfix/virtual_alias_maps
    virtual_gid_maps = hash:/vhosts/etc/postfix/virtual_gid_maps
    virtual_uid_maps = hash:/vhosts/etc/postfix/virtual_uid_maps
    virtual_mailbox_domains = hash:/vhosts/etc/postfix/virtual_mailbox_domains
    virtual_mailbox_maps = hash:/vhosts/etc/postfix/virtual_mailbox_maps
    virtual_mailbox_base = /vhosts/maildirs
    smtpd_sender_login_maps = hash:/vhosts/etc/postfix/smtpd_sender_login_maps
    
    
    smtpd_helo_required = yes
    
    smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unauth_pipelining, reject_unauth_destination, reject_unknown_hostname, reject_unknown_sender_domain, reject_unknown_client, permit_auth_destination, check_policy_service unix:postgrey/socket, reject_rbl_client xbl.spamhaus.org, reject
    
    And again for completeness, the relevant part of master.cf.

    Code:
    submission inet n       -       n       -       -       smtpd
            -o smtpd_etrn_restrictions=reject
            -o smtpd_sasl_type=dovecot
            -o smtpd_sasl_path=private/auth
            -o smtpd_sasl_auth_enable=yes
            -o smtpd_reject_unlisted_sender=yes
            -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    
    Whether you are running virtual mailboxes or local, the key here is the line 'smtpd_recipient_restrictions'. There are lots of directives like that in postfix, and lots of advice you can read about which ones to use, but for a start stick to just this one. Learn about the rest later here http://www.postfix.org/SMTPD_ACCESS_README.html.

    You can see that in main.cf I have 'smtpd_recipient_restrictions' set with things like 'reject_*' to reject messages that fail various checks, and I have 'permit_auth_destination' which allows locally delivered mail. Everything else is rejected. This is the baseline, nothing but locally deliverable mail.

    Now we move on to 'master.cf'. Once you have your 'main.cf' right you could almost copy what I have (at your risk obviously). But again here the key is 'smtpd_recipient_restrictions', which is set to 'permit_mynetworks' so that local senders can forward mail (you may not want this), but more importantly 'permit_sasl_authenticated', which allows authenticated users. All other email is rejected. This overrides the setting in main.cf.

    All in, this means that the standard SMTP service on port 25 will use the default setting of local delivery only, and the SMTP service on the submission port 587 will override the setting to only allow authenticated senders.

    I hope this helps...
     
  10. rtg20

    rtg20 New Member

    Thanks for the reply, it didn't work - didn't accept mail on 587; I didn't test the behaviour on 25.

    I tried only changing main.cf (by adding the last two lines of your main.cf) and although the server responded on 587 it refused to accept the mail (relay access prohibited or something like that).

    Fortunately I kept backups of my old config, and I think I managed to get it to work by changing master.cf thus

    smtp inet n - - - - smtpd
    -o smtpd_enforce_tls=no -o smtpd_sasl_auth_enable=no

    (I added the options on the second line; compare with my previous post - no options were present before)

    I have sent myself a bunch of test mails, including from hotmail.com - they all got through. any comments...?

    thanks,

    Richard
     
  11. rdtech

    rdtech New Member

    rgt20,

    can you post your full main.cf

    I want to setup port 587 for smtp without auth and tls

    I'm having trouble with some people not being able to connect to smtp because ISP is blocking port 25.

    Please help me out.
     
  12. rtg20

    rtg20 New Member

    here you are...

    I'm probably not the best person to ask for help though.

    Why do you want 587 *without* auth and tls...?

    Modern MUAs support that stuff and it is much more secure. Also once your users have got it working then it's no extra work for them to use (compared with no auth or tls).

    Richard

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version


    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = hairy.orang-utan.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = hairy.orang-utan.com, localhost.orang-utan.com, , localhost
    relayhost =
    mynetworks = 127.0.0.0/8
    # mailbox_size_limit = 0

    mailbox_size_limit = 209715200

    recipient_delimiter = +
    inet_interfaces = all


    smtpd_sasl_auth_enable = yes


    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain =
    smtpd_sasl_application_name = smtpd
    broken_sasl_auth_clients = yes

    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination


    smtpd_tls_security_level = may

    smtp_use_tls = yes


    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom


    virtual_alias_maps = hash:/etc/postfix/virtual

    virtual_alias_domains = orang-utan.com
    message_size_limit = 104857600


    sender_bcc_maps = hash:/etc/postfix/sender_bcc
    recipient_bcc_maps = hash:/etc/postfix/recipient_bcc

    # reject_unknown_client_hostname = no


    # default_process_limit = 200
    # smtpd_peername_lookup = no
     
  13. rdtech

    rdtech New Member

    rtg20

    I meant the master.cf file but I got everything working now.

    I'm still using auth and tls on port 587.

    I just wanted to test something out but It works well with auth and tls so I'm keeping it.

    Thanks,

    Paul
     

Share This Page