
SMTP authentication

  • Francois
    Message 1 of 14, Sep 10, 2007
      Hi All,
       
      Is there anyone who can assist me in setting up SMTP authentication on postfix, so that clients not on the local LAN can send mail through this server using a username and password.
      I have been struggling with this for some time now.
      My setup is as follows:
      Mandriva 2007
      Postfix - POP3
      I have installed cyrus-SASL, but when I add
      smtpd_sasl_auth_enable = yes
      to main.cf, postfix seems to hang as I no longer can telnet to port 25.
       
      Any help would be appreciated
       
    • mouss
      Message 2 of 14, Sep 10, 2007

        this suggests a problem with cyrus sasl. run saslfinger and post its
        output here. also post relevant log lines.

        I find dovecot sasl a lot easier to setup. if using a recent postfix,
        you may consider this.
      • Skeeve Stevens
        Message 3 of 14, Sep 10, 2007
          You got a 'howto' for doing SMTP Auth with Dovecot and Postfix please?

          ...Skeeve

        • postfix
          Message 4 of 14, Sep 10, 2007
            at this site we use postfix with sasl for the same purpose as you intend
            to use sasl.

            in /etc/postfix/main.cf

            smtpd_sasl_auth_enable = yes
            smtpd_sasl_local_domain = postfix

            and then distribute the permit_sasl_authenticated attribute to your
            convenience (in main.cf)

            do not forget to tell postfix how to access sasl:

            at this site the corresponding file is in
            /usr/lib/sasl2/smtpd.conf

            and looks like:

            pwcheck_method: auxprop
            mech_list: digest-md5 cram-md5 plain login


            telling postfix (1st line) which plugin to use to access sasl (set to
            your convenience)
            and in the 2nd line which sasl mechanisms to expect (ditto).


            install sasl, and define the necessary users and corresponding
            passwords. at this site, they are defined in /etc/sasldb2, the access to
            that database is granted by the auxprop plugin.

            suomi

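The mechanisms named in the mech_list above (plain, login, cram-md5) differ in what crosses the wire and in what the server has to store, and that difference decides which pwcheck_method can serve them. The following is an added example written for this page, not code from Postfix, Cyrus SASL or any poster in this thread: it builds the client strings for AUTH PLAIN, AUTH LOGIN and CRAM-MD5 exactly as one would type them after "telnet host 25" or "openssl s_client", and verifies a CRAM-MD5 response the way a server holding the stored secret (sasldb through the auxprop plugin) does. The user name, password and challenge are constructed values; the CRAM-MD5 triple tim / tanstaaftanstaaf with its challenge is the worked example from RFC 2195.

```python
"""SMTP AUTH mechanism encodings as a client types them and as a server checks them.

Added example for this thread, not code from Postfix or Cyrus SASL. The user name,
password and challenge below are constructed (the CRAM-MD5 values are the worked
example in RFC 2195).
"""
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


def auth_plain(authzid: str, authcid: str, password: str) -> str:
    """Base64 argument for 'AUTH PLAIN' (RFC 4616): authzid NUL authcid NUL password.
    Decoded, this is the password in the clear, which is why PLAIN and LOGIN belong
    inside TLS (smtpd_tls_auth_only = yes) or behind 'noplaintext'."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(arg_b64: str) -> Optional[Tuple[str, str, str]]:
    """What the server (or anyone reading an unencrypted session) recovers from it."""
    try:
        parts = base64.b64decode(arg_b64, validate=True).decode("utf-8").split("\0")
    except (ValueError, UnicodeDecodeError):
        return None
    return (parts[0], parts[1], parts[2]) if len(parts) == 3 else None


def auth_login(username: str, password: str) -> List[str]:
    """The two client lines of AUTH LOGIN, answering the server's
    '334 VXNlcm5hbWU6' (Username:) and '334 UGFzc3dvcmQ6' (Password:) prompts."""
    return [base64.b64encode(s.encode("utf-8")).decode("ascii") for s in (username, password)]


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195): base64('user hex(HMAC-MD5(password, challenge))').
    The password itself never crosses the wire, only the keyed digest does."""
    digest = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("ascii")).decode("ascii")


def cram_md5_verify(response_b64: str, challenge: str, secrets: Dict[str, str]) -> Optional[str]:
    """Server side: recompute the digest from the stored secret and compare in constant time.
    The server needs the plaintext-equivalent secret (sasldb via auxprop); a saslauthd
    backend, which only answers 'is this user/password pair valid?', cannot serve
    CRAM-MD5 or DIGEST-MD5 at all. Returns the user name on success, else None."""
    try:
        user, digest = base64.b64decode(response_b64, validate=True).decode("ascii").split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    secret = secrets.get(user)
    if secret is None:
        return None
    expected = hmac.new(secret.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None


if __name__ == "__main__":
    # Constructed sample exchange; the challenge is the one from RFC 2195.
    chal = "<1896.697170952@postoffice.reston.mci.net>"
    print("C: AUTH PLAIN", auth_plain("", "user", "pass"))
    print("C: AUTH LOGIN lines:", auth_login("user", "pass"))
    print("S: 334", base64.b64encode(chal.encode("ascii")).decode("ascii"))
    print("C:", cram_md5_response("tim", "tanstaaftanstaaf", chal))
```

Running the file prints the client strings for the constructed account; paste the AUTH PLAIN line into a session to test a server by hand. The constant-time compare in cram_md5_verify is what a server should do even for a toy; equality on digest strings leaks timing.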
          • mouss
            Message 5 of 14, Sep 10, 2007
              Skeeve Stevens wrote:
              > You got a 'howto' for doing SMTP Auth with Dovecot and Postfix please?

              - see the SASL README on postfix site, and
              - visit dovecot wiki. while there are not a lot of docs (yet?), there
              are less traps than with cyrus sasl.
            • Francois
              Message 6 of 14, Sep 10, 2007

                Sorry here is the output of saslfinger with smtpd_sasl_auth_enable = yes
                in main.cf

                saslfinger - postfix Cyrus sasl configuration Mon Sep 10 18:01:20 UTC 2007
                version: 1.0.2
                mode: server-side SMTP AUTH

                -- basics --
                Postfix: 2.3.3
                System: Mandriva Linux release 2007.0 (Official) for i586

                -- smtpd is linked to --
                libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f46000)

                -- active SMTP AUTH and TLS parameters for smtpd --
                smtpd_sasl_auth_enable = yes


                -- listing of /usr/lib/sasl2 --
                total 9
                drwxr-xr-x 2 root root 1024 Aug 30 2006 .
                drwxr-xr-x 33 root root 8192 Aug 15 13:47 ..

                -- listing of /var/lib/sasl2 --
                total 3
                drwxr-xr-x 2 root root 1024 Sep 1 03:01 .
                drwxr-xr-x 16 root root 1024 Sep 1 00:31 ..
                srwxrwxrwx 2 root root 0 Sep 1 03:01 mux
                -rw------- 1 root root 0 Sep 1 03:01 mux.accept
                -rw------- 1 root root 5 Sep 1 03:01 saslauthd.pid

                -- listing of /etc/sasl2 --
                total 6
                drwxr-xr-x 2 root root 1024 Sep 2 22:35 .
                drwxr-xr-x 54 root root 3072 Sep 10 17:50 ..
                -rw-r--r-- 1 root root 977 Aug 30 2006 service.conf.example
                -rw-r--r-- 1 root root 627 Sep 2 22:35 smtpd.conf




                -- content of /etc/sasl2/smtpd.conf --
                # SASL library configuration file for postfix
                # all parameters are documented into:
                # /usr/share/doc/cyrus-sasl-2.*/options.html

                # The mech_list parameters list the sasl mechanisms to use,
                # default being all mechs found.
                #mech_list: plain login

                # To authenticate using the separate saslauthd daemon, (e.g. for
                # system or ldap users). Also see /etc/sysconfig/saslauthd.
                #pwcheck_method: saslauthd
                pwcheck_method: pwcheck
                #saslauthd_path: /var/lib/sasl2/mux

                # To authenticate against users stored in sasldb.
                #pwcheck_method: auxprop
                #auxprop_plugin: sasldb
                #sasldb_path: /var/lib/sasl2/sasl.db



                -- active services in /etc/postfix/master.cf --
                # service type private unpriv chroot wakeup maxproc command + args
                # (yes) (yes) (yes) (never) (100)
                smtp inet n - y - - smtpd
                pickup fifo n - y 60 1 pickup
                -o content_filter=
                -o receive_override_options=
                cleanup unix n - y - 0 cleanup
                qmgr fifo n - y 300 1 qmgr
                tlsmgr unix - - y 1000? 1 tlsmgr
                rewrite unix - - y - - trivial-rewrite
                bounce unix - - y - 0 bounce
                defer unix - - y - 0 bounce
                trace unix - - y - 0 bounce
                verify unix - - y - 1 verify
                flush unix n - y 1000? 0 flush
                proxymap unix - - n - - proxymap
                smtp unix - - y - - smtp
                relay unix - - y - - smtp
                -o fallback_relay=
                showq unix n - y - - showq
                error unix - - y - - error
                discard unix - - y - - discard
                local unix - n n - - local
                virtual unix - n n - - virtual
                lmtp unix - - y - - lmtp
                anvil unix - - y - 1 anvil
                scache unix - - y - 1 scache
                maildrop unix - n n - - pipe
                flags=DRhu user=nobody argv=/usr/bin/maildrop -d ${recipient}
                cyrus-deliver unix - n n - - pipe
                user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
                cyrus unix - n n - - lmtp
                -o lmtp_cache_connection=yes
                cyrus-chroot unix - - y - - lmtp
                -o lmtp_cache_connection=yes
                cyrus-inet unix - - y - - lmtp
                -o lmtp_cache_connection=yes
                -o lmtp_sasl_auth_enable=yes
                -o lmtp_sasl_password_maps=hash:/etc/postfix/cyrus_lmtp_sasl_pass
                -o lmtp_sasl_security_options=noanonymous
                uucp unix - n n - - pipe
                flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)


                127.0.0.1:10026 inet n - y - - smtpd
                -o content_filter=
                -o smtpd_restriction_classes=
                -o smtpd_client_restrictions=permit_mynetworks,reject
                -o smtpd_helo_restrictions=
                -o smtpd_sender_restrictions=
                -o smtpd_delay_reject=no
                -o smtpd_recipient_restrictions=permit_mynetworks,reject
                -o mynetworks=127.0.0.0/8
                -o smtpd_authorized_xforward_hosts=127.0.0.0/8
                -o strict_rfc821_envelopes=yes
                -o smtpd_error_sleep_time=0
                -o smtpd_soft_error_limit=1001
                -o smtpd_hard_error_limit=1000
                -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

                lmtp-filter unix - - y - - lmtp
                -o lmtp_data_done_timeout=1200
                -o lmtp_send_xforward_command=yes
                -o lmtp_cache_connection=no
                -o max_use=20

                smtp-filter unix - - y - - smtp
                -o smtp_data_done_timeout=1200
                -o smtp_send_xforward_command=yes
                -o max_use=20

                -- mechanisms on localhost --

                -- end of saslfinger output --
              • Andreas Winkelmann
                Message 7 of 14, Sep 10, 2007
                  On Monday 10 September 2007 19:03, Francois wrote:

                  > Sorry here is the output of saslfinger with smtpd_sasl_auth_enable = yes
                  > in main.cf
                  >
                  > saslfinger - postfix Cyrus sasl configuration Mon Sep 10 18:01:20 UTC 2007
                  > version: 1.0.2
                  > mode: server-side SMTP AUTH
                  >
                  > -- basics --
                  > Postfix: 2.3.3
                  > System: Mandriva Linux release 2007.0 (Official) for i586
                  >
                  > -- smtpd is linked to --
                  > libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f46000)
                  >
                  > -- active SMTP AUTH and TLS parameters for smtpd --
                  > smtpd_sasl_auth_enable = yes
                  >
                  >
                  > -- listing of /usr/lib/sasl2 --
                  > total 9
                  > drwxr-xr-x 2 root root 1024 Aug 30 2006 .
                  > drwxr-xr-x 33 root root 8192 Aug 15 13:47 ..

                  Looks a little bit empty. Check if you have installed needed Cyrus-SASL
                  Packages for Mechanisms and maybe sasldb.

                  > -- listing of /var/lib/sasl2 --
                  > total 3
                  > drwxr-xr-x 2 root root 1024 Sep 1 03:01 .
                  > drwxr-xr-x 16 root root 1024 Sep 1 00:31 ..
                  > srwxrwxrwx 2 root root 0 Sep 1 03:01 mux
                  > -rw------- 1 root root 0 Sep 1 03:01 mux.accept
                  > -rw------- 1 root root 5 Sep 1 03:01 saslauthd.pid
                  >
                  > -- listing of /etc/sasl2 --
                  > total 6
                  > drwxr-xr-x 2 root root 1024 Sep 2 22:35 .
                  > drwxr-xr-x 54 root root 3072 Sep 10 17:50 ..
                  > -rw-r--r-- 1 root root 977 Aug 30 2006 service.conf.example
                  > -rw-r--r-- 1 root root 627 Sep 2 22:35 smtpd.conf
                  >
                  >
                  > -- content of /etc/sasl2/smtpd.conf --
                  > # SASL library configuration file for postfix
                  > # all parameters are documented into:
                  > # /usr/share/doc/cyrus-sasl-2.*/options.html
                  >
                  > # The mech_list parameters list the sasl mechanisms to use,
                  > # default being all mechs found.
                  > #mech_list: plain login
                  >
                  > # To authenticate using the separate saslauthd daemon, (e.g. for
                  > # system or ldap users). Also see /etc/sysconfig/saslauthd.
                  > #pwcheck_method: saslauthd
                  > pwcheck_method: pwcheck

                  This is invalid for sasl2. Use saslauthd instead. If you want to use
                  saslauthd, check the smtpd_sasl_security_options.

                  > #saslauthd_path: /var/lib/sasl2/mux
                  >
                  > # To authenticate against users stored in sasldb.
                  > #pwcheck_method: auxprop
                  > #auxprop_plugin: sasldb
                  > #sasldb_path: /var/lib/sasl2/sasl.db



                  > -- active services in /etc/postfix/master.cf --
                  > # service type private unpriv chroot wakeup maxproc command + args
                  > # (yes) (yes) (yes) (never) (100)
                  > smtp inet n - y - - smtpd

                  Keep in mind smtpd is in a chroot. So you have to move the Socket to saslauthd
                  to the chroot.


                  --
                  Andreas
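The three things Andreas points at (the pwcheck_method name, the chroot column of the smtpd service, and smtpd_sasl_security_options) are cheap to check mechanically before the next round of saslfinger output. What follows is an added example, not code from Postfix, Cyrus SASL or saslfinger: it parses the text of main.cf, master.cf and the SASL application file and reports the traps this thread runs into, plus two that sit next to them (PLAIN/LOGIN offered without a TLS requirement, and authenticated clients with no permit_sasl_authenticated in the relay decision). Parameter names and the noanonymous default are Postfix's; the finding tags are invented for this script. The three configurations at the bottom are constructed for the example: the first mirrors the saslfinger output above, the third is one the check passes.

```python
"""Lint a Postfix + Cyrus SASL setup for the traps raised in this thread.

Added example, not code from Postfix, Cyrus SASL or saslfinger. Input is the text of
main.cf, master.cf and the SASL application config (smtpd.conf); output is a list of
(tag, message) findings. The tags are invented for this script.
"""
import re
from typing import Dict, List, Tuple

SHARED_SECRET = {"cram-md5", "digest-md5", "scram-sha-1", "scram-sha-256"}


def parse_main_cf(text: str) -> Dict[str, str]:
    """'name = value'; '#' comments; a line starting with whitespace continues the previous value."""
    params: Dict[str, str] = {}
    last = ""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params


def parse_smtpd_services(text: str) -> List[Dict[str, str]]:
    """master.cf entries that run smtpd: name, chroot column and their '-o name=value' overrides."""
    services: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                      # continuation line: '-o name=value'
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if m and current is not None:
                current[m.group(1)] = m.group(2)
            continue
        cols = line.split()
        current = {"name": cols[0], "chroot": cols[4]} if len(cols) >= 8 and cols[7] == "smtpd" else None
        if current is not None:
            services.append(current)
    return services


def parse_sasl_conf(text: str) -> Dict[str, str]:
    """Cyrus SASL application config: 'option: value'."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip().lower()] = value.strip().lower()
    return opts


def lint(main_cf: str, master_cf: str, smtpd_conf: str) -> List[Tuple[str, str]]:
    main, sasl = parse_main_cf(main_cf), parse_sasl_conf(smtpd_conf)
    method = sasl.get("pwcheck_method", "auxprop")
    mechs = set(sasl.get("mech_list", "").split())
    out: List[Tuple[str, str]] = []
    if method == "pwcheck":
        out.append(("pwcheck", "'pwcheck_method: pwcheck' is the SASL v1 name; use saslauthd or auxprop"))
    if method == "saslauthd" and mechs & SHARED_SECRET:
        out.append(("saslauthd-mechs", "saslauthd verifies plaintext only; %s need auxprop (sasldb)"
                    % " ".join(sorted(mechs & SHARED_SECRET))))
    for svc in parse_smtpd_services(master_cf):
        def p(name: str, default: str = "") -> str:   # a master.cf -o override beats main.cf
            return svc.get(name, main.get(name, default))
        if p("smtpd_sasl_auth_enable", "no") != "yes":
            continue
        name = svc["name"]
        secopts = set(p("smtpd_sasl_security_options", "noanonymous").replace(",", " ").split())
        tls_on = p("smtpd_tls_security_level") in ("may", "encrypt") or p("smtpd_use_tls") == "yes"
        if method == "saslauthd" and "noplaintext" in secopts:
            out.append(("noplaintext", f"{name}: saslauthd needs PLAIN/LOGIN, but noplaintext forbids them"))
        if "noplaintext" not in secopts and not (tls_on and p("smtpd_tls_auth_only") == "yes"):
            out.append(("cleartext", f"{name}: PLAIN/LOGIN allowed without TLS; set smtpd_tls_auth_only = yes or add noplaintext"))
        if svc["chroot"] == "y":
            out.append(("chroot", f"{name}: chrooted smtpd; saslauthd socket or sasldb must sit inside queue_directory"))
        relay = p("smtpd_recipient_restrictions") + " " + p("smtpd_relay_restrictions")
        if relay.strip() and "permit_sasl_authenticated" not in relay:
            out.append(("relay", f"{name}: no permit_sasl_authenticated in recipient/relay restrictions"))
    return out


# Constructed sample 1: the thread's starting point (pwcheck, chrooted smtpd, no TLS rule).
BROKEN = (
    "smtpd_sasl_auth_enable = yes\n"
    "smtpd_recipient_restrictions = permit_mynetworks,\n    reject_unauth_destination\n",
    "smtp      inet  n       -       y       -       -       smtpd\n",
    "pwcheck_method: pwcheck\n",
)
# Constructed sample 2: saslauthd asked for mechanisms and options it cannot serve.
HALF = (
    "smtpd_sasl_auth_enable = yes\nsmtpd_sasl_security_options = noanonymous, noplaintext\n"
    "smtpd_tls_security_level = may\nsmtpd_tls_auth_only = yes\n"
    "smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination\n",
    "smtp      inet  n       -       y       -       -       smtpd\n",
    "pwcheck_method: saslauthd\nmech_list: plain login cram-md5\n",
)
# Constructed sample 3: sasldb via auxprop, AUTH only inside TLS, on a separate submission service.
FIXED = (
    "smtpd_tls_security_level = may\n"
    "smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination\n",
    "smtp       inet n - n - - smtpd\nsubmission inet n - n - - smtpd\n"
    "    -o smtpd_tls_security_level=encrypt\n    -o smtpd_tls_auth_only=yes\n"
    "    -o smtpd_sasl_auth_enable=yes\n",
    "pwcheck_method: auxprop\nauxprop_plugin: sasldb\nmech_list: plain login cram-md5\n",
)

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("saslauthd", HALF), ("fixed", FIXED)):
        print(label, lint(*cfg) or "no findings")
```

To run it against a real host, read the three files into strings (postconf -n is a cleaner source for main.cf than the file itself, since it resolves defaults) and pass them to lint. The chroot finding is the one saslfinger cannot see for you: with the chroot column set to y the smtpd process looks for the saslauthd socket and for sasldb under queue_directory, not under /var/run or /etc.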
                • Matteo Marescotti
                  Message 8 of 14, Mar 19, 2013
                    Hello,
                    I have a question for you about authentication on port 587. At the
                    moment, my mailserver is configured as follows:

                    main.cf:
                    ...
                    smtpd_use_tls=yes
                    smtpd_tls_auth_only = yes
                    smtpd_sasl_auth_enable = yes
                    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
                    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
                    ...


                    master.cf:
                    ...
                    smtp inet n - - - - smtpd
                    -o smtpd_tls_security_level=may
                    submission inet n - - - - smtpd
                    -o smtpd_tls_security_level=encrypt
                    -o smtpd_sasl_auth_enable=yes
                    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                    -o milter_macro_daemon_name=ORIGINATING
                    ...

                    With this configuration, messages can only be submitted through port 587
                    after an encrypted connection has been established and user authentication
                    has succeeded. So users need to authenticate themselves in
                    order to send emails. Nevertheless, Postfix accepts the MAIL FROM
                    command before authentication.

                    Is there a different configuration such that postfix requires
                    authentication before any MAIL FROM command can be accepted by the mail
                    server?

                    Thank you very much for your attention.

                    Best regards,
                    Matteo Marescotti
                  • Noel Jones
                    Message 9 of 14, Mar 19, 2013

                      It is not currently possible to prevent the client from sending a
                      MAIL FROM command (nor any other command) before they authenticate.



                      -- Noel Jones
                    • Viktor Dukhovni
                      Message 10 of 14, Mar 19, 2013
                        On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:

                        > submission inet n - - - - smtpd
                        > -o smtpd_tls_security_level=encrypt
                        > -o smtpd_sasl_auth_enable=yes
                        > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                        > -o milter_macro_daemon_name=ORIGINATING
                        > ...

                        With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
                        are allowed before STARTTLS. The other commands will be rejected,
                        but of course we can't prevent the client from sending them.

                        > With this configuration, messages can only be submitted through port
                        > 587 after an encrypted connection has been established and user
                        > authentication has succeeded. So users need to authenticate
                        > themselves in order to send emails. Nevertheless, Postfix accepts
                        > the MAIL FROM command before authentication.

                        Show real evidence of this, after making sure your master.cf file
                        reflects run-time reality (postfix stop/start or at least reload).

                        --
                        Viktor.
                      • Matteo Marescotti
                        Message 11 of 14, Mar 19, 2013
                          Il 19/03/2013 17:41, Viktor Dukhovni wrote:
                          > On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:
                          >
                          >> submission inet n - - - - smtpd
                          >> -o smtpd_tls_security_level=encrypt
                          >> -o smtpd_sasl_auth_enable=yes
                          >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                          >> -o milter_macro_daemon_name=ORIGINATING
                          >> ...
                          > With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
                          > are allowed before STARTTLS. The other commands will be rejected,
                          > but of course we can't prevent the client from sending them.
                          I said Postfix accepts the MAIL FROM command before user authentication,
                          not before STARTTLS.
                          >> With this configuration, messages can only be submitted through port
                          >> 587 after an encrypted connection has been established and user
                          >> authentication has succeeded. So users need to authenticate
                          >> themselves in order to send emails. Nevertheless, Postfix accepts
                          >> the MAIL FROM command before authentication.
                          > Show real evidence of this, after making sure your master.cf file
                          > reflects run-time reality (postfix stop/start or at least reload).
                          >
                          Of course master.cf reflects run-time reality. Here is the real evidence,
                          which you can reproduce yourself. If you remove all client
                          restrictions (-o smtpd_client_restrictions=) from my configuration and
                          issue

                          openssl s_client -connect host:587 -starttls smtp

                          you get

                          250 DSN
                          mail from:<marescot@...>
                          250 2.1.0 Ok
                          rcpt to:<marescot@...>
                          250 2.1.5 Ok
                          data
                          354 End data with <CR><LF>.<CR><LF>
                          Hi, this is a test.
                          .
                          250 2.0.0 Ok: queued as ...

                          and the message is sent.

                          If you keep client restrictions ( -o
                          smtpd_client_restrictions=permit_sasl_authenticated,reject ) and issue
                          the same command as above, you get instead

                          250 DSN
                          mail from:<marescot@...>
                          250 2.1.0 Ok
                          rcpt to:<marescot@...>
                          554 5.7.1 <host[xxx.xxx.xxx.xxx]>: Client host rejected: Access denied

                          because user authentication is now required. I simply wondered why the
                          client is rejected after "rcpt to" and not just after "mail from". Maybe
                          there is no configuration which allows for rejecting an unauthenticated
                          client after the first command. I asked because you are certainly more
                          familiar than me with Postfix configuration options. Thank you anyway.

                          Matteo
                        • Reindl Harald
                          ... because it is a really stupid idea to reject too soon and after that missing informations from logfiles which can be helpful if your user calls you for
                          Message 12 of 14 , Mar 19, 2013
                          • 0 Attachment
                            Am 19.03.2013 18:47, schrieb Matteo Marescotti:
                            > 250 DSN
                            > mail from:<marescot@...>
                            > 250 2.1.0 Ok
                            > rcpt to:<marescot@...>
                            > 554 5.7.1 <host[xxx.xxx.xxx.xxx]>: Client host rejected: Access denied
                            >
                            > because user authentication is now required. I simply wondered why the client is rejected after "rcpt to" and not
                            > just after "mail from". Maybe there is no configuration which allows for rejecting an unauthenticated client after
                            > the first command. I asked because you are certainly more familiar than me with Postfix configuration options.
                            > Thank you anyway

                            because it is a really stupid idea to reject too soon and
                            after that missing informations from logfiles which can
                            be helpful if your user calls you for support or you
                            want provide the user actively support

                            iPhones as exmaple are here regulary clients losing for
                            whatever reason the auth-settings and try for weeks
                            and months to submit the same message

                            in such cases it is helful provide the user a logentry
                            with MAIL FROM and MAIL TO because he thinks the
                            message was sent
                          • Viktor Dukhovni
                            ... Sorry, I misread your post, I am too focused on TLS lately, yes rejection of transactions is deliberately delayed to RCPT TO, this makes it possible to
                            Message 13 of 14 , Mar 19, 2013
                            • 0 Attachment
                              On Tue, Mar 19, 2013 at 06:47:42PM +0100, Matteo Marescotti wrote:

                              > Il 19/03/2013 17:41, Viktor Dukhovni wrote:
                              > >On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:
                              > >
                              > >>submission inet n - - - - smtpd
                              > >> -o smtpd_tls_security_level=encrypt
                              > >> -o smtpd_sasl_auth_enable=yes
                              > >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                              > >> -o milter_macro_daemon_name=ORIGINATING
                              > >>...
                              > >
                              > >With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
                              > >are allowed before STARTTLS. The other commands will be rejected,
                              > >but of course we can't prevent the client from sending them.

                              > I said Postfix accepts the MAIL FROM command before user
                              > authentication, not before STARTTLS.

                              Sorry, I misread your post, I am too focused on TLS lately, yes
                              rejection of transactions is deliberately delayed to RCPT TO, this
                              makes it possible to later figure out what was being rejected.
                              A good MTA produces a good audit trail.

                              --
                              Viktor.
                            • Matteo Marescotti
                              ... I was sure there was a very good reason for that. Thank you very much to everybody. I learned something I could not figure out by myself. Matteo
                              Message 14 of 14 , Mar 19, 2013
                              • 0 Attachment
                                Il 19/03/2013 19:30, Viktor Dukhovni ha scritto:
                                > On Tue, Mar 19, 2013 at 06:47:42PM +0100, Matteo Marescotti wrote:
                                >
                                >> Il 19/03/2013 17:41, Viktor Dukhovni wrote:
                                >>> On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:
                                >>>
                                >>>> submission inet n - - - - smtpd
                                >>>> -o smtpd_tls_security_level=encrypt
                                >>>> -o smtpd_sasl_auth_enable=yes
                                >>>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                                >>>> -o milter_macro_daemon_name=ORIGINATING
                                >>>> ...
                                >>> With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
                                >>> are allowed before STARTTLS. The other commands will be rejected,
                                >>> but of course we can't prevent the client from sending them.
                                >> I said Postfix accepts the MAIL FROM command before user
                                >> authentication, not before STARTTLS.
                                > Sorry, I misread your post, I am too focused on TLS lately, yes
                                > rejection of transactions is deliberately delayed to RCPT TO, this
                                > makes it possible to later figure out what was being rejected.
                                > A good MTA produces a good audit trail.
                                >
                                I was sure there was a very good reason for that. Thank you very much to
                                everybody. I learned something I could not figure out by myself.

                                Matteo
                              Your message has been successfully submitted and would be delivered to recipients shortly.