Loading ...
Sorry, an error occurred while loading the content.

master.cf question with SASL

Expand Messages
  • Jake Vickers
    I currently have all my users using the submission port for outgoing mail. They cannot send on port 25 at this time, and according to all of the online tests I
    Message 1 of 3 , Sep 1, 2008
    • 0 Attachment
      I currently have all my users using the submission port for outgoing mail. They cannot send on port 25 at this time, and according to all of the online tests I have tried I am not an open relay or backscatter sprayer.
      My master.cf currently shows:

      smtp      inet  n       -       -       -       -       smtpd
        -o smtpd_use_tls=no
        -o smtpd_sasl_auth_enable=no
        -o content_filter=smtp-amavis:[127.0.0.1]:10024


      If I change smtpd_sasl_auth_enable to yes, it allows some devices (handhelds, Treo, etc.) to send on port 25 if authenticated, but I want to make sure that this does not turn me into a relay or anything before doing so.  I have attempted to relay through it while it's enabled, and they were denied.  I decided to err on the side of caution and check with the experts here before "just doing it" in case there were any pitfalls or gotchas I do not know about.

      Thanks.
    • mouss
      ... good. ... open relay is when you relay mail for strangers . if you relay mail for your users, that s not open relay. relay control is done in
      Message 2 of 3 , Sep 1, 2008
      • 0 Attachment
        Jake Vickers wrote:
        > I currently have all my users using the submission port for outgoing
        > mail.

        good.

        > They cannot send on port 25 at this time, and according to all of
        > the online tests I have tried I am not an open relay or backscatter
        > sprayer.
        > My master.cf currently shows:
        >
        > smtp inet n - - - - smtpd
        > -o smtpd_use_tls=no
        > -o smtpd_sasl_auth_enable=no
        > -o content_filter=smtp-amavis:[127.0.0.1]:10024
        >
        > If I change smtpd_sasl_auth_enable to yes, it allows some devices
        > (handhelds, Treo, etc.) to send on port 25 if authenticated, but I want
        > to make sure that this does not turn me into a relay or anything before
        > doing so. I have attempted to relay through it while it's enabled, and
        > they were denied. I decided to err on the side of caution and check
        > with the experts here before "just doing it" in case there were any
        > pitfalls or gotchas I do not know about.
        >


        open relay is when you relay mail for "strangers". if you relay mail for
        your users, that's not open relay.

        relay control is done in smtpd_recipient_restrictions. a common
        sasl-enabled setup looks like this:

        smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        ...

        so relay is allowed from mynetworks and for authenticated senders. if
        all your users must authenticated, then configure mynetworks to only
        include those servers that need to relay without authentication. For
        example:

        mynetworks = 127.0.0.1

        if you have internal machines that need to relay via port 25 and can't
        (or shouldn't) authenticate, then add them to mynetworks.
      • Jorey Bump
        ... In addition to what mouss said, be sure to allow only secure authentication mechanisms, so that passwords aren t sent in the clear. You indicate this is
        Message 3 of 3 , Sep 1, 2008
        • 0 Attachment
          Jake Vickers wrote, at 09/01/2008 10:08 AM:
          > I currently have all my users using the submission port for outgoing
          > mail. They cannot send on port 25 at this time, and according to all of
          > the online tests I have tried I am not an open relay or backscatter sprayer.
          > My master.cf currently shows:
          >
          > smtp inet n - - - - smtpd
          > -o smtpd_use_tls=no
          > -o smtpd_sasl_auth_enable=no
          > -o content_filter=smtp-amavis:[127.0.0.1]:10024
          >
          > If I change smtpd_sasl_auth_enable to yes, it allows some devices
          > (handhelds, Treo, etc.) to send on port 25 if authenticated, but I want
          > to make sure that this does not turn me into a relay or anything before
          > doing so. I have attempted to relay through it while it's enabled, and
          > they were denied. I decided to err on the side of caution and check
          > with the experts here before "just doing it" in case there were any
          > pitfalls or gotchas I do not know about.

          In addition to what mouss said, be sure to allow only secure
          authentication mechanisms, so that passwords aren't sent in the clear.
          You indicate this is for road warriors, who may not always be on a
          secure network. Ideally, you'll want to encrypt the entire
          communication, if the target devices support it.
        Your message has been successfully submitted and would be delivered to recipients shortly.