
permit_sasl_authenticated ONLY from one interface

  • Simone Felici
    Message 1 of 11, Nov 27, 2008
      Hi to all!

      I've tested successfully a simple smtp server with SMTP authenticated.
      Now I would like to do the following:

      My server has two interfaces with IP1 and IP2.
      I would like to setup postfix to permit AUTH-SMTP only for sessions incoming on IP1 and normal SMTP sessions on IP2.
      I've only found how to apply restrictions on the sender (ip/domain), but have no idea how to manage different policies depending
      on which SMTP IP the client is using.

      Can someone help me a little or post me a really simple example?

      Thanks

      Simon
    • Wietse Venema
      Message 2 of 11, Nov 27, 2008
        Simone Felici:
        > Hi to all!
        >
        > I've tested successfully a simple smtp server with SMTP authenticated.
        > Now I would like to do the following:
        >
        > My server has two interfaces with IP1 and IP2.
        > I would like to setup postfix to permit AUTH-SMTP only for sessions incoming on IP1 and normal SMTP sessions on IP2.

        Please explain why you can't use policies for the CLIENT IP address.

        Wietse
      • Simone Felici
        Message 3 of 11, Nov 27, 2008
          Wietse Venema wrote:
          > Simone Felici:
          >> Hi to all!
          >>
          >> I've tested successfully a simple smtp server with SMTP authenticated.
          >> Now I would like to do the following:
          >>
          >> My server has two interfaces with IP1 and IP2.
          >> I would like to setup postfix to permit AUTH-SMTP only for sessions incoming on IP1 and normal SMTP sessions on IP2.
          >
          > Please explain why you can't use policies for the CLIENT IP address.
          >
          > Wietse
          >

          Why? Uhm, dunno...
          It seems certain mail clients have authenticated SMTP enabled by default, and if the client finds the SMTP server
          supports it, then it tries to send with AUTH. This returns an error, due to inappropriate settings of the client. To
          prevent this I would like to set up two IP addresses on the same server.
          The first IP address should accept only clean SMTP sessions, with restrictions allowing SMTP only from specific
          client IPs/ranges. This is the actual situation in production and all is ok.
          The second IP should accept only SASL-authenticated SMTP sessions. If the authentication goes well, then the client
          can send without other checks and the client can have any IP he wants.
          Due to company decisions, our SMTP server accepts sending messages only if the customer is connected to our
          network. The second IP on the server should introduce the possibility to send (only if authenticated) from any
          network.
          Is it possible to set this up on the same server?
          I've read this (http://www.postfix.org/RESTRICTION_CLASS_README.html) and ok, but have no idea how to choose
          different policies depending on two different IPs (interfaces) of the server.

          Simon
        • postfix@bitfreak.org
          Message 4 of 11, Nov 27, 2008
            Simone Felici wrote:
            > My server has two interfaces with IP1 and IP2. I would like to setup
            > postfix to permit AUTH-SMTP only for sessions incoming on IP1 and
            > normal SMTP sessions on IP2.
            > I've only found how to apply restrictions on the sender (ip/domain) but
            > have no idea how to manage different policies depending on which SMTP IP
            > the client is using.

            Simone Felici wrote:
            > The first IP address should accept only clean SMTP sessions, with
            > restrictions allowing SMTP only from specific client IPs/ranges. This
            > is the actual situation in production and all is ok.
            > The second IP should accept only SASL-authenticated SMTP sessions. If the
            > authentication goes well, then the client can send without other checks
            > and the client can have any IP he wants.
            > Due to company decisions, our SMTP server accepts sending messages only
            > if the customer is connected to our network. The second IP on the
            > server should introduce the possibility to send (only if
            > authenticated) from any network.
            > Is it possible to setup on the same server?

            What you're looking for is called the submission service. Accepted
            practice has you split MTA relay and MUA submission onto two separate
            ports, 25 for MTAs, 587 for MUAs. Require TLS+AUTH on port 587, disable
            them[1] on port 25.

            In main.cf:

            smtpd_sasl_auth_enable = no

            In master.cf:

            submission inet n - n - - smtpd
              -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
              -o smtpd_sasl_auth_enable=yes
              -o smtpd_tls_auth_only=yes
              -o smtpd_tls_security_level=encrypt

            Set the other sasl- and tls-related settings in main.cf.

            If you want to use port 25 on IP1 instead of port 587 on all
            inet_interfaces, remove IP1 from inet_interfaces and change "submission"
            to "IP1:smtp" in the master.cf excerpt above.

            Keep in mind there is a growing number of ISPs which do not permit
            outbound connections to port 25 from their user networks while port 587
            is allowed by everyone except the most idiotic of network admins.

            1: You can make TLS optional if you want opportunistic encryption when
            talking to other MTAs.
          • mouss
            Message 5 of 11, Nov 27, 2008
              Simone Felici wrote:
              > Why? Uhm, dunno...
              > It seems certain mail clients have authenticated SMTP enabled by default
              > and if the client finds the SMTP server supports it, then it tries to send
              > with AUTH. This returns an error, due to inappropriate settings of the client.

              if you know their IPs, you can use smtpd_discard_ehlo_keyword_address_maps

              > To prevent this I would like to set up two IP addresses on the same server.
              > The first IP address should accept only clean SMTP sessions, with
              > restrictions allowing SMTP only from specific client IPs/ranges. This is
              > the actual situation in production and all is ok.
              > The second IP should accept only SASL-authenticated SMTP sessions. If the
              > authentication goes well, then the client can send without other checks
              > and the client can have any IP he wants.
              > Due to company decisions, our SMTP server accepts sending messages only if
              > the customer is connected to our network. The second IP on the server
              > should introduce the possibility to send (only if authenticated) from
              > any network.
              > Is it possible to setup on the same server?
              > I've read this (http://www.postfix.org/RESTRICTION_CLASS_README.html)
              > and ok, but have no idea how to choose different policies depending on
              > two different IPs (interfaces) of the server.
              >

              instead of playing with IPs, just enable the submission service in
              master.cf and get users to configure their MUA to use port 587 when they
              want to authenticate.

              if this isn't what you want/need, copy the submission service and do not
              enable sasl for the "standard" smtpd.


              10.1.2.3:25 inet n - n - - smtpd
              # -o smtpd_tls_security_level=encrypt
              # -o smtpd_sasl_auth_enable=yes
              # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
              # -o milter_macro_daemon_name=ORIGINATING
            • Simone Felici
              Message 6 of 11, Nov 30, 2008
                Simone Felici wrote:
                > Hi to all!
                >
                > I've tested successfully a simple smtp server with SMTP authenticated.
                > Now I would like to do the following:
                >
                > My server has two interfaces with IP1 and IP2.
                > I would like to setup postfix to permit AUTH-SMTP only for sessions
                > incoming on IP1 and normal SMTP sessions on IP2.
                > I've only found how to apply restrictions on the sender (ip/domain) but have
                > no idea how to manage different policies depending
                > on which SMTP IP the client is using.
                >
                > Can someone help me a little or post me a really simple example?
                >
                > Thanks
                >
                > Simon
                >
                >


                Thanks everyone: Wietse and postfix@... for answers.
                I'll take a look and test the "submission" service. :)

                Simon
              • Simone Felici
                Message 7 of 11, Dec 1, 2008
                  mouss wrote:
                  > Simone Felici wrote:
                  >> Why? Uhm, dunno...
                  >> It seems certain mail clients have authenticated SMTP enabled by default
                  >> and if the client finds the SMTP server supports it, then it tries to send
                  >> with AUTH. This returns an error, due to inappropriate settings of the client.
                  >
                  > if you know their IPs, you can use smtpd_discard_ehlo_keyword_address_maps
                  >


                  Mouss,
                  this could be a solution... but I haven't found any example or documentation to try it.
                  Could you point me to an example?

                  The initial problem was:
                  I've an SMTP server for customers, with standard SMTP open only from a range of IPs.
                  Could I provide normal SMTP service for customers of a range of known IPs (like now) and open my server to all the world
                  for SMTP service but ONLY if authenticated SMTP is used?

                  Is the MUA at an IP of my customers?
                  YES: It can send without any authentication.
                  NO: It can send ONLY if a user/pass is provided.

                  Simon

                  --
                  Simone Felici E-Mail: s.felici@...
                  Divisione Tecnica Tel: 0461 030 111
                  Alpikom S.p.A. Fax: 0461 030 112
                  v.Fersina, 23 - 38100 Trento URL: http://www.alpikom.it
                • mouss
                  Message 8 of 11, Dec 1, 2008
                    Simone Felici wrote:
                    > mouss wrote:
                    >> Simone Felici wrote:
                    >>> Why? Uhm, dunno...
                    >>> It seems certain mail clients have authenticated SMTP enabled by default
                    >>> and if the client finds the SMTP server supports it, then it tries to send
                    >>> with AUTH. This returns an error, due to inappropriate settings of the client.
                    >>
                    >> if you know their IPs, you can use
                    >> smtpd_discard_ehlo_keyword_address_maps
                    >>
                    >
                    >
                    > Mouss,
                    > this could be a solution... but I haven't found any example or documentation
                    > to try it.
                    > Could you point me to an example?

                    make sure to read:

                    http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps



                    smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo

                    == discard_ehlo
                    # rebuild the hash table after editing: postmap /etc/postfix/discard_ehlo
                    10.1.2.3    starttls, auth, silent-discard

                    (silent-discard prevents postfix from logging this "keyword discard"
                    action).


                    >
                    > The initial problem was:
                    > I've an SMTP server for customers, with standard SMTP open only from a
                    > range of IPs.
                    > Could I provide normal SMTP service for customers of a range of known IPs
                    > (like now) and open my server to all the world for SMTP service but ONLY
                    > if authenticated SMTP is used?
                    >
                    > Is the MUA at an IP of my customers?
                    > YES: It can send without any authentication.
                    > NO: It can send ONLY if a user/pass is provided.
                    >
                  • Noel Jones
                    Message 9 of 11, Dec 1, 2008
                      mouss wrote:
                      > Simone Felici wrote:
                      >> mouss wrote:
                      >>> Simone Felici wrote:
                      >>>> Why? Uhm, dunno...
                      >>>> It seems certain mail clients have authenticated SMTP enabled by default
                      >>>> and if the client finds the SMTP server supports it, then it tries to send
                      >>>> with AUTH. This returns an error, due to inappropriate settings of the client.
                      >>> if you know their IPs, you can use
                      >>> smtpd_discard_ehlo_keyword_address_maps
                      >>>
                      >>
                      >> Mouss,
                      >> this could be a solution... but I haven't found any example or documentation
                      >> to try it.
                      >> Could you point me to an example?
                      >
                      > make sure to read:
                      >
                      > http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
                      >
                      >
                      >
                      > smtpd_discard_ehlo_keyword_address_maps
                      > hash:/etc/postfix/discard_ehlo
                      >
                      > == discard_ehlo
                      > 10.1.2.3 starttls, auth, silent-discard
                      >
                      > (silent-discard prevents postfix from logging this "keyword discard"
                      > action).
                      >
                      >


                      (discarding starttls may be too much, but OP can decide for
                      himself)


                      I think this is even easier:
                      http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks

                      The simplest form of this is:
                      # main.cf
                      smtpd_sasl_exceptions_networks = $mynetworks


                      >> The initial problem was:
                      >> I've an SMTP server for customers, with standard SMTP open only from a
                      >> range of IPs.
                      >> Could I provide normal SMTP service for customers of a range of known IPs
                      >> (like now) and open my server to all the world for SMTP service but ONLY
                      >> if authenticated SMTP is used?
                      >>
                      >> Is the MUA at an IP of my customers?
                      >> YES: It can send without any authentication.
                      >> NO: It can send ONLY if a user/pass is provided.
                      >>
                      >

                      The behavior you describe is the standard settings:

                      smtpd_recipient_restrictions =
                          permit_mynetworks
                          permit_sasl_authenticated
                          reject_unauth_destination
                          ... other restrictions ...

                      You only need to make special arrangements such as mouss and I
                      describe when you don't want to ever offer AUTH to local
                      clients. Offering AUTH to everyone does not present a problem
                      to the vast majority of clients.

                      --
                      Noel Jones
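The following is an added example, not part of the thread and not Postfix code: a small Python model of how the settings recommended in this thread interact per client. It covers the split MTA/submission listeners from message 4, the smtpd_discard_ehlo_keyword_address_maps table from message 8, and smtpd_sasl_exceptions_networks together with the standard permit_mynetworks / permit_sasl_authenticated / reject_unauth_destination list from message 9. The customer range 192.0.2.0/24, the outside client 203.0.113.7, the misconfigured host 192.0.2.50, the local domain example.net and the reply texts are constructed for the example; the Listener and Session classes are the model's own and are not Postfix configuration syntax.

```python
"""Model of the Postfix decisions discussed in this thread: which EHLO
keywords a given smtpd listener advertises to a given client, and how an
ordered smtpd_recipient_restrictions list answers RCPT TO.  Written for
this page as an illustration; it is not Postfix code, and the addresses,
domains and reply texts are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field

MYNETWORKS = ("127.0.0.0/8", "192.0.2.0/24")   # constructed customer ranges
LOCAL_DOMAINS = {"example.net"}                 # constructed mydestination


@dataclass(frozen=True)
class Listener:
    """One master.cf smtpd entry with the -o overrides that matter here."""
    name: str
    sasl_auth_enable: bool                  # smtpd_sasl_auth_enable
    recipient_restrictions: tuple           # smtpd_recipient_restrictions
    tls_required: bool = False              # smtpd_tls_security_level=encrypt
    tls_auth_only: bool = False             # smtpd_tls_auth_only
    sasl_exceptions: tuple = ()             # smtpd_sasl_exceptions_networks
    discard_ehlo: dict = field(default_factory=dict)  # smtpd_discard_ehlo_keyword_address_maps


@dataclass
class Session:
    client_ip: str
    tls: bool = False               # client issued STARTTLS
    try_auth: bool = False          # MUA attempts AUTH whenever it is offered
    credentials_ok: bool = True     # what the SASL backend would answer
    rcpt_domain: str = "example.org"
    authenticated: bool = False


def in_networks(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def ehlo_keywords(listener, s):
    """Relevant subset of the keywords advertised in the EHLO reply."""
    kw = set() if s.tls else {"STARTTLS"}
    if (listener.sasl_auth_enable
            and not (listener.tls_auth_only and not s.tls)
            and not in_networks(s.client_ip, listener.sasl_exceptions)):
        kw.add("AUTH")
    # Per-client discards.  This model keys on the exact client IP; Postfix
    # consults a lookup table that may also hold networks.
    for word in listener.discard_ehlo.get(s.client_ip, ()):
        kw.discard(word.upper())    # "silent-discard" is a flag, not a keyword
    return kw


def rcpt_reply(listener, s):
    """Walk the restriction list in order; the first match decides."""
    if listener.tls_required and not s.tls:  # Postfix enforces this at MAIL FROM
        return "530 5.7.0 Must issue a STARTTLS command first"
    for r in listener.recipient_restrictions:
        if r == "permit_mynetworks" and in_networks(s.client_ip, MYNETWORKS):
            return "250 2.1.5 Ok (permit_mynetworks)"
        if r == "permit_sasl_authenticated" and s.authenticated:
            return "250 2.1.5 Ok (permit_sasl_authenticated)"
        if r == "reject_unauth_destination" and s.rcpt_domain not in LOCAL_DOMAINS:
            return "554 5.7.1 Relay access denied"
        if r == "reject":
            return "554 5.7.1 Access denied"
    return "250 2.1.5 Ok (end of list)"   # falling off the end permits


def run_session(listener, s):
    """EHLO, AUTH if offered and wanted, then RCPT TO: (keywords, reply)."""
    advertised = ehlo_keywords(listener, s)
    if s.try_auth and "AUTH" in advertised:
        if not s.credentials_ok:
            return advertised, "535 5.7.8 Error: authentication failed"
        s.authenticated = True
    return advertised, rcpt_reply(listener, s)


STANDARD = ("permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination")
# Port 25 on the customer-facing address: no SASL at all (message 4).
MTA = Listener("IP2:smtp", sasl_auth_enable=False, recipient_restrictions=STANDARD)
# Submission on 587 or IP1:smtp: TLS mandatory, AUTH only inside TLS, and
# nothing but authenticated mail accepted (message 4).
SUBMISSION = Listener("submission", sasl_auth_enable=True, tls_required=True,
                      tls_auth_only=True,
                      recipient_restrictions=("permit_sasl_authenticated", "reject"))
# One listener offering AUTH to everyone, with the discard table from
# message 8 hiding it from a single known-misconfigured client.
OFFER_ALL = Listener("smtp", sasl_auth_enable=True, tls_auth_only=True,
                     recipient_restrictions=STANDARD,
                     discard_ehlo={"192.0.2.50": ("auth", "silent-discard")})
# The same with smtpd_sasl_exceptions_networks = $mynetworks (message 9):
# local clients never see AUTH but are still permitted by permit_mynetworks.
EXCEPTIONS = Listener("smtp", sasl_auth_enable=True, tls_auth_only=True,
                      recipient_restrictions=STANDARD, sasl_exceptions=MYNETWORKS)

if __name__ == "__main__":
    for lst, s in ((OFFER_ALL, Session("192.0.2.10", tls=True, try_auth=True, credentials_ok=False)),
                   (EXCEPTIONS, Session("192.0.2.10", tls=True, try_auth=True, credentials_ok=False)),
                   (SUBMISSION, Session("203.0.113.7", try_auth=True)),
                   (MTA, Session("203.0.113.7"))):
        print(lst.name, s.client_ip, run_session(lst, s))
```

Running the file prints four scenarios: the local MUA with AUTH switched on but bad credentials fails with 535 when AUTH is offered to everyone, and is accepted via permit_mynetworks when AUTH is hidden from $mynetworks (or from that one host through the discard table); the roaming user on the submission listener is refused until STARTTLS, never sees AUTH before it, and is accepted only after authenticating; a stranger relaying through port 25 to a foreign domain gets 554. The check worth keeping from the model: drop reject_unauth_destination from the port-25 list and the same stranger gets 250, which is an open relay. Real Postfix does more than this model (the TLS requirement is enforced at MAIL FROM, smtpd_client_restrictions and smtpd_helo_restrictions run earlier, the discard table goes through Postfix's lookup table types), so use it to reason about ordering and confirm the live configuration with postconf -n.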
                    • mouss
                      Message 10 of 11, Dec 1, 2008
                        Noel Jones wrote:
                        > mouss wrote:
                        >> Simone Felici wrote:
                        >>> mouss wrote:
                        >>>> Simone Felici wrote:
                        >>>>> Why? Uhm, dunno...
                        >>>>> It seems certain mail clients have authenticated SMTP enabled by default
                        >>>>> and if the client finds the SMTP server supports it, then it tries to
                        >>>>> send
                        >>>>> with AUTH. This returns an error, due to inappropriate settings of the
                        >>>>> client.
                        >>>> if you know their IPs, you can use
                        >>>> smtpd_discard_ehlo_keyword_address_maps
                        >>>>
                        >>>
                        >>> Mouss,
                        >>> this could be a solution... but I haven't found any example or documentation
                        >>> to try it.
                        >>> Could you point me to an example?
                        >>
                        >> make sure to read:
                        >>
                        >> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
                        >>
                        >>
                        >>
                        >>
                        >> smtpd_discard_ehlo_keyword_address_maps
                        >> hash:/etc/postfix/discard_ehlo
                        >>
                        >> == discard_ehlo
                        >> 10.1.2.3 starttls, auth, silent-discard
                        >>
                        >> (silent-discard prevents postfix from logging this "keyword discard"
                        >> action).
                        >>
                        >>
                        >
                        >
                        > (discarding starttls may be too much, but OP can decide for himself)
                        >

                        yes. I only cited it to show that multiple keywords can be discarded.

                        >
                        > I think this is even easier:
                        > http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks
                        >
                        > The simplest form of this is:
                        > # main.cf
                        > smtpd_sasl_exceptions_networks = $mynetworks
                        >
                        >
                        >>> The initial problem was:
                        >>> I've an SMTP server for customers, with standard SMTP open only from a
                        >>> range of IPs.
                        >>> Could I provide normal SMTP service for customers of a range of known IPs
                        >>> (like now) and open my server to all the world for SMTP service but ONLY
                        >>> if authenticated SMTP is used?
                        >>>
                        >>> Is the MUA at an IP of my customers?
                        >>> YES: It can send without any authentication.
                        >>> NO: It can send ONLY if a user/pass is provided.
                        >>>
                        >>
                        >
                        > The behavior you describe is the standard settings:
                        >
                        > smtpd_recipient_restrictions =
                        > permit_mynetworks
                        > permit_sasl_authenticated
                        > reject_unauth_destination
                        > ... other restrictions ...
                        >
                        > You only need to make special arrangements such as mouss and I describe
                        > when you don't want to ever offer AUTH to local clients. Offering AUTH
                        > to everyone does not present a problem to the vast majority of clients.
                        >

                        It's unclear whether he actually found misbehaving MUAs or if he is just
                        fearing the unknown ;-p
                      • Simone Felici
                        Message 11 of 11, Dec 1, 2008
                          Noel Jones wrote:
                          > mouss wrote:

                          >>> Mouss,
                          >>> this could be a solution... but I haven't found any example or documentation
                          >>> to try it.
                          >>> Could you point me to an example?
                          >>
                          >> make sure to read:
                          >>
                          >> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
                          >>
                          >>
                          >>
                          >>
                          >> smtpd_discard_ehlo_keyword_address_maps
                          >> hash:/etc/postfix/discard_ehlo
                          >>
                          >> == discard_ehlo
                          >> 10.1.2.3 starttls, auth, silent-discard
                          >>
                          >> (silent-discard prevents postfix from logging this "keyword discard"
                          >> action).
                          >>
                          >>

                          Both are good solutions, I'll try these!

                          Thanks a lot!!!

                          Simon