Configure open relay on specific port

  • Patric Falinder
    Message 1 of 14 , Nov 22, 2012
      Hi,

      I need to configure Postfix to be an open relay on a specific port, let's
      say 3326. I already have Postfix configured like a normal mailserver
      that requires authentication etc. but I need it to not ask for
      authentication on port 3326. How do I do this?

      I know this isn't safe but this port won't be open for the internet, just
      specific IPs that I specify on my router, so I won't be a target for
      spammers.

      I already have port 3325 open just like port 25, I did that by just
      adding this to /etc/services:
      smtp2 3325/tcp

      and in /etc/postfix/master.cf:
      smtp2 inet n - - - - smtpd

      So I can do the same for port 3326 but I don't know how to disable the
      authentication part. How can I do this?

      Thanks,
      -Patric
    • Patric Falinder
      Message 2 of 14 , Nov 22, 2012
        Patric Falinder wrote on 2012-11-22 10:02:
        > Hi,
        >
        > I need to configure Postfix to be an open relay on a specific port,
        > let's say 3326. I already have Postfix configured like a normal
        > mailserver that requires authentication etc. but I need it to not ask
        > for authentication on port 3326. How do I do this?
        >
        > I know this isn't safe but this port won't be open for the internet,
        > just specific IPs that I specify on my router, so I won't be a target
        > for spammers.
        >
        > I already have port 3325 open just like port 25, I did that by just
        > adding this to /etc/services:
        > smtp2 3325/tcp
        >
        > and in /etc/postfix/master.cf:
        > smtp2 inet n - - - - smtpd
        >
        > So I can do the same for port 3326 but I don't know how to disable the
        > authentication part. How can I do this?
        >
        > Thanks,
        > -Patric
        It would actually be easier if there's a way to accept hostnames
        (mail.example.com) directly on the standard ports without
        authentication. I use 'mynetworks' to allow different IP numbers to send
        mail without authenticating but it doesn't support
        domain names/hostnames. Or maybe there's another way it should be done?
        All I actually need to do is to allow a dyndns address to send without
        authentication.
      • Wietse Venema
        Message 3 of 14 , Nov 22, 2012
          Patric Falinder:
          > All I actually need to do is to allow a dyndns address to send without
          > authentication.

          And why can't the SMTP client be bothered to authenticate?
          Did you put your printer/scanner on the Internet?

          Wietse
        • Reindl Harald
          Message 4 of 14 , Nov 22, 2012
            On 22.11.2012 10:02, Patric Falinder wrote:
            > I need to configure Postfix to be an open relay on a specific port, let's say 3326. I already have Postfix
            > configured like a normal mailserver that requires authentication etc. but I need it to not ask for authentication
            > on port 3326. How do I do this?
            >
            > I know this isn't safe but this port won't be open for the internet, just specific IPs that I specify on my router,
            > so I won't be a target for spammers

            so why do you not put those specific IP addresses in "mynetworks"?
          • Patric Falinder
            Message 5 of 14 , Nov 22, 2012
              Wietse Venema wrote on 2012-11-22 14:53:
              > Patric Falinder:
              >> All I actually need to do is to allow a dyndns address to send without
              >> authentication.
              > And why can't the SMTP client be bothered to authenticate?
              > Did you put your printer/scanner on the Internet?
              >
              > Wietse
              Some of our customers "business-systems" are for some reason programmed
              so they're not able to authenticate. Now this hasn't been a problem for
              any of them because they've had a local mailserver (Exchange) where we
              have configured it so it didn't have to authenticate. But now when we
              have migrated all their mail to our servers and shutdown their old one,
              they can't use that anymore and need to use ours.

              We've asked the support for the software why it is like this and they
              pretty much don't have an answer; they will probably implement it
              later on, hopefully. So it's pretty urgent for them to get this working
              as they have a lot of business-crucial emails that need to be delivered.
              Also they have a dynamic IP so I was thinking I could add their
              dyndns address to 'mynetworks' but it only takes IP addresses, so I will
              have to manually add their new IP when/if they get a new one and by then
              lots of emails might have been lost due to not being delivered.

              Right now I have added their IP to 'mynetworks' and it's working fine
              for now, but it's not reliable as they have a dynamic IP like I said.
              So either I need to be able to add a hostname/domain instead of an IP to
              be able to send mail without authenticating or have an open relay on a
              non-standard port where I then configure in the router who can access it
              from outside. Or if you guys might have a better solution?

              Thanks,
              -Patric
            • Reindl Harald
              Message 6 of 14 , Nov 22, 2012
                On 22.11.2012 15:06, Patric Falinder wrote:
                > Right now I have added their IP to 'mynetworks' and it's working fine for now,
                > but it's not reliable as they have a dynamic IP like I said

                so making a different open-relay port is the same problem

                > So either I need to be able to add a hostname/domain instead of an IP
                > to be able to send mail without authenticating or have an open relay on a
                > non-standard port where I then configure in the router who can access
                > it from outside

                and how does this solve the dynamic IP?

                > Or if you guys might have a better solution?

                yes, they have to set up a postfix relay on their
                internal network - any other solution in context
                of dynamic IPs is pure crap and dangerous

                relayhost = [your-smtp-server]:587
                smtp_sasl_auth_enable = yes
                smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

                cat /etc/postfix/sasl_passwd
                # CHANGES: postmap /etc/postfix/sasl_passwd
                [your-smtp-server]:587 username:password
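The three main.cf lines and the sasl_passwd file above turn the customer's internal Postfix into an authenticated relay client. What follows is an added example, not code from the thread or from the Postfix project: a read-only audit script for exactly that setup, meant to be run on the customer's relay. It checks that relayhost is written as [host]:port, that SASL is enabled, that the password map key matches the relayhost string exactly (brackets and port included), that the map and its .db are unreadable to group and world, that the .db was rebuilt after the last edit, and, a point the snippet above leaves out, that smtp_tls_security_level forces TLS so the credentials are not sent to the WAN in clear. The paths /etc/postfix/main.cf and /etc/postfix/sasl_passwd are assumed defaults and can be overridden through the MAIN_CF and SASL_PASSWD environment variables.

```shell
#!/bin/sh
# Added example, not from the thread or the Postfix project: a read-only audit of the
# relay-client ("satellite") configuration sketched above, run on the customer's
# internal relay. Paths are assumed and can be overridden via the environment.
set -u

MAIN_CF="${MAIN_CF:-/etc/postfix/main.cf}"
SASL_PASSWD="${SASL_PASSWD:-/etc/postfix/sasl_passwd}"

# cf_get FILE PARAM: print the value of the last "PARAM = value" line in FILE.
cf_get() {
    awk -v key="$2" '
        $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0 }
        END { print val }' "$1"
}

# readable_by_others FILE: succeed when the group or world read bit is set.
readable_by_others() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# relay_client_issues MAIN_CF SASL_PASSWD: print one line per finding, nothing when the
# configuration looks sound; the exit status is the number of findings.
relay_client_issues() {
    cf="$1"; pw="$2"; n=0
    rh=$(cf_get "$cf" relayhost)
    case "$rh" in
        \[*\]:[0-9]*) ;;   # [host]:port: no MX lookup, explicit submission port
        *) echo "relayhost should be written as [host]:port, got '${rh:-<unset>}'"; n=$((n+1)) ;;
    esac
    [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = yes ] ||
        { echo "smtp_sasl_auth_enable is not yes"; n=$((n+1)); }
    # The snippet in the thread omits TLS; without it the SASL password crosses the WAN in clear.
    case "$(cf_get "$cf" smtp_tls_security_level)" in
        encrypt|secure|dane-only) ;;
        *) echo "smtp_tls_security_level does not enforce TLS towards the relayhost"; n=$((n+1)) ;;
    esac
    [ "$(cf_get "$cf" smtp_sasl_password_maps)" = "hash:$pw" ] ||
        { echo "smtp_sasl_password_maps does not reference hash:$pw"; n=$((n+1)); }
    if [ -f "$pw" ]; then
        # The lookup key must equal the relayhost string exactly, brackets and port included.
        awk -v k="$rh" '$1 == k { f = 1 } END { exit !f }' "$pw" ||
            { echo "no credentials for '$rh' in $pw"; n=$((n+1)); }
        for f in "$pw" "$pw.db"; do
            if [ -f "$f" ] && readable_by_others "$f"; then
                echo "$f is readable by group or others; chmod 600 it"; n=$((n+1))
            fi
        done
        [ "$pw.db" -nt "$pw" ] ||
            { echo "$pw.db is missing or older than $pw; run: postmap hash:$pw"; n=$((n+1)); }
    else
        echo "$pw does not exist"; n=$((n+1))
    fi
    return $n
}

# Run against the live files when invoked with --check; silence means no findings.
if [ "${1:-}" = "--check" ]; then
    relay_client_issues "$MAIN_CF" "$SASL_PASSWD"
fi
```

Run it with --check on the relay client after every change to main.cf or sasl_passwd. One related setting it does not inspect: the default smtp_sasl_security_options contains noplaintext, so PLAIN or LOGIN over the TLS session only works once that parameter is set to noanonymous, as the SOHO_README linked later in this thread describes.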
              • Wietse Venema
                Message 7 of 14 , Nov 22, 2012
                  Patric Falinder:
                  > All I actually need to do is to allow a dyndns address to send without
                  > authentication.

                  Wietse:
                  > And why can't the SMTP client be bothered to authenticate?

                  Patric Falinder:
                  > Some of our customers "business-systems" are for some reason
                  > programmed so they're not able to authenticate. Now this hasn't
                  > been a problem for any of them because they've had a local mailserver
                  > (Exchange) where we have configured it so it didn't have to
                  > authenticate. But now when we have migrated all their mail to our
                  > servers and shutdown their old one, they can't use that anymore
                  > and need to use ours.

                  Hostname lookup is not a solution. Due to caching effects there
                  simply is no guarantee that the name will always exist and resolve
                  to the current client address BEFORE the client connects to you.

                  I deplore the lack of planning that went into this migration; it
                  would have been easy enough to provide an SMTP proxy for off-site
                  locations that authenticates with SASL or TLS certificate. The
                  whole thing could be done in a few lines of Perl or Python.

                  Wietse
                • Patric Falinder
                  Message 8 of 14 , Nov 22, 2012
                    Wietse Venema wrote on 2012-11-22 15:22:
                    > Patric Falinder:
                    >> All I actually need to do is to allow a dyndns address to send without
                    >> authentication.
                    > Wietse:
                    >> And why can't the SMTP client be bothered to authenticate?
                    > Patric Falinder:
                    >> Some of our customers "business-systems" are for some reason
                    >> programmed so they're not able to authenticate. Now this hasn't
                    >> been a problem for any of them because they've had a local mailserver
                    >> (Exchange) where we have configured it so it didn't have to
                    >> authenticate. But now when we have migrated all their mail to our
                    >> servers and shutdown their old one, they can't use that anymore
                    >> and need to use ours.
                    > Hostname lookup is not a solution. Due to caching effects there
                    > simply is no guarantee that the name will always exist and resolve
                    > to the current client address BEFORE the client connects to you.
                    >
                    > I deplore the lack of planning that went into this migration; it
                    > would have been easy enough to provide an SMTP proxy for off-site
                    > locations that authenticates with SASL or TLS certificate. The
                    > whole thing could be done in a few lines of Perl or Python.
                    >
                    > Wietse
                    So it's not possible to have Postfix listening on another port with
                    different settings, like skipping the authentication bit and have it act
                    like an open relay?
                    This is easily done in Exchange and I would guess it's possible in
                    Postfix too, I just don't know how. I know the complications of having
                    it configured this way so I don't need to be told that it's dangerous
                    etc. because I'm aware of the dangers.


                    Thanks,
                    -Patric
                  • Reindl Harald
                    Message 9 of 14 , Nov 22, 2012
                      first: do NOT reply off-list!

                      On 22.11.2012 15:56, Patric Falinder wrote:
                      > Reindl Harald wrote on 2012-11-22 15:20:
                      >>
                      >> On 22.11.2012 15:06, Patric Falinder wrote:
                      >>> Right now I have added their IP to 'mynetworks' and it's working fine for now,
                      >>> but it's not reliable as they have a dynamic IP like I said
                      >> so making a different open-relay port is the same problem
                      > How so?
                      > If I have an open relay I don't have to specify the IP in
                      > 'mynetworks' and don't have to care to change it if their
                      > IP is updated as I will fix this on the firewall

                      so how the hell does it make a difference?

                      you have to configure SOMETHING in any case
                      the idea of an open relay for dyn-addresses is crap

                      >> yes, they have to set up a postfix relay on their
                      >> internal network - any other solution in context
                      >> of dynamic IPs is pure crap and dangerous
                      >>
                      >> relayhost = [your-smtp-server]:587
                      >> smtp_sasl_auth_enable = yes
                      >> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
                      >>
                      >> cat /etc/postfix/sasl_passwd
                      >> # CHANGES: postmap /etc/postfix/sasl_passwd
                      >> [your-smtp-server]:587 username:password
                      >>
                      > Setting up a server just for that is not an option.

                      so kiss the customer goodbye as long he can not
                      provide a solution with a relay or force to
                      use software which is designed to work over WAN

                      > I know the complications of having an open relay but I really
                      > don't see the problem if I specify at a firewall level which IPs
                      > have access to it.

                      with a static IP on the clients' side I agree
                      BUT with dynamic IPs this is only a bad joke

                      > So technically it's not an open relay as there are only specified IPs that
                      > have access to it in the end. And the reason I'm going to specify it
                      > on the firewall is because I can specify at hostname level who's having access
                      > to it from the outside, I can't do that in Postfix

                      from where do you take the hostname?
                      PTR?

                      sorry but this is naive

                      * I control the PTR for my IPs
                      * I can set up whatever PTR I like for whatever of my IPs

                      there is no clean solution
                      force the customer to fix HIS side or kiss him goodbye!
                    • Ralf Hildebrandt
                      Message 10 of 14 , Nov 22, 2012
                        * Patric Falinder <patric.falinder@...>:

                        > So it's not possible to have Postfix listening on another port with
                        > different settings, like skipping the authentication bit and have it
                        > act like an open relay?

                        Well of course:

                        -o smtpd_recipient_restrictions=...
                        -o ...

                        --
                        [*] sys4 AG

                        http://sys4.de, +49 (89) 30 90 46 64
                        Franziskanerstraße 15, 81669 München

                        Registered office: München, Amtsgericht München: HRB 199263
                        Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
                        Chairman of the supervisory board: Joerg Heidrich
                      • Patric Falinder
                        Message 11 of 14 , Nov 22, 2012
                          Ralf Hildebrandt wrote on 2012-11-22 16:25:
                          > * Patric Falinder <patric.falinder@...>:
                          >
                          >> So it's not possible to have Postfix listening on another port with
                          >> different settings, like skipping the authentication bit and have it
                          >> act like an open relay?
                          > Well of course:
                          >
                          > -o smtpd_recipient_restrictions=...
                          > -o ...
                          >
                          Thank you! However I had to use:
                          -o smtpd_recipient_restrictions=permit,reject

                          It works but I get this error: warning: restriction `reject' after
                          `permit' is ignored
                          But if I use just permit it won't work at all.
                          Any ideas?

                          Thanks,
                          -Patric
                        • /dev/rob0
                          Message 12 of 14 , Nov 22, 2012
                            On Thu, Nov 22, 2012 at 11:43:51AM +0100, Patric Falinder wrote:
                            > Patric Falinder wrote on 2012-11-22 10:02:
                            > >I need to configure Postfix to be an open relay on a specific
                            > >port, let's say 3326. I already have Postfix configured like a
                            > >normal mailserver that requires authentication etc. but I need it
                            > >to not ask for authentication on port 3326. How do I do this?
                            > >
                            > >I know this isn't safe but this port won't be open for the
                            > >internet, just specific IPs that I specify on my router, so I
                            > >won't be a target for spammers.

                            Even if safe, it is far from ideal.

                            > >I already have port 3325 open just like port 25, I did that

                            What is the purpose of this smtpd on 3325?

                            > >by just adding this to /etc/services:
                            > >smtp2 3325/tcp

                            (I don't edit services(5). I let IANA handle that. It only gives
                            resolution of the port by name. You could just as well use the
                            number.)

                            > >and in /etc/postfix/master.cf:
                            > >smtp2 inet n - - - - smtpd
                            > >
                            > >So I can do the same for port 3326 but I don't know how to
                            > >disable the authentication part. How can I do this?

                            > It would actually be easier if there's a way to accept
                            > hostnames (mail.example.com) directly on the standard ports
                            > without authentication.

                            This is doable (check_client_access) but not for you, read on.

                            > I use 'mynetworks' to allow different IP numbers to send mail
                            > without authenticating but it doesn't support domain-names/
                            > hostnames. Or maybe there's another way it should be done?

                            ... And finally, the real goal is stated:

                            > All I actually need to do is to allow a dyndns address to send
                            > without authentication.

                            (You really should have started with this.)

                            There are lots of workarounds available to SASL-allergic admins.
                            Mine, years ago, was to set up a site-to-site openvpn(8) tunnel,
                            adding the VPN IP address to mynetworks. This has the additional
                            benefit (FSVO "benefit") of hiding the "real" IP address in the
                            headers. Postfix only sees the VPN IP.

                            check_client_access won't work because it looks up only forward-
                            confirmed reverse DNS names. Your dynamic DNS probably only sets a
                            "forward" name, not the PTR for the IP address.

                            That said, there are a few thousand ways you might manage that, as
                            well. An entry in /etc/hosts(5) for the dynamic address, in most
                            cases, will bypass the PTR lookup. A simple script to edit your
                            /etc/hosts file when the dynamic host changes its address might
                            enable check_client_access.

                            Your script might just as well update a hash: file for mynetworks.

                            And another solution is to reconsider your SASL antipathy. It's
                            well-documented and not that hard to set up.

                            http://www.postfix.org/SOHO_README.html#client_sasl_enable
                            --
                            http://rob0.nodns4.us/ -- system administration and consulting
                            Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
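/dev/rob0's suggestion above, a script that refreshes a hash: table whenever the dynamic host changes address, combined with the per-listener `-o` override from Ralf Hildebrandt's reply, as an added example that is not code from the thread or from the Postfix project. Everything in it is assumed: the table path /etc/postfix/dyn_clients, the name customer-office.dyndns.example, port 3326, and the main.cf and master.cf lines in the header comment. It deliberately scopes the grant to the dedicated listener through check_client_access instead of widening mynetworks (which applies to every smtpd instance, port 25 included), leaves the table untouched when the name fails to resolve, and ends the restriction list with reject so that nothing not in the table relays through that port; that avoids both the unconditional permit and the dead `reject` after `permit` from the warning quoted earlier.

```shell
#!/bin/sh
# Added example, not from the thread or the Postfix project: keep a Postfix hash: table
# in sync with a dynamic-DNS name and use it from a dedicated listener rather than from
# the global mynetworks. All paths, names and ports are assumed.
#
# Assumed main.cf line (a custom parameter, so the restriction list may contain spaces):
#   dyn_clients_restrictions = check_client_access hash:/etc/postfix/dyn_clients, reject
# Assumed master.cf listener, reachable only through the firewall rule, not offering AUTH:
#   3326      inet  n       -       n       -       -       smtpd
#     -o smtpd_sasl_auth_enable=no
#     -o smtpd_recipient_restrictions=$dyn_clients_restrictions
#     -o smtpd_relay_restrictions=$dyn_clients_restrictions
#   (the last override matters on Postfix 2.10 and later, where relay permission is
#    evaluated in smtpd_relay_restrictions; earlier releases only warn about it)
set -u

MAP="${DYN_CLIENTS_MAP:-/etc/postfix/dyn_clients}"       # assumed table path
DYN_NAME="${DYN_NAME:-customer-office.dyndns.example}"   # assumed dynamic-DNS name

# resolve_ipv4 NAME: print the first IPv4 address NAME resolves to, or nothing.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1; exit }'
}

# is_ipv4 STRING: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { ok = 1; for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0 }
        END { exit !ok }'
}

# current_map_ip: print the address currently in the table (first non-comment line).
current_map_ip() {
    [ -f "$MAP" ] || return 0
    awk '/^[^#]/ { print $1; exit }' "$MAP"
}

# render_map NAME IP TIMESTAMP: print the table contents; "OK" is the permit action
# that check_client_access returns for a matching client address.
render_map() {
    printf '# dynamic client %s, written %s\n%s\tOK\n' "$1" "$3" "$2"
}

# update_map NAME IP: rewrite the table atomically when IP changed.
# Returns 0 when rewritten, 1 when unchanged, 2 when IP is not a usable address
# (DNS failure, empty answer); in the last case the table is left untouched.
update_map() {
    is_ipv4 "$2" || return 2
    [ "$(current_map_ip)" = "$2" ] && return 1
    tmp="$MAP.tmp.$$"
    render_map "$1" "$2" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$tmp"
    mv "$tmp" "$MAP"
    # Rebuild the .db that smtpd actually reads; skipped where postmap is absent.
    if command -v postmap >/dev/null 2>&1; then postmap "hash:$MAP"; fi
    return 0
}

# Cron entry point: run with --sync every few minutes; without it only the functions are defined.
if [ "${1:-}" = "--sync" ]; then
    ip=$(resolve_ipv4 "$DYN_NAME")
    rc=0; update_map "$DYN_NAME" "$ip" || rc=$?
    case $rc in
        0) logger -t dyn_clients "$DYN_NAME now $ip, table $MAP rebuilt" ;;
        2) logger -t dyn_clients "no usable address for $DYN_NAME ('$ip'), table left as is" ;;
    esac
fi
```

Run it from cron with --sync. The firewall rule on the router stays as the second control, and Wietse's caveat above still applies: between the customer's address change and the next sync, the table names the old address, which by then may belong to someone else, so keep the interval short and watch the maillog for relays from that listener.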
                          • Robert Schetterer
                            Message 13 of 14 , Nov 22, 2012
                              On 22.11.2012 16:32, Patric Falinder wrote:
                              > Ralf Hildebrandt wrote on 2012-11-22 16:25:
                              >> * Patric Falinder <patric.falinder@...>:
                              >>
                              >>> So it's not possible to have Postfix listening on another port with
                              >>> different settings, like skipping the authentication bit and have it
                              >>> act like an open relay?
                              >> Well of course:
                              >>
                              >> -o smtpd_recipient_restrictions=...
                              >> -o ...
                              >>
                              > Thank you! However I had to use:
                              > -o smtpd_recipient_restrictions=permit,reject
                              >
                              > It works but I get this error: warning: restriction `reject' after
                              > `permit' is ignored
                              > But if I use just permit it won't work at all.
                              > Any ideas?
                              >
                              > Thanks,
                              > -Patric

                              for your dynamic IP problem, what about pop-before-smtp etc. or some
                              port-knocking scripting etc.? That may give a small piece of security.

                              However I don't think open relays are a good idea at all;
                              someday someone will abuse it.

                              Best Regards
                              Kind regards, Robert Schetterer

                              --
                              [*] sys4 AG

                              http://sys4.de, +49 (89) 30 90 46 64
                              Franziskanerstraße 15, 81669 München

                              Registered office: München, Amtsgericht München: HRB 199263
                              Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
                              Chairman of the supervisory board: Joerg Heidrich
                            • Wietse Venema
                              Message 14 of 14 , Nov 22, 2012
                                Patric Falinder:
                                > Ralf Hildebrandt wrote on 2012-11-22 16:25:
                                > > * Patric Falinder <patric.falinder@...>:
                                > >
                                > >> So it's not possible to have Postfix listening on another port with
                                > >> different settings, like skipping the authentication bit and have it
                                > >> act like an open relay?
                                > > Well of course:
                                > >
                                > > -o smtpd_recipient_restrictions=...
                                > > -o ...
                                > >
                                > Thank you! However I had to use:
                                > -o smtpd_recipient_restrictions=permit,reject

                                In the next release, Postfix will require that a reject-like
                                restriction appears BEFORE permit.

                                Wietse