Re: Configure open relay on specific port

  • Wietse Venema
    Message 1 of 14 , Nov 22, 2012
      Patric Falinder:
      > All I actually need to do is to allow a dyndns-address to send without
      > authentication.

      And why can't the SMTP client be bothered to authenticate?
      Did you put your printer/scanner on the Internet?

      Wietse
    • Reindl Harald
      Message 2 of 14 , Nov 22, 2012
        On 22.11.2012 10:02, Patric Falinder wrote:
        > I need to configure Postfix to be an open relay on a specific port, let's say 3326. I already have Postfix
        > configured like a normal mailserver that requires authentication etc. but I need it to not ask for authentication
        > on port 3326. How do I do this?
        >
        > I know this isn't safe but this port won't be open for the internet, just specific IPs that I specify on my router,
        > so I won't be a target for spammers

        so why do you not put those specific IP addresses in "mynetworks"?
      • Patric Falinder
        Message 3 of 14 , Nov 22, 2012
          Wietse Venema wrote 2012-11-22 14:53:
          > Patric Falinder:
          >> All I actually need to do is to allow a dyndns-address to send without
          >> authentication.
          > And why can't the SMTP client be bothered to authenticate?
          > Did you put your printer/scanner on the Internet?
          >
          > Wietse
          Some of our customers "business-systems" are for some reason programmed
          so they're not able to authenticate. Now this hasn't been a problem for
          any of them because they've had a local mailserver (Exchange) where we
          have configured it so it didn't have to authenticate. But now when we
          have migrated all their mail to our servers and shut down their old one,
          they can't use that anymore and need to use ours.

          We've asked the support for the software why it is like this and they
          pretty much don't have an answer; they will probably implement it
          later on hopefully. So it's pretty urgent for them to get this working
          as they have a lot of business crucial emails that need to be delivered.
          Also they have a dynamic IP so I was thinking I could add their
          dyndns-address to 'mynetworks' but it only takes IP addresses, so I will
          have to manually add their new IP when/if they get a new one and by then
          lots of emails might have been lost due to not being delivered.

          Right now I have added their IP to 'mynetworks' and it's working fine
          for now, but it's not reliable as they have a dynamic IP like I said.
          So either I need to be able to add a hostname/domain instead of an IP to
          be able to send mail without authenticating or have an open relay on a
          non-standard port where I then configure in the router who can access it
          from outside. Or if you guys might have a better solution?

          Thanks,
          -Patric
        • Reindl Harald
          Message 4 of 14 , Nov 22, 2012
            On 22.11.2012 15:06, Patric Falinder wrote:
            > Right now I have added their IP to 'mynetworks' and it's working fine for now,
            > but it's not reliable as they have a dynamic IP like I said

            so making a different open-relay port is the same problem

            > So either I need to be able to add a hostname/domain instead of an IP
            > to be able to send mail without authenticating or have an open relay on a
            > non-standard port where I then configure in the router who can access
            > it from outside

            and how does this solve the dynamic IP?

            > Or if you guys might have a better solution?

            yes, they have to setup a postfix relay on their
            internal network - any other solution in context
            of dynamic IPs is pure crap and dangerous

            relayhost = [your-smtp-server]:587
            smtp_sasl_auth_enable = yes
            smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

            cat /etc/postfix/sasl_passwd
            # CHANGES: postmap /etc/postfix/sasl_passwd
            [your-smtp-server]:587 username:password
          • Wietse Venema
            Message 5 of 14 , Nov 22, 2012
              Patric Falinder:
              > All I actually need to do is to allow a dyndns-address to send without
              > authentication.

              Wietse:
              > And why can't the SMTP client be bothered to authenticate?

              Patric Falinder:
              > Some of our customers "business-systems" are for some reason
              > programmed so they're not able to authenticate. Now this hasn't
              > been a problem for any of them because they've had a local mailserver
              > (Exchange) where we have configured it so it didn't have to
              > authenticate. But now when we have migrated all their mail to our
              > servers and shut down their old one, they can't use that anymore
              > and need to use ours.

              Hostname lookup is not a solution. Due to caching effects there
              simply is no guarantee that the name will always exist and resolve
              to the current client address BEFORE the client connects to you.

              I deplore the lack of planning that went into this migration; it
              would have been easy enough to provide an SMTP proxy for off-site
              locations that authenticates with SASL or TLS certificate. The
              whole thing could be done in a few lines of Perl or Python.

              Wietse
            • Patric Falinder
              Message 6 of 14 , Nov 22, 2012
                Wietse Venema wrote 2012-11-22 15:22:
                > Patric Falinder:
                >> All I actually need to do is to allow a dyndns-address to send without
                >> authentication.
                > Wietse:
                >> And why can't the SMTP client be bothered to authenticate?
                > Patric Falinder:
                >> Some of our customers "business-systems" are for some reason
                >> programmed so they're not able to authenticate. Now this hasn't
                >> been a problem for any of them because they've had a local mailserver
                >> (Exchange) where we have configured it so it didn't have to
                >> authenticate. But now when we have migrated all their mail to our
                >> servers and shut down their old one, they can't use that anymore
                >> and need to use ours.
                > Hostname lookup is not a solution. Due to caching effects there
                > simply is no guarantee that the name will always exist and resolve
                > to the current client address BEFORE the client connects to you.
                >
                > I deplore the lack of planning that went into this migration; it
                > would have been easy enough to provide an SMTP proxy for off-site
                > locations that authenticates with SASL or TLS certificate. The
                > whole thing could be done in a few lines of Perl or Python.
                >
                > Wietse
                So it's not possible to have Postfix listening on another port with
                different settings, like skipping the authentication bit and have it act
                like an open relay?
                This is easily done in Exchange and I would guess it's possible in
                Postfix too, I just don't know how. I know the complications of having
                it configured this way so I don't need to be told that it's dangerous
                etc. because I'm aware of the dangers.


                Thanks,
                -Patric
              • Reindl Harald
                Message 7 of 14 , Nov 22, 2012
                  first: do NOT reply off-list!

                  On 22.11.2012 15:56, Patric Falinder wrote:
                  > Reindl Harald wrote 2012-11-22 15:20:
                  >>
                  >> On 22.11.2012 15:06, Patric Falinder wrote:
                  >>> Right now I have added their IP to 'mynetworks' and it's working fine for now,
                  >>> but it's not reliable as they have a dynamic IP like I said
                  >> so making a different open-relay port is the same problem
                  > How so?
                  > If I have an open relay I don't have to specify the IP in
                  > 'mynetworks' and don't have to care to change it if their
                  > IP is updated as I will fix this on the firewall

                  so how the hell does it make a difference?

                  you have to configure SOMETHING in any case
                  the idea of an open relay for dyn-addresses is crap

                  >> yes, they have to setup a postfix relay on their
                  >> internal network - any other solution in context
                  >> of dynamic IPs is pure crap and dangerous
                  >>
                  >> relayhost = [your-smtp-server]:587
                  >> smtp_sasl_auth_enable = yes
                  >> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
                  >>
                  >> cat /etc/postfix/sasl_passwd
                  >> # CHANGES: postmap /etc/postfix/sasl_passwd
                  >> [your-smtp-server]:587 username:password
                  >>
                  > Setting up a server just for that is not an option.

                  so kiss the customer goodbye as long as he cannot
                  provide a solution with a relay, or force him to
                  use software which is designed to work over WAN

                  > I know the complications of having an open relay but I really
                  > don't see the problem if I specify at a firewall level which IPs
                  > have access to it.

                  with a static IP on the client's side I agree
                  BUT with dynamic IPs this is only a bad joke

                  > So technically it's not an open relay as there are only specified IPs that
                  > have access to it in the end. And the reason I'm going to specify it
                  > on the firewall is because I can specify at hostname level who has access
                  > to it from the outside, I can't do that in Postfix

                  from where do you take the hostname?
                  PTR?

                  sorry but this is naive

                  * I control the PTR for my IPs
                  * I can set up whatever PTR I like for any of my IPs

                  there is no clean solution
                  force the customer to fix HIS side or kiss him goodbye!
                • Ralf Hildebrandt
                  Message 8 of 14 , Nov 22, 2012
                    * Patric Falinder <patric.falinder@...>:

                    > So it's not possible to have Postfix listening on another port with
                    > different settings, like skipping the authentication bit and have it
                    > act like an open relay?

                    Well of course:

                    -o smtpd_recipient_restrictions=...
                    -o ...

                    --
                    [*] sys4 AG

                    http://sys4.de, +49 (89) 30 90 46 64
                    Franziskanerstraße 15, 81669 München

                    Registered office: München, Amtsgericht München: HRB 199263
                    Board of directors: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
                    Chairman of the supervisory board: Joerg Heidrich
                  • Patric Falinder
                    Message 9 of 14 , Nov 22, 2012
                      Ralf Hildebrandt wrote 2012-11-22 16:25:
                      > * Patric Falinder <patric.falinder@...>:
                      >
                      >> So it's not possible to have Postfix listening on another port with
                      >> different settings, like skipping the authentication bit and have it
                      >> act like an open relay?
                      > Well of course:
                      >
                      > -o smtpd_recipient_restrictions=...
                      > -o ...
                      >
                      Thank you! However I had to use:
                      -o smtpd_recipient_restrictions=permit,reject

                      It works but I get this error: warning: restriction `reject' after
                      `permit' is ignored
                      But if I use just permit it won't work at all.
                      Any ideas?

                      Thanks,
                      -Patric
                    • /dev/rob0
                      Message 10 of 14 , Nov 22, 2012
                        On Thu, Nov 22, 2012 at 11:43:51AM +0100, Patric Falinder wrote:
                        > Patric Falinder wrote 2012-11-22 10:02:
                        > >I need to configure Postfix to be an open relay on a specific
                        > >port, let's say 3326. I already have Postfix configured like a
                        > >normal mailserver that requires authentication etc. but I need it
                        > >to not ask for authentication on port 3326. How do I do this?
                        > >
                        > >I know this isn't safe but this port won't be open for the
                        > >internet, just specific IPs that I specify on my router, so I
                        > >won't be a target for spammers.

                        Even if safe, it is far from ideal.

                        > >I already have port 3325 open just like port 25, I did that

                        What is the purpose of this smtpd on 3325?

                        > >by just adding this to /etc/services:
                        > >smtp2 3325/tcp

                        (I don't edit services(5). I let IANA handle that. It only gives
                        resolution of the port by name. You could just as well use the
                        number.)

                        > >and in /etc/postfix/master.cf:
                        > >smtp2 inet n - - - - smtpd
                        > >
                        > >So I can do the same for port 3326 but I don't know how to
                        > >disable the authentication part. How can I do this?

                        > It would actually be easier if there's a way to accept
                        > hostnames (mail.example.com) directly on the standard ports
                        > without authentication.

                        This is doable (check_client_access) but not for you, read on.

                        > I use 'mynetworks' to allow different IP numbers to send mail
                        > without authenticating but it doesn't support domain-names/
                        > hostnames. Or maybe there's another way it should be done?

                        ... And finally, the real goal is stated:

                        > All I actually need to do is to allow a dyndns-address to send
                        > without authentication.

                        (You really should have started with this.)

                        There are lots of workarounds available to SASL-allergic admins.
                        Mine, years ago, was to set up a site-to-site openvpn(8) tunnel,
                        adding the VPN IP address to mynetworks. This has the additional
                        benefit (FSVO "benefit") of hiding the "real" IP address in the
                        headers. Postfix only sees the VPN IP.

                        check_client_access won't work because it looks up only forward-
                        confirmed reverse DNS names. Your dynamic DNS probably only sets a
                        "forward" name, not the PTR for the IP address.

                        That said, there are a few thousand ways you might manage that, as
                        well. An entry in /etc/hosts(5) for the dynamic address, in most
                        cases, will bypass the PTR lookup. A simple script to edit your
                        /etc/hosts file when the dynamic host changes its address might
                        enable check_client_access.

                        Your script might just as well update a hash: file for mynetworks.

                        And another solution is to reconsider your SASL antipathy. It's
                        well-documented and not that hard to set up.

                        http://www.postfix.org/SOHO_README.html#client_sasl_enable
                        --
                        http://rob0.nodns4.us/ -- system administration and consulting
                        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
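The workaround /dev/rob0 sketches above, a script that keeps a hash: table used by mynetworks in step with the customer's dynamic-DNS name, as an added example (not code from the thread or from Postfix). It assumes the listener's configuration contains `mynetworks = 127.0.0.0/8, hash:/etc/postfix/relay_clients` with `permit_mynetworks` ahead of `reject_unauth_destination`; the table path, the host name and the resolver are assumptions, and the sample addresses are constructed. The script deliberately leaves the table untouched when the name fails to resolve or resolves only to loopback, private, multicast or reserved space, so a DNS hiccup never empties the table or admits a bogus record. Wietse's objection still applies: the record can lag behind the client's real address, so this only narrows the window, it does not close it.

```python
#!/usr/bin/env python3
"""Sync a Postfix hash: table of permitted relay clients with a dynamic-DNS
name.  Added example, not code from the thread.  Assumed configuration:

    mynetworks = 127.0.0.0/8, hash:/etc/postfix/relay_clients
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

TABLE and DYNDNS_NAME are placeholders, not values from the thread."""
import ipaddress
import socket
import subprocess
import sys

TABLE = "/etc/postfix/relay_clients"        # assumed table path
DYNDNS_NAME = "office.customer.example"     # constructed placeholder name

# Address space that must never be trusted as a remote relay client.  Kept as
# an explicit list so the rule does not drift with Python's own registry.
NEVER_A_CLIENT = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def resolve_ipv4(name, resolver=socket.gethostbyname_ex):
    """Return the set of IPv4 addresses name resolves to, or an empty set on
    failure.  The resolver is injectable so the logic can be tested offline."""
    try:
        _hostname, _aliases, addrs = resolver(name)
    except OSError:            # socket.gaierror is an OSError subclass
        return set()
    return set(addrs)


def acceptable(addr):
    """True only for a syntactically valid IPv4 address outside NEVER_A_CLIENT.
    A dynamic-DNS record that flips to such a value is treated as bogus."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in NEVER_A_CLIENT)


def render_table(addrs, name):
    """Render the hash: table text, one '<ip> OK' line per address.  For a
    type:table pattern in mynetworks only the presence of the key matters; the
    right-hand value is ignored, 'OK' is just the usual convention."""
    lines = ["# generated from %s; do not edit by hand" % name]
    lines += ["%s OK" % a for a in sorted(addrs, key=ipaddress.IPv4Address)]
    return "\n".join(lines) + "\n"


def plan_update(name, current_text, resolver=socket.gethostbyname_ex):
    """Return (changed, new_text).  No change is planned when resolution fails
    or yields nothing acceptable, so a DNS problem never opens or closes
    relaying by accident."""
    addrs = {a for a in resolve_ipv4(name, resolver) if acceptable(a)}
    if not addrs:
        return False, current_text
    new_text = render_table(addrs, name)
    return new_text != current_text, new_text


def main():
    try:
        with open(TABLE) as fh:
            current = fh.read()
    except FileNotFoundError:
        current = ""
    changed, new_text = plan_update(DYNDNS_NAME, current)
    if not changed:
        return 0
    with open(TABLE, "w") as fh:
        fh.write(new_text)
    # Rebuild the .db file so Postfix looks up the new key set.
    subprocess.run(["postmap", "hash:" + TABLE], check=True)
    print("updated %s" % TABLE)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from cron at a short interval; it rewrites the table and calls postmap only when the resolved address set actually changes. Because the key is a single address, a client whose record has not yet caught up with its new address is refused with the normal relay-denied reply rather than relayed, which is the safer failure for a restricted port.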
                      • Robert Schetterer
                        Message 11 of 14 , Nov 22, 2012
                          On 22.11.2012 16:32, Patric Falinder wrote:
                          > Ralf Hildebrandt wrote 2012-11-22 16:25:
                          >> * Patric Falinder <patric.falinder@...>:
                          >>
                          >>> So it's not possible to have Postfix listening on another port with
                          >>> different settings, like skipping the authentication bit and have it
                          >>> act like an open relay?
                          >> Well of course:
                          >>
                          >> -o smtpd_recipient_restrictions=...
                          >> -o ...
                          >>
                          > Thank you! However I had to use:
                          > -o smtpd_recipient_restrictions=permit,reject
                          >
                          > It works but I get this error: warning: restriction `reject' after
                          > `permit' is ignored
                          > But if I use just permit it won't work at all.
                          > Any ideas?
                          >
                          > Thanks,
                          > -Patric

                          for your dynamic IP problem, what about POP-before-SMTP etc. or some
                          port-knocking scripting etc.? That may give a small piece of security.

                          However, I don't think open relays are a good idea at all;
                          someday someone will abuse it

                          Best Regards
                          Robert Schetterer

                          --
                          [*] sys4 AG

                          http://sys4.de, +49 (89) 30 90 46 64
                          Franziskanerstraße 15, 81669 München

                          Registered office: München, Amtsgericht München: HRB 199263
                          Board of directors: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
                          Chairman of the supervisory board: Joerg Heidrich
                        • Wietse Venema
                          Message 12 of 14 , Nov 22, 2012
                            Patric Falinder:
                            > Ralf Hildebrandt wrote 2012-11-22 16:25:
                            > > * Patric Falinder <patric.falinder@...>:
                            > >
                            > >> So it's not possible to have Postfix listening on another port with
                            > >> different settings, like skipping the authentication bit and have it
                            > >> act like an open relay?
                            > > Well of course:
                            > >
                            > > -o smtpd_recipient_restrictions=...
                            > > -o ...
                            > >
                            > Thank you! However I had to use:
                            > -o smtpd_recipient_restrictions=permit,reject

                            In the next release, Postfix will require that a reject-like
                            restriction appears BEFORE permit.

                            Wietse
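Putting Ralf's `-o` hint, Patric's `permit,reject` warning and Wietse's ordering note together, here is what the dedicated listener looks like when it is restricted to one client rather than left open; this is an added example for master.cf, not configuration from the thread. A bare `permit` is refused because Postfix insists that smtpd_recipient_restrictions contain at least one reject-type restriction (reject_unauth_destination, reject, defer, defer_if_permit); `permit,reject` passes that check only because the unreachable `reject` is present, hence the warning. The entry below instead lists the trusted client first and ends with a reject-type restriction that can actually fire. The address 203.0.113.10 is a constructed placeholder for the customer's address; on Postfix 2.10 and later the same `permit_mynetworks` list also has to be given for smtpd_relay_restrictions, which is where the relay check moved, and on older releases that line is simply omitted.

```text
# master.cf (added example, not from the thread): a second smtpd on port 3326
# that relays only for the addresses listed in its own mynetworks override.
# 203.0.113.10 is a constructed placeholder for the customer's address.
3326      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/relay3326
  -o mynetworks=127.0.0.0/8,203.0.113.10/32
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
```

The separate syslog_name makes this listener's traffic easy to pick out in the mail log, which is the first thing to watch after opening any port that relays without SASL: every accepted message from an address other than the one in mynetworks is a sign the override is wrong. `postconf -Mf` prints the master.cf entries as Postfix parsed them, so a missing comma or a stray space around the `=` shows up before the service is reloaded.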