
Re: RBLs, submission port, and permit_sasl_authenticated

  • Quanah Gibson-Mount
    Message 1 of 12 , Jan 17, 2013
      --On Thursday, January 17, 2013 2:26 PM -0800 Quanah Gibson-Mount
      <quanah@...> wrote:

      > Hi Noel,
      >
      >>
      >> I don't think postfix will start (or at least won't start this
      >> service) with both smtpd_recipient_restrictions and
      >> smtpd_relay_restrictions set empty.
      >
      > Yeah, I just ran into that in testing the changes in more detail.
      >
      >> For submission/smtps, one of these needs to be set eg.
      >>
      >> smtpd_relay_restrictions=permit_sasl_authenticated,reject
      > That's really helpful, thank you. :)

      Hi Noel,

      With testing, I have the following for 465/submission. Thanks again for
      the pointers! I used reject_unauth_destination because with just "reject",
      some of my mail tests failed.

      465 inet n - n - - smtpd
        -o content_filter=scan:[127.0.0.1]:10029
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=
        -o smtpd_data_restrictions=
        -o smtpd_end_of_data_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_recipient_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
        -o smtpd_sender_restrictions=
        -o syslog_name=postfix/smtps
        -o milter_macro_daemon_name=ORIGINATING
      submission inet n - n - - smtpd
        -o content_filter=scan:[127.0.0.1]:10029
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_tls_security_level=may
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_data_restrictions=
        -o smtpd_end_of_data_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_recipient_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
        -o smtpd_sender_restrictions=
        -o syslog_name=postfix/submission
        -o milter_macro_daemon_name=ORIGINATING


      --Quanah

      --

      Quanah Gibson-Mount
      Sr. Member of Technical Staff
      Zimbra, Inc
      A Division of VMware, Inc.
      --------------------
      Zimbra :: the leader in open source messaging and collaboration
    • Noel Jones
      Message 2 of 12 , Jan 17, 2013
        On 1/17/2013 4:42 PM, Quanah Gibson-Mount wrote:
        >
        > With testing, I have the following for 465/submission. Thanks again
        > for the pointers! I used reject_unauth_destination because with
        > just "reject", some of my mail tests failed.


        That implies you were sending unauthenticated mail to a local domain
        via smtps. As a general rule, that's something you want to prevent
        since it bypasses all your carefully crafted antispam controls. I
        have seen a few attempts to deliver spammy-looking unauthenticated
        mail via smtps/465, haven't noticed it on submission/587 (but never
        really looked for it).

        So reject_unauth_destination is OK for testing, but for production I
        would strongly suggest leaving it at reject.

        If you need to send unauthenticated mail over smtps/submission on an
        ongoing basis, you can define a very limited -o mynetworks=...
        setting and add permit_mynetworks before the reject.



        -- Noel Jones
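The two points raised so far (a submission-style service with both smtpd_recipient_restrictions and smtpd_relay_restrictions overridden to empty will not start, and a relay list ending in reject_unauth_destination instead of reject lets unauthenticated clients submit mail for local domains) can be checked mechanically. The script below is an added example, not code from this thread or from the Postfix project: it parses a small constructed master.cf fragment (a copy of the thread's two services plus a "reject" variant and a deliberately broken one) and reports services whose -o overrides match either problem, as well as permit_mynetworks steps that rely on the main.cf mynetworks rather than a narrow -o mynetworks= override. The service names and sample text are constructed; the option names are the real Postfix parameters discussed in the thread.

```python
"""Audit master.cf submission-style services for weak relay restrictions.

Added example (not from the thread). Reads master.cf text, collects the
'-o name=value' overrides of every smtpd service, and flags:
  * both smtpd_recipient_restrictions and smtpd_relay_restrictions
    overridden to empty (Postfix refuses to start such a service);
  * a relay list that does not end in a bare 'reject' (for example
    reject_unauth_destination), which still accepts unauthenticated mail
    addressed to local domains;
  * permit_mynetworks without a service-specific -o mynetworks= override.
"""
import re

# Constructed sample master.cf, not a real configuration.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
465       inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o syslog_name=postfix/smtps
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=may
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o syslog_name=postfix/submission
relayhost inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
broken    inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=
"""

OVERRIDE_RE = re.compile(r"\s*-o\s+([A-Za-z_]+)=(.*)$")


def parse_master_cf(text):
    """Return {service_name: {option: value}} for every smtpd service.

    A service line is unindented and has eight fields (name, type, private,
    unpriv, chroot, wakeup, maxproc, command); indented lines belong to the
    preceding service, and only its '-o name=value' overrides are kept.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            fields = raw.split()
            if len(fields) >= 8 and fields[7] == "smtpd":
                current = fields[0]
                services[current] = {}
            else:
                current = None  # not an smtpd service; ignore its overrides
            continue
        m = OVERRIDE_RE.match(raw)
        if current is not None and m:
            services[current][m.group(1)] = m.group(2).strip()
    return services


def audit(services):
    """Return a list of (service, finding) tuples for SASL-enabled services."""
    findings = []
    for name, opts in services.items():
        if opts.get("smtpd_sasl_auth_enable", "no") != "yes":
            continue  # only submission-style services are examined
        recip = opts.get("smtpd_recipient_restrictions")
        relay = opts.get("smtpd_relay_restrictions")
        if recip == "" and relay == "":
            findings.append((name, "recipient and relay restrictions both "
                             "empty: postfix will not start this service"))
            continue
        if relay is None:
            continue  # inherits main.cf; out of scope for this check
        steps = [s.strip() for s in relay.split(",") if s.strip()]
        if not steps:
            findings.append((name, "relay restrictions empty: relay control "
                             "falls back to smtpd_recipient_restrictions"))
        elif steps[-1] != "reject":
            findings.append((name, "relay restrictions end in %r rather than "
                             "'reject': unauthenticated clients may still "
                             "submit mail for local domains" % steps[-1]))
        if "permit_mynetworks" in steps and "mynetworks" not in opts:
            findings.append((name, "permit_mynetworks uses the main.cf "
                             "mynetworks; add a narrow -o mynetworks= "
                             "override for this service"))
    return findings


if __name__ == "__main__":
    for service, finding in audit(parse_master_cf(SAMPLE_MASTER_CF)):
        print("%s: %s" % (service, finding))
```

Run it against a real master.cf by replacing SAMPLE_MASTER_CF with the file contents; a clean output means every SASL-enabled service ends its relay list with a bare reject, which is the production setting recommended above.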
      • Quanah Gibson-Mount
        Message 3 of 12 , Jan 18, 2013
          --On Thursday, January 17, 2013 10:17 PM -0600 Noel Jones
          <njones@...> wrote:

          > On 1/17/2013 4:42 PM, Quanah Gibson-Mount wrote:
          >>
          >> With testing, I have the following for 465/submission. Thanks again
          >> for the pointers! I used reject_unauth_destination because with
          >> just "reject", some of my mail tests failed.
          >
          >
          > That implies you were sending unauthenticated mail to a local domain
          > via smtps. As a general rule, that's something you want to prevent
          > since it bypasses all your carefully crafted antispam controls. I
          > have seen a few attempts to deliver spammy-looking unauthenticated
          > mail via smtps/465, haven't noticed it on submission/587 (but never
          > really looked for it).
          >
          > So reject_unauth_destination is OK for testing, but for production I
          > would strongly suggest leaving it at reject.
          >
          > If you need to send unauthenticated mail over smtps/submission on an
          > ongoing basis, you can define a very limited -o mynetworks=...
          > setting and add permit_mynetworks before the reject.

          Hi Noel,

          Thanks again. There was a problem with my simple test script (it wasn't
          actually authenticating). I fixed that, and "reject" is definitely what I
          want.

          --Quanah

          --

          Quanah Gibson-Mount
          Sr. Member of Technical Staff
          Zimbra, Inc
          A Division of VMware, Inc.
          --------------------
          Zimbra :: the leader in open source messaging and collaboration