Sufficiently locked down?

  • Grant
    Message 1 of 13, Jan 22, 2013
      I thought my postfix setup was configured to send mail on port 587 and
      receive mail on port 25, so I was surprised to find that I could send
      mail from the local machine on port 25. Is my config OK?

      master.cf:

      smtp inet n - n - 1 postscreen
      smtpd pass - - n - - smtpd
      tlsproxy unix - - n - 0 tlsproxy
      submission inet n - n - - smtpd
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_recipient_restrictions=permit_mynetworks,reject_plaintext_session,permit_sasl_authenticated,reject

      main.cf:

      mynetworks_style = host
      smtpd_recipient_restrictions =
        reject_unauth_destination,
        permit
      smtpd_relay_restrictions =
      smtpd_tls_security_level = may
      smtpd_tls_auth_only = yes

      - Grant
    • Reindl Harald
      Message 2 of 13, Jan 22, 2013
        On 22.01.2013 21:34, Grant wrote:
        > I thought my postfix setup was configured to send mail on port 587 and
        > receive mail on port 25, so I was surprised to find that I could send
        > mail from the local machine on port 25

        typically the local machine is in "mynetworks"
      • Stan Hoeppner
        Message 3 of 13, Jan 22, 2013
          On 1/22/2013 2:34 PM, Grant wrote:
          > I thought my postfix setup was configured to send mail on port 587 and
          > receive mail on port 25, so I was surprised to find that I could send
          > mail from the local machine on port 25. Is my config OK?

          Postfix never sends mail *from* TCP 25 or TCP 587. These are receive
          ports. Outbound connections occur on high ports. You're not properly
          describing your use case, actually not at all. Would you please?

          Is this Postfix running on your desktop/laptop workstation and accepting
          mail from your MUA, or is it running on a 'dedicated' MX MTA host? It's
          unclear how you are trying to use Postfix.

          Provide full 'postconf -n' output, never main.cf snippets. This was in
          your list welcome message. If you'd posted that we already have an
          answer for you.

          --
          Stan
        • Grant
          Message 4 of 13, Jan 23, 2013
            >> I thought my postfix setup was configured to send mail on port 587 and
            >> receive mail on port 25, so I was surprised to find that I could send
            >> mail from the local machine on port 25. Is my config OK?
            >
            > Postfix never sends mail *from* TCP 25 or TCP 587. These are receive
            > ports. Outbound connections occur on high ports. You're not properly
            > describing your use case, actually not at all. Would you please?

            You're right, I didn't word that correctly. I thought mail received
            on port 25 could only be delivered locally with my config, but I was
            able to send mail to any destination via port 25. The mail client and
            mail server are on the same machine.

            > Provide full 'postconf -n' output, never main.cf snippets. This was in
            > your list welcome message. If you'd posted that we already have an
            > answer for you.

            My config works, but does it look OK from a security perspective?

            # postconf -n
            command_directory = /usr/sbin
            config_directory = /etc/postfix
            daemon_directory = /usr/libexec/postfix
            data_directory = /var/lib/postfix
            debug_peer_level = 2
            debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
            ddd $daemon_directory/$process_name $process_id & sleep 5
            home_mailbox = .maildir/
            html_directory = no
            inet_protocols = ipv4
            mail_owner = postfix
            mailq_path = /usr/bin/mailq
            manpage_directory = /usr/share/man
            message_size_limit = 40960000
            mydestination = example1.com example2.com
            myhostname = example1.com
            mynetworks_style = host
            newaliases_path = /usr/bin/newaliases
            postscreen_bare_newline_action = enforce
            postscreen_bare_newline_enable = yes
            postscreen_greet_action = enforce
            postscreen_non_smtp_command_action = enforce
            postscreen_non_smtp_command_enable = yes
            postscreen_pipelining_action = enforce
            postscreen_pipelining_enable = yes
            queue_directory = /var/spool/postfix
            readme_directory = no
            sample_directory = /etc/postfix
            sendmail_path = /usr/sbin/sendmail
            setgid_group = postdrop
            smtp_tls_exclude_ciphers = aNULL
            smtpd_recipient_restrictions = reject_unauth_destination, permit
            smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
            smtpd_tls_auth_only = yes
            smtpd_tls_cert_file = /etc/ssl/postfix/newcert.pem
            smtpd_tls_exclude_ciphers = aNULL
            smtpd_tls_key_file = /etc/ssl/postfix/newkey.pem
            smtpd_tls_security_level = may
            smtpd_tls_session_cache_timeout = 3600s
            tls_random_source = dev:/dev/urandom
            unknown_local_recipient_reject_code = 550
            virtual_alias_maps = hash:/etc/postfix/virtual
            postconf: warning: /etc/postfix/main.cf: unused parameter:
            smtpd_relay_restrictions=

            - Grant
          • Stan Hoeppner
            Message 5 of 13, Jan 23, 2013
              On 1/23/2013 2:23 PM, Grant wrote:
              >>> I thought my postfix setup was configured to send mail on port 587 and
              >>> receive mail on port 25, so I was surprised to find that I could send
              >>> mail from the local machine on port 25. Is my config OK?
              >>
              >> Postfix never sends mail *from* TCP 25 or TCP 587. These are receive
              >> ports. Outbound connections occur on high ports. You're not properly
              >> describing your use case, actually not at all. Would you please?
              >
              > You're right, I didn't word that correctly. I thought mail received
              > on port 25 could only be delivered locally with my config, but I was
              > able to send mail to any destination via port 25. The mail client and
              > mail server are on the same machine.

              You haven't identified a problem Grant. You've identified standard
              Postfix behavior and told us it is confusing to you. We have no idea
              why that is confusing to you because you haven't told us exactly how you
              are trying to use Postfix. One thing I can tell you up front is that
              using authentication between your MUA and Postfix on 587 is useless,
              completely unnecessary, because the packets are transferred via machine
              memory, never going over the wire. The submission service exists
              strictly for accepting authenticated connections over a network. Your
              connections exist entirely within one machine.

              --
              Stan


              >> Provide full 'postconf -n' output, never main.cf snippets. This was in
              >> your list welcome message. If you'd posted that we already have an
              >> answer for you.
              >
              > My config works, but does it look OK from a security perspective?



              > # postconf -n
              > command_directory = /usr/sbin
              > config_directory = /etc/postfix
              > daemon_directory = /usr/libexec/postfix
              > data_directory = /var/lib/postfix
              > debug_peer_level = 2
              > debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
              > ddd $daemon_directory/$process_name $process_id & sleep 5
              > home_mailbox = .maildir/
              > html_directory = no
              > inet_protocols = ipv4
              > mail_owner = postfix
              > mailq_path = /usr/bin/mailq
              > manpage_directory = /usr/share/man
              > message_size_limit = 40960000
              > mydestination = example1.com example2.com
              > myhostname = example1.com
              > mynetworks_style = host
              > newaliases_path = /usr/bin/newaliases
              > postscreen_bare_newline_action = enforce
              > postscreen_bare_newline_enable = yes
              > postscreen_greet_action = enforce
              > postscreen_non_smtp_command_action = enforce
              > postscreen_non_smtp_command_enable = yes
              > postscreen_pipelining_action = enforce
              > postscreen_pipelining_enable = yes
              > queue_directory = /var/spool/postfix
              > readme_directory = no
              > sample_directory = /etc/postfix
              > sendmail_path = /usr/sbin/sendmail
              > setgid_group = postdrop
              > smtp_tls_exclude_ciphers = aNULL
              > smtpd_recipient_restrictions = reject_unauth_destination, permit
              > smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
              > smtpd_tls_auth_only = yes
              > smtpd_tls_cert_file = /etc/ssl/postfix/newcert.pem
              > smtpd_tls_exclude_ciphers = aNULL
              > smtpd_tls_key_file = /etc/ssl/postfix/newkey.pem
              > smtpd_tls_security_level = may
              > smtpd_tls_session_cache_timeout = 3600s
              > tls_random_source = dev:/dev/urandom
              > unknown_local_recipient_reject_code = 550
              > virtual_alias_maps = hash:/etc/postfix/virtual
              > postconf: warning: /etc/postfix/main.cf: unused parameter:
              > smtpd_relay_restrictions=
              >
              > - Grant
              >
            • Jeroen Geilman
              Message 6 of 13, Jan 24, 2013
                On 01/24/2013 07:08 AM, Stan Hoeppner wrote:
                > On 1/23/2013 2:23 PM, Grant wrote:
                >>>> I thought my postfix setup was configured to send mail on port 587 and
                >>>> receive mail on port 25, so I was surprised to find that I could send
                >>>> mail from the local machine on port 25. Is my config OK?
                >>> Postfix never sends mail *from* TCP 25 or TCP 587. These are receive
                >>> ports. Outbound connections occur on high ports. You're not properly
                >>> describing your use case, actually not at all. Would you please?
                >> You're right, I didn't word that correctly. I thought mail received
                >> on port 25 could only be delivered locally with my config, but I was
                >> able to send mail to any destination via port 25. The mail client and
                >> mail server are on the same machine.
                > You haven't identified a problem Grant. You've identified standard
                > Postfix behavior and told us it is confusing to you. We have no idea
                > why that is confusing to you because you haven't told us exactly how you
                > are trying to use Postfix. One thing I can tell you up front is that
                > using authentication between your MUA and Postfix on 587 is useless,
                > completely unnecessary, because the packets are transferred via machine
                > memory, never going over the wire. The submission service exists
                > strictly for accepting authenticated connections over a network. Your
                > connections exist entirely within on machine.
                >

                If he is actually using SMTP submission on the local server, that is
                obviously untrue.
                The workings of SMTP submission are not dependent on where this happens
                from.

                I would recommend submission regardless of goal or purpose, even on
                localhost.


                --
                J.
              • btb@...
                Message 7 of 13, Jan 24, 2013
                  On Jan 24, 2013, at 01.08, Stan Hoeppner wrote:

                  > On 1/23/2013 2:23 PM, Grant wrote:
                  >>>> I thought my postfix setup was configured to send mail on port 587 and
                  >>>> receive mail on port 25, so I was surprised to find that I could send
                  >>>> mail from the local machine on port 25. Is my config OK?
                  >>>
                  >>> Postfix never sends mail *from* TCP 25 or TCP 587. These are receive
                  >>> ports. Outbound connections occur on high ports. You're not properly
                  >>> describing your use case, actually not at all. Would you please?
                  >>
                  >> You're right, I didn't word that correctly. I thought mail received
                  >> on port 25 could only be delivered locally with my config, but I was
                  >> able to send mail to any destination via port 25. The mail client and
                  >> mail server are on the same machine.
                  >
                  > You haven't identified a problem Grant.

                  it seems quite clear to me the behavior he is attempting to understand/correct. commendably, he is at least making an attempt to properly use submission [which, btw, is far from "useless" and has nothing to do with the route a packet might take].

                  grant - please show master.cf with comments removed.

                  general comments regarding your current postconf -n output:

                  you likely have a number of redundant settings in main.cf. something like (postconf -d; postconf -n) | sort | uniq -d can be helpful in identifying these unnecessary main.cf entries and simplifying your config. also, a message_size_limit of 40mb is rather large. i'd encourage you to reduce that. lastly, i'd strongly encourage enforcing some additional basic smtpd_recipient_restrictions - e.g.

                  smtpd_recipient_restrictions =
                  reject_non_fqdn_sender
                  reject_unknown_sender_domain
                  reject_non_fqdn_recipient
                  reject_unauth_destination
                  permit

                  note that "permit" is not strictly necessary, but isn't necessarily a bad idea either, imo.

                  in addition, you probably ought to employ some basic antispam restrictions. things like

                  reject_unknown_client_hostname
                  reject_invalid_helo_hostname
                  reject_non_fqdn_helo_hostname
                  reject_unknown_helo_hostname

                  as well as some basic rbl checks [not to mention postscreen] are worth consideration.

                  do note that some of those restrictions may be more prone to collateral damage [perhaps most notably helo related restrictions], so you might consider testing these with warn_if_reject first.

                  lastly, don't miss the warning postconf printed regarding smtpd_relay_restrictions

                  -ben
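                  The restriction lists on this page (Grant's port-25 and submission lists from message 1, and the list Ben proposes above) can be compared by modelling how Postfix walks a restriction list at RCPT TO time: each restriction answers permit, reject or "don't know", and the first definite answer wins. The following is an added example, not Postfix code and not from anyone in the thread; it models only the restrictions named here, replaces DNS and the mynetworks expansion with constructed tables, and ignores smtpd_relay_restrictions, which Grant's Postfix reports as unused.

```python
"""Toy evaluator for the smtpd_recipient_restrictions lists quoted in this
thread.  Added example, not Postfix code.  Each restriction answers PERMIT,
REJECT or DUNNO and the first non-DUNNO answer decides, which is how Postfix
walks a restriction list at RCPT TO time.  Only restrictions named on this
page are modelled; DNS and relay_domains are replaced by constructed tables."""
import ipaddress
from dataclasses import dataclass

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# From the thread: mydestination = example1.com example2.com
MYDESTINATION = {"example1.com", "example2.com"}
# Constructed: what mynetworks_style = host yields on a box whose own
# address is 192.0.2.10 (loopback plus the machine's own addresses).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.10/32")]
# Constructed stand-in for DNS, used by reject_unknown_sender_domain.
RESOLVABLE_DOMAINS = {"example1.com", "example2.com", "remote.example"}

# The three lists as they appear in the thread.
PORT25_GRANT = "reject_unauth_destination, permit"
SUBMISSION_GRANT = ("permit_mynetworks, reject_plaintext_session, "
                    "permit_sasl_authenticated, reject")
PORT25_BEN = ("reject_non_fqdn_sender reject_unknown_sender_domain "
              "reject_non_fqdn_recipient reject_unauth_destination permit")


@dataclass
class Session:
    client_ip: str
    sender: str            # MAIL FROM address; "" is the null sender <>
    recipient: str         # RCPT TO address
    tls: bool = False      # STARTTLS completed
    sasl: bool = False     # SASL AUTH succeeded


def _domain(address):
    return address.rpartition("@")[2].lower()


def _is_fqdn(address):
    # Postfix's non_fqdn checks require a dotted domain part.
    return "." in _domain(address)


def _apply(name, s):
    """One restriction's answer for session s."""
    if name == "permit":
        return PERMIT
    if name == "reject":
        return REJECT
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(s.client_ip)
        return PERMIT if any(ip in net for net in MYNETWORKS) else DUNNO
    if name == "permit_sasl_authenticated":
        return PERMIT if s.sasl else DUNNO
    if name == "reject_plaintext_session":
        return DUNNO if s.tls else REJECT
    if name == "reject_unauth_destination":
        # Relay control looks only at the recipient domain; the client
        # address (mynetworks) plays no part in this restriction.
        return DUNNO if _domain(s.recipient) in MYDESTINATION else REJECT
    if name == "reject_non_fqdn_sender":
        # The null sender (bounces) is exempt, as in Postfix.
        return DUNNO if not s.sender or _is_fqdn(s.sender) else REJECT
    if name == "reject_non_fqdn_recipient":
        return DUNNO if _is_fqdn(s.recipient) else REJECT
    if name == "reject_unknown_sender_domain":
        if not s.sender or _domain(s.sender) in RESOLVABLE_DOMAINS:
            return DUNNO
        return REJECT
    raise ValueError("restriction not modelled: " + name)


def evaluate(restrictions, session):
    """Return (verdict, deciding restriction) for one RCPT TO command."""
    for name in restrictions.replace(",", " ").split():
        verdict = _apply(name, session)
        if verdict != DUNNO:
            return verdict, name
    return PERMIT, "end of list"   # Postfix permits when nothing fires


if __name__ == "__main__":
    # Constructed sessions: a localhost MUA relaying outward, and an
    # outside client with a non-FQDN sender delivering to a local domain.
    relay = Session("127.0.0.1", "grant@example1.com", "friend@remote.example")
    bad_sender = Session("203.0.113.5", "x@localhost", "grant@example1.com")
    for label, lst in (("port 25 (Grant)", PORT25_GRANT),
                       ("submission (Grant)", SUBMISSION_GRANT),
                       ("port 25 (Ben)", PORT25_BEN)):
        print(label, "localhost relay:", evaluate(lst, relay),
              "| non-FQDN sender:", evaluate(lst, bad_sender))
```

                  Two things the model makes visible: on the submission list, a localhost client is permitted by permit_mynetworks before the TLS and SASL checks are reached, and on the port-25 list as posted, reject_unauth_destination stops an outbound relay regardless of mynetworks.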
                • Stan Hoeppner
                  Message 8 of 13, Jan 24, 2013
                    On 1/24/2013 8:42 AM, Jeroen Geilman wrote:
                    > On 01/24/2013 07:08 AM, Stan Hoeppner wrote:
                    >> On 1/23/2013 2:23 PM, Grant wrote:
                    >>>>> I thought my postfix setup was configured to send mail on port 587 and
                    >>>>> receive mail on port 25, so I was surprised to find that I could send
                    >>>>> mail from the local machine on port 25. Is my config OK?
                    >>>> Postfix never sends mail *from* TCP 25 or TCP 587. These are receive
                    >>>> ports. Outbound connections occur on high ports. You're not properly
                    >>>> describing your use case, actually not at all. Would you please?
                    >>> You're right, I didn't word that correctly. I thought mail received
                    >>> on port 25 could only be delivered locally with my config, but I was
                    >>> able to send mail to any destination via port 25. The mail client and
                    >>> mail server are on the same machine.
                    >> You haven't identified a problem Grant. You've identified standard
                    >> Postfix behavior and told us it is confusing to you. We have no idea
                    >> why that is confusing to you because you haven't told us exactly how you
                    >> are trying to use Postfix. One thing I can tell you up front is that
                    >> using authentication between your MUA and Postfix on 587 is useless,
                    >> completely unnecessary, because the packets are transferred via machine
                    >> memory, never going over the wire. The submission service exists
                    >> strictly for accepting authenticated connections over a network. Your
                    >> connections exist entirely within on machine.
                    >>
                    >
                    > If he is actually using SMTP submission on the local server, that is
                    > obviously untrue.

                    So you're saying all interprocess communication should require
                    authentication and encryption? Hmm.. how many of the applications you
                    run do this Jeroen?

                    > The workings of SMTP submission are not dependent on where this happens
                    > from.
                    >
                    > I would recommend submission regardless of goal or purpose, even on
                    > localhost.

                    That's because you seem to be looking at this backwards.

                    smtp over TLS with auth has a single goal: security. What additional
                    security is provided by using TLS and auth for interprocess
                    communication on a single user PC? I.e. what is the attack vector here,
                    and how does 'submission' prevent such an attack? Answer: there is no
                    attack vector, thus it doesn't help.

                    --
                    Stan
                  • Stan Hoeppner
                    Message 9 of 13, Jan 24, 2013
                      On 1/24/2013 3:49 PM, btb@... wrote:
                      >
                      > On Jan 24, 2013, at 01.08, Stan Hoeppner wrote:
                      >
                      >> On 1/23/2013 2:23 PM, Grant wrote:
                      >>>>> I thought my postfix setup was configured to send mail on port 587 and
                      >>>>> receive mail on port 25, so I was surprised to find that I could send
                      >>>>> mail from the local machine on port 25. Is my config OK?
                      >>>>
                      >>>> Postfix never sends mail *from* TCP 25 or TCP 587. These are receive
                      >>>> ports. Outbound connections occur on high ports. You're not properly
                      >>>> describing your use case, actually not at all. Would you please?
                      >>>
                      >>> You're right, I didn't word that correctly. I thought mail received
                      >>> on port 25 could only be delivered locally with my config, but I was
                      >>> able to send mail to any destination via port 25. The mail client and
                      >>> mail server are on the same machine.
                      >>
                      >> You haven't identified a problem Grant.
                      >
                      > it seems quite clear to me the behavior he is attempting to understand/correct.

                      It's not clear at all. Read above. He says he's "configured to send
                      mail on port 587" which suggests ADSL/cable/consumer outbound submission
                      to his ISP, not inbound submission to Postfix.

                      > commendably, he is at least making an attempt to properly use submission [which, btw, is far from "useless" and has nothing to do with the route a packet might take].

                      The primary features of the submission service are TLS encryption and
                      authentication. Neither are needed for interprocess communication, as I
                      explained to Jeroen. The "packet" transfer here is simply a write to
                      local memory by the MUA and a read from it by Postfix. So unless
                      someone has a rogue program installed on his box that is eavesdropping
                      his TCP stack, the two primary features of the submission service are
                      absolutely useless in this scenario. Even the user logging of
                      submission is useless, as it's a single user box.

                      If he needs to separate inbound/outbound smtpds for *other* reasons,
                      such as separate smtpd_foo_restrictions, then a separate inbound smtpd
                      might make sense. But in that case, simply create another smtpd service
                      definition from scratch, that listens on an arbitrary port, that does
                      not require auth or TLS, which again, are useless for interprocess
                      communication as they add no meaningful security to the transaction.

                      --
                      Stan
                    • btb@...
                      Message 10 of 13, Jan 25, 2013
                        On Jan 24, 2013, at 22.57, Stan Hoeppner wrote:

                        >> commendably, he is at least making an attempt to properly use submission [which, btw, is far from "useless" and has nothing to do with the route a packet might take].
                        >
                        > The primary features of the submission service are TLS encryption and
                        > authentication.

                        the primary feature of the submission service is to provide different ports for servers and clients, so that the appropriate policy can be applied to each, independently. these policies are quite obviously completely subjective, and may or may not include smtp auth [and thus with it, encryption]. the submission protocol defines a port for clients to use, period. it does not say "use port 587, unless you are talking to localhost, in which case use port 25."

                        > Even the user logging of submission is useless, as it's a single user box.


                        hmm, not sure where you got this idea. there have been no such statements from the op.

                        -ben
                      • Stan Hoeppner
                        Message 11 of 13, Jan 25, 2013
                          On 1/25/2013 10:18 AM, btb@... wrote:
                          > On Jan 24, 2013, at 22.57, Stan Hoeppner wrote:

                          >> The primary features of the submission service are TLS encryption and
                          >> authentication.
                          >
                          > the primary feature of the submission service is to provide different ports for servers and clients,

                          You might want to read this before repeating your statement above:

                          http://www.engardelinux.org/modules/index/list_archives.cgi?list=postfix-users&page=0425.html&month=2012-03

                          Note that the port is TCP 587, that TLS is enabled, and auth is enabled.
                          The submission service isn't simply for separating traffic on different
                          ports. It's for secure submission of user mail with auth, over the
                          wire. It is not intended for submission via IPC.

                          > ...the submission protocol defines a port for clients to use, period.

                          Again, not true. See above.

                          >> Even the user logging of submission is useless, as it's a single user box.
                          >
                          > hmm, not sure where you got this idea. there have been no such statements from the op.

                          Long experience. The only reason to use the submission service in an
                          IPC scenario is on a multiuser webmail server with local Postfix. The
                          submission service logs the authenticated user name. So even though the
                          encryption and authentication are useless for security reasons in an IPC
                          submission scenario, having the username logged is advantageous. For
                          instance if a user spams, is being abusive, sends threats, etc, the
                          admin can track down who sent the emails.

                          This is the only scenario where using the submission service for IPC
                          submission makes any sense. So again, for a single user box running
                          both the MUA and Postfix, one is better off using the standard smtpd
                          server on TCP 25, or creating a non TLS/auth submission service on an
                          arbitrary port.

                          --
                          Stan
                        • btb@...
                          Message 12 of 13, Jan 25, 2013
                            On Jan 25, 2013, at 13.29, Stan Hoeppner wrote:

                            > On 1/25/2013 10:18 AM, btb@... wrote:
                            >> On Jan 24, 2013, at 22.57, Stan Hoeppner wrote:
                            >
                            >>> The primary features of the submission service are TLS encryption and
                            >>> authentication.
                            >>
                            >> the primary feature of the submission service is to provide different ports for servers and clients,
                            >
                            > You might want to read this before repeating your statement above:
                            >
                            > http://www.engardelinux.org/modules/index/list_archives.cgi?list=postfix-users&page=0425.html&month=2012-03


                            the sample configuration postfix offers does not define the submission protocol. rather, it emphasizes my point that it is a personal choice.

                            at this point, this thread has become non beneficial to the op, and should be suspended until he returns with the additional requested data.

                            -ben
                          • Stan Hoeppner
                            Message 13 of 13, Jan 26, 2013
                              On 1/25/2013 12:59 PM, btb@... wrote:
                              >
                              > On Jan 25, 2013, at 13.29, Stan Hoeppner wrote:
                              >
                              >> On 1/25/2013 10:18 AM, btb@... wrote:
                              >>> On Jan 24, 2013, at 22.57, Stan Hoeppner wrote:
                              >>
                              >>>> The primary features of the submission service are TLS encryption and
                              >>>> authentication.
                              >>>
                              >>> the primary feature of the submission service is to provide different ports for servers and clients,
                              >>
                              >> You might want to read this before repeating your statement above:
                              >>
                              >> http://www.engardelinux.org/modules/index/list_archives.cgi?list=postfix-users&page=0425.html&month=2012-03
                              >
                              >
                              > the sample configuration postfix offers does not define the submission protocol. rather, it emphasizes my point that it is a personal choice.
                              >
                              > at this point, this thread has become non beneficial to the op, and

                              On the contrary. The OP should have learned a great deal from this
                              thread that is directly applicable to his situation.

                              > should be suspended until he returns with the additional requested data.

                              If the thread no longer has value to YOU, simply don't participate.

                              --
                              Stan