
Re: Sufficiently locked down?

  • btb@...
    Message 1 of 13 , Jan 24, 2013
      On Jan 24, 2013, at 01.08, Stan Hoeppner wrote:

      > On 1/23/2013 2:23 PM, Grant wrote:
      >>>> I thought my postfix setup was configured to send mail on port 587 and
      >>>> receive mail on port 25, so I was surprised to find that I could send
      >>>> mail from the local machine on port 25. Is my config OK?
      >>>
      >>> Postfix never sends mail *from* TCP 25 or TCP 587. These are receive
      >>> ports. Outbound connections occur on high ports. You're not properly
      >>> describing your use case, actually not at all. Would you please?
      >>
      >> You're right, I didn't word that correctly. I thought mail received
      >> on port 25 could only be delivered locally with my config, but I was
      >> able to send mail to any destination via port 25. The mail client and
      >> mail server are on the same machine.
      >
      > You haven't identified a problem Grant.

      it seems quite clear to me the behavior he is attempting to understand/correct. commendably, he is at least making an attempt to properly use submission [which, btw, is far from "useless" and has nothing to do with the route a packet might take].

      grant - please show master.cf with comments removed.

      general comments regarding your current postconf -n output:

      you likely have a number of redundant settings in main.cf. something like (postconf -d; postconf -n) | sort | uniq -d can be helpful in identifying these unnecessary main.cf entries and simplifying your config. also, a message_size_limit of 40mb is rather large. i'd encourage you to reduce that. lastly, i'd strongly encourage enforcing some additional basic smtpd_recipient_restrictions - e.g.

      smtpd_recipient_restrictions =
          reject_non_fqdn_sender
          reject_unknown_sender_domain
          reject_non_fqdn_recipient
          reject_unauth_destination
          permit

      note that "permit" is not strictly necessary, but isn't necessarily a bad idea either, imo.

      in addition, you probably ought to employ some basic antispam restrictions. things like

      reject_unknown_client_hostname
      reject_invalid_helo_hostname
      reject_non_fqdn_helo_hostname
      reject_unknown_helo_hostname

      as well as some basic rbl checks [not to mention postscreen] are worth consideration.

      do note that some of those restrictions may be more prone to collateral damage [perhaps most notably helo related restrictions], so you might consider testing these with warn_if_reject first.

      lastly, don't miss the warning postconf printed regarding smtpd_relay_restrictions

      -ben
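
Added example, not part of ben's message or of Postfix itself: a small audit script that reproduces the `(postconf -d; postconf -n) | sort | uniq -d` redundancy check and walks a restriction list in evaluation order to flag entries still in `warn_if_reject` test mode or a `permit` reached before `reject_unauth_destination`. The sample settings and all function names are constructed for illustration.

```python
import re

# Constructed samples standing in for `postconf -d` and `postconf -n` output.
DEFAULTS = "biff = yes\nmessage_size_limit = 10240000\n"
ACTIVE = """biff = yes
message_size_limit = 41943040
smtpd_recipient_restrictions =
    reject_non_fqdn_sender
    warn_if_reject reject_unknown_sender_domain
    reject_unauth_destination
    permit
"""

def parse_settings(text):
    """main.cf syntax: leading whitespace continues the previous setting."""
    settings, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name is not None:
            settings[name] += " " + line.strip()
        elif "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            settings[name] = value
    return {n: " ".join(v.split()) for n, v in settings.items()}

def redundant(defaults_text, active_text):
    """Names explicitly set to their default (what `sort | uniq -d` surfaces)."""
    defaults, active = parse_settings(defaults_text), parse_settings(active_text)
    return sorted(n for n, v in active.items() if defaults.get(n) == v)

def restriction_findings(value):
    """Walk one restriction list in evaluation order and flag problems."""
    findings, guarded, warn_next = [], False, False
    for tok in re.split(r"[,\s]+", value.strip()):
        if tok == "warn_if_reject":      # the next restriction only logs
            warn_next = True
            continue
        if tok == "reject_unauth_destination" and not warn_next:
            guarded = True
        elif tok == "permit" and not guarded:
            findings.append("bare permit before reject_unauth_destination")
        elif warn_next:
            findings.append(tok + " is log-only (warn_if_reject)")
        warn_next = False
    if not guarded:
        findings.append("no enforcing reject_unauth_destination in this list")
    return findings
```

The check looks at a single list; on Postfix 2.10 and later the relay guard may instead sit in smtpd_relay_restrictions, so run it against that list as well.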
    • Stan Hoeppner
      Message 2 of 13 , Jan 24, 2013
        On 1/24/2013 8:42 AM, Jeroen Geilman wrote:
        > On 01/24/2013 07:08 AM, Stan Hoeppner wrote:
        >> On 1/23/2013 2:23 PM, Grant wrote:
        >>>>> I thought my postfix setup was configured to send mail on port 587 and
        >>>>> receive mail on port 25, so I was surprised to find that I could send
        >>>>> mail from the local machine on port 25. Is my config OK?
        >>>> Postfix never sends mail *from* TCP 25 or TCP 587. These are receive
        >>>> ports. Outbound connections occur on high ports. You're not properly
        >>>> describing your use case, actually not at all. Would you please?
        >>> You're right, I didn't word that correctly. I thought mail received
        >>> on port 25 could only be delivered locally with my config, but I was
        >>> able to send mail to any destination via port 25. The mail client and
        >>> mail server are on the same machine.
        >> You haven't identified a problem Grant. You've identified standard
        >> Postfix behavior and told us it is confusing to you. We have no idea
        >> why that is confusing to you because you haven't told us exactly how you
        >> are trying to use Postfix. One thing I can tell you up front is that
        >> using authentication between your MUA and Postfix on 587 is useless,
        >> completely unnecessary, because the packets are transferred via machine
        >> memory, never going over the wire. The submission service exists
        >> strictly for accepting authenticated connections over a network. Your
        >> connections exist entirely within one machine.
        >>
        >
        > If he is actually using SMTP submission on the local server, that is
        > obviously untrue.

        So you're saying all interprocess communication should require
        authentication and encryption? Hmm.. how many of the applications you
        run do this Jeroen?

        > The workings of SMTP submission are not dependent on where this happens
        > from.
        >
        > I would recommend submission regardless of goal or purpose, even on
        > localhost.

        That's because you seem to be looking at this backwards.

        smtp over TLS with auth has a single goal: security. What additional
        security is provided by using TLS and auth for interprocess
        communication on a single user PC? I.e. what is the attack vector here,
        and how does 'submission' prevent such an attack? Answer: there is no
        attack vector, thus it doesn't help.

        --
        Stan
      • Stan Hoeppner
        Message 3 of 13 , Jan 24, 2013
          On 1/24/2013 3:49 PM, btb@... wrote:
          >
          > On Jan 24, 2013, at 01.08, Stan Hoeppner wrote:
          >
          >> On 1/23/2013 2:23 PM, Grant wrote:
          >>>>> I thought my postfix setup was configured to send mail on port 587 and
          >>>>> receive mail on port 25, so I was surprised to find that I could send
          >>>>> mail from the local machine on port 25. Is my config OK?
          >>>>
          >>>> Postfix never sends mail *from* TCP 25 or TCP 587. These are receive
          >>>> ports. Outbound connections occur on high ports. You're not properly
          >>>> describing your use case, actually not at all. Would you please?
          >>>
          >>> You're right, I didn't word that correctly. I thought mail received
          >>> on port 25 could only be delivered locally with my config, but I was
          >>> able to send mail to any destination via port 25. The mail client and
          >>> mail server are on the same machine.
          >>
          >> You haven't identified a problem Grant.
          >
          > it seems quite clear to me the behavior he is attempting to understand/correct.

          It's not clear at all. Read above. He says he's "configured to send
          mail on port 587" which suggests ADSL/cable/consumer outbound submission
          to his ISP, not inbound submission to Postfix.

          > commendably, he is at least making an attempt to properly use submission [which, btw, is far from "useless" and has nothing to do with the route a packet might take].

          The primary features of the submission service are TLS encryption and
          authentication. Neither are needed for interprocess communication, as I
          explained to Jeroen. The "packet" transfer here is simply a write to
          local memory by the MUA and a read from it by Postfix. So unless
          someone has a rogue program installed on his box that is eavesdropping
          his TCP stack, the two primary features of the submission service are
          absolutely useless in this scenario. Even the user logging of
          submission is useless, as it's a single user box.

          If he needs to separate inbound/outbound smtpds for *other* reasons,
          such as separate smtpd_foo_restrictions, then a separate inbound smtpd
          might make sense. But in that case, simply create another smtpd service
          definition from scratch, that listens on an arbitrary port, that does
          not require auth or TLS, which again, are useless for interprocess
          communication as they add no meaningful security to the transaction.

          --
          Stan
        • btb@...
          Message 4 of 13 , Jan 25, 2013
            On Jan 24, 2013, at 22.57, Stan Hoeppner wrote:

            >> commendably, he is at least making an attempt to properly use submission [which, btw, is far from "useless" and has nothing to do with the route a packet might take].
            >
            > The primary features of the submission service are TLS encryption and
            > authentication.

            the primary feature of the submission service is to provide different ports for servers and clients, so that the appropriate policy can be applied to each, independently. these policies are quite obviously completely subjective, and may or may not include smtp auth [and thus with it, encryption]. the submission protocol defines a port for clients to use, period. it does not say "use port 587, unless you are talking to localhost, in which case use port 25."

            > Even the user logging of submission is useless, as it's a single user box.


            hmm, not sure where you got this idea. there have been no such statements from the op.

            -ben
          • Stan Hoeppner
            Message 5 of 13 , Jan 25, 2013
              On 1/25/2013 10:18 AM, btb@... wrote:
              > On Jan 24, 2013, at 22.57, Stan Hoeppner wrote:

              >> The primary features of the submission service are TLS encryption and
              >> authentication.
              >
              > the primary feature of the submission service is to provide different ports for servers and clients,

              You might want to read this before repeating your statement above:

              http://www.engardelinux.org/modules/index/list_archives.cgi?list=postfix-users&page=0425.html&month=2012-03

              Note that the port is TCP 587, that TLS is enabled, and auth is enabled.
              The submission service isn't simply for separating traffic on different
              ports. It's for secure submission of user mail with auth, over the
              wire. It is not intended for submission via IPC.

              > ...the submission protocol defines a port for clients to use, period.

              Again, not true. See above.

              >> Even the user logging of submission is useless, as it's a single user box.
              >
              > hmm, not sure where you got this idea. there have been no such statements from the op.

              Long experience. The only reason to use the submission service in an
              IPC scenario is on a multiuser webmail server with local Postfix. The
              submission service logs the authenticated user name. So even though the
              encryption and authentication are useless for security reasons in an IPC
              submission scenario, having the username logged is advantageous. For
              instance if a user spams, is being abusive, sends threats, etc, the
              admin can track down who sent the emails.

              This is the only scenario where using the submission service for IPC
              submission makes any sense. So again, for a single user box running
              both the MUA and Postfix, one is better off using the standard smtpd
              server on TCP 25, or creating a non TLS/auth submission service on an
              arbitrary port.

              --
              Stan
            • btb@...
              Message 6 of 13 , Jan 25, 2013
                On Jan 25, 2013, at 13.29, Stan Hoeppner wrote:

                > On 1/25/2013 10:18 AM, btb@... wrote:
                >> On Jan 24, 2013, at 22.57, Stan Hoeppner wrote:
                >
                >>> The primary features of the submission service are TLS encryption and
                >>> authentication.
                >>
                >> the primary feature of the submission service is to provide different ports for servers and clients,
                >
                > You might want to read this before repeating your statement above:
                >
                > http://www.engardelinux.org/modules/index/list_archives.cgi?list=postfix-users&page=0425.html&month=2012-03


                the sample configuration postfix offers does not define the submission protocol. rather, it emphasizes my point that it is a personal choice.

                at this point, this thread has become non beneficial to the op, and should be suspended until he returns with the additional requested data.

                -ben
              • Stan Hoeppner
                Message 7 of 13 , Jan 26, 2013
                  On 1/25/2013 12:59 PM, btb@... wrote:
                  >
                  > On Jan 25, 2013, at 13.29, Stan Hoeppner wrote:
                  >
                  >> On 1/25/2013 10:18 AM, btb@... wrote:
                  >>> On Jan 24, 2013, at 22.57, Stan Hoeppner wrote:
                  >>
                  >>>> The primary features of the submission service are TLS encryption and
                  >>>> authentication.
                  >>>
                  >>> the primary feature of the submission service is to provide different ports for servers and clients,
                  >>
                  >> You might want to read this before repeating your statement above:
                  >>
                  >> http://www.engardelinux.org/modules/index/list_archives.cgi?list=postfix-users&page=0425.html&month=2012-03
                  >
                  >
                  > the sample configuration postfix offers does not define the submission protocol. rather, it emphasizes my point that it is a personal choice.
                  >
                  > at this point, this thread has become non beneficial to the op, and

                  On the contrary. The OP should have learned a great deal from this
                  thread that is directly applicable to his situation.

                  > should be suspended until he returns with the additional requested data.

                  If the thread no longer has value to YOU, simply don't participate.

                  --
                  Stan