
SMTP authentication

  • Matteo Marescotti
    Message 1 of 14 , Mar 19, 2013
      Hello,
      I have a question for you about authentication on port 587. At the
      moment, my mailserver is configured as follows:

      main.cf:
      ...
      smtpd_use_tls=yes
      smtpd_tls_auth_only = yes
      smtpd_sasl_auth_enable = yes
      mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
      smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
      ...


      master.cf:
      ...
      smtp inet n - - - - smtpd
      -o smtpd_tls_security_level=may
      submission inet n - - - - smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
      ...

      With this configuration, messages can only be submitted through port 587
      after an encrypted connection has been established and user authentication
      has succeeded. So users need to authenticate themselves in
      order to send emails. Nevertheless, Postfix accepts the MAIL FROM
      command before authentication.

      Is there a different configuration such that postfix requires
      authentication before any MAIL FROM command can be accepted by the mail
      server?

      Thank you very much for your attention.

      Best regards,
      Matteo Marescotti
    • Noel Jones
      Message 2 of 14 , Mar 19, 2013
        On 3/19/2013 9:18 AM, Matteo Marescotti wrote:
        > Hello,
        > I have a question for you about authentication on port 587. At the
        > moment, my mailserver is configured as follows:
        >
        > main.cf:
        > ...
        > smtpd_use_tls=yes
        > smtpd_tls_auth_only = yes
        > smtpd_sasl_auth_enable = yes
        > mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
        > smtpd_recipient_restrictions = permit_mynetworks,
        > permit_sasl_authenticated, reject_unauth_destination
        > ...
        >
        >
        > master.cf:
        > ...
        > smtp inet n - - - - smtpd
        > -o smtpd_tls_security_level=may
        > submission inet n - - - - smtpd
        > -o smtpd_tls_security_level=encrypt
        > -o smtpd_sasl_auth_enable=yes
        > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        > -o milter_macro_daemon_name=ORIGINATING
        > ...
        >
        > With this configuration, messages can only be submitted through port
        > 587 after an encrypted connection has been established and user
        > authentication has succeeded. So users need to authenticate
        > themselves in order to send emails. Nevertheless, Postfix accepts
        > the MAIL FROM command before authentication.
        >
        > Is there a different configuration such that postfix requires
        > authentication before any MAIL FROM command can be accepted by the
        > mail server?
        >

        It is not currently possible to prevent the client from sending a
        MAIL FROM command (nor any other command) before they authenticate.



        -- Noel Jones
      • Viktor Dukhovni
        Message 3 of 14 , Mar 19, 2013
          On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:

          > submission inet n - - - - smtpd
          > -o smtpd_tls_security_level=encrypt
          > -o smtpd_sasl_auth_enable=yes
          > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          > -o milter_macro_daemon_name=ORIGINATING
          > ...

          With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
          are allowed before STARTTLS. The other commands will be rejected,
          but of course we can't prevent the client from sending them.

          > With this configuration, messages can only be submitted through port
          > 587 after an encrypted connection has been established and user
          > authentication has succeeded. So users need to authenticate
          > themselves in order to send emails. Nevertheless, Postfix accepts
          > the MAIL FROM command before authentication.

          Show real evidence of this, after making sure your master.cf file
          reflects run-time reality (postfix stop/start or at least reload).

          --
          Viktor.
        • Matteo Marescotti
          Message 4 of 14 , Mar 19, 2013
            On 19/03/2013 17:41, Viktor Dukhovni wrote:
            > On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:
            >
            >> submission inet n - - - - smtpd
            >> -o smtpd_tls_security_level=encrypt
            >> -o smtpd_sasl_auth_enable=yes
            >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
            >> -o milter_macro_daemon_name=ORIGINATING
            >> ...
            > With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
            > are allowed before STARTTLS. The other commands will be rejected,
            > but of course we can't prevent the client from sending them.
            I said Postfix accepts the MAIL FROM command before user authentication,
            not before STARTTLS.
            >> With this configuration, messages can only be submitted through port
            >> 587 after an encrypted connection has been established and user
            >> authentication has succeeded. So users need to authenticate
            >> themselves in order to send emails. Nevertheless, Postfix accepts
            >> the MAIL FROM command before authentication.
            > Show real evidence of this, after making sure your master.cf file
            > reflects run-time reality (postfix stop/start or at least reload).
            >
            Of course master.cf reflects run-time reality. Follows the real evidence
            which you can reproduce by yourself. If you remove all client
            restrictions ( -o smtpd_client_restrictions=) from my configuration and
            issue

            openssl s_client -connect host:587 -starttls smtp

            you get

            250 DSN
            mail from:<marescot@...>
            250 2.1.0 Ok
            rcpt to:<marescot@...>
            250 2.1.5 Ok
            data
            354 End data with <CR><LF>.<CR><LF>
            Hi, this is a test.
            .
            250 2.0.0 Ok: queued as ...

            and the message is sent.

            If you keep client restrictions ( -o
            smtpd_client_restrictions=permit_sasl_authenticated,reject ) and issue
            the same command as above, you get instead

            250 DSN
            mail from:<marescot@...>
            250 2.1.0 Ok
            rcpt to:<marescot@...>
            554 5.7.1 <host[xxx.xxx.xxx.xxx]>: Client host rejected: Access denied

            because user authentication is now required. I simply wondered why the
            client is rejected after "rcpt to" and not just after "mail from". Maybe
            there is no configuration which allows for rejecting an unauthenticated
            client after the first command. I asked because you are certainly more
            familiar than me with Postfix configuration options. Thank you anyway.

            Matteo
          • Reindl Harald
            Message 5 of 14 , Mar 19, 2013
              On 19.03.2013 18:47, Matteo Marescotti wrote:
              > 250 DSN
              > mail from:<marescot@...>
              > 250 2.1.0 Ok
              > rcpt to:<marescot@...>
              > 554 5.7.1 <host[xxx.xxx.xxx.xxx]>: Client host rejected: Access denied
              >
              > because user authentication is now required. I simply wondered why the client is rejected after "rcpt to" and not
              > just after "mail from". Maybe there is no configuration which allows for rejecting an unauthenticated client after
              > the first command. I asked because you are certainly more familiar than me with Postfix configuration options.
              > Thank you anyway

              because it is a really stupid idea to reject too soon and
              after that missing information from logfiles which can
              be helpful if your user calls you for support or you
              want to provide the user actively support

              iPhones as example are here regularly clients losing for
              whatever reason the auth-settings and try for weeks
              and months to submit the same message

              in such cases it is helpful to provide the user a logentry
              with MAIL FROM and MAIL TO because he thinks the
              message was sent
            • Viktor Dukhovni
              Message 6 of 14 , Mar 19, 2013
                On Tue, Mar 19, 2013 at 06:47:42PM +0100, Matteo Marescotti wrote:

                > On 19/03/2013 17:41, Viktor Dukhovni wrote:
                > >On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:
                > >
                > >>submission inet n - - - - smtpd
                > >> -o smtpd_tls_security_level=encrypt
                > >> -o smtpd_sasl_auth_enable=yes
                > >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                > >> -o milter_macro_daemon_name=ORIGINATING
                > >>...
                > >
                > >With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
                > >are allowed before STARTTLS. The other commands will be rejected,
                > >but of course we can't prevent the client from sending them.

                > I said Postfix accepts the MAIL FROM command before user
                > authentication, not before STARTTLS.

                Sorry, I misread your post, I am too focused on TLS lately, yes
                rejection of transactions is deliberately delayed to RCPT TO, this
                makes it possible to later figure out what was being rejected.
                A good MTA produces a good audit trail.

                --
                Viktor.
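
The audit trail described in the replies above, as an added example that is not part of the original thread: because the rejection is delayed to RCPT TO, the reject log line carries both sender and recipient, so repeated failed submissions from one client can be found afterwards. The log lines are constructed in the format Postfix smtpd normally writes for a rejection; hosts, addresses, PIDs and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread): hosts, addresses and PIDs
# are made up; the layout follows the usual Postfix smtpd reject record.
SAMPLE_LOG = """\
Mar 19 18:47:01 mx postfix/smtpd[2101]: connect from phone.example.org[192.0.2.10]
Mar 19 18:47:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from phone.example.org[192.0.2.10]: 554 5.7.1 <phone.example.org[192.0.2.10]>: Client host rejected: Access denied; from=<alice@example.org> to=<bob@example.net> proto=ESMTP helo=<phone.example.org>
Mar 19 19:02:10 mx postfix/smtpd[2188]: NOQUEUE: reject: RCPT from phone.example.org[192.0.2.10]: 554 5.7.1 <phone.example.org[192.0.2.10]>: Client host rejected: Access denied; from=<alice@example.org> to=<bob@example.net> proto=ESMTP helo=<phone.example.org>
Mar 19 19:05:44 mx postfix/smtpd[2190]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <unknown[198.51.100.7]>: Client host rejected: Access denied; from=<> to=<carol@example.net> proto=ESMTP helo=<host7>
Mar 19 19:06:00 mx postfix/smtpd[2190]: disconnect from unknown[198.51.100.7]
"""

# One reject record: SMTP stage, client, reply code, reason, then the
# envelope details that are only known because rejection waited for RCPT TO.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<stage>\w+) from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)

def parse_rejects(log_text):
    """Return one dict per reject line; all other lines are ignored."""
    matches = map(REJECT_RE.search, log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def repeated_rejects(rejects, threshold=2):
    """Return (ip, sender, rcpt) triples rejected at least `threshold` times,
    e.g. a client that lost its AUTH settings and keeps retrying."""
    counts = Counter((r["ip"], r["sender"], r["rcpt"]) for r in rejects)
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    rejects = parse_rejects(SAMPLE_LOG)
    for r in rejects:
        sender = r["sender"] or "<>"
        print(f'{r["stage"]} {r["ip"]} {sender} -> {r["rcpt"]}: {r["code"]} {r["dsn"]}')
    for (ip, sender, rcpt), n in repeated_rejects(rejects).items():
        print(f"{n} rejected attempts from {ip}: {sender} -> {rcpt}")
```
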
              • Matteo Marescotti
                Message 7 of 14 , Mar 19, 2013
                  On 19/03/2013 19:30, Viktor Dukhovni wrote:
                  > On Tue, Mar 19, 2013 at 06:47:42PM +0100, Matteo Marescotti wrote:
                  >
                  >> On 19/03/2013 17:41, Viktor Dukhovni wrote:
                  >>> On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:
                  >>>
                  >>>> submission inet n - - - - smtpd
                  >>>> -o smtpd_tls_security_level=encrypt
                  >>>> -o smtpd_sasl_auth_enable=yes
                  >>>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                  >>>> -o milter_macro_daemon_name=ORIGINATING
                  >>>> ...
                  >>> With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
                  >>> are allowed before STARTTLS. The other commands will be rejected,
                  >>> but of course we can't prevent the client from sending them.
                  >> I said Postfix accepts the MAIL FROM command before user
                  >> authentication, not before STARTTLS.
                  > Sorry, I misread your post, I am too focused on TLS lately, yes
                  > rejection of transactions is deliberately delayed to RCPT TO, this
                  > makes it possible to later figure out what was being rejected.
                  > A good MTA produces a good audit trail.
                  >
                  I was sure there was a very good reason for that. Thank you very much to
                  everybody. I learned something I could not figure out by myself.

                  Matteo