Re: SMTP authentication

  • Matteo Marescotti
    Message 1 of 14 , Mar 19, 2013
      Il 19/03/2013 17:41, Viktor Dukhovni wrote:
      > On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:
      >
      >> submission inet n - - - - smtpd
      >> -o smtpd_tls_security_level=encrypt
      >> -o smtpd_sasl_auth_enable=yes
      >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      >> -o milter_macro_daemon_name=ORIGINATING
      >> ...
      > With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
      > are allowed before STARTTLS. The other commands will be rejected,
      > but of course we can't prevent the client from sending them.
      I said Postfix accepts the MAIL FROM command before user authentication,
      not before STARTTLS.
      >> With this configuration, messages can only be submitted through port
      >> 587 after an encrypted connection has been established and user
      >> authentication has succeeded. So users need to authenticate
      >> themselves in order to send emails. Nevertheless, Postfix accepts
      >> the MAIL FROM command before authentication.
      > Show real evidence of this, after making sure your master.cf file
      > reflects run-time reality (postfix stop/start or at least reload).
      >
      Of course master.cf reflects run-time reality. The real evidence
      follows, which you can reproduce yourself. If you remove all client
      restrictions ( -o smtpd_client_restrictions=) from my configuration and
      issue

      openssl s_client -connect host:587 -starttls smtp

      you get

      250 DSN
      mail from:<marescot@...>
      250 2.1.0 Ok
      rcpt to:<marescot@...>
      250 2.1.5 Ok
      data
      354 End data with <CR><LF>.<CR><LF>
      Hi, this is a test.
      .
      250 2.0.0 Ok: queued as ...

      and the message is sent.

      If you keep client restrictions ( -o
      smtpd_client_restrictions=permit_sasl_authenticated,reject ) and issue
      the same command as above, you get instead

      250 DSN
      mail from:<marescot@...>
      250 2.1.0 Ok
      rcpt to:<marescot@...>
      554 5.7.1 <host[xxx.xxx.xxx.xxx]>: Client host rejected: Access denied

      because user authentication is now required. I simply wondered why the
      client is rejected after "rcpt to" and not just after "mail from". Maybe
      there is no configuration which allows for rejecting an unauthenticated
      client after the first command. I asked because you are certainly more
      familiar than me with Postfix configuration options. Thank you anyway.

      Matteo
    • Reindl Harald
      Message 2 of 14 , Mar 19, 2013
        Am 19.03.2013 18:47, schrieb Matteo Marescotti:
        > 250 DSN
        > mail from:<marescot@...>
        > 250 2.1.0 Ok
        > rcpt to:<marescot@...>
        > 554 5.7.1 <host[xxx.xxx.xxx.xxx]>: Client host rejected: Access denied
        >
        > because user authentication is now required. I simply wondered why the client is rejected after "rcpt to" and not
        > just after "mail from". Maybe there is no configuration which allows for rejecting an unauthenticated client after
        > the first command. I asked because you are certainly more familiar than me with Postfix configuration options.
        > Thank you anyway

        because it is a really stupid idea to reject too soon and
        after that be missing information from logfiles which can
        be helpful if your user calls you for support or you
        want to provide the user active support

        iPhones as an example are here regularly clients losing for
        whatever reason the auth settings and try for weeks
        and months to submit the same message

        in such cases it is helpful to provide the user a log entry
        with MAIL FROM and MAIL TO because he thinks the
        message was sent
      • Viktor Dukhovni
        Message 3 of 14 , Mar 19, 2013
          On Tue, Mar 19, 2013 at 06:47:42PM +0100, Matteo Marescotti wrote:

          > Il 19/03/2013 17:41, Viktor Dukhovni wrote:
          > >On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:
          > >
          > >>submission inet n - - - - smtpd
          > >> -o smtpd_tls_security_level=encrypt
          > >> -o smtpd_sasl_auth_enable=yes
          > >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          > >> -o milter_macro_daemon_name=ORIGINATING
          > >>...
          > >
          > >With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
          > >are allowed before STARTTLS. The other commands will be rejected,
          > >but of course we can't prevent the client from sending them.

          > I said Postfix accepts the MAIL FROM command before user
          > authentication, not before STARTTLS.

          Sorry, I misread your post, I am too focused on TLS lately, yes
          rejection of transactions is deliberately delayed to RCPT TO, this
          makes it possible to later figure out what was being rejected.
          A good MTA produces a good audit trail.

          --
          Viktor.
        • Matteo Marescotti
          Message 4 of 14 , Mar 19, 2013
            Il 19/03/2013 19:30, Viktor Dukhovni ha scritto:
            > On Tue, Mar 19, 2013 at 06:47:42PM +0100, Matteo Marescotti wrote:
            >
            >> Il 19/03/2013 17:41, Viktor Dukhovni wrote:
            >>> On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:
            >>>
            >>>> submission inet n - - - - smtpd
            >>>> -o smtpd_tls_security_level=encrypt
            >>>> -o smtpd_sasl_auth_enable=yes
            >>>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
            >>>> -o milter_macro_daemon_name=ORIGINATING
            >>>> ...
            >>> With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
            >>> are allowed before STARTTLS. The other commands will be rejected,
            >>> but of course we can't prevent the client from sending them.
            >> I said Postfix accepts the MAIL FROM command before user
            >> authentication, not before STARTTLS.
            > Sorry, I misread your post, I am too focused on TLS lately, yes
            > rejection of transactions is deliberately delayed to RCPT TO, this
            > makes it possible to later figure out what was being rejected.
            > A good MTA produces a good audit trail.
            >
            I was sure there was a very good reason for that. Thank you very much to
            everybody. I learned something I could not figure out by myself.

            Matteo
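
The audit trail discussed in this thread, as an added example that is not part of any poster's message: because the reject is delayed to RCPT TO, the smtpd log line carries `from=` and `to=`, so repeated failed submissions of the same message can be found. The log lines, hosts and addresses are constructed samples; the last line shows a reject issued at the CONNECT stage, which has no envelope to report.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix's smtpd reject log format; hosts,
# addresses, PIDs and timestamps are placeholders, not taken from the thread.
SAMPLE_LOG = """\
Mar 19 18:47:01 mx postfix/smtpd[2101]: connect from phone.example.net[192.0.2.10]
Mar 19 18:47:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from phone.example.net[192.0.2.10]: 554 5.7.1 <phone.example.net[192.0.2.10]>: Client host rejected: Access denied; from=<alice@example.org> to=<bob@example.com> proto=ESMTP helo=<phone>
Mar 20 09:12:40 mx postfix/smtpd[2388]: NOQUEUE: reject: RCPT from phone.example.net[192.0.2.10]: 554 5.7.1 <phone.example.net[192.0.2.10]>: Client host rejected: Access denied; from=<alice@example.org> to=<bob@example.com> proto=ESMTP helo=<phone>
Mar 21 07:30:15 mx postfix/smtpd[2450]: NOQUEUE: reject: RCPT from phone.example.net[192.0.2.10]: 554 5.7.1 <phone.example.net[192.0.2.10]>: Client host rejected: Access denied; from=<alice@example.org> to=<bob@example.com> proto=ESMTP helo=<phone>
Mar 21 10:00:00 mx postfix/smtpd[2500]: NOQUEUE: reject: RCPT from pc.example.net[198.51.100.7]: 554 5.7.1 <pc.example.net[198.51.100.7]>: Client host rejected: Access denied; from=<carol@example.org> to=<dave@example.com> proto=ESMTP helo=<pc>
Mar 21 11:00:00 mx postfix/smtpd[2600]: NOQUEUE: reject: CONNECT from unknown[203.0.113.5]: 554 5.7.1 <unknown[203.0.113.5]>: Client host rejected: Access denied; proto=SMTP
"""

# from= and to= are optional: they appear only if the client got that far.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<stage>[\w-]+) from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?P<reason>.*?);"
    r"(?: from=<(?P<sender>[^>]*)>)?(?: to=<(?P<rcpt>[^>]*)>)?"
)

def parse_rejects(log_text):
    """Return one dict per reject line; sender/rcpt are None if never sent."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := REJECT_RE.search(line))]

def repeat_failures(rejects, threshold=3):
    """Envelopes (ip, sender, rcpt) rejected at RCPT at least `threshold` times."""
    counts = Counter((r["ip"], r["sender"], r["rcpt"])
                     for r in rejects if r["stage"] == "RCPT")
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (ip, sender, rcpt), n in repeat_failures(parse_rejects(SAMPLE_LOG)).items():
        print(f"{ip}: {n} rejected attempts from <{sender}> to <{rcpt}>")
```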