Setting up secure submission for remote users

  • LuKreme
    Message 1 of 12, Apr 7, 2013
      I've long used pop-before-smtp to allow authenticated users a short window in which to send mail, but now that I've setup postfix 2.8.14 I want to also setup secure submission on port 587 with ssl and something like Kerberos 5 or MD5 challenge/response (or, frankly, even password) over SSL.

      I built postfix with:

      make -f Makefile.init makefiles 'CCARGS=-DHAS_MYSQL -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/mysql -I/usr/local/include/sasl' 'AUXLIBS=-L/usr/local/lib/mysql -lmysqlclient -lz -lm -lssl -lcrypto -L/usr/local/lib -lsasl2'

      Seems to work:
      # postconf -a
      cyrus
      dovecot
      # postconf -A
      cyrus

      Also, the SASL Readme says:
      Cyrus SASL version 2.x searches for the configuration file in /usr/lib/sasl2/.
      Cyrus SASL version 2.1.22 and newer additionally search in /etc/sasl2/.

      (I am running 2.1.22_2)

      But of course, my configuration is in /usr/local/lib/sasl2/ as in the make line, should I link this directory to /etc/?

      my saslauthd process looks like:

      /usr/local/sbin/saslauthd -a pam -m /var/run/authdaemond

      but

      # testsaslauthd -u <user> -p <password>
      connect() : No such file or directory

      On the other hand, all the LOGIN lines in postfix are from ssl.

      # cat /usr/local/lib/sasl2/smtpd.conf
      pwcheck_method: authdaemond
      mech_list: PLAIN LOGIN
      authdaemond_path=/var/run/authdaemond/socket
      log_level: 3

      I haven't enabled any sasl settings in postfix yet, because I don't think the back-end is actually working for it, though TLS is working for smtpd at least.

      postconf -n
      alias_database = hash:$config_directory/aliases
      alias_maps = hash:$config_directory/aliases, hash:/usr/local/mailman/data/aliases
      allow_percent_hack = no
      body_checks = pcre:$config_directory/body_checks.pcre
      bounce_size_limit = 10240
      command_directory = /usr/local/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/local/libexec/postfix
      data_directory = /var/db/postfix
      debug_peer_level = 2
      disable_vrfy_command = yes
      header_checks = pcre:$config_directory/header_checks.pcre
      header_size_limit = 10240
      home_mailbox = Maildir/
      html_directory = /usr/local/share/doc/postfix
      inet_interfaces = all
      mail_owner = postfix
      mailbox_command = /usr/local/bin/procmail -t -a $EXTENSION
      mailbox_size_limit = 52428800
      mailq_path = /usr/local/bin/mailq
      manpage_directory = /usr/local/man
      maps_rbl_reject_code = 521
      message_size_limit = 26214400
      mime_header_checks = pcre:$config_directory/mime_headers.pcre
      mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost, ns1.$mydomain, ns2.$mydomain, mail.$mydomain, www.$mydomain, webmail.$mydomain
      mydomain = covisp.net
      myhostname = mail.covisp.net
      mynetworks = 75.148.117.88/29, 127.0.0.0/8
      myorigin = $mydomain
      newaliases_path = /usr/local/bin/newaliases
      postscreen_access_list = permit_mynetworks, cidr:$config_directory/postscreen_access.cidr
      postscreen_dnsbl_sites = zen.spamhaus.org*2
      queue_directory = /var/spool/postfix
      readme_directory = /usr/local/share/doc/postfix
      recipient_delimiter = +
      sample_directory = /usr/local/etc/postfix
      sendmail_path = /usr/local/sbin/sendmail
      setgid_group = maildrop
      show_user_unknown_table_name = no
      smtpd_banner = $myhostname ESMTP $mail_name $mail_version
      smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, check_sender_access hash:$config_directory/backscatter permit
      smtpd_error_sleep_time = 28
      smtpd_hard_error_limit = 8
      smtpd_helo_required = yes
      smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
      smtpd_recipient_limit = 100
      smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_invalid_hostname, permit_mynetworks, check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender, reject_unknown_reverse_client_hostname, warn_if_reject reject_unknown_client_hostname, check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit check_sender_access pcre:$config_directory/sender_access.pcre, check_client_access pcre:$config_directory/check_client_fqdn.pcre, check_recipient_access pcre:$config_directory/recipient_checks.pcre, check_client_access hash:$config_directory/access, reject_rbl_client zen.spamhaus.org, permit
      smtpd_sender_restrictions = check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, permit_mynetworks
      smtpd_soft_error_limit = 4
      smtpd_starttls_timeout = 90s
      smtpd_tls_cert_file = /etc/postfix/server.pem
      smtpd_tls_key_file = $smtpd_tls_cert_file
      smtpd_tls_loglevel = 2
      smtpd_tls_security_level = may
      smtpd_tls_session_cache_database = btree:$data_directory/smtpd_sessions
      smtpd_tls_session_cache_timeout = 1800s
      soft_bounce = no
      swap_bangpath = no
      transport_maps = hash:/etc/postfix/transport
      undisclosed_recipients_header = To: List of Bcc addresses:;
      unknown_local_recipient_reject_code = 550
      virtual_alias_domains = kreme.com
      virtual_alias_maps = hash:$config_directory/virtual pcre:$config_directory/virtual.pcre, pcre:$config_directory/virtual_sql.pcre, proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
      virtual_gid_maps = static:89
      virtual_mailbox_base = /usr/local/virtual
      virtual_mailbox_domains = proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf
      virtual_mailbox_maps = proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf
      virtual_minimum_uid = 89
      virtual_transport = procmail
      virtual_uid_maps = static:89



      --
      I'm not old, I'm chronologically challenged.
    • LuKreme
      Message 2 of 12, Apr 7, 2013
        In our previous episode (Sunday, 07-Apr-2013), LuKreme said:
        > /usr/local/sbin/saslauthd -a pam -m /var/run/authdaemond

        one other thing I might have mentioned:

        # cat /usr/local/etc/authlib/authdaemonrc |egrep -v "^$|^#"
        authmodulelist="authmysql authpam"
        version="authdaemond.mysql"
        authmodulelistorig="authuserdb authvchkpw authpam authldap authmysql authpgsql"
        daemons=5
        authdaemonvar=/var/run/authdaemond
        subsystem=mail
        DEBUG_LOGIN=0
        DEFAULTOPTIONS="wbnodsn=1"
        LOGGEROPTS=""

        This was setup years ago because some users are local (/usr/locale/etc/pam.d/) and some are mysql users.

        --
        No one ever thinks of themselves as one of Them. We're always one of Us.
        It's Them that do the bad things.
      • Jeroen Geilman
        Message 3 of 12, Apr 8, 2013
          On 04/08/2013 01:32 AM, LuKreme wrote:
          > I've long used pop-before-smtp to allow authenticated users a short window in which to send mail, but now that I've setup postfix 2.8.14 I want to also setup secure submission on port 587 with ssl and something like Kerberos 5 or MD5 challenge/response (or, frankly, even password) over SSL.
          >
          > I built postfix with:
          >
          > make -f Makefile.init makefiles 'CCARGS=-DHAS_MYSQL -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/mysql -I/usr/local/include/sasl' 'AUXLIBS=-L/usr/local/lib/mysql -lmysqlclient -lz -lm -lssl -lcrypto -L/usr/local/lib -lsasl2'
          >
          > Seems to work:
          > # postconf -a
          > cyrus
          > dovecot
          > # postconf -A
          > cyrus
          >
          > Also, the SASL Readme says:
          > Cyrus SASL version 2.x searches for the configuration file in /usr/lib/sasl2/.
          > Cyrus SASL version 2.1.22 and newer additionally search in /etc/sasl2/.
          >
          > (I am running 2.1.22_2)

          I would personally recommend using dovecot for SASL, especially if you
          don't need client SASL (from postfix to remote servers); dovecot is way,
          way easier to set up, and evolves quite nicely.

          It's also ridiculously easy to set up from scratch:

          http://www.postfix.org/SASL_README.html#server_dovecot


          > postconf -n
          > smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, check_sender_access hash:$config_directory/backscatter permit
          > smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
          > smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_invalid_hostname, permit_mynetworks, check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender, reject_unknown_reverse_client_hostname, warn_if_reject reject_unknown_client_hostname, check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit check_sender_access pcre:$config_directory/sender_access.pcre, check_client_access pcre:$config_directory/check_client_fqdn.pcre, check_recipient_access pcre:$config_directory/recipient_checks.pcre, check_client_access hash:$config_directory/access, reject_rbl_client zen.spamhaus.org, permit
          > smtpd_sender_restrictions = check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, permit_mynetworks

          Submission should disable all of the above (in master.cf) except
          "smtpd_recipient_restrictions=permit_sasl_authenticated,reject".
          You can prefix that with any reject_ restrictions you wish to impose on
          your users, such as a proper sender- and/or recipient domain.
          The clue is that there should be no permit_ rules before /or/ after
          permit_sasl_authenticated, and the last rule should be an explicit "reject".

          --
          J.
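          A small linter, added here and not part of the thread or of Postfix, that checks a restriction list against the rule above (permit_sasl_authenticated is the only permit, reject_ rules go in front, explicit reject last). It runs over a shortened copy of the port-25 list from the first post and over the recommended submission list; the master.cf override in the comment uses standard Postfix parameter names.

```python
"""Lint a Postfix restriction list against the submission rule given above:
permit_sasl_authenticated is the only permit_ rule, reject_ rules precede it,
and the list ends in an explicit reject. Added example; not Postfix code."""
import re

# Restrictions that take the next token as an argument (subset used here).
ARG_RESTRICTIONS = {
    "check_client_access", "check_sender_access", "check_recipient_access",
    "check_helo_access", "check_policy_service", "reject_rbl_client",
}
# Prefixes that wrap the next restriction and alter how its result is used.
MODIFIERS = {"warn_if_reject", "defer_if_reject", "defer_if_permit"}


def parse_restrictions(value):
    """Split a comma/whitespace separated list into (restriction, argument)."""
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    rules, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        i += 1
        if name in MODIFIERS and i < len(tokens):
            name = f"{name} {tokens[i]}"  # e.g. "warn_if_reject reject_unknown_client_hostname"
            i += 1
        arg = None
        if name.split()[-1] in ARG_RESTRICTIONS and i < len(tokens):
            arg = tokens[i]
            i += 1
        rules.append((name, arg))
    return rules


def lint_submission_restrictions(value):
    """Return the violations found; an empty list means the rule holds."""
    rules = parse_restrictions(value)
    names = [name for name, _ in rules]
    problems = []
    if "permit_sasl_authenticated" not in names:
        problems.append("permit_sasl_authenticated is missing")
    seen_sasl = False
    for name, arg in rules:
        if name == "permit_sasl_authenticated":
            seen_sasl = True
        elif name.startswith("permit"):
            problems.append(f"extra permit rule: {name}")
        elif name.startswith("check_") and arg:
            # A table entry returning OK is a permit in disguise; review it.
            problems.append(f"review {name} {arg}: an OK entry permits without auth")
        elif seen_sasl and name.startswith("reject_"):
            problems.append(f"{name} sits after permit_sasl_authenticated (unreachable on a SASL-only service)")
    if not names or names[-1] != "reject":
        problems.append(f"last rule is {names[-1] if names else 'nothing'}, not reject")
    return problems


# Shortened copy of the port-25 smtpd_recipient_restrictions from the first post.
PORT25_LIST = ("reject_non_fqdn_sender, reject_unknown_sender_domain, permit_mynetworks, "
               "check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, "
               "reject_unauth_destination, warn_if_reject reject_unknown_client_hostname, "
               "reject_rbl_client zen.spamhaus.org, permit")
# What the submission service should use instead, per the advice above.  In
# master.cf this is applied only to port 587 with -o overrides, e.g.
#   submission inet n - n - - smtpd
#     -o smtpd_tls_security_level=encrypt
#     -o smtpd_sasl_auth_enable=yes
#     -o smtpd_recipient_restrictions=reject_unknown_sender_domain,permit_sasl_authenticated,reject
SUBMISSION_LIST = "reject_unknown_sender_domain, permit_sasl_authenticated, reject"

if __name__ == "__main__":
    for label, value in (("port 25", PORT25_LIST), ("submission", SUBMISSION_LIST)):
        print(f"{label}: {lint_submission_restrictions(value) or ['ok']}")
```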
        • LuKreme
          Message 4 of 12, Apr 11, 2013
            On Apr 8, 2013, at 13:26, Jeroen Geilman <jeroen@...> wrote:

            > I would personally recommend using dovecot for SASL, especially if you don't need client SASL (from postfix to remote servers); dovecot is way, way easier to set up, and evolves quite nicely

            My hesitation is that I already have an auth system setup and I hate to end up in a position where either it's no longer working or I have to have everyone reset their passwords.

            OTOH, I can't get PBS to work at all with 2.8 (they disagree over the db file format), but that is not necessarily a bad thing. I added my fixed IP for my home server to mynetworks, and anyone else can use webmail if they can't send via their ISP/gmail I guess.
          • LuKreme
            Message 5 of 12, Apr 11, 2013
              On Apr 8, 2013, at 13:26, Jeroen Geilman <jeroen@...> wrote:

              > The clue is that there should be no permit_ rules before /or/ after permit_sasl_authenticated, and the last rule should be an explicit "reject".

              Quick question on this, not ever a permit mynetworks?

              (I mean, I can't think of a reason mynetworks would need to use submission, but is there any reason not to allow it?)
            • Reindl Harald
              Message 6 of 12, Apr 11, 2013
                On 12.04.2013 00:04, LuKreme wrote:
                > On Apr 8, 2013, at 13:26, Jeroen Geilman <jeroen@...> wrote:
                >
                >> The clue is that there should be no permit_ rules before /or/ after permit_sasl_authenticated, and the last rule should be an explicit "reject".
                >
                > Quick question on this, not ever a permit mynetworks?
                >
                > (I mean, I can't think of a reason mynetworks would need to use submission, but is there any reason not to allow it?)

                mynetworks may be OK in most cases but

                * without authentication use port 25 and mynetworks
                * if a client is using submission it is good practice to have a user in the logs

                mynetworks should be generally used with care and only for specific
                address instead whole networks with sooner or later potentially
                infected clients which can be banned if using auth even if the
                malware leaks auth data and abuse it from outside
              • LuKreme
                Message 7 of 12, Apr 11, 2013
                  Reindl Harald opined on Thursday 11-Apr-2013@16:58:28
                  > mynetworks should be generally used with care and only for specific
                  > address instead whole networks with sooner or later potentially
                  > infected clients which can be banned if using auth even if the
                  > malware leaks auth data and abuse it from outside

                  Mynetworks currently contains the mail server, the webmail server, and my home fixed IP since I do not have secure submission working as of now.

                  I’m reading up on dovecot-1.2.17 and dovecot-2.1.16 and trying to decide if I can switch to either of those without breaking everything. One item of concern was reading a comment that “postfix hands the mail off to dovecot for local delivery” which makes me think I will lose procmail as my LDA. That would be bad.

                  I’m also wondering if I can set dovecot up to only work with port 587 and keep cyrus-sasl for port 993, at least for now. I know it seems redundant, and it would be a stepping stone to ensure that current users are able to connect as they do now. (IMAP-SSL with “Password” for either local users or mysql users).

                  --
                  Man is born free, but is everywhere in chains.
                • btb@...
                  Message 8 of 12, Apr 11, 2013
                    On Apr 11, 2013, at 20.11, LuKreme <kremels@...> wrote:

                    > Reindl Harald opined on Thursday 11-Apr-2013@16:58:28
                    >> mynetworks should be generally used with care and only for specific
                    >> address instead whole networks with sooner or later potentially
                    >> infected clients which can be banned if using auth even if the
                    >> malware leaks auth data and abuse it from outside
                    >
                    > Mynetworks currently contains the mail server, the webmail server, and my home fixed IP since I do not have secure submission working as of now.

                    i would very strongly encourage you to get a properly configured submission service up and running. it's really not terribly difficult, and there's just no reason for a webmail server nor whatever email programs you use at home to not be authenticating. in all honesty, i'm a proponent of doing away with mynetworks entirely, and if truly necessary, using check_client_access instead.

                    > I’m reading up on dovecot-1.2.17 and dovecot-2.1.16 and trying to decide if I can switch to either of those without breaking everything. One item of concern was reading a comment that “postfix hands the mail off to dovecot for local delivery” which makes me think I will lose procmail as my LDA. That would be bad.

                    you can certainly upgrade without breaking everything. as with anything else, it just takes some care and consideration. as far as procmail goes, i'd consider losing procmail to be a benefit. why do you think you need it?

                    > I’m also wondering if I can set dovecot up to only work with port 587 and keep cyrus-sasl for port 993, at least for now. I know it seems redundant, and it would be a stepping stone to ensure that current users are able to connect as they do now. (IMAP-SSL with “Password” for either local users or mysql users).


                    does this mean that you want to use dovecot sasl with postfix, for submission, and cyrus sasl with your imap software? it's certainly possible, but i question the actual benefit.

                    -ben
                  • LuKreme
                    Message 9 of 12, Apr 12, 2013
                      In our previous episode (Thursday, 11-Apr-2013), btb@... said:
                      > you can certainly upgrade without breaking everything. as with anything else, it just takes some care and consideration. as far as procmail goes, i'd consider losing procmail to be a benefit. why do you think you need it?

                      Because I use it extensively.

                      >> I’m also wondering if I can set dovecot up to only work with port 587 and keep cyrus-sasl for port 993, at least for now. I know it seems redundant, and it would be a stepping stone to ensure that current users are able to connect as they do now. (IMAP-SSL with “Password” for either local users or mysql users).
                      >
                      > does this mean that you want to use dovecot sasl with postfix, for submission, and cyrus sasl with your imap software? it's certainly possible, but i question the actual benefit.

                      The only benefit is that it would not change the current login procedures for Courier-IMAP.

                      --
                      "Eureka," he said. "Going to have a bath then?"
                    • btb
                      Message 10 of 12, Apr 12, 2013
                        On 2013.04.12 07.01, LuKreme wrote:
                        > In our previous episode (Thursday, 11-Apr-2013), btb@...
                        > said:
                        >> you can certainly upgrade without breaking everything. as with
                        >> anything else, it just takes some care and consideration. as far
                        >> as procmail goes, i'd consider losing procmail to be a benefit.
                        >> why do you think you need it?
                        >
                        > Because I use it extensively.

                        that's a foregone conclusion. the question is for what do you use it. in the vast majority of cases, sieve can do everything procmail can do. if you were to switch from courier to dovecot for imap, delivery via lmtp from postfix to dovecot offers a number of benefits, only one of which is easy integration of sieve.

                        -ben
                      • LuKreme
                        Message 11 of 12, Apr 12, 2013
                          On Apr 12, 2013, at 7:10, btb <btb@...> wrote:
                          > On 2013.04.12 07.01, LuKreme wrote:
                          >> In our previous episode (Thursday, 11-Apr-2013), btb@...
                          >> said:
                          >>> you can certainly upgrade without breaking everything. as with
                          >>> anything else, it just takes some care and consideration. as far
                          >>> as procmail goes, i'd consider losing procmail to be a benefit.
                          >>> why do you think you need it?
                          >>
                          >> Because I use it extensively.
                          >
                          > that's a foregone conclusion. the question is for what do you use it. in the vast majority of cases, sieve can do everything procmail can do. if you were to switch from courier to dovecot for imap, delivery via lmtp from postfix to dovecot offers a number of benefits, only one of which is easy integration of sieve.

                          I've never used sieve, but have been using procmail for 15 years or so. I use it to sort mail, of course, but also for adding headers, sending copies of certain mails, altering subject lines, and probably a couple of other things I'm not thinking of. My procmail recipes tend to span 4 or 5 rc files and several hundred lines. It's not something I think I want to try to redo in sieve.
                        • mouss
                          Message 12 of 12, Apr 14, 2013
                            On 12/04/2013 02:11, LuKreme wrote:
                            > Reindl Harald opined on Thursday 11-Apr-2013@16:58:28
                            >> mynetworks should be generally used with care and only for specific
                            >> address instead whole networks with sooner or later potentially
                            >> infected clients which can be banned if using auth even if the
                            >> malware leaks auth data and abuse it from outside
                            > Mynetworks currently contains the mail server, the webmail server, and my home fixed IP since I do not have secure submission working as of now.
                            >
                            > I’m reading up on dovecot-1.2.17 and dovecot-2.1.16 and trying to decide if I can switch to either of those without breaking everything. One item of concern was reading a comment that “postfix hands the mail off to dovecot for local delivery” which makes me think I will lose procmail as my LDA. That would be bad.
                            >
                            > I’m also wondering if I can set dovecot up to only work with port 587 and keep cyrus-sasl for port 993, at least for now. I know it seems redundant, and it would be a stepping stone to ensure that current users are able to connect as they do now. (IMAP-SSL with “Password” for either local users or mysql users).
                            >


                            yes, you can install dovecot and disable pop+imap in its configuration
                            (otherwise, it will conflict with your courier setup) and configure
                            postfix to use dovecot-auth (that's actually the default). do not
                            configure postfix to deliver mail to dovecot.

                            it should also be possible to use your current user-password database
                            with dovecot.

                            later, you may be able to replace courier with dovecot (to avoid having
                            to manage two solutions. I have nothing against courier!). and over
                            time, you may move more and more procmail rules to postfix, sieve, ...
                            or /dev/null (if they're no more useful).