smtp auth

  • Fabrizio Monti
    Message 1 of 12 , Jun 25, 2013
      hello to all,
      I cannot understand: I would like to enable authentication on port 25 to prevent my server from being used as a free smtp. I configured postfix by the book; if I connect with telnet it gives me back

      Escape character is '^]'.
      220 example.com ESMTP Postfix
      ehlo example.com
      250-test.example.com
      250-PIPELINING
      250-SIZE 15360000
      250-VRFY
      250-ETRN
      250-STARTTLS
      250-AUTH PLAIN LOGIN
      250-AUTH=PLAIN LOGIN
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN


      but when I try to send mail from a client using port 25 without authentication, it sends the email to me. I do not want this, I do not want it to work! Where am I going wrong? Can someone tell me where I'm wrong?


      this is configuration of main.cf:

      smtpd_sasl_auth_enable = yes
      broken_sasl_auth_clients = yes
      smtpd_sasl_type = dovecot
      smtpd_sasl_path = private/auth
      smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
      #
      smtpd_tls_key_file = /etc/postfix/cert/smtpd.key
      smtpd_tls_cert_file = /etc/postfix/cert/smtpd.crt
      smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem
      smtpd_use_tls=yes
      smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
      smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
      smtpd_tls_loglevel = 1

      this is configuration of master.cf

      smtp      inet  n       -       n       -       -       smtpd
      submission inet n - - - - smtpd
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_sasl_type=dovecot
        -o smtpd_sasl_path=private/auth
        -o smtpd_sasl_security_options=noanonymous
        -o smtpd_sasl_local_domain=$myhostname
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_sender_login_maps=ldap:/etc/postfix/ldap-user.cf
        -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject




      Thanks a lot,
      Fabrizio.

    • Fabrizio Monti
      Message 2 of 12 , Jun 25, 2013
        All this because I have problems with my mail server, I have been using as smtp relay, how can I prevent sending email on port 25 and at the same time able to receive mail on port 25?


        2013/6/25 Fabrizio Monti <thefantaman@...>
        hello to all,
        I can not understand: I would like to enable authentication on port 25 to prevent my server was used as a free smtp, I configured, by the book, postfix, if I connect to telnet gives me back

        Escape character is '^]'.
        220 example.com ESMTP Postfix
        ehlo example.com
        250-test.example.com
        250-PIPELINING
        250-SIZE 15360000
        250-VRFY
        250-ETRN
        250-STARTTLS
        250-AUTH PLAIN LOGIN
        250-AUTH=PLAIN LOGIN
        250-ENHANCEDSTATUSCODES
        250-8BITMIME
        250 DSN


        but when I try to send mail from client using port 25 without authentication and sends the email to me, I do not want this, I do not want it to work! Where am I doing wrong? Risce someone to tell me where I'm wrong?


        this is configuration of main.cf:

        smtpd_sasl_auth_enable = yes
        broken_sasl_auth_clients = yes
        smtpd_sasl_type = dovecot
        smtpd_sasl_path = private/auth
        smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
        #
        smtpd_tls_key_file = /etc/postfix/cert/smtpd.key
        smtpd_tls_cert_file = /etc/postfix/cert/smtpd.crt
        smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem
        smtpd_use_tls=yes
        smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
        smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
        smtpd_tls_loglevel = 1

        this is configuration of master.cf

        smtp      inet  n       -       n       -       -       smtpd
        submission inet n - - - - smtpd
          -o smtpd_tls_security_level=encrypt
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_sasl_type=dovecot
          -o smtpd_sasl_path=private/auth
          -o smtpd_sasl_security_options=noanonymous
          -o smtpd_sasl_local_domain=$myhostname
          -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          -o smtpd_sender_login_maps=ldap:/etc/postfix/ldap-user.cf
          -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject




        Thanks a lot,
        Fabrizio.


      • Jerry
        Message 3 of 12 , Jun 25, 2013
          On Tue, 25 Jun 2013 12:15:28 +0200
          Fabrizio Monti articulated:

          > > hello to all,
          > > I can not understand: I would like to enable authentication on port
          > > 25 to prevent my server was used as a free smtp, I configured, by
          > > the book, postfix, if I connect to telnet gives me back
          > >
          > > Escape character is '^]'.
          > > 220 example.com ESMTP Postfix
          > > ehlo example.com
          > > 250-test.example.com
          > > 250-PIPELINING
          > > 250-SIZE 15360000
          > > 250-VRFY
          > > 250-ETRN
          > > 250-STARTTLS
          > > 250-AUTH PLAIN LOGIN
          > > 250-AUTH=PLAIN LOGIN
          > > 250-ENHANCEDSTATUSCODES
          > > 250-8BITMIME
          > > 250 DSN
          > >
          > > but when I try to send mail from client using port 25 without
          > > authentication and sends the email to me, I do not want this, I do
          > > not want it to work! Where am I doing wrong? Risce someone to tell
          > > me where I'm wrong?
          > >
          > >
          > > this is configuration of main.cf:

          [snip]

          > All this because I have problems with my mail server, I have been
          > using as smtp relay, how can I prevent sending email on port 25 and
          > at the same time able to receive mail on port 25?

          Please don't use HTML format to send email. Plain ASCII is preferred.
          While you are at it, lose the tendency to top post. Now, please
          follow the directions you received when you signed up for this list.
          Provide the unaltered output of "postconf -n", not a few select bits.
          See: <http://www.postfix.com/DEBUG_README.html> and specifically,
          <http://www.postfix.com/DEBUG_README.html#mail>.

          --
          Jerry ✌
          postfix-user@...
          _____________________________________________________________________
          TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
          TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
        • Patrick Ben Koetter
          Message 4 of 12 , Jun 25, 2013
            Fabrizio,

            * Fabrizio Monti <thefantaman@...>:
            > hello to all,
            > I can not understand: I would like to enable authentication on port 25
            > to prevent
            > my server was used as a free smtp, I configured, by the book, postfix, if I
            > connect to telnet gives me back
            >
            > Escape character is '^]'.
            > 220 example.com ESMTP Postfix
            > ehlo example.com
            > 250-test.example.com
            > 250-PIPELINING
            > 250-SIZE 15360000
            > 250-VRFY
            > 250-ETRN
            > 250-STARTTLS
            > 250-AUTH PLAIN LOGIN
            > 250-AUTH=PLAIN LOGIN
            > 250-ENHANCEDSTATUSCODES
            > 250-8BITMIME
            > 250 DSN
            >
            >
            > but when I try to send mail from client using port 25 without authentication
            > and sends the email to me, I do not want this, I do not want it to work!
            > Where am I doing wrong? Risce someone to tell me where I'm wrong?

            the purpose of an SMTP server is to accept messages for your domains and e.g.
            route them into your mailbox. There's nothing wrong with this.

            p@rick

            --
            [*] sys4 AG

            http://sys4.de, +49 (89) 30 90 46 64
            Franziskanerstraße 15, 81669 München

            Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
            Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
            Aufsichtsratsvorsitzender: Florian Kirstein
          • Fabrizio Monti
            Message 5 of 12 , Jun 25, 2013
              @Jerry

              >Please don't use HTML format to send email. Plain ASCII is preferred.
              Sorry, correct it immediately.


              postconf -n

              alias_database = hash:/etc/aliases
              broken_sasl_auth_clients = yes
              command_directory = /usr/sbin
              config_directory = /etc/postfix
              daemon_directory = /usr/libexec/postfix
              data_directory = /var/lib/postfix
              debug_peer_level = 2
              html_directory = no
              inet_protocols = all
              mail_owner = postfix
              mailq_path = /usr/bin/mailq.postfix
              manpage_directory = /usr/share/man
              message_size_limit = 15360000
              mydestination = localhost
              myhostname = mail3.gisnet.it
              newaliases_path = /usr/bin/newaliases.postfix
              queue_directory = /var/spool/postfix
              readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
              relay_domains = /etc/postfix/rcpthosts
              sample_directory = /usr/share/doc/postfix-2.6.6/samples
              sendmail_path = /usr/sbin/sendmail.postfix
              setgid_group = postdrop
              smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
              smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
              smtpd_sasl_auth_enable = yes
              smtpd_sasl_path = private/auth
              smtpd_sasl_type = dovecot
              smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem
              smtpd_tls_cert_file = /etc/postfix/cert/smtpd.crt
              smtpd_tls_key_file = /etc/postfix/cert/smtpd.key
              smtpd_tls_loglevel = 1
              smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
              smtpd_use_tls = yes
              transport_maps = hash:/etc/postfix/transport
              unknown_local_recipient_reject_code = 550
              virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-alias-maps.cf
              virtual_gid_maps = static:8135
              virtual_mailbox_base = /home/vmail
              virtual_minimum_uid = 100
              virtual_uid_maps = static:8135

              @Patrick

              > the purpose of an SMTP server is to accept messages for your domains and e.g.
              > route them into your mailbox. There's nothing wrong with this.

              is my English is bad, I have not explained well. I want my postfix
              mail server is an authenticated smtp. In practice now if you configure
              the SMTP client with my server on port 25 with no authentication you
              can use it. Are using it to send spam.
            • Simon B
              Message 6 of 12 , Jun 25, 2013


                On 25 Jun 2013 15:04, "Fabrizio Monti" <thefantaman@...> wrote:
                >
                > @Jerry
                >
                > >Please don't use HTML format to send email. Plain ASCII is preferred.
                > Sorry, correct it immediately.
                >
                >
                > postconf -n
                >
                > alias_database = hash:/etc/aliases
                > broken_sasl_auth_clients = yes
                > command_directory = /usr/sbin
                > config_directory = /etc/postfix
                > daemon_directory = /usr/libexec/postfix
                > data_directory = /var/lib/postfix
                > debug_peer_level = 2
                > html_directory = no
                > inet_protocols = all
                > mail_owner = postfix
                > mailq_path = /usr/bin/mailq.postfix
                > manpage_directory = /usr/share/man
                > message_size_limit = 15360000
                > mydestination = localhost
                > myhostname = mail3.gisnet.it
                > newaliases_path = /usr/bin/newaliases.postfix
                > queue_directory = /var/spool/postfix
                > readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
                > relay_domains = /etc/postfix/rcpthosts
                > sample_directory = /usr/share/doc/postfix-2.6.6/samples
                > sendmail_path = /usr/sbin/sendmail.postfix
                > setgid_group = postdrop
                > smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
                > smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
                > smtpd_sasl_auth_enable = yes
                > smtpd_sasl_path = private/auth
                > smtpd_sasl_type = dovecot
                > smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem
                > smtpd_tls_cert_file = /etc/postfix/cert/smtpd.crt
                > smtpd_tls_key_file = /etc/postfix/cert/smtpd.key
                > smtpd_tls_loglevel = 1
                > smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
                > smtpd_use_tls = yes
                > transport_maps = hash:/etc/postfix/transport
                > unknown_local_recipient_reject_code = 550
                > virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-alias-maps.cf
                > virtual_gid_maps = static:8135
                > virtual_mailbox_base = /home/vmail
                > virtual_minimum_uid = 100
                > virtual_uid_maps = static:8135
                >
                > @Patrick
                >
                > > the purpose of an SMTP server is to accept messages for your domains and e.g.
                > > route them into your mailbox. There's nothing wrong with this.
                >
                > is my English is bad, I have not explained well. I want my postfix
                > mail server is an authenticated smtp. In practice now if you configure
                > the SMTP client with my server on port 25 with no authentication you
                > can use it. Are using it to send spam.

                On port 25 you accept only mail you are responsible for.

                On port 587 you accept any mail as long as it's authenticated.

                If people are sending spam through port 25, you're an open relay. Smtp auth is not the answer you want.

                Simon

              • Wietse Venema
                Message 7 of 12 , Jun 25, 2013
                  Fabrizio Monti:
                  > > but when I try to send mail from client using port 25 without
                  > > authentication and sends the email to me, I do not want this, I do not
                  > > want it to work! Where am I doing wrong? Risce someone to tell me where
                  > > I'm wrong?

                  If you don't want to receive mail from the Internet, turn off the
                  port 25 (smtp) service in master.cf.

                  /etc/postfix/master.cf:
                  #smtp inet n - n - - smtpd

                  Use the master.cf port 25 (smtp) service to receive and deliver
                  mail for your domain from the Internet.

                  Use the master.cf port 587 (submission) service to receive (and
                  relay or deliver) mail from authenticated users.

                  Wietse
                • Fabrizio Monti
                  Message 8 of 12 , Jun 27, 2013
                    Ok, thanks to everyone for their helpful advice, were all valuable. I
                    did some testing and I determined that if I configure the SMTP mail
                    client on port 25 can send e-mails only for my domains. But if I
                    connect to telnet on port 25 I can send emails to all the domains. I
                    can stop this?
                  • /dev/rob0
                    Message 9 of 12 , Jun 27, 2013
                      On Thu, Jun 27, 2013 at 09:51:50AM +0200, Fabrizio Monti wrote:
                      > I did some testing and I determined that if I configure the SMTP
                      > mail client on port 25 can send e-mails only for my domains.
                      > But if I connect to telnet on port 25 I can send emails to all
                      > the domains. I can stop this?

                      First, that does not make sense. "Telnet on port 25" is the same as
                      any MUA, it's just a means to speak SMTP to a SMTP server. There's
                      no fundamental difference between a MUA and someone using telnet to
                      speak SMTP, except perhaps that the MUA is faster and makes no
                      errors.

                      Second, IIUC what you are saying, it could be that the MUA is
                      configured to AUTH, and when AUTH is refused it rightly goes away.
                      I'll go further to venture a guess that your telnet client's IP
                      address is in $mynetworks, and that you neglected to remove
                      "permit_mynetworks" from your recipient (or relay) restrictions.

                      We have no way to see what you have configured! We can't read your
                      logs. If you want help you have to SHOW us these things.

                      http://www.postfix.org/DEBUG_README.html#mail

                      See also:

                      http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from
                      http://www.postfix.org/postconf.5.html#permit_mynetworks

                      http://www.postfix.org/SASL_README.html#server_sasl_authz
                      --
                      http://rob0.nodns4.us/ -- system administration and consulting
                      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
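
The restriction behaviour described in the replies from Simon B, Wietse Venema and /dev/rob0, as an added example (not part of any list message, and not Postfix code): a simplified Python model of first-match evaluation of the posted restriction lists. The networks, addresses and domain set are constructed assumptions, and reject_unauth_destination is reduced to a lookup in one domain set.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]
OUR_DOMAINS = {"example.com"}  # domains this server is responsible for

# Port 25 list as posted in main.cf.
PORT_25 = ["permit_mynetworks", "permit_sasl_authenticated",
           "reject_unauth_destination"]
# Port 587 list from master.cf, trimmed to the two entries that decide
# relay access (the recipient syntax and DNS checks are left out).
PORT_587 = ["permit_sasl_authenticated", "reject"]


def in_mynetworks(client_ip):
    """True when the client address falls inside one of MYNETWORKS."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in MYNETWORKS)


def is_our_destination(rcpt):
    """Simplification: real Postfix consults several domain classes
    (mydestination, relay_domains, virtual domains); one set stands in."""
    return rcpt.rsplit("@", 1)[-1].lower() in OUR_DOMAINS


def evaluate(restrictions, client_ip, authenticated, rcpt):
    """Walk the list left to right; the first restriction that decides wins.

    Returns (action, deciding_restriction).
    """
    for name in restrictions:
        if name == "permit_mynetworks":
            if in_mynetworks(client_ip):
                return ("permit", name)
        elif name == "permit_sasl_authenticated":
            if authenticated:
                return ("permit", name)
        elif name == "reject_unauth_destination":
            if not is_our_destination(rcpt):
                return ("reject", name)
        elif name == "reject":
            return ("reject", name)
        else:
            raise ValueError("restriction not modelled: " + name)
    # Nothing rejected the recipient, so the mail is accepted.
    return ("permit", "end of list")


if __name__ == "__main__":
    cases = [
        ("25  internet, no auth, our domain ", PORT_25, "203.0.113.7", False, "user@example.com"),
        ("25  internet, no auth, other domain", PORT_25, "203.0.113.7", False, "user@example.net"),
        ("25  mynetworks, no auth, other dom.", PORT_25, "192.0.2.10", False, "user@example.net"),
        ("587 internet, no auth, our domain  ", PORT_587, "203.0.113.7", False, "user@example.com"),
        ("587 internet, auth, other domain   ", PORT_587, "203.0.113.7", True, "user@example.net"),
    ]
    for label, rules, ip, auth, rcpt in cases:
        print(label, "->", evaluate(rules, ip, auth, rcpt))
```

The first case is ordinary inbound delivery, the second shows the server is not an open relay, and the third is the permit_mynetworks situation /dev/rob0 guesses at.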
                    • Fabrizio Monti
                      Message 10 of 12 , Jun 27, 2013
                        @/dev/rob0, you're right that it makes no sense: I wrote a huge
                        stupid, it's working properly!! You ignore the previous email, now go
                        outside and get some fresh air, but I take so much!!!

                        Thank you so much to all of the aid that you gave me!

                        2013/6/27 /dev/rob0 <rob0@...>:
                        > On Thu, Jun 27, 2013 at 09:51:50AM +0200, Fabrizio Monti wrote:
                        >> I did some testing and I determined that if I configure the SMTP
                        >> mail client on port 25 can send e-mails only for my domains.
                        >> But if I connect to telnet on port 25 I can send emails to all
                        >> the domains. I can stop this?
                        >
                        > First, that does not make sense. "Telnet on port 25" is the same as
                        > any MUA, it's just a means to speak SMTP to a SMTP server. There's
                        > no fundamental difference between a MUA and someone using telnet to
                        > speak SMTP, except perhaps that the MUA is faster and makes no
                        > errors.
                        >
                        > Second, IIUC what you are saying, it could be that the MUA is
                        > configured to AUTH, and when AUTH is refused it rightly goes away.
                        > I'll go further to venture a guess that your telnet client's IP
                        > address is in $mynetworks, and that you neglected to remove
                        > "permit_mynetworks" from your recipient (or relay) restrictions.
                        >
                        > We have no way to see what you have configured! We can't read your
                        > logs. If you want help you have to SHOW us these things.
                        >
                        > http://www.postfix.org/DEBUG_README.html#mail
                        >
                        > See also:
                        >
                        > http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from
                        > http://www.postfix.org/postconf.5.html#permit_mynetworks
                        >
                        > http://www.postfix.org/SASL_README.html#server_sasl_authz
                        > --
                        > http://rob0.nodns4.us/ -- system administration and consulting
                        > Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: