
exclude 127.0.0.1 from smtpd_tls_auth_only = yes

  • Pol Hallen
    Message 1 of 12, Jul 5, 2013
      Hi all!

      I forced postfix to use smtpd_tls_auth_only = yes

      but I need to exclude TLS for 127.0.0.1

      I know there's a change to make in master.cf but I don't know how to resolve it

      any idea?

      thanks!

      Pol
    • Wietse Venema
      Message 2 of 12, Jul 5, 2013
        Pol Hallen:
        > Hi all!
        >
        > I forced postfix to use smtpd_tls_auth_only = yes
        >
        > but I need to exclude TLS for 127.0.0.1
        >
        > I know there's a change to make in master.cf but I don't know how to resolve it

        To clone the submission service and set "smtpd_tls_auth_only=no"
        for connections to 127.0.0.1:

        /etc/postfix/master.cf
        127.0.0.1:submission ...same stuff as ordinary submission service...
        ... same stuff as ordinary submission service...
        -o smtpd_tls_auth_only=no

        The procedure is similar for the "port 25" service.

        Wietse
      • Viktor Dukhovni
        Message 3 of 12, Jul 5, 2013
          On Fri, Jul 05, 2013 at 03:46:46PM -0400, Wietse Venema wrote:

          > To clone the submission service and set "smtpd_tls_auth_only=no"
          > for connections to 127.0.0.1:
          >
          > /etc/postfix/master.cf
          > 127.0.0.1:submission ...same stuff as ordinary submission service...
          > ... same stuff as ordinary submission service...
          > -o smtpd_tls_auth_only=no

          One may then need to make the default submission entry also specify a
          specific IP address, as listeners on 0.0.0.0:port exclude listeners on
          specific addresses on most systems.

          192.0.2.1:submission ...ordinary submission service...
          ... ordinary submission service...

          127.0.0.1:submission ...same stuff as ordinary submission service...
          ... same stuff as ordinary submission service...
          -o smtpd_tls_auth_only=no

          where 192.0.2.1 is a hypothetical real IP address of the host.

          --
          Viktor.
        • Pol Hallen
          Message 4 of 12, Jul 5, 2013
            Thanks for your reply :-)

            I added

            127.0.0.1:submission inet n - - - - smtpd
              -o smtpd_tls_auth_only=no


            to master.cf but I have the same problem...

            thanks

            Pol
          • Wietse Venema
            Message 5 of 12, Jul 5, 2013
              Viktor Dukhovni:
              > On Fri, Jul 05, 2013 at 03:46:46PM -0400, Wietse Venema wrote:
              >
              > > To clone the submission service and set "smtpd_tls_auth_only=no"
              > > for connections to 127.0.0.1:
              > >
              > > /etc/postfix/master.cf
              > > 127.0.0.1:submission ...same stuff as ordinary submission service...
              > > ... same stuff as ordinary submission service...
              > > -o smtpd_tls_auth_only=no
              >
              > One may then need to make the default submission entry also specify a
              > specific IP address, as listeners on 0.0.0.0:port exclude listeners on
              > specific addresses on most systems.

              That is not needed. The more specific binding to 127.0.0.1 takes
              precedence over the unspecific binding to 0.0.0.0.

              Wietse
            • Viktor Dukhovni
              Message 6 of 12, Jul 5, 2013
                On Fri, Jul 05, 2013 at 04:00:44PM -0400, Wietse Venema wrote:
                > Viktor Dukhovni:
                > > On Fri, Jul 05, 2013 at 03:46:46PM -0400, Wietse Venema wrote:
                > >
                > > > To clone the submission service and set "smtpd_tls_auth_only=no"
                > > > for connections to 127.0.0.1:
                > > >
                > > > /etc/postfix/master.cf
                > > > 127.0.0.1:submission ...same stuff as ordinary submission service...
                > > > ... same stuff as ordinary submission service...
                > > > -o smtpd_tls_auth_only=no
                > >
                > > One may then need to make the default submission entry also specify a
                > > specific IP address, as listeners on 0.0.0.0:port exclude listeners on
                > > specific addresses on most systems.
                >
                > That is not needed. The more specific binding to 127.0.0.1 takes
                > precedence over the unspecific binding to 0.0.0.0.

                Linux forbids bindings to 127.0.0.1 when a wildcard binding exists,
                you're probably testing on a FreeBSD system.

                linux# showsock() { lsof -n -P -i tcp:12345; }
                linux# printf "\nBEGIN\n"; showsock
                linux# for ip in 0.0.0.0 127.0.0.1; do
                           printf "\nIP: $ip\n"
                           strace -e bind perl -e 'use IO::Socket;
                               my $s = IO::Socket::INET->new(Listen => 1,
                                   LocalAddr => shift(@ARGV), LocalPort => 12345,
                                   Reuse => 1) or die "bind: $!\n";
                               select(undef, undef, undef, 5);' $ip &
                           sleep 1
                       done
                linux# printf "\nEND\n"; showsock
                BEGIN

                IP: 0.0.0.0
                [1] 19129
                bind(3, {sa_family=AF_INET, sin_port=htons(12345), sin_addr=inet_addr("0.0.0.0")}, 16) = 0

                IP: 127.0.0.1
                [2] 19132
                bind(3, {sa_family=AF_INET, sin_port=htons(12345), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EADDRINUSE (Address already in use)
                bind: Address already in use
                [2]+ Exit 98 strace -e bind perl -e 'use IO::Socket; my $s = IO::Socket::INET->new(Listen=>1, LocalAddr => shift(@ARGV), LocalPort => 12345, Reuse => 1) or die "bind: $!\n"; select(undef, undef, undef, 5);' $ip

                END
                COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
                perl 19131 root 3u IPv4 35552265 0t0 TCP *:12345 (LISTEN)

                --
                Viktor.
              • Wietse Venema
                Message 7 of 12, Jul 5, 2013
                  Viktor Dukhovni:
                  > On Fri, Jul 05, 2013 at 04:00:44PM -0400, Wietse Venema wrote:
                  > > Viktor Dukhovni:
                  > > > On Fri, Jul 05, 2013 at 03:46:46PM -0400, Wietse Venema wrote:
                  > > >
                  > > > > To clone the submission service and set "smtpd_tls_auth_only=no"
                  > > > > for connections to 127.0.0.1:
                  > > > >
                  > > > > /etc/postfix/master.cf
                  > > > > 127.0.0.1:submission ...same stuff as ordinary submission service...
                  > > > > ... same stuff as ordinary submission service...
                  > > > > -o smtpd_tls_auth_only=no
                  > > >
                  > > > One may then need to make the default submission entry also specify a
                  > > > specific IP address, as listeners on 0.0.0.0:port exclude listeners on
                  > > > specific addresses on most systems.
                  > >
                  > > That is not needed. The more specific binding to 127.0.0.1 takes
                  > > precedence over the unspecific binding to 0.0.0.0.
                  >
                  > Linux forbids bindings to 127.0.0.1 when a wildcard binding exists,
                  > you're probably testing on a FreeBSD system.

                  I know that this behavior (a specific bind prevails over a wild-card
                  bind for all interface addresses) pre-dates FreeBSD by many years.
                  I see the same behavior on Solaris:

                  UID PID PPID C STIME TTY TIME CMD
                  ...
                  postfix 1249 352 0 18:16:56 ? 0:00 smtpd -n 127.0.0.1:smtp ...
                  postfix 1254 352 0 18:17:03 ? 0:00 smtpd -n smtp ...

                  Ditto for other interface addresses.

                  Wietse
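To reproduce what Viktor and Wietse are describing without strace or Perl, here is a Python port of the probe above (an added example, not code from the thread or from Postfix). It listens on 0.0.0.0 at a kernel-chosen port and then tries 127.0.0.1 on the same port, and also runs the reverse order; SO_REUSEADDR is set on both sockets, as Postfix's inet listeners and the Perl Reuse=>1 option do. The functions return the kernel's verdict rather than printing it, so the same script reports the Linux refusal shown in Viktor's strace output and the acceptance Wietse sees on Solaris.

```python
# Added example (not code from the thread or from Postfix): a Python port of
# Viktor's Perl/strace probe. It asks the kernel the same question, namely
# whether a per-address listener may share a port with a wildcard listener.
import errno
import socket
import sys

IS_LINUX = sys.platform.startswith("linux")


def _listener(addr, port):
    """Create a listening TCP socket on (addr, port) with SO_REUSEADDR set,
    as Postfix's inet listeners and the Perl Reuse=>1 option do."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        s.bind((addr, port))
        s.listen(1)
    except OSError:
        s.close()
        raise
    return s


def probe(first_addr, second_addr):
    """Listen on first_addr at a kernel-chosen port, then try to listen on
    second_addr at the same port. Returns "ok" if the second bind succeeded,
    otherwise the errno name it failed with (for example "EADDRINUSE")."""
    first = _listener(first_addr, 0)          # port 0: kernel picks a free one
    port = first.getsockname()[1]
    try:
        try:
            second = _listener(second_addr, port)
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))
        second.close()
        return "ok"
    finally:
        first.close()


def specific_after_wildcard():
    """Viktor's case: 0.0.0.0 is listening, then 127.0.0.1 wants the port."""
    return probe("0.0.0.0", "127.0.0.1")


def wildcard_after_specific():
    """Reverse order: 127.0.0.1 is listening, then 0.0.0.0 wants the port."""
    return probe("127.0.0.1", "0.0.0.0")


if __name__ == "__main__":
    # On Linux both lines end in EADDRINUSE; on the systems Viktor and
    # Wietse name, the specific bind after the wildcard is accepted.
    print("127.0.0.1 after 0.0.0.0:", specific_after_wildcard())
    print("0.0.0.0 after 127.0.0.1:", wildcard_after_specific())
```

Linux refuses here only because the first socket is already in LISTEN state: with SO_REUSEADDR set and neither socket listening, the overlapping binds are allowed (socket(7) documents this exception), so a daemon that binds both sockets before calling listen on either can look different under strace.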
                • Pol Hallen
                  Message 8 of 12, Jul 6, 2013
                    Thanks all for replies :-) I use Linux.

                    So, what should I do? I'm confused :-/

                    How do I clone the submission service?

                    thanks for help

                    Pol
                  • lists@rhsoft.net
                    Message 9 of 12, Jul 6, 2013
                      Am 06.07.2013 15:46, schrieb Pol Hallen:
                      > Thanks all for replies :-) I use Linux.
                      >
                      > So, what should I do? I'm confused :-/
                      >
                      > How do I clone the submission service?

                      * /etc/postfix/master.cf
                      * copy the submission line
                      * change "submission" to 127.0.0.1:588
                      * add "-o smtpd_tls_auth_only = no" as a parameter
                      * with "-o smtpd_*=value" you can override any config parameter
                      * configure the local client to use port 588 instead of the normal 587
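Putting Wietse's clone, Viktor's specific-address binding and rhsoft's alternate-port variant together, here is a complete master.cf fragment (an added example, not configuration posted in the thread). It assumes a conventional submission entry with SASL enabled; 192.0.2.1 is the same hypothetical host address Viktor used, and the postfix/submission-local syslog tag is illustrative.

```conf
# /etc/postfix/master.cf (added example; 192.0.2.1 is a hypothetical address)
#
# service              type  private unpriv  chroot  wakeup  maxproc command + args
#
# Variant A (Viktor): bind the public submission service to the host's real
# address so that the loopback clone can coexist with it on port 587. On
# Linux a wildcard "submission" entry would make the 127.0.0.1 bind fail
# with EADDRINUSE, as Viktor's strace test earlier in the thread shows.
192.0.2.1:submission   inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Loopback clone: same service, but TLS is optional and AUTH may be offered
# on the plaintext session. smtpd_tls_auth_only only applies when TLS is
# optional, so a clone that keeps smtpd_tls_security_level=encrypt would
# still force STARTTLS; both parameters are therefore overridden.
127.0.0.1:submission   inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission-local
  -o smtpd_tls_security_level=may
  -o smtpd_tls_auth_only=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Variant B (rhsoft): keep the wildcard "submission" entry unchanged and give
# the loopback clone its own port; local clients then connect to 588.
#127.0.0.1:588         inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission-local
#  -o smtpd_tls_security_level=may
#  -o smtpd_tls_auth_only=no
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

The continuation lines must start with whitespace, and the short "-o name=value" form takes no spaces around "=". After "postfix reload", confirm with "lsof -n -P -i tcp:587" (or "ss -ltnp") that both 192.0.2.1 and 127.0.0.1 are listening; if only the wildcard appears, the clone lost the bind and the mail log will carry the bind error for 127.0.0.1.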
                    • Viktor Dukhovni
                      Message 10 of 12, Jul 6, 2013
                        On Sat, Jul 06, 2013 at 03:46:48PM +0200, Pol Hallen wrote:

                        > So, what should I do? I'm confused :-/
                        >
                        > How do I clone the submission service?

                        I already answered this question, in my original follow-up to
                        Wietse's advice, which indeed works on Solaris, and various other
                        systems, but not on Linux where wildcard listeners preclude
                        per-address listeners on the same port (otherwise an X11 server
                        listening on port 6000 may be intercepted by rogue listeners that
                        listen on port 6000 at each of the machine's actual interface
                        addresses). So the Linux behaviour is actually sensible for a
                        change :-)

                        --
                        Viktor.
                      • Wietse Venema
                        Message 11 of 12, Jul 6, 2013
                          Viktor Dukhovni:
                          > On Sat, Jul 06, 2013 at 03:46:48PM +0200, Pol Hallen wrote:
                          >
                          > > So, what should I do? I'm confused :-/
                          > >
                          > > How do I clone the submission service?
                          >
                          > I already answered this question, in my original follow-up to
                          > Wietse's advice, which indeed works on Solaris, and various other
                          > systems, but not on Linux where wildcard listeners preclude
                          > per-address listeners on the same port (otherwise an X11 server
                          > listening on port 6000 may be intercepted by rogue listeners that
                          > listen on port 6000 at each of the machine's actual interface
                          > addresses). So the Linux behaviour is actually sensible for a
                          > change :-)

                          I don't buy that argument. If their purpose was to address rogue
                          listeners, then they would have compared the UIDs that create the
                          sockets.

                          As it is now, no user, not even root, can override their own wildcard
                          bind with a more specific bind. And that is a bug.

                          Wietse
                        • Pol Hallen
                          Message 12 of 12, Jul 7, 2013
                            > As it is now, no user, not even root, can override their own wildcard
                            > bind with a more specific bind. And that is a bug.

                            thanks all for help! :-)

                            Oddly, I solved it by putting "may" rather than "encrypted"

                            Pol