
Re: exclude 127.0.0.1 from smtpd_tls_auth_only = yes

  • Viktor Dukhovni
    Message 1 of 12 , Jul 5, 2013
      On Fri, Jul 05, 2013 at 03:46:46PM -0400, Wietse Venema wrote:

      > To clone the submission service and set "smtpd_tls_auth_only=no"
      > for connections to 127.0.0.1:
      >
      > /etc/postfix/master.cf
      > 127.0.0.1:submission ...same stuff as ordinary submission service...
      > ... same stuff as ordinary submission service...
      > -o smtpd_tls_auth_only=no

      One may then need to make the default submission entry also specify a
      specific IP address, as listeners on 0.0.0.0:port exclude listeners on
      specific addresses on most systems.

      192.0.2.1:submission ...ordinary submission service...
      ... ordinary submission service...

      127.0.0.1:submission ...same stuff as ordinary submission service...
      ... same stuff as ordinary submission service...
      -o smtpd_tls_auth_only=no

      where 192.0.2.1 is a hypothetical real IP address of the host.

      --
      Viktor.
    • Pol Hallen
      Message 2 of 12 , Jul 5, 2013
        Thanks for your reply :-)

        I added

        127.0.0.1:submission inet n - - - - smtpd
        -o smtpd_tls_auth_only=no


        to master.cf but I have the same problem...

        thanks

        Pol
      • Wietse Venema
        Message 3 of 12 , Jul 5, 2013
          Viktor Dukhovni:
          > On Fri, Jul 05, 2013 at 03:46:46PM -0400, Wietse Venema wrote:
          >
          > > To clone the submission service and set "smtpd_tls_auth_only=no"
          > > for connections to 127.0.0.1:
          > >
          > > /etc/postfix/master.cf
          > > 127.0.0.1:submission ...same stuff as ordinary submission service...
          > > ... same stuff as ordinary submission service...
          > > -o smtpd_tls_auth_only=no
          >
          > One may then need to make the default submission entry also specify a
          > specific IP address, as listeners on 0.0.0.0:port exclude listeners on
          > specific addresses on most systems.

          That is not needed. The more specific binding to 127.0.0.1 takes
          precedence over the unspecific binding to 0.0.0.0.

          Wietse
        • Viktor Dukhovni
          Message 4 of 12 , Jul 5, 2013
            On Fri, Jul 05, 2013 at 04:00:44PM -0400, Wietse Venema wrote:
            > Viktor Dukhovni:
            > > On Fri, Jul 05, 2013 at 03:46:46PM -0400, Wietse Venema wrote:
            > >
            > > > To clone the submission service and set "smtpd_tls_auth_only=no"
            > > > for connections to 127.0.0.1:
            > > >
            > > > /etc/postfix/master.cf
            > > > 127.0.0.1:submission ...same stuff as ordinary submission service...
            > > > ... same stuff as ordinary submission service...
            > > > -o smtpd_tls_auth_only=no
            > >
            > > One may then need to make the default submission entry also specify a
            > > specific IP address, as listeners on 0.0.0.0:port exclude listeners on
            > > specific addresses on most systems.
            >
            > That is not needed. The more specific binding to 127.0.0.1 takes
            > precedence over the unspecific binding to 0.0.0.0.

            Linux forbids bindings to 127.0.0.1 when a wildcard binding exists;
            you're probably testing on a FreeBSD system.

            linux# showsock() { lsof -n -P -i tcp:12345; }; printf "\nBEGIN\n"; showsock; for ip in 0.0.0.0 127.0.0.1; do printf "\nIP: $ip\n"; strace -e bind perl -e 'use IO::Socket; my $s = IO::Socket::INET->new(Listen=>1, LocalAddr => shift(@ARGV), LocalPort => 12345, Reuse => 1) or die "bind: $!\n"; select(undef, undef, undef, 5);' $ip & sleep 1; done; printf "\nEND\n"; showsock
            BEGIN

            IP: 0.0.0.0
            [1] 19129
            bind(3, {sa_family=AF_INET, sin_port=htons(12345), sin_addr=inet_addr("0.0.0.0")}, 16) = 0

            IP: 127.0.0.1
            [2] 19132
            bind(3, {sa_family=AF_INET, sin_port=htons(12345), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EADDRINUSE (Address already in use)
            bind: Address already in use
            [2]+ Exit 98 strace -e bind perl -e 'use IO::Socket; my $s = IO::Socket::INET->new(Listen=>1, LocalAddr => shift(@ARGV), LocalPort => 12345, Reuse => 1) or die "bind: $!\n"; select(undef, undef, undef, 5);' $ip

            END
            COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
            perl 19131 root 3u IPv4 35552265 0t0 TCP *:12345 (LISTEN)

            --
            Viktor.
          • Wietse Venema
            Message 5 of 12 , Jul 5, 2013
              Viktor Dukhovni:
              > On Fri, Jul 05, 2013 at 04:00:44PM -0400, Wietse Venema wrote:
              > > Viktor Dukhovni:
              > > > On Fri, Jul 05, 2013 at 03:46:46PM -0400, Wietse Venema wrote:
              > > >
              > > > > To clone the submission service and set "smtpd_tls_auth_only=no"
              > > > > for connections to 127.0.0.1:
              > > > >
              > > > > /etc/postfix/master.cf
              > > > > 127.0.0.1:submission ...same stuff as ordinary submission service...
              > > > > ... same stuff as ordinary submission service...
              > > > > -o smtpd_tls_auth_only=no
              > > >
              > > > One may then need to make the default submission entry also specify a
              > > > specific IP address, as listeners on 0.0.0.0:port exclude listeners on
              > > > specific addresses on most systems.
              > >
              > > That is not needed. The more specific binding to 127.0.0.1 takes
              > > precedence over the unspecific binding to 0.0.0.0.
              >
              > Linux forbids bindings to 127.0.0.1 when a wildcard binding exists,
              > you're probably testing on a FreeBSD system.

              I know that this behavior (a specific bind prevails over a wild-card
              bind for all interface addresses) pre-dates FreeBSD by many years.
              I see the same behavior on Solaris:

              UID PID PPID C STIME TTY TIME CMD
              ...
              postfix 1249 352 0 18:16:56 ? 0:00 smtpd -n 127.0.0.1:smtp ...
              postfix 1254 352 0 18:17:03 ? 0:00 smtpd -n smtp ...

              Ditto for other interface addresses.

              Wietse
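Viktor's strace experiment and Wietse's Solaris observation above, reproduced as a portable check (added example, not code from the thread): a wildcard listener is created first, then a second socket with SO_REUSEADDR (the Perl `Reuse => 1` in Viktor's one-liner) tries to bind 127.0.0.1 on the same port, which is exactly what a cloned `127.0.0.1:submission` entry next to the ordinary `submission` entry asks master(8) to do. The port number is chosen by the kernel (port 0) so the probe does not collide with a real service.

```python
import errno
import socket
import sys


def probe_specific_after_wildcard(port=0):
    """Bind 0.0.0.0:port (listening), then try 127.0.0.1:port.

    Returns a dict whose 'specific' entry is "ok" when the per-address bind
    prevails over the wildcard one (the BSD/Solaris behaviour Wietse relies
    on) or the errno name, normally "EADDRINUSE", when the kernel refuses it
    (the Linux behaviour Viktor shows with strace).
    """
    wildcard = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    wildcard.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    wildcard.bind(("0.0.0.0", port))
    wildcard.listen(1)                  # in LISTEN state, like a master.cf service
    port = wildcard.getsockname()[1]    # the ephemeral port the kernel picked

    specific = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    specific.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        specific.bind(("127.0.0.1", port))
        specific.listen(1)
        result = "ok"
    except OSError as e:
        # errno.errorcode maps the numeric errno to its symbolic name
        result = errno.errorcode.get(e.errno, str(e.errno))
    finally:
        specific.close()
        wildcard.close()
    return {"port": port, "platform": sys.platform, "specific": result}


if __name__ == "__main__":
    r = probe_specific_after_wildcard()
    print(f"{r['platform']}: bind 127.0.0.1:{r['port']} after 0.0.0.0:{r['port']}"
          f" -> {r['specific']}")
```

A result of "EADDRINUSE" means the per-address clone will fail to start unless the ordinary entry is also pinned to a specific address (Viktor's 192.0.2.1 suggestion) or moved to another port (the 588 suggestion later in the thread).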
            • Pol Hallen
              Message 6 of 12 , Jul 6, 2013
                Thanks all for replies :-) I use linux.

                So, what should I do? I'm confused :-/

                How do I clone the submission service?

                thanks for help

                Pol
              • lists@rhsoft.net
                Message 7 of 12 , Jul 6, 2013
                  On 06.07.2013 15:46, Pol Hallen wrote:
                  > Thanks all for replies :-) I use linux.
                  >
                  > So, what should I do? I'm confused :-/
                  >
                  > How do I clone the submission service?

                  * /etc/postfix/master.cf
                  * copy the submission line
                  * change "submission" to 127.0.0.1:588
                  * add "-o smtpd_tls_auth_only = no" as param
                  * with "-o smtpd_*=value" you can override any config param
                  * configure the local client to use port 588 instead of the normal 587
                • Viktor Dukhovni
                  Message 8 of 12 , Jul 6, 2013
                    On Sat, Jul 06, 2013 at 03:46:48PM +0200, Pol Hallen wrote:

                    > So, what should I do? I'm confused :-/
                    >
                    > How do I clone the submission service?

                    I already answered this question, in my original follow-up to
                    Wietse's advice, which indeed works on Solaris, and various other
                    systems, but not on Linux where wildcard listeners preclude
                    per-address listeners on the same port (otherwise an X11 server
                    listening on port 6000 may be intercepted by rogue listeners that
                    listen on port 6000 at each of the machine's actual interface
                    addresses). So the Linux behaviour is actually sensible for a
                    change :-)

                    --
                    Viktor.
                  • Wietse Venema
                    Message 9 of 12 , Jul 6, 2013
                      Viktor Dukhovni:
                      > On Sat, Jul 06, 2013 at 03:46:48PM +0200, Pol Hallen wrote:
                      >
                      > > So, what should I do? I'm confused :-/
                      > >
                      > > How do I clone the submission service?
                      >
                      > I already answered this question, in my original follow-up to
                      > Wietse's advice, which indeed works on Solaris, and various other
                      > systems, but not on Linux where wildcard listeners preclude
                      > per-address listeners on the same port (otherwise an X11 server
                      > listening on port 6000 may be intercepted by rogue listeners that
                      > listen on port 6000 at each of the machine's actual interface
                      > addresses). So the Linux behaviour is actually sensible for a
                      > change :-)

                      I don't buy that argument. If their purpose was to address rogue
                      listeners, then they would have compared the UIDs that create the
                      sockets.

                      As it is now, no user, not even root, can override their own wildcard
                      bind with a more specific bind. And that is a bug.

                      Wietse
                    • Pol Hallen
                      Message 10 of 12 , Jul 7, 2013
                        > As it is now, no user, not even root, can override their own wildcard
                        > bind with a more specific bind. And that is a bug.

                        thanks all for help! :-)

                        I uncannily solved it: I put "may" rather than "encrypted".

                        Pol