
Disabling user submission on port 25

  • LuKreme
    Message 1 of 13 , Aug 26, 2013
      OK, now that port 587 is working, I would like to disable user submission via port 25. Not right now, but in a bit once people have a chance to change their settings.

      What do I do to prevent users sending via port 25?

      --
      >>Trying?
      >if you quote yoda, i swear upon everything holy that i will book a flight to
      >okinawa to kick your ass.
    • Noel Jones
      Message 2 of 13 , Aug 26, 2013
        On 8/26/2013 7:49 PM, LuKreme wrote:
        > OK, now that port 587 is working, I would like to disable user submission via port 25. Not right now, but in a bit once people have a chance to change their settings.
        >
        > What do I do to prevent users sending via port 25?
        >


        Super easy...

        # main.cf
        smtpd_sasl_auth_enable = no

        Your master.cf submission entry probably already includes
        -o smtpd_sasl_auth_enable=yes

        If not, go ahead and add it to submission now so things don't break
        unexpectedly later.

        This won't prevent users from sending local mail to port 25, but
        they won't be able to authenticate and won't be able to relay. This
        usually isn't considered a problem, and changing it often causes
        other issues.


        -- Noel Jones
      • John Allen
        Message 3 of 13 , Aug 26, 2013
          On 26/08/2013 9:00 PM, Noel Jones wrote:
          > On 8/26/2013 7:49 PM, LuKreme wrote:
          >> OK, now that port 587 is working, I would like to disable user submission via port 25. Not right now, but in a bit once people have a chance to change their settings.
          >>
          >> What do I do to prevent users sending via port 25?
          >>
          >
          >
          > Super easy...
          >
          > # main.cf
          > smtpd_sasl_auth_enable = no
          >
          > Your master.cf submission entry probably already includes
          > -o smtpd_sasl_auth_enable=yes
          >
          > If not, go ahead and add it to submission now so things don't break
          > unexpectedly later.
          >
          > This won't prevent users from sending local mail to port 25, but
          > they won't be able to authenticate and won't be able to relay. This
          > usually isn't considered a problem, and changing it often causes
          > other issues.
          >
          >
          > -- Noel Jones
          >
          I based it on something that Noel Jones wrote way back in 2008.

          Create a file of the networks you wish to deny access to, e.g.
          “Deny_Mynetworks_Access”, the content of which will be the same networks
          as those found in the mynetworks parameter of the main.cf file, for example:

          192.168.0.0/16 REJECT local access not permitted
          n.n.n.n/28 REJECT local access not permitted
          [nnnn:nnnn:nnnn::]/64 REJECT local access not permitted


          remove the permit_mynetworks from all the various
          smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by
          adding
          -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
          to the smtp service, and add
          -o smtpd_client_restrictions=permit_mynetworks,.....
          to the submission service.

          This should deny access to the smtp port (25) from the local networks
          while allowing access to the submission port (587).
        • LuKreme
          Message 4 of 13 , Aug 26, 2013
            On 26 Aug 2013, at 19:00 , Noel Jones <njones@...> wrote:

            > # main.cf
            > smtpd_sasl_auth_enable = no

            Oh, right, of course.

            (I also needed to remove my fixed IP at home from my networks, which is why I was still able to send out via my machine).

            --
            NOBODY LIKES SUNBURN SLAPPERS Bart chalkboard Ep. 7F23
          • LuKreme
            Message 5 of 13 , Aug 26, 2013
              On 26 Aug 2013, at 21:24 , John Allen <john@...> wrote:

              > remove the permit_mynetworks from all the various smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by adding
              > -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
              > to the smtp service, and add
              > -o smtpd_client_restrictions=permit_mynetworks,.....
              > to the submission service.
              >
              > This should deny access to the smtp port (25) from the local networks while allowing access to the submission port (587).

              That seems like a bit much. I allow the web-server (which hosts the webmail) in mynetworks, since users mailing from there are already authenticated. I can see there are situations where it would be a good idea.

              --
              "If I were willing to change my morals for convenience or financial
              gain, we wouldn't be arguing, because I'd already *be* a Republican."
              -- Wil Shipley
            • Stan Hoeppner
              Message 6 of 13 , Aug 27, 2013
                On 8/26/2013 10:24 PM, John Allen wrote:

                > I based it on something that Noel Jones wrote way back in 2008.

                I doubt that Noel suggested anything like this.

                > Create a file of the networks you wish to deny access to, e.g.
                > “Deny_Mynetworks_Access”, the content of which will be the same networks
                > as those found in the mynetworks parameter of the main.cf file, for example:
                >
                > 192.168.0.0/16 REJECT local access not permitted
                > n.n.n.n/28 REJECT local access not permitted
                > [nnnn:nnnn:nnnn::]/64 REJECT local access not permitted
                >
                > remove the permit_mynetworks from all the various
                > smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by
                > adding
                > -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
                > to the smtp service, and add
                > -o smtpd_client_restrictions=permit_mynetworks,.....
                > to the submission service.

                This is unnecessary and complex, and actually won't work as stated. All
                that is required is a one line change to master.cf and a CIDR file:

                /etc/postfix/master.cf
                ...
                smtp inet n - - - 20 smtpd
                    -o smtpd_client_restrictions=check_client_access,\
                    cidr:/etc/postfix/deny-local.cidr

                /etc/postfix/deny-local.cidr
                192.168.0.0/16 REJECT local access not permitted


                Aug 27 01:28:21 greer postfix/smtpd[31670]: NOQUEUE: reject: RCPT from
                gffx.hardwarefreak.com[192.168.100.53]: 554 5.7.1
                <gffx.hardwarefreak.com[192.168.100.53]>: Client host rejected: local
                access not permitted; from=<stan@...> to=<xxxx@...>
                proto=ESMTP helo=<[192.168.100.53]>


                --
                Stan
              • btb
                Message 7 of 13 , Aug 27, 2013
                  On 2013.08.27 00.32, LuKreme wrote:

                  > That seems like a bit much. I allow the web-server (which hosts the
                  > webmail) in mynetworks, since users mailing from there are already
                  > authenticated. I can see there are situations where it would be a
                  > good idea.

                  web mail users should perform proper smtp authentication, just like they
                  would if they used any other client software. among numerous benefits,
                  it allows for easier auditing.

                  -ben
                • John Allen
                  Message 8 of 13 , Aug 27, 2013
                    > On 8/26/2013 10:24 PM, John Allen wrote:
                    >
                    >> I based it on something that Noel Jones wrote way back in 2008.
                    > I doubt that Noel suggested anything like this.
                    >
                    >> Create a file of the networks you wish to deny access to, e.g.
                    >> “Deny_Mynetworks_Access”, the content of which will be the same networks
                    >> as those found in the mynetworks parameter of the main.cf file, for example:
                    >>
                    >> 192.168.0.0/16 REJECT local access not permitted
                    >> n.n.n.n/28 REJECT local access not permitted
                    >> [nnnn:nnnn:nnnn::]/64 REJECT local access not permitted
                    >>
                    >> remove the permit_mynetworks from all the various
                    >> smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by
                    >> adding
                    >> -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
                    >> to the smtp service, and add
                    >> -o smtpd_client_restrictions=permit_mynetworks,.....
                    >> to the submission service.
                    > This is unnecessary and complex, and actually won't work as stated. All
                    > that is required is a one line change to master.cf and a CIDR file:
                    >
                    > /etc/postfix/master.cf
                    > ...
                    > smtp inet n - - - 20 smtpd
                    > -o smtpd_client_restrictions=check_client_access,\
                    > cidr:/etc/postfix/deny-local.cidr
                    >
                    > /etc/postfix/deny-local.cidr
                    > 192.168.0.0/16 REJECT local access not permitted
                    >
                    >
                    > Aug 27 01:28:21 greer postfix/smtpd[31670]: NOQUEUE: reject: RCPT from
                    > gffx.hardwarefreak.com[192.168.100.53]: 554 5.7.1
                    > <gffx.hardwarefreak.com[192.168.100.53]>: Client host rejected: local
                    > access not permitted; from=<stan@...> to=<xxxx@...>
                    > proto=ESMTP helo=<[192.168.100.53]>
                    >
                    Much simpler and far more elegant.
                  • Noel Jones
                    Message 9 of 13 , Aug 27, 2013
                      On 8/27/2013 11:36 AM, John Allen wrote:
                      >> On 8/26/2013 10:24 PM, John Allen wrote:
                      >>
                      >>> I based it on something that Noel Jones wrote way back in 2008.
                      >> I doubt that Noel suggested anything like this.

                      2008 was a long time ago, possibly I've learned a thing or two since
                      then. Regardless, I think this was in response to a very specific
                      requirement not particularly related to the current issue.

                      Apparently whatever I told him worked, glad to be of help.

                      -- Noel Jones
                    • Jeroen Geilman
                      Message 10 of 13 , Aug 27, 2013
                        On 08/27/2013 05:24 AM, John Allen wrote:
                        >
                        >
                        > On 26/08/2013 9:00 PM, Noel Jones wrote:
                        >> On 8/26/2013 7:49 PM, LuKreme wrote:
                        >>> OK, now that port 587 is working, I would like to disable user
                        >>> submission via port 25. Not right now, but in a bit once people have
                        >>> a chance to change their settings.
                        >>>
                        >>> What do I do to prevent users sending via port 25?
                        >>>
                        >>
                        >>
                        >> Super easy...
                        >>
                        >> # main.cf
                        >> smtpd_sasl_auth_enable = no
                        >>
                        >> Your master.cf submission entry probably already includes
                        >> -o smtpd_sasl_auth_enable=yes
                        >>
                        >> If not, go ahead and add it to submission now so things don't break
                        >> unexpectedly later.
                        >>
                        >> This won't prevent users from sending local mail to port 25, but
                        >> they won't be able to authenticate and won't be able to relay. This
                        >> usually isn't considered a problem, and changing it often causes
                        >> other issues.
                        >>
                        >>
                        >> -- Noel Jones
                        >>
                        > I based it on something that Noel Jones wrote way back in 2008.
                        >
                        > Create a file of the networks you wish to deny access to, e.g.
                        > “Deny_Mynetworks_Access”, the content of which will be the same
                        > networks as those found in the mynetworks parameter of the main.cf
                        > file, for example:

                        This is entirely unnecessary, since moving reject_unauth_destination in
                        front of permit_mynetworks takes care of that.
                        Everything after reject_unauth_destination is impervious to relay
                        attempts, because it explicitly blocks all such attempts.
                        Yes, relay_domains would be an exception to this - but think why domains
                        are in relay_domains to begin with.

                        >
                        > This should deny access to the smtp port (25) from the local networks
                        > while allowing access to the submission port (587).

                        So what you're saying is basically "to deny access from the networks in
                        mynetworks, do this complicated thing" ?

                        A simpler way to do that would be to not put these networks in mynetworks.

                        --
                        J.
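Added example, not from this thread and not Postfix's own code: a small Python audit script for the three points raised above, i.e. Noel's split of smtpd_sasl_auth_enable between main.cf and the submission entry, Stan's cidr deny table (the lookup reproduces the decision behind his "Client host rejected" log line), and Jeroen's ordering of reject_unauth_destination ahead of permit_mynetworks. The main.cf, master.cf and cidr fragments and the client addresses are constructed for the demo; the cidr lookup handles plain network patterns only, not the full cidr_table(5) syntax.

```python
import ipaddress
import re

# Constructed main.cf / master.cf / cidr fragments for the demo, not from any real server.
MAIN_CF = """\
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""

MASTER_CF = """\
smtp       inet  n  -  -  -  20  smtpd
  -o smtpd_client_restrictions=check_client_access,cidr:/etc/postfix/deny-local.cidr
submission inet  n  -  -  -  -   smtpd
  -o smtpd_sasl_auth_enable=yes
"""

DENY_LOCAL_CIDR = """\
192.168.0.0/16   REJECT local access not permitted
[2001:db8::]/32  REJECT local access not permitted
"""

def parse_main_cf(text):
    """Return {parameter: value}; comments and blank lines are ignored."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def parse_master_cf(text):
    """Return {service: {param: value}} from each service's '-o' overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if line[:1].isspace():  # an indented line continues the previous entry
            match = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if match and current is not None:
                services[current][match.group(1)] = match.group(2)
        elif line.strip() and not line.startswith("#"):
            current = line.split()[0]
            services[current] = {}
    return services

def cidr_lookup(table_text, client_ip):
    """First-match lookup with cidr_table(5) semantics (plain patterns only)."""
    addr = ipaddress.ip_address(client_ip)
    for line in (ln.strip() for ln in table_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        net = ipaddress.ip_network(re.sub(r"^\[(.*)\]", r"\1", pattern), strict=False)
        if addr.version == net.version and addr in net:
            return result
    return None  # no entry matched; later restrictions decide

def audit(main_cf, master_cf):
    """Findings for the thread's points: SASL only on submission, relay order."""
    params, services = parse_main_cf(main_cf), parse_master_cf(master_cf)
    findings = []
    main_sasl = params.get("smtpd_sasl_auth_enable", "no")  # Postfix default is "no"
    if services.get("smtp", {}).get("smtpd_sasl_auth_enable", main_sasl) == "yes":
        findings.append("port 25 (smtp) still accepts SASL authentication")
    if services.get("submission", {}).get("smtpd_sasl_auth_enable") != "yes":
        findings.append("submission lacks -o smtpd_sasl_auth_enable=yes")
    order = [r.strip() for r in params.get("smtpd_recipient_restrictions", "").split(",")]
    if "permit_mynetworks" in order and "reject_unauth_destination" in order and \
            order.index("permit_mynetworks") < order.index("reject_unauth_destination"):
        findings.append("permit_mynetworks precedes reject_unauth_destination: "
                        "mynetworks clients can relay through port 25")
    return findings
```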
                      • LuKreme
                        Message 11 of 13 , Aug 27, 2013
                          On 27 Aug 2013, at 16:09 , Jeroen Geilman <jeroen@...> wrote:
                          > A simpler way to do that would be to not put these networks in mynetworks.

                          Right. I have nothing in mynetworks but the two servers that sit next to each other. No one on the LAN is in mynetworks.

                          I was hesitant on taking the web server out, but I probably will since it turns out that both RoundCube and Squirrelmail were super easy to set up to use the submission port properly. I have to go through and make sure none of the websites have mail scripts that can't handle STARTTLS/587.

                          --
                          Space Directive 723: Terraformers are expressly forbidden from
                          recreating Swindon.
                        • John Allen
                          Message 12 of 13 , Aug 27, 2013
                            On 27/08/2013 6:09 PM, Jeroen Geilman wrote:
                            > On 08/27/2013 05:24 AM, John Allen wrote:
                            >>
                            >>
                            >> On 26/08/2013 9:00 PM, Noel Jones wrote:
                            >>> On 8/26/2013 7:49 PM, LuKreme wrote:
                            >>>> OK, now that port 587 is working, I would like to disable user
                            >>>> submission via port 25. Not right now, but in a bit once people
                            >>>> have a chance to change their settings.
                            >>>>
                            >>>> What do I do to prevent users sending via port 25?
                            >>>>
                            >>>
                            >>>
                            >>> Super easy...
                            >>>
                            >>> # main.cf
                            >>> smtpd_sasl_auth_enable = no
                            >>>
                            >>> Your master.cf submission entry probably already includes
                            >>> -o smtpd_sasl_auth_enable=yes
                            >>>
                            >>> If not, go ahead and add it to submission now so things don't break
                            >>> unexpectedly later.
                            >>>
                            >>> This won't prevent users from sending local mail to port 25, but
                            >>> they won't be able to authenticate and won't be able to relay. This
                            >>> usually isn't considered a problem, and changing it often causes
                            >>> other issues.
                            >>>
                            >>>
                            >>> -- Noel Jones
                            >>>
                            >> I based it on something that Noel Jones wrote way back in 2008.
                            >>
                            >> Create a file of the networks you wish to deny access to, e.g.
                            >> “Deny_Mynetworks_Access”, the content of which will be the same
                            >> networks as those found in the mynetworks parameter of the main.cf
                            >> file, for example:
                            >
                            > This is entirely unnecessary, since moving reject_unauth_destination
                            > in front of permit_mynetworks takes care of that.
                            > Everything after reject_unauth_destination is impervious to relay
                            > attempts, because it explicitly blocks all such attempts.
                            > Yes, relay_domains would be an exception to this - but think why
                            > domains are in relay_domains to begin with.
                            >
                            >>
                            >> This should deny access to the smtp port (25) from the local networks
                            >> while allowing access to the submission port (587).
                            >
                            > So what you're saying is basically "to deny access from the networks
                            > in mynetworks, do this complicated thing" ?
                            >
                            > A simpler way to do that would be to not put these networks in
                            > mynetworks.
                            >
                            If I remember correctly the question was how do I stop local users using
                            port 25, while allowing them to access port 587. I felt that the
                            restriction should be applied to SMTP and not to SUBMISSION.
                            I agree that my solution is not very good and I think that Stan
                            Hoeppner's response is a much more elegant solution than mine.
                          • Stan Hoeppner
                            Message 13 of 13 , Aug 28, 2013
                              On 8/27/2013 6:34 PM, John Allen wrote:
                              > On 27/08/2013 6:09 PM, Jeroen Geilman wrote:

                              >> A simpler way to do that would be to not put these networks in
                              >> mynetworks.
                              >>
                              > If I remember correctly the question was how do I stop local users using
                              > port 25, while allowing them to access port 587. I felt that the
                              > restriction should be applied to SMTP and not to SUBMISSION.
                              > I agree that my solution is not very good and I think that Stan
                              > Hoeppner's response is a much more elegant solution than mine.

                              To be clear, I wasn't offering a solution to the OP's requirement, but
                              simply cleaning up and optimizing your approach into something that
                              would actually work.

                              Jeroen offered the solution.

                              --
                              Stan