Re: Disabling user submission on port 25

  • Noel Jones
    Message 1 of 13 , Aug 26, 2013
      On 8/26/2013 7:49 PM, LuKreme wrote:
      > OK, now that port 587 is working, I would like to disable user submission via port 25. Not right now, but in a bit once people have a chance to change their settings.
      >
      > What do I do to prevent users sending via port 25?
      >


      Super easy...

      # main.cf
      smtpd_sasl_auth_enable = no

      Your master.cf submission entry probably already includes
      -o smtpd_sasl_auth_enable=yes

      If not, go ahead and add it to submission now so things don't break
      unexpectedly later.

      This won't prevent users from sending local mail to port 25, but
      they won't be able to authenticate and won't be able to relay. This
      usually isn't considered a problem, and changing it often causes
      other issues.


      -- Noel Jones
    • John Allen
      Message 2 of 13 , Aug 26, 2013
        On 26/08/2013 9:00 PM, Noel Jones wrote:
        > On 8/26/2013 7:49 PM, LuKreme wrote:
        >> OK, now that port 587 is working, I would like to disable user submission via port 25. Not right now, but in a bit once people have a chance to change their settings.
        >>
        >> What do I do to prevent users sending via port 25?
        >>
        >
        >
        > Super easy...
        >
        > # main.cf
        > smtpd_sasl_auth_enable = no
        >
        > Your master.cf submission entry probably already includes
        > -o smtpd_sasl_auth_enable=yes
        >
        > If not, go ahead and add it to submission now so things don't break
        > unexpectedly later.
        >
        > This won't prevent users from sending local mail to port 25, but
        > they won't be able to authenticate and won't be able to relay. This
        > usually isn't considered a problem, and changing it often causes
        > other issues.
        >
        >
        > -- Noel Jones
        >
        I based it on something that Noel Jones wrote way back in 2008.

        Create a file of the networks you wish to deny access to, e.g.
        “Deny_Mynetworks_Access”, the content of which will be the same networks
        as those found in the mynetworks parameter of main.cf, for example:

        192.168.0.0/16 REJECT local access not permitted
        n.n.n.n/28 REJECT local access not permitted
        [nnnn:nnnn:nnnn::]/64 REJECT local access not permitted


        Remove permit_mynetworks from all the various
        smtpd_xxxx_restrictions stanzas of main.cf. Then modify master.cf by
        adding
        -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
        to the smtp service, and add
        -o smtpd_client_restrictions=permit_mynetworks,.....
        to the submission service.

        This should deny access to the smtp port (25) from the local networks
        while allowing access to the submission port (587).
      • LuKreme
        Message 3 of 13 , Aug 26, 2013
          On 26 Aug 2013, at 19:00 , Noel Jones <njones@...> wrote:

          > # main.cf
          > smtpd_sasl_auth_enable = no

          Oh, right, of course.

          (I also needed to remove my fixed IP at home from my networks, which is why I was still able to send out via my machine).

          --
          NOBODY LIKES SUNBURN SLAPPERS Bart chalkboard Ep. 7F23
        • LuKreme
          Message 4 of 13 , Aug 26, 2013
            On 26 Aug 2013, at 21:24 , John Allen <john@...> wrote:

            > remove the permit_mynetworks from all the various smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by adding
            > -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
            > to the smtp service, and add
            > -o smtpd_client_restrictions=permit_mynetworks,.....
            > to the submission service.
            >
            > This should deny access to the smtp port (25) from the local networks while allowing access to the submission port (587).

            That seems like a bit much. I allow the web server (which hosts the webmail) in mynetworks, since users mailing from there are already authenticated. I can see there are situations where it would be a good idea.

            --
            "If I were willing to change my morals for convenience or financial
            gain, we wouldn't be arguing, because I'd already *be* a Republican."
            -- Wil Shipley
          • Stan Hoeppner
            Message 5 of 13 , Aug 27, 2013
              On 8/26/2013 10:24 PM, John Allen wrote:

              > I based it on something that Noel Jones wrote way back in 2008.

              I doubt that Noel suggested anything like this.

              > Create a file of the networks you wish to deny access to eg.
              > “Deny_Mynetworks_Access” the content of which will be the same networks
              > as those found in the mynetworks parameter of the main.cf file for example:
              >
              > 192.168.0.0/16 REJECT local access not permitted
              > n.n.n.n/28 REJECT local access not permitted
              > [nnnn:nnnn:nnnn::]/64 REJECT local access not permitted
              >
              > remove the permit_mynetworks from all the various
              > smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by
              > adding
              > -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
              > to the smtp service, and add
              > -o smtpd_client_restrictions=permit_mynetworks,.....
              > to the submission service.

              This is unnecessary and complex, and actually won't work as stated. All
              that is required is a one-line change to master.cf and a CIDR file
              (the -o line must be indented so master.cf reads it as a
              continuation of the smtp service entry):

              /etc/postfix/master.cf
              ...
              smtp      inet  n       -       -       -       20      smtpd
                -o smtpd_client_restrictions=check_client_access,cidr:/etc/postfix/deny-local.cidr

              /etc/postfix/deny-local.cidr
              192.168.0.0/16 REJECT local access not permitted


              Aug 27 01:28:21 greer postfix/smtpd[31670]: NOQUEUE: reject: RCPT from gffx.hardwarefreak.com[192.168.100.53]: 554 5.7.1 <gffx.hardwarefreak.com[192.168.100.53]>: Client host rejected: local access not permitted; from=<stan@...> to=<xxxx@...> proto=ESMTP helo=<[192.168.100.53]>


              --
              Stan
            • btb
              Message 6 of 13 , Aug 27, 2013
                On 2013.08.27 00.32, LuKreme wrote:

                > That seems like a bit much. I allow the web-server (which hosts the
                > webmail) in mynetworks, since users mailing from there are already
                > authenticated. I can see there are situations where it would be a
                > good idea.

                Webmail users should perform proper SMTP authentication, just like they
                would if they used any other client software. Among numerous benefits,
                it allows for easier auditing.

                -ben
              • John Allen
                Message 7 of 13 , Aug 27, 2013
                  > On 8/26/2013 10:24 PM, John Allen wrote:
                  >
                  >> I based it on something that Noel Jones wrote way back in 2008.
                  > I doubt that Noel suggested anything like this.
                  >
                  >> Create a file of the networks you wish to deny access to eg.
                  >> “Deny_Mynetworks_Access” the content of which will be the same networks
                  >> as those found in the mynetworks parameter of the main.cf file for example:
                  >>
                  >> 192.168.0.0/16 REJECT local access not permitted
                  >> n.n.n.n/28 REJECT local access not permitted
                  >> [nnnn:nnnn:nnnn::]/64 REJECT local access not permitted
                  >>
                  >> remove the permit_mynetworks from all the various
                  >> smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by
                  >> adding
                  >> -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
                  >> to the smtp service, and add
                  >> -o smtpd_client_restrictions=permit_mynetworks,.....
                  >> to the submission service.
                  > This is unnecessary and complex, and actually won't work as stated. All
                  > that is required is a one line change to master.cf and a CIDR file:
                  >
                  > /etc/postfix/master.cf
                  > ...
                  > smtp inet n - - - 20 smtpd
                  > -o smtpd_client_restrictions=check_client_access,\
                  > cidr:/etc/postfix/deny-local.cidr
                  >
                  > /etc/postfix/deny-local.cidr
                  > 192.168.0.0/16 REJECT local access not permitted
                  >
                  >
                  > Aug 27 01:28:21 greer postfix/smtpd[31670]: NOQUEUE: reject: RCPT from
                  > gffx.hardwarefreak.com[192.168.100.53]: 554 5.7.1
                  > <gffx.hardwarefreak.com[192.168.100.53]>: Client host rejected: local
                  > access not permitted; from=<stan@...> to=<xxxx@...>
                  > proto=ESMTP helo=<[192.168.100.53]>
                  >
                  Much simpler and far more elegant.
                • Noel Jones
                  Message 8 of 13 , Aug 27, 2013
                    On 8/27/2013 11:36 AM, John Allen wrote:
                    >> On 8/26/2013 10:24 PM, John Allen wrote:
                    >>
                    >>> I based it on something that Noel Jones wrote way back in 2008.
                    >> I doubt that Noel suggested anything like this.

                    2008 was a long time ago, possibly I've learned a thing or two since
                    then. Regardless, I think this was in response to a very specific
                    requirement not particularly related to the current issue.

                    Apparently whatever I told him worked, glad to be of help.

                    -- Noel Jones
                  • Jeroen Geilman
                    Message 9 of 13 , Aug 27, 2013
                      On 08/27/2013 05:24 AM, John Allen wrote:
                      >
                      >
                      > On 26/08/2013 9:00 PM, Noel Jones wrote:
                      >> On 8/26/2013 7:49 PM, LuKreme wrote:
                      >>> OK, now that port 587 is working, I would like to disable user
                      >>> submission via port 25. Not right now, but in a bit once people have
                      >>> a chance to change their settings.
                      >>>
                      >>> What do I do to prevent users sending via port 25?
                      >>>
                      >>
                      >>
                      >> Super easy...
                      >>
                      >> # main.cf
                      >> smtpd_sasl_auth_enable = no
                      >>
                      >> Your master.cf submission entry probably already includes
                      >> -o smtpd_sasl_auth_enable=yes
                      >>
                      >> If not, go ahead and add it to submission now so things don't break
                      >> unexpectedly later.
                      >>
                      >> This won't prevent users from sending local mail to port 25, but
                      >> they won't be able to authenticate and won't be able to relay. This
                      >> usually isn't considered a problem, and changing it often causes
                      >> other issues.
                      >>
                      >>
                      >> -- Noel Jones
                      >>
                      > I based it on something that Noel Jones wrote way back in 2008.
                      >
                      > Create a file of the networks you wish to deny access to eg.
                      > “Deny_Mynetworks_Access” the content of which will be the same
                      > networks as those found in the mynetworks parameter of the main.cf
                      > file for example:

                      This is entirely unnecessary, since moving reject_unauth_destination in
                      front of permit_mynetworks takes care of that.
                      Everything after reject_unauth_destination is impervious to relay
                      attempts, because it explicitly blocks all such attempts.
                      Yes, relay_domains would be an exception to this - but think why domains
                      are in relay_domains to begin with.

                      >
                      > This should deny access to the smtp port (25) from the local networks
                      > while allowing access to the submission port (587).

                      So what you're saying is basically "to deny access from the networks in
                      mynetworks, do this complicated thing" ?

                      A simpler way to do that would be to not put these networks in mynetworks.

                      --
                      J.
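The three answers in this thread (Noel: turn SASL off on port 25; Stan: reject LAN clients on the smtp service with a cidr: table; Jeroen: put reject_unauth_destination ahead of permit_mynetworks) all come down to which restriction in an smtpd restriction list fires first. The following is an added model of that evaluation, not code from the thread or from Postfix itself. It models only the restrictions used above plus a cidr: access table; the mynetworks value, client addresses, service settings and table contents are constructed, relay_domains is ignored, and Stan's "check_client_access,cidr:..." is written with a space instead of the comma, which Postfix treats the same way.

```python
"""Model of how Postfix smtpd walks a restriction list (added illustration)."""
import ipaddress

# Constructed stand-in for the mynetworks parameter in main.cf.
MYNETWORKS = ["127.0.0.0/8", "192.168.0.0/16"]

# Constructed stand-in for /etc/postfix/deny-local.cidr (same rule as Stan's post).
DENY_LOCAL_CIDR = """\
# LAN clients may not use port 25; they must use submission (587) instead
192.168.0.0/16 REJECT local access not permitted
"""


def parse_cidr_table(text):
    """Parse a Postfix cidr: table into [(network, action, message)] in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, action, *words = line.split()
        entries.append((ipaddress.ip_network(net, strict=False), action.upper(), " ".join(words)))
    return entries


def cidr_lookup(entries, client_ip):
    """First matching entry wins, as in Postfix cidr tables; None means no match."""
    ip = ipaddress.ip_address(client_ip)
    for net, action, message in entries:
        if ip in net:
            return action, message
    return None


def in_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in MYNETWORKS)


def evaluate(restrictions, client_ip, sasl_ok, unauth_dest, tables):
    """Walk a restriction list in order: the first PERMIT or REJECT decides, a
    restriction that does not apply passes to the next one (DUNNO), and an
    exhausted list permits. relay_domains, which Jeroen mentions, is not modelled."""
    for item in restrictions:
        if item == "permit_mynetworks" and in_mynetworks(client_ip):
            return "PERMIT", "permit_mynetworks"
        if item == "permit_sasl_authenticated" and sasl_ok:
            return "PERMIT", "permit_sasl_authenticated"
        if item == "reject_unauth_destination" and unauth_dest:
            return "REJECT", "554 5.7.1 Relay access denied"
        if item == "reject":
            return "REJECT", "554 5.7.1 Access denied"
        if item.startswith("check_client_access "):
            hit = cidr_lookup(tables[item.split(None, 1)[1]], client_ip)
            if hit and hit[0] == "REJECT":
                return "REJECT", "554 5.7.1 Client host rejected: " + hit[1]
            if hit and hit[0] == "OK":
                return "PERMIT", "check_client_access OK"
    return "PERMIT", "end of list"


TABLES = {"cidr:/etc/postfix/deny-local.cidr": parse_cidr_table(DENY_LOCAL_CIDR)}

# Per-service settings: main.cf defaults plus the master.cf "-o" overrides (constructed).
SERVICES = {
    # port 25: SASL off (Noel), LAN clients rejected by the cidr table (Stan)
    "smtp": {"sasl_auth_enable": False,
             "client_restrictions": ["check_client_access cidr:/etc/postfix/deny-local.cidr",
                                     "permit_mynetworks", "reject_unauth_destination"]},
    # port 587: SASL on, and only authenticated clients may submit
    "submission": {"sasl_auth_enable": True,
                   "client_restrictions": ["permit_sasl_authenticated", "reject"]},
}


def decide(service, client_ip, authenticated, unauth_dest):
    """Decision for one RCPT on the given service. unauth_dest is True when the
    recipient domain is not one this server accepts mail for, i.e. it would be relaying."""
    cfg = SERVICES[service]
    # Noel's point: with SASL disabled on a service, nobody can be "authenticated" there.
    sasl_ok = authenticated and cfg["sasl_auth_enable"]
    return evaluate(cfg["client_restrictions"], client_ip, sasl_ok, unauth_dest, TABLES)


def relay_from_lan(order):
    """Jeroen's point: whether an unauthenticated LAN client can relay depends only on
    whether permit_mynetworks comes before or after reject_unauth_destination."""
    return evaluate(order, "192.168.0.7", False, True, TABLES)[0]


if __name__ == "__main__":
    for args in [("smtp", "192.168.100.53", False, True),        # LAN client on 25: cidr reject
                 ("smtp", "203.0.113.5", False, False),          # inbound internet mail: accepted
                 ("smtp", "203.0.113.5", False, True),           # internet client relaying: rejected
                 ("submission", "192.168.100.53", True, True),   # authenticated on 587: permitted
                 ("submission", "192.168.100.53", False, True)]: # unauthenticated on 587: rejected
        print(args, "->", decide(*args))
    print(relay_from_lan(["permit_mynetworks", "reject_unauth_destination"]))  # PERMIT
    print(relay_from_lan(["reject_unauth_destination", "permit_mynetworks"]))  # REJECT
```

The useful check is the second smtp case: the cidr table on port 25 keeps inbound mail from the internet flowing, because only the LAN prefix is listed, while a LAN host that has not moved to 587 gets the same "Client host rejected" seen in Stan's log. Running `postmap -q 192.168.100.53 cidr:/etc/postfix/deny-local.cidr` on a real server is the equivalent of `cidr_lookup` here.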
                    • LuKreme
                      Message 10 of 13 , Aug 27, 2013
                        On 27 Aug 2013, at 16:09 , Jeroen Geilman <jeroen@...> wrote:
                        > A simpler way to do that would be to not put these networks in mynetworks.

                        Right. I have nothing in mynetworks but the two servers that sit next to each other. No one on the LAN is in mynetworks.

                        I was hesitant about taking the web server out, but I probably will, since it turns out that both RoundCube and Squirrelmail were super easy to set up to use the submission port properly. I have to go through and make sure none of the websites have mail scripts that can't handle STARTTLS/587.

                        --
                        Space Directive 723: Terraformers are expressly forbidden from
                        recreating Swindon.
                      • John Allen
                        Message 11 of 13 , Aug 27, 2013
                          On 27/08/2013 6:09 PM, Jeroen Geilman wrote:
                          > On 08/27/2013 05:24 AM, John Allen wrote:
                          >>
                          >>
                          >> On 26/08/2013 9:00 PM, Noel Jones wrote:
                          >>> On 8/26/2013 7:49 PM, LuKreme wrote:
                          >>>> OK, now that port 587 is working, I would like to disable user
                          >>>> submission via port 25. Not right now, but in a bit once people
                          >>>> have a chance to change their settings.
                          >>>>
                          >>>> What do I do to prevent users sending via port 25?
                          >>>>
                          >>>
                          >>>
                          >>> Super easy...
                          >>>
                          >>> # main.cf
                          >>> smtpd_sasl_auth_enable = no
                          >>>
                          >>> Your master.cf submission entry probably already includes
                          >>> -o smtpd_sasl_auth_enable=yes
                          >>>
                          >>> If not, go ahead and add it to submission now so things don't break
                          >>> unexpectedly later.
                          >>>
                          >>> This won't prevent users from sending local mail to port 25, but
                          >>> they won't be able to authenticate and won't be able to relay. This
                          >>> usually isn't considered a problem, and changing it often causes
                          >>> other issues.
                          >>>
                          >>>
                          >>> -- Noel Jones
                          >>>
                          >> I based it on something that Noel Jones wrote way back in 2008.
                          >>
                          >> Create a file of the networks you wish to deny access to eg.
                          >> “Deny_Mynetworks_Access” the content of which will be the same
                          >> networks as those found in the mynetworks parameter of the main.cf
                          >> file for example:
                          >
                          > This is entirely unnecessary, since moving reject_unauth_destination
                          > in front of permit_mynetworks takes care of that.
                          > Everything after reject_unauth_destination is impervious to relay
                          > attempts, because it explicitly blocks all such attempts.
                          > Yes, relay_domains would be an exception to this - but think why
                          > domains are in relay_domains to begin with.
                          >
                          >>
                          >> This should deny access to the smtp port (25) from the local networks
                          >> while allowing access to the submission port (587).
                          >
                          > So what you're saying is basically "to deny access from the networks
                          > in mynetworks, do this complicated thing" ?
                          >
                          > A simpler way to do that would be to not put these networks in
                          > mynetworks.
                          >
                          If I remember correctly, the question was how to stop local users using
                          port 25 while allowing them to access port 587. I felt that the
                          restriction should be applied to SMTP and not to SUBMISSION.
                          I agree that my solution is not very good, and I think that Stan
                          Hoeppner's response is a much more elegant solution than mine.
                        • Stan Hoeppner
                          Message 12 of 13 , Aug 28, 2013
                            On 8/27/2013 6:34 PM, John Allen wrote:
                            > On 27/08/2013 6:09 PM, Jeroen Geilman wrote:

                            >> A simpler way to do that would be to not put these networks in
                            >> mynetworks.
                            >>
                            > If I remember correctly the question was how do I stop local users using
                            > port 25, while allowing them to access port 587. I felt that the
                            > restriction should be applied to SMTP and not to SUBMISSION.
                            > I agree that my solution is not very good and I think that Stan
                            > Hoeppner's response is a much more elegant solution than mine.

                            To be clear, I wasn't offering a solution to the OP's requirement, but
                            simply cleaning up and optimizing your approach into something that
                            would actually work.

                            Jeroen offered the solution.

                            --
                            Stan