Re: Disabling user submission on port 25

  • John Allen
    Message 1 of 13, Aug 26, 2013
      On 26/08/2013 9:00 PM, Noel Jones wrote:
      > On 8/26/2013 7:49 PM, LuKreme wrote:
      >> OK, now that port 587 is working, I would like to disable user submission via port 25. Not right now, but in a bit once people have a chance to change their settings.
      >>
      >> What do I do to prevent users sending via port25?
      >>
      >
      >
      > Super easy...
      >
      > # main.cf
      > smtpd_sasl_auth_enable = no
      >
      > Your master.cf submission entry probably already includes
      > -o smtpd_sasl_auth_enable=yes
      >
      > If not, go ahead and add it to submission now so things don't break
      > unexpectedly later.
      >
      > This won't prevent users from sending local mail to port 25, but
      > they won't be able to authenticate and won't be able to relay. This
      > usually isn't considered a problem, and changing it often causes
      > other issues.
      >
      >
      > -- Noel Jones
      >
      I based it on something that Noel Jones wrote way back in 2008.

      Create a file of the networks you wish to deny access to, e.g.
      “Deny_Mynetworks_Access”, the content of which will be the same networks
      as those found in the mynetworks parameter of the main.cf file, for example:

      192.168.0.0/16 REJECT local access not permitted
      n.n.n.n/28 REJECT local access not permitted
      [nnnn:nnnn:nnnn::]/64 REJECT local access not permitted


      Remove permit_mynetworks from all the various
      smtpd_xxxx_restrictions stanzas of main.cf. Then modify master.cf by
      adding
      -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
      to the smtp service, and add
      -o smtpd_client_restrictions=permit_mynetworks,.....
      to the submission service.

      This should deny access to the smtp port (25) from the local networks
      while allowing access to the submission port (587).
    • LuKreme
      Message 2 of 13, Aug 26, 2013
        On 26 Aug 2013, at 19:00 , Noel Jones <njones@...> wrote:

        > # main.cf
        > smtpd_sasl_auth_enable = no

        Oh, right, of course.

        (I also needed to remove my fixed IP at home from my networks, which is why I was still able to send out via my machine).

        --
        NOBODY LIKES SUNBURN SLAPPERS Bart chalkboard Ep. 7F23
      • LuKreme
        Message 3 of 13, Aug 26, 2013
          On 26 Aug 2013, at 21:24 , John Allen <john@...> wrote:

          > remove the permit_mynetworks from all the various smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by adding
          > -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
          > to the smtp service, and add
          > -o smtpd_client_restrictions=permit_mynetworks,.....
          > to the submission service.
          >
          > This should deny access to the smtp port (25) from the local networks while allowing access to the submission port (587).

          That seems like a bit much. I allow the web-server (which hosts the webmail) in mynetworks, since users mailing from there are already authenticated. I can see there are situations where it would be a good idea.

          --
          "If I were willing to change my morals for convenience or financial
          gain, we wouldn't be arguing, because I'd already *be* a Republican."
          -- Wil Shipley
        • Stan Hoeppner
          Message 4 of 13, Aug 27, 2013
            On 8/26/2013 10:24 PM, John Allen wrote:

            > I based it something that Noel Jones wrote way back in 2008.

            I doubt that Noel suggested anything like this.

            > Create a file of the networks you wish to deny access to eg.
            > “Deny_Mynetworks_Access” the content of which will be the same networks
            > as those found in the mynetworks parameter of the main.cf file for example:
            >
            > 192.168.0.0/16 REJECT local access not permitted
            > n.n.n.n/28 REJECT local access not permitted
            > [nnnn:nnnn:nnnn::]/64 REJECT local access not permitted
            >
            > remove the permit_mynetworks from all the various
            > smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by
            > adding
            > -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
            > to the smtp service, and add
            > -o smtpd_client_restrictions=permit_mynetworks,.....
            > to the submission service.

            This is unnecessary and complex and actually won't work as stated. All
            that is required is a one line change to master.cf and a CIDR file:

            /etc/postfix/master.cf
            ...
            # the -o line is indented so master.cf reads it as a continuation of the smtp entry
            smtp      inet  n       -       -       -       20      smtpd
                -o smtpd_client_restrictions=check_client_access,cidr:/etc/postfix/deny-local.cidr

            /etc/postfix/deny-local.cidr
            192.168.0.0/16 REJECT local access not permitted


            Aug 27 01:28:21 greer postfix/smtpd[31670]: NOQUEUE: reject: RCPT from
            gffx.hardwarefreak.com[192.168.100.53]: 554 5.7.1
            <gffx.hardwarefreak.com[192.168.100.53]>: Client host rejected: local
            access not permitted; from=<stan@...> to=<xxxx@...>
            proto=ESMTP helo=<[192.168.100.53]>


            --
            Stan
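A check worth running once a rule like the one above is in place: this added Python script (not code from the thread or from Postfix) counts the "Client host rejected: local access not permitted" rejects per client IP, so hosts still submitting on port 25, a webmail server for instance, are visible in the mail log. The log lines are constructed in the format of the reject line above; hostnames and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample log (hostnames and addresses are made up) in the format of
# the reject line shown in the thread. The last line is an unrelated connect.
SAMPLE_LOG = """\
Aug 27 01:28:21 greer postfix/smtpd[31670]: NOQUEUE: reject: RCPT from gffx.lan.example[192.168.100.53]: 554 5.7.1 <gffx.lan.example[192.168.100.53]>: Client host rejected: local access not permitted; from=<stan@example.com> to=<user@example.net> proto=ESMTP helo=<[192.168.100.53]>
Aug 27 01:30:02 greer postfix/smtpd[31671]: NOQUEUE: reject: RCPT from webmail.lan.example[192.168.1.10]: 554 5.7.1 <webmail.lan.example[192.168.1.10]>: Client host rejected: local access not permitted; from=<alice@example.com> to=<bob@example.net> proto=ESMTP helo=<webmail.lan.example>
Aug 27 01:31:15 greer postfix/smtpd[31672]: NOQUEUE: reject: RCPT from webmail.lan.example[192.168.1.10]: 554 5.7.1 <webmail.lan.example[192.168.1.10]>: Client host rejected: local access not permitted; from=<carol@example.com> to=<dave@example.org> proto=ESMTP helo=<webmail.lan.example>
Aug 27 01:32:40 greer postfix/smtpd[31673]: connect from mx.example.org[198.51.100.7]
"""

# Matches only rejects produced by the deny-local CIDR rule (its reject text is
# "local access not permitted"), not other 554 rejects.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"554 5\.7\.1 <[^>]*>: Client host rejected: local access not permitted; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def local_access_rejects(log_text):
    """One dict (host, ip, sender, rcpt) per reject produced by the deny-local rule."""
    hits = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits

def rejects_per_client(log_text):
    """Client IPs still submitting on port 25, most frequent first."""
    return Counter(r["ip"] for r in local_access_rejects(log_text)).most_common()

if __name__ == "__main__":
    for ip, n in rejects_per_client(SAMPLE_LOG):
        print(f"{ip:16} {n} rejects")
```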
          • btb
            Message 5 of 13, Aug 27, 2013
              On 2013.08.27 00.32, LuKreme wrote:

              > That seem like a bit much. I allow the web-server (which hosts the
              > webmail) in mynetworks, since users mailing from there are already
              > authenticated. I can see there are situations where it would be a
              > good idea.

              web mail users should perform proper smtp authentication, just like they
              would if they used any other client software. among numerous benefits,
              it allows for easier auditing.

              -ben
            • John Allen
              Message 6 of 13, Aug 27, 2013
                > On 8/26/2013 10:24 PM, John Allen wrote:
                >
                >> I based it something that Noel Jones wrote way back in 2008.
                > I doubt that Noel suggested anything like this.
                >
                >> Create a file of the networks you wish to deny access to eg.
                >> “Deny_Mynetworks_Access” the content of which will be the same networks
                >> as those found in the mynetworks parameter of the main.cf file for example:
                >>
                >> 192.168.0.0/16 REJECT local access not permitted
                >> n.n.n.n/28 REJECT local access not permitted
                >> [nnnn:nnnn:nnnn::]/64 REJECT local access not permitted
                >>
                >> remove the permit_mynetworks from all the various
                >> smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by
                >> adding
                >> -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
                >> to the smtp service, and add
                >> -o smtpd_client_restrictions=permit_mynetworks,.....
                >> to the submission service.
                > This unnecessary and complex and actually won't work as stated. All
                > that is required is a one line change to master.cf and a CIDR file:
                >
                > /etc/postfix/master.cf
                > ...
                > smtp inet n - - - 20 smtpd
                > -o smtpd_client_restrictions=check_client_access,\
                > cidr:/etc/postfix/deny-local.cidr
                >
                > /etc/postfix/deny-local.cidr
                > 192.168.0.0/16 REJECT local access not permitted
                >
                >
                > Aug 27 01:28:21 greer postfix/smtpd[31670]: NOQUEUE: reject: RCPT from
                > gffx.hardwarefreak.com[192.168.100.53]: 554 5.7.1
                > <gffx.hardwarefreak.com[192.168.100.53]>: Client host rejected: local
                > access not permitted; from=<stan@...> to=<xxxx@...>
                > proto=ESMTP helo=<[192.168.100.53]>
                >
                Much simpler and far more elegant.
              • Noel Jones
                Message 7 of 13, Aug 27, 2013
                  On 8/27/2013 11:36 AM, John Allen wrote:
                  >> On 8/26/2013 10:24 PM, John Allen wrote:
                  >>
                  >>> I based it something that Noel Jones wrote way back in 2008.
                  >> I doubt that Noel suggested anything like this.

                  2008 was a long time ago, possibly I've learned a thing or two since
                  then. Regardless, I think this was in response to a very specific
                  requirement not particularly related to the current issue.

                  Apparently whatever I told him worked, glad to be of help.

                  -- Noel Jones
                • Jeroen Geilman
                  Message 8 of 13, Aug 27, 2013
                    On 08/27/2013 05:24 AM, John Allen wrote:
                    >
                    >
                    > On 26/08/2013 9:00 PM, Noel Jones wrote:
                    >> On 8/26/2013 7:49 PM, LuKreme wrote:
                    >>> OK, now that port 587 is working, I would like to disable user
                    >>> submission via port 25. Not right now, but in a bit once people have
                    >>> a chance to change their settings.
                    >>>
                    >>> What do I do to prevent users sending via port25?
                    >>>
                    >>
                    >>
                    >> Super easy...
                    >>
                    >> # main.cf
                    >> smtpd_sasl_auth_enable = no
                    >>
                    >> Your master.cf submission entry probably already includes
                    >> -o smtpd_sasl_auth_enable=yes
                    >>
                    >> If not, go ahead and add it to submission now so things don't break
                    >> unexpectedly later.
                    >>
                    >> This won't prevent users from sending local mail to port 25, but
                    >> they won't be able to authenticate and won't be able to relay. This
                    >> usually isn't considered a problem, and changing it often causes
                    >> other issues.
                    >>
                    >>
                    >> -- Noel Jones
                    >>
                    > I based it something that Noel Jones wrote way back in 2008.
                    >
                    > Create a file of the networks you wish to deny access to eg.
                    > “Deny_Mynetworks_Access” the content of which will be the same
                    > networks as those found in the mynetworks parameter of the main.cf
                    > file for example:

                    This is entirely unnecessary, since moving reject_unauth_destination in
                    front of permit_mynetworks takes care of that.
                    Everything after reject_unauth_destination is impervious to relay
                    attempts, because it explicitly blocks all such attempts.
                    Yes, relay_domains would be an exception to this - but think why domains
                    are in relay_domains to begin with.

                    >
                    > This should deny access to the smtp port (25) from the local networks
                    > while allowing access to the submission port (587).

                    So what you're saying is basically "to deny access from the networks in
                    mynetworks, do this complicated thing" ?

                    A simpler way to do that would be to not put these networks in mynetworks.

                    --
                    J.
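To compare the three port-25 approaches in this thread (Noel's smtpd_sasl_auth_enable = no, Stan's check_client_access CIDR reject, and Jeroen's ordering of reject_unauth_destination ahead of permit_mynetworks), here is an added Python model of how Postfix walks a restriction list; it is not code from the thread or from Postfix, and the networks, domains and addresses are constructed. It also shows why LuKreme still needed to take his home IP out of mynetworks under Noel's approach.

```python
import ipaddress

# Constructed sample config (not from the thread): mynetworks still contains the
# LAN, which is the situation the thread is about; example.com is the local domain.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
LOCAL_DOMAINS = {"example.com"}
DENY_LOCAL_CIDR = [("192.168.0.0/16", "REJECT")]  # mirrors Stan's deny-local.cidr

def permit_mynetworks(c, cfg):
    return "PERMIT" if any(c["ip"] in n for n in MYNETWORKS) else "DUNNO"

def permit_sasl_authenticated(c, cfg):
    # Can only fire on a service with smtpd_sasl_auth_enable=yes.
    return "PERMIT" if cfg["sasl"] and c["authenticated"] else "DUNNO"

def reject_unauth_destination(c, cfg):
    return "DUNNO" if c["rcpt_domain"] in LOCAL_DOMAINS else "REJECT"

def check_client_access(table):
    nets = [(ipaddress.ip_network(k), v) for k, v in table]
    def restriction(c, cfg):
        return next((v for n, v in nets if c["ip"] in n), "DUNNO")
    return restriction

def evaluate(restrictions, client, cfg):
    """Postfix semantics: first PERMIT/REJECT wins, DUNNO falls through, end of list permits."""
    for r in restrictions:
        verdict = r(client, cfg)
        if verdict != "DUNNO":
            return verdict
    return "PERMIT"

# The port-25 variants discussed in the thread plus a submission service. Client and
# recipient restrictions are flattened into one list here (with the default
# smtpd_delay_reject=yes they are evaluated together at RCPT TO anyway).
POLICIES = {
    "default_25": ({"sasl": True},
                   [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination]),
    "noel_25": ({"sasl": False},  # smtpd_sasl_auth_enable = no on port 25
                [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination]),
    "stan_25": ({"sasl": False},  # check_client_access cidr:deny-local.cidr evaluated first
                [check_client_access(DENY_LOCAL_CIDR), permit_mynetworks, reject_unauth_destination]),
    "jeroen_25": ({"sasl": False},  # reject_unauth_destination moved ahead of permit_mynetworks
                  [reject_unauth_destination, permit_mynetworks]),
    "submission_587": ({"sasl": True},
                       [permit_sasl_authenticated, reject_unauth_destination]),
}

def decide(policy, ip, authenticated, rcpt_domain):
    """Verdict for one RCPT TO on the named service."""
    cfg, restrictions = POLICIES[policy]
    client = {"ip": ipaddress.ip_address(ip), "authenticated": authenticated,
              "rcpt_domain": rcpt_domain}
    return evaluate(restrictions, client, cfg)

if __name__ == "__main__":
    # LAN host from Stan's log relaying to an outside domain without authenticating
    for policy in POLICIES:
        print(f"{policy:15} {decide(policy, '192.168.100.53', False, 'example.net')}")
```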
                  • LuKreme
                    Message 9 of 13, Aug 27, 2013
                      On 27 Aug 2013, at 16:09 , Jeroen Geilman <jeroen@...> wrote:
                      > A simpler way to do that would be to not put these networks in mynetworks.

                      Right. I have nothing in mynetworks but the two servers that sit next to each other. No one on the LAN is in mynetworks.

                      I was hesitant on taking the web server out, but I probably will since it turns out that both RoundCube and Squirrelmail were super easy to set up to use the submission port properly. I have to go through and make sure none of the websites have mail scripts that can't handle STARTTLS/587.

                      --
                      Space Directive 723: Terraformers are expressly forbidden from
                      recreating Swindon.
                    • John Allen
                      Message 10 of 13, Aug 27, 2013
                        On 27/08/2013 6:09 PM, Jeroen Geilman wrote:
                        > On 08/27/2013 05:24 AM, John Allen wrote:
                        >>
                        >>
                        >> On 26/08/2013 9:00 PM, Noel Jones wrote:
                        >>> On 8/26/2013 7:49 PM, LuKreme wrote:
                        >>>> OK, now that port 587 is working, I would like to disable user
                        >>>> submission via port 25. Not right now, but in a bit once people
                        >>>> have a chance to change their settings.
                        >>>>
                        >>>> What do I do to prevent users sending via port25?
                        >>>>
                        >>>
                        >>>
                        >>> Super easy...
                        >>>
                        >>> # main.cf
                        >>> smtpd_sasl_auth_enable = no
                        >>>
                        >>> Your master.cf submission entry probably already includes
                        >>> -o smtpd_sasl_auth_enable=yes
                        >>>
                        >>> If not, go ahead and add it to submission now so things don't break
                        >>> unexpectedly later.
                        >>>
                        >>> This won't prevent users from sending local mail to port 25, but
                        >>> they won't be able to authenticate and won't be able to relay. This
                        >>> usually isn't considered a problem, and changing it often causes
                        >>> other issues.
                        >>>
                        >>>
                        >>> -- Noel Jones
                        >>>
                        >> I based it something that Noel Jones wrote way back in 2008.
                        >>
                        >> Create a file of the networks you wish to deny access to eg.
                        >> “Deny_Mynetworks_Access” the content of which will be the same
                        >> networks as those found in the mynetworks parameter of the main.cf
                        >> file for example:
                        >
                        > This is entirely unnecessary, since moving reject_unauth_destination
                        > in front of permit_mynetworks takes care of that.
                        > Everything after reject_unauth_destination is impervious to relay
                        > attempts, because it explicitly blocks all such attempts.
                        > Yes, relay_domains would be an exception to this - but think why
                        > domains are in relay_domains to begin with.
                        >
                        >>
                        >> This should deny access to the smtp port (25) from the local networks
                        >> while allowing access to the submission port (587).
                        >
                        > So what you're saying is basically "to deny access from the networks
                        > in mynetworks, do this complicated thing" ?
                        >
                        > A simpler way to do that would be to not put these networks in
                        > mynetworks.
                        >
                        If I remember correctly the question was how do I stop local users using
                        port 25, while allowing them to access port 587. I felt that the
                        restriction should be applied to SMTP and not to SUBMISSION.
                        I agree that my solution is not very good and I think that Stan
                        Hoeppner's response is a much more elegant solution than mine.
                      • Stan Hoeppner
                        Message 11 of 13, Aug 28, 2013
                          On 8/27/2013 6:34 PM, John Allen wrote:
                          > On 27/08/2013 6:09 PM, Jeroen Geilman wrote:

                          >> A simpler way to do that would be to not put these networks in
                          >> mynetworks.
                          >>
                          > If I remember correctly the question was how do I stop local users using
                          > port 25, while allowing them to access port 587. I felt that the
                          > restriction should be applied to SMTP and not to SUBMISSION.
                          > I agree that my solution is not very good and I think that Stan
                          > Hoeppner's response is a much more elegant solution than mine.

                          To be clear, I wasn't offering a solution to the OP's requirement, but
                          simply cleaning up and optimizing your approach into something that
                          would actually work.

                          Jeroen offered the solution.

                          --
                          Stan