Re: Disabling user submission on port 25

  • LuKreme
    Message 1 of 13, Aug 26, 2013
      On 26 Aug 2013, at 21:24 , John Allen <john@...> wrote:

      > remove the permit_mynetworks from all the various smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by adding
      > -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
      > to the smtp service, and add
      > -o smtpd_client_restrictions=permit_mynetworks,.....
      > to the submission service.
      >
      > This should deny access to the smtp port (25) from the local networks while allowing access to the submission port (587).

      That seems like a bit much. I allow the web-server (which hosts the webmail) in mynetworks, since users mailing from there are already authenticated. I can see there are situations where it would be a good idea.

      --
      "If I were willing to change my morals for convenience or financial
      gain, we wouldn't be arguing, because I'd already *be* a Republican."
      -- Wil Shipley
    • Stan Hoeppner
      Message 2 of 13, Aug 27, 2013
        On 8/26/2013 10:24 PM, John Allen wrote:

        > I based it on something that Noel Jones wrote way back in 2008.

        I doubt that Noel suggested anything like this.

        > Create a file of the networks you wish to deny access to eg.
        > “Deny_Mynetworks_Access” the content of which will be the same networks
        > as those found in the mynetworks parameter of the main.cf file for example:
        >
        > 192.168.0.0/16 REJECT local access not permitted
        > n.n.n.n/28 REJECT local access not permitted
        > [nnnn:nnnn:nnnn::]/64 REJECT local access not permitted
        >
        > remove the permit_mynetworks from all the various
        > smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by
        > adding
        > -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
        > to the smtp service, and add
        > -o smtpd_client_restrictions=permit_mynetworks,.....
        > to the submission service.

        This is unnecessary and complex and actually won't work as stated. All
        that is required is a one line change to master.cf and a CIDR file:

        /etc/postfix/master.cf
        ...
        smtp      inet  n       -       -       -       20      smtpd
            -o smtpd_client_restrictions=check_client_access,cidr:/etc/postfix/deny-local.cidr

        /etc/postfix/deny-local.cidr
        192.168.0.0/16 REJECT local access not permitted


        Aug 27 01:28:21 greer postfix/smtpd[31670]: NOQUEUE: reject: RCPT from
        gffx.hardwarefreak.com[192.168.100.53]: 554 5.7.1
        <gffx.hardwarefreak.com[192.168.100.53]>: Client host rejected: local
        access not permitted; from=<stan@...> to=<xxxx@...>
        proto=ESMTP helo=<[192.168.100.53]>


        --
        Stan
      • btb
          Message 3 of 13, Aug 27, 2013
          On 2013.08.27 00.32, LuKreme wrote:

          > That seems like a bit much. I allow the web-server (which hosts the
          > webmail) in mynetworks, since users mailing from there are already
          > authenticated. I can see there are situations where it would be a
          > good idea.

          web mail users should perform proper smtp authentication, just like they
          would if they used any other client software. among numerous benefits,
          it allows for easier auditing.

          -ben
        • John Allen
            Message 4 of 13, Aug 27, 2013
            > On 8/26/2013 10:24 PM, John Allen wrote:
            >
            >> I based it on something that Noel Jones wrote way back in 2008.
            > I doubt that Noel suggested anything like this.
            >
            >> Create a file of the networks you wish to deny access to eg.
            >> “Deny_Mynetworks_Access” the content of which will be the same networks
            >> as those found in the mynetworks parameter of the main.cf file for example:
            >>
            >> 192.168.0.0/16 REJECT local access not permitted
            >> n.n.n.n/28 REJECT local access not permitted
            >> [nnnn:nnnn:nnnn::]/64 REJECT local access not permitted
            >>
            >> remove the permit_mynetworks from all the various
            >> smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by
            >> adding
            >> -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
            >> to the smtp service, and add
            >> -o smtpd_client_restrictions=permit_mynetworks,.....
            >> to the submission service.
            > This is unnecessary and complex and actually won't work as stated. All
            > that is required is a one line change to master.cf and a CIDR file:
            >
            > /etc/postfix/master.cf
            > ...
            > smtp inet n - - - 20 smtpd
            > -o smtpd_client_restrictions=check_client_access,\
            > cidr:/etc/postfix/deny-local.cidr
            >
            > /etc/postfix/deny-local.cidr
            > 192.168.0.0/16 REJECT local access not permitted
            >
            >
            > Aug 27 01:28:21 greer postfix/smtpd[31670]: NOQUEUE: reject: RCPT from
            > gffx.hardwarefreak.com[192.168.100.53]: 554 5.7.1
            > <gffx.hardwarefreak.com[192.168.100.53]>: Client host rejected: local
            > access not permitted; from=<stan@...> to=<xxxx@...>
            > proto=ESMTP helo=<[192.168.100.53]>
            >
            Much simpler and far more elegant.
          • Noel Jones
              Message 5 of 13, Aug 27, 2013
              On 8/27/2013 11:36 AM, John Allen wrote:
              >> On 8/26/2013 10:24 PM, John Allen wrote:
              >>
              >>> I based it on something that Noel Jones wrote way back in 2008.
              >> I doubt that Noel suggested anything like this.

              2008 was a long time ago, possibly I've learned a thing or two since
              then. Regardless, I think this was in response to a very specific
              requirement not particularly related to the current issue.

              Apparently whatever I told him worked, glad to be of help.

              -- Noel Jones
            • Jeroen Geilman
                Message 6 of 13, Aug 27, 2013
                On 08/27/2013 05:24 AM, John Allen wrote:
                >
                >
                > On 26/08/2013 9:00 PM, Noel Jones wrote:
                >> On 8/26/2013 7:49 PM, LuKreme wrote:
                >>> OK, now that port 587 is working, I would like to disable user
                >>> submission via port 25. Not right now, but in a bit once people have
                >>> a chance to change their settings.
                >>>
                >>> What do I do to prevent users sending via port25?
                >>>
                >>
                >>
                >> Super easy...
                >>
                >> # main.cf
                >> smtpd_sasl_auth_enable = no
                >>
                >> Your master.cf submission entry probably already includes
                >> -o smtpd_sasl_auth_enable=yes
                >>
                >> If not, go ahead and add it to submission now so things don't break
                >> unexpectedly later.
                >>
                >> This won't prevent users from sending local mail to port 25, but
                >> they won't be able to authenticate and won't be able to relay. This
                >> usually isn't considered a problem, and changing it often causes
                >> other issues.
                >>
                >>
                >> -- Noel Jones
                >>
                > I based it on something that Noel Jones wrote way back in 2008.
                >
                > Create a file of the networks you wish to deny access to eg.
                > “Deny_Mynetworks_Access” the content of which will be the same
                > networks as those found in the mynetworks parameter of the main.cf
                > file for example:

                This is entirely unnecessary, since moving reject_unauth_destination in
                front of permit_mynetworks takes care of that.
                Everything after reject_unauth_destination is impervious to relay
                attempts, because it explicitly blocks all such attempts.
                Yes, relay_domains would be an exception to this - but think why domains
                are in relay_domains to begin with.

                >
                > This should deny access to the smtp port (25) from the local networks
                > while allowing access to the submission port (587).

                So what you're saying is basically "to deny access from the networks in
                mynetworks, do this complicated thing" ?

                A simpler way to do that would be to not put these networks in mynetworks.

                --
                J.
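An added example, not code from the thread: a small Python model of how smtpd walks a restriction list left to right and stops at the first PERMIT or REJECT. It covers Stan's port-25 `check_client_access cidr:` reject, Jeroen's point that placing `reject_unauth_destination` in front of `permit_mynetworks` blocks relaying from mynetworks while still allowing local delivery, and Noel's note that with `smtpd_sasl_auth_enable = no` on port 25 there is nothing for `permit_sasl_authenticated` to match. The mynetworks list, accepted-domain set and CIDR table contents are constructed sample data.

```python
import ipaddress

# Constructed sample tables (assumptions, not taken from the thread): the
# mynetworks list, the domains Postfix accepts mail for (mydestination plus
# relay_domains), and the contents of Stan's /etc/postfix/deny-local.cidr.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
LOCAL_DOMAINS = {"example.com"}
DENY_LOCAL_CIDR = [(ipaddress.ip_network("192.168.0.0/16"), "local access not permitted")]


def evaluate(restrictions, client_ip, rcpt_domain, sasl_ok=False):
    """Walk a restriction list left to right as smtpd does; the first entry
    that yields PERMIT or REJECT decides. Returns (action, reason)."""
    ip = ipaddress.ip_address(client_ip)
    for r in restrictions:
        if r == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "PERMIT", r
        if r == "permit_sasl_authenticated" and sasl_ok:
            return "PERMIT", r
        if r == "reject_unauth_destination" and rcpt_domain not in LOCAL_DOMAINS:
            return "REJECT", "554 5.7.1 Relay access denied"
        if r == "check_client_access cidr:deny-local":   # Stan's CIDR table
            for net, text in DENY_LOCAL_CIDR:
                if ip in net:
                    return "REJECT", "554 5.7.1 Client host rejected: " + text
    return "PERMIT", "end of list"   # Postfix's implicit permit at the end


def port25(restrictions, client_ip, rcpt_domain, authenticated=False):
    """Port 25 with smtpd_sasl_auth_enable=no (Noel's suggestion): SASL can
    never succeed here, so a client claiming to be authenticated is not."""
    return evaluate(restrictions, client_ip, rcpt_domain, sasl_ok=False)


def submission(restrictions, client_ip, rcpt_domain, authenticated=False):
    """Port 587 with -o smtpd_sasl_auth_enable=yes in master.cf."""
    return evaluate(restrictions, client_ip, rcpt_domain, sasl_ok=authenticated)


# Common order: a mynetworks client may relay anywhere, even on port 25.
USUAL = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
# Jeroen's order: relay attempts are rejected before permit_mynetworks is reached.
JEROEN = ["reject_unauth_destination", "permit_mynetworks", "permit_sasl_authenticated"]
# Stan's -o smtpd_client_restrictions override on the port-25 smtpd service.
STAN_PORT25 = ["check_client_access cidr:deny-local"]
```

Compare port25(USUAL, "192.168.100.53", "remote.example.net") with the same call using JEROEN: the first permits the relay, the second rejects it, while delivery to a domain in LOCAL_DOMAINS still passes under both orders.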
              • LuKreme
                  Message 7 of 13, Aug 27, 2013
                  On 27 Aug 2013, at 16:09 , Jeroen Geilman <jeroen@...> wrote:
                  > A simpler way to do that would be to not put these networks in mynetworks.

                  Right. I have nothing in mynetworks but the two servers that sit next to each other. No one on the LAN is in mynetworks.

                  I was hesitant on taking the web server out, but I probably will since it turns out that both RoundCube and Squirrelmail were super easy to setup to use the submission port properly. I have to go through and make sure none of the websites have mail scripts that can't handle STARTTLS/587.

                  --
                  Space Directive 723: Terraformers are expressly forbidden from
                  recreating Swindon.
                • John Allen
                    Message 8 of 13, Aug 27, 2013
                    On 27/08/2013 6:09 PM, Jeroen Geilman wrote:
                    > On 08/27/2013 05:24 AM, John Allen wrote:
                    >>
                    >>
                    >> On 26/08/2013 9:00 PM, Noel Jones wrote:
                    >>> On 8/26/2013 7:49 PM, LuKreme wrote:
                    >>>> OK, now that port 587 is working, I would like to disable user
                    >>>> submission via port 25. Not right now, but in a bit once people
                    >>>> have a chance to change their settings.
                    >>>>
                    >>>> What do I do to prevent users sending via port25?
                    >>>>
                    >>>
                    >>>
                    >>> Super easy...
                    >>>
                    >>> # main.cf
                    >>> smtpd_sasl_auth_enable = no
                    >>>
                    >>> Your master.cf submission entry probably already includes
                    >>> -o smtpd_sasl_auth_enable=yes
                    >>>
                    >>> If not, go ahead and add it to submission now so things don't break
                    >>> unexpectedly later.
                    >>>
                    >>> This won't prevent users from sending local mail to port 25, but
                    >>> they won't be able to authenticate and won't be able to relay. This
                    >>> usually isn't considered a problem, and changing it often causes
                    >>> other issues.
                    >>>
                    >>>
                    >>> -- Noel Jones
                    >>>
                    >> I based it on something that Noel Jones wrote way back in 2008.
                    >>
                    >> Create a file of the networks you wish to deny access to eg.
                    >> “Deny_Mynetworks_Access” the content of which will be the same
                    >> networks as those found in the mynetworks parameter of the main.cf
                    >> file for example:
                    >
                    > This is entirely unnecessary, since moving reject_unauth_destination
                    > in front of permit_mynetworks takes care of that.
                    > Everything after reject_unauth_destination is impervious to relay
                    > attempts, because it explicitly blocks all such attempts.
                    > Yes, relay_domains would be an exception to this - but think why
                    > domains are in relay_domains to begin with.
                    >
                    >>
                    >> This should deny access to the smtp port (25) from the local networks
                    >> while allowing access to the submission port (587).
                    >
                    > So what you're saying is basically "to deny access from the networks
                    > in mynetworks, do this complicated thing" ?
                    >
                    > A simpler way to do that would be to not put these networks in
                    > mynetworks.
                    >
                    If I remember correctly the question was how do I stop local users using
                    port 25, while allowing them to access port 587. I felt that the
                    restriction should be applied to SMTP and not to SUBMISSION.
                    I agree that my solution is not very good and I think that Stan
                    Hoeppner's response is a much more elegant solution than mine.
                  • Stan Hoeppner
                      Message 9 of 13, Aug 28, 2013
                      On 8/27/2013 6:34 PM, John Allen wrote:
                      > On 27/08/2013 6:09 PM, Jeroen Geilman wrote:

                      >> A simpler way to do that would be to not put these networks in
                      >> mynetworks.
                      >>
                      > If I remember correctly the question was how do I stop local users using
                      > port 25, while allowing them to access port 587. I felt that the
                      > restriction should be applied to SMTP and not to SUBMISSION.
                      > I agree that my solution is not very good and I think that Stan
                      > Hoeppner's response is a much more elegant solution than mine.

                      To be clear, I wasn't offering a solution to the OP's requirement, but
                      simply cleaning up and optimizing your approach into something that
                      would actually work.

                      Jeroen offered the solution.

                      --
                      Stan