
Re: Disabling user submission on port 25

  • Jeroen Geilman
    Message 1 of 13 , Aug 27, 2013
      On 08/27/2013 05:24 AM, John Allen wrote:
      >
      >
      > On 26/08/2013 9:00 PM, Noel Jones wrote:
      >> On 8/26/2013 7:49 PM, LuKreme wrote:
      >>> OK, now that port 587 is working, I would like to disable user
      >>> submission via port 25. Not right now, but in a bit once people have
      >>> a chance to change their settings.
      >>>
      >>> What do I do to prevent users sending via port25?
      >>>
      >>
      >>
      >> Super easy...
      >>
      >> # main.cf
      >> smtpd_sasl_auth_enable = no
      >>
      >> Your master.cf submission entry probably already includes
      >> -o smtpd_sasl_auth_enable=yes
      >>
      >> If not, go ahead and add it to submission now so things don't break
      >> unexpectedly later.
      >>
      >> This won't prevent users from sending local mail to port 25, but
      >> they won't be able to authenticate and won't be able to relay. This
      >> usually isn't considered a problem, and changing it often causes
      >> other issues.
      >>
      >>
      >> -- Noel Jones
      >>
      > I based it on something that Noel Jones wrote way back in 2008.
      >
      > Create a file of the networks you wish to deny access to eg.
      > “Deny_Mynetworks_Access” the content of which will be the same
      > networks as those found in the mynetworks parameter of the main.cf
      > file for example:

      This is entirely unnecessary, since moving reject_unauth_destination in
      front of permit_mynetworks takes care of that.
      Everything after reject_unauth_destination is impervious to relay
      attempts, because it explicitly blocks all such attempts.
      Yes, relay_domains would be an exception to this - but think why domains
      are in relay_domains to begin with.

      >
      > This should deny access to the smtp port (25) from the local networks
      > while allowing access to the submission port (587).

      So what you're saying is basically "to deny access from the networks in
      mynetworks, do this complicated thing"?

      A simpler way to do that would be to not put these networks in mynetworks.

      --
      J.
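The set-up Noel and Jeroen describe (SASL off on port 25, SASL on for the submission service, and reject_unauth_destination ahead of permit_mynetworks on port 25) can be checked mechanically; the script below is an added example, not code from the thread, and its main.cf/master.cf text is a constructed sample. It treats a listener's effective settings as main.cf plus that service's -o overrides, and it assumes the relay decision is made in smtpd_recipient_restrictions (smtpd_relay_restrictions, available since Postfix 2.10, is not inspected).

```python
# Added example, not code from the thread: audit a main.cf/master.cf pair for the
# policy discussed above (no SASL and no mynetworks relay on 25; SASL on submission).
import re
MAIN_CF = """\
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions = reject_unauth_destination, permit_mynetworks,
    permit_sasl_authenticated, reject
"""  # constructed sample
MASTER_CF = """\
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
"""  # constructed sample

def _lines(text):  # config lines minus blanks and comments
    return [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith('#')]

def parse_main_cf(text):  # -> {param: value}; an indented line continues the previous value
    params, key = {}, None
    for line in _lines(text):
        if line[0] in ' \t' and key:
            params[key] += ' ' + line.strip()
        else:
            key, _, value = map(str.strip, line.partition('='))
            params[key] = value
    return params

def parse_master_cf(text):  # -> {service: {param: value}} holding only the -o overrides
    services, name = {}, None
    for line in _lines(text):
        if line[0] not in ' \t':
            name = line.split()[0]
            services[name] = {}
        elif m := re.match(r'\s*-o\s+([^=\s]+)=(\S*)', line):
            services[name][m.group(1)] = m.group(2)
    return services

def audit(main_text, master_text):  # policy findings for ports 25 and 587; [] means compliant
    main, master = parse_main_cf(main_text), parse_master_cf(master_text)
    # a listener's effective settings are main.cf plus its own -o overrides in master.cf
    smtp = {**main, **master.get('smtp', {})}
    sub = {**main, **master.get('submission', {})}
    rules = re.split(r'[\s,]+', smtp.get('smtpd_recipient_restrictions', '').strip())
    mynets_can_relay = 'reject_unauth_destination' not in rules or \
        'permit_mynetworks' in rules[:rules.index('reject_unauth_destination')]
    checks = [
        (smtp.get('smtpd_sasl_auth_enable', 'no') != 'no', 'port 25 still offers SASL AUTH'),
        (sub.get('smtpd_sasl_auth_enable', 'no') != 'yes', 'submission does not enable SASL AUTH'),
        (mynets_can_relay, 'port 25 relays for mynetworks: permit_mynetworks is not behind reject_unauth_destination'),
    ]
    return [msg for bad, msg in checks if bad]
```

Run it against the output of `postconf -n` and your master.cf to see which of the three points the thread makes still applies to a given server.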
    • LuKreme
      Message 2 of 13 , Aug 27, 2013
        On 27 Aug 2013, at 16:09 , Jeroen Geilman <jeroen@...> wrote:
        > A simpler way to do that would be to not put these networks in mynetworks.

        Right. I have nothing in mynetworks but the two servers that sit next to each other. No one on the LAN is in mynetworks.

        I was hesitant on taking the web server out, but I probably will since it turns out that both RoundCube and Squirrelmail were super easy to set up to use the submission port properly. I have to go through and make sure none of the websites have mail scripts that can't handle STARTTLS/587.

        --
        Space Directive 723: Terraformers are expressly forbidden from
        recreating Swindon.
      • John Allen
        Message 3 of 13 , Aug 27, 2013
          On 27/08/2013 6:09 PM, Jeroen Geilman wrote:
          > On 08/27/2013 05:24 AM, John Allen wrote:
          >>
          >>
          >> On 26/08/2013 9:00 PM, Noel Jones wrote:
          >>> On 8/26/2013 7:49 PM, LuKreme wrote:
          >>>> OK, now that port 587 is working, I would like to disable user
          >>>> submission via port 25. Not right now, but in a bit once people
          >>>> have a chance to change their settings.
          >>>>
          >>>> What do I do to prevent users sending via port25?
          >>>>
          >>>
          >>>
          >>> Super easy...
          >>>
          >>> # main.cf
          >>> smtpd_sasl_auth_enable = no
          >>>
          >>> Your master.cf submission entry probably already includes
          >>> -o smtpd_sasl_auth_enable=yes
          >>>
          >>> If not, go ahead and add it to submission now so things don't break
          >>> unexpectedly later.
          >>>
          >>> This won't prevent users from sending local mail to port 25, but
          >>> they won't be able to authenticate and won't be able to relay. This
          >>> usually isn't considered a problem, and changing it often causes
          >>> other issues.
          >>>
          >>>
          >>> -- Noel Jones
          >>>
          >> I based it on something that Noel Jones wrote way back in 2008.
          >>
          >> Create a file of the networks you wish to deny access to eg.
          >> “Deny_Mynetworks_Access” the content of which will be the same
          >> networks as those found in the mynetworks parameter of the main.cf
          >> file for example:
          >
          > This is entirely unnecessary, since moving reject_unauth_destination
          > in front of permit_mynetworks takes care of that.
          > Everything after reject_unauth_destination is impervious to relay
          > attempts, because it explicitly blocks all such attempts.
          > Yes, relay_domains would be an exception to this - but think why
          > domains are in relay_domains to begin with.
          >
          >>
          >> This should deny access to the smtp port (25) from the local networks
          >> while allowing access to the submission port (587).
          >
          > So what you're saying is basically "to deny access from the networks
          > in mynetworks, do this complicated thing"?
          >
          > A simpler way to do that would be to not put these networks in
          > mynetworks.
          >
          If I remember correctly the question was how do I stop local users using
          port 25, while allowing them to access port 587. I felt that the
          restriction should be applied to SMTP and not to SUBMISSION.
          I agree that my solution is not very good and I think that Stan
          Hoeppner's response is a much more elegant solution than mine.
        • Stan Hoeppner
          Message 4 of 13 , Aug 28, 2013
            On 8/27/2013 6:34 PM, John Allen wrote:
            > On 27/08/2013 6:09 PM, Jeroen Geilman wrote:

            >> A simpler way to do that would be to not put these networks in
            >> mynetworks.
            >>
            > If I remember correctly the question was how do I stop local users using
            > port 25, while allowing them to access port 587. I felt that the
            > restriction should be applied to SMTP and not to SUBMISSION.
            > I agree that my solution is not very good and I think that Stan
            > Hoeppner's response is a much more elegant solution than mine.

            To be clear, I wasn't offering a solution to the OP's requirement, but
            simply cleaning up and optimizing your approach into something that
            would actually work.

            Jeroen offered the solution.

            --
            Stan