
Re: Disabling user submission on port 25

  • LuKreme
    Message 1 of 13 , Aug 27 3:18 PM
      On 27 Aug 2013, at 16:09 , Jeroen Geilman <jeroen@...> wrote:
      > A simpler way to do that would be to not put these networks in mynetworks.

      Right. I have nothing in mynetworks but the two servers that sit next to each other. No one on the LAN is in mynetworks.

      I was hesitant on taking the web server out, but I probably will since it turns out that both RoundCube and Squirrelmail were super easy to set up to use the submission port properly. I have to go through and make sure none of the websites have mail scripts that can't handle STARTTLS/587.

      --
      Space Directive 723: Terraformers are expressly forbidden from
      recreating Swindon.
    • John Allen
      Message 2 of 13 , Aug 27 4:34 PM
        On 27/08/2013 6:09 PM, Jeroen Geilman wrote:
        > On 08/27/2013 05:24 AM, John Allen wrote:
        >>
        >>
        >> On 26/08/2013 9:00 PM, Noel Jones wrote:
        >>> On 8/26/2013 7:49 PM, LuKreme wrote:
        >>>> OK, now that port 587 is working, I would like to disable user
        >>>> submission via port 25. Not right now, but in a bit once people
        >>>> have a chance to change their settings.
        >>>>
        >>>> What do I do to prevent users sending via port25?
        >>>>
        >>>
        >>>
        >>> Super easy...
        >>>
        >>> # main.cf
        >>> smtpd_sasl_auth_enable = no
        >>>
        >>> Your master.cf submission entry probably already includes
        >>> -o smtpd_sasl_auth_enable=yes
        >>>
        >>> If not, go ahead and add it to submission now so things don't break
        >>> unexpectedly later.
        >>>
        >>> This won't prevent users from sending local mail to port 25, but
        >>> they won't be able to authenticate and won't be able to relay. This
        >>> usually isn't considered a problem, and changing it often causes
        >>> other issues.
        >>>
        >>>
        >>> -- Noel Jones
        >>>
        >> I based it on something that Noel Jones wrote way back in 2008.
        >>
        >> Create a file of the networks you wish to deny access to eg.
        >> “Deny_Mynetworks_Access” the content of which will be the same
        >> networks as those found in the mynetworks parameter of the main.cf
        >> file for example:
        >
        > This is entirely unnecessary, since moving reject_unauth_destination
        > in front of permit_mynetworks takes care of that.
        > Everything after reject_unauth_destination is impervious to relay
        > attempts, because it explicitly blocks all such attempts.
        > Yes, relay_domains would be an exception to this - but think why
        > domains are in relay_domains to begin with.
        >
        >>
        >> This should deny access to the smtp port (25) from the local networks
        >> while allowing access to the submission port (587).
        >
        > So what you're saying is basically "to deny access from the networks
        > in mynetworks, do this complicated thing" ?
        >
        > A simpler way to do that would be to not put these networks in
        > mynetworks.
        >
        If I remember correctly the question was how do I stop local users using
        port 25, while allowing them to access port 587. I felt that the
        restriction should be applied to SMTP and not to SUBMISSION.
        I agree that my solution is not very good and I think that Stan
        Hoeppner's response is a much more elegant solution than mine.
      • Stan Hoeppner
        Message 3 of 13 , Aug 28 11:40 AM
          On 8/27/2013 6:34 PM, John Allen wrote:
          > On 27/08/2013 6:09 PM, Jeroen Geilman wrote:

          >> A simpler way to do that would be to not put these networks in
          >> mynetworks.
          >>
          > If I remember correctly the question was how do I stop local users using
          > port 25, while allowing them to access port 587. I felt that the
          > restriction should be applied to SMTP and not to SUBMISSION.
          > I agree that my solution is not very good and I think that Stan
          > Hoeppner's response is a much more elegant solution than mine.

          To be clear, I wasn't offering a solution to the OP's requirement, but
          simply cleaning up and optimizing your approach into something that
          would actually work.

          Jeroen offered the solution.

          --
          Stan
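
The two settings discussed in this thread (Noel Jones's `smtpd_sasl_auth_enable` split between main.cf and the master.cf submission entry, and Jeroen Geilman's placement of `reject_unauth_destination` in front of `permit_mynetworks`) can be checked mechanically. The Python audit below is an added example, not code from any poster or from Postfix. Assumptions: the sample configs are constructed, the restrictions are in `smtpd_recipient_restrictions`, and master.cf overrides use the simple `-o name=value` form.

```python
import re

def _lines(text):  # drop blank lines and comments
    return [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def parse_main(text):
    """main.cf 'name = value' pairs; indented lines continue the previous value."""
    params, last = {}, None
    for line in _lines(text):
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        else:
            last, _, value = (p.strip() for p in line.partition("="))
            params[last] = value
    return params

def parse_master(text):
    """{service: {name: value}} from simple '-o name=value' overrides in master.cf."""
    services, current = {}, None
    for line in _lines(text):
        if not line[0].isspace():
            current = services.setdefault(line.split()[0], {})
        if current is not None:
            current.update(re.findall(r"-o\s+([\w.]+)=(\S+)", line))
    return services

def audit(main_cf, master_cf):
    """Findings for the port 25 ('smtp') and port 587 ('submission') services."""
    main, master = parse_main(main_cf), parse_master(master_cf)
    eff = lambda svc, name, default="": master.get(svc, {}).get(name, main.get(name, default))
    findings = []
    if eff("smtp", "smtpd_sasl_auth_enable", "no") != "no":
        findings.append("port 25 offers SASL AUTH")
    if eff("submission", "smtpd_sasl_auth_enable", "no") != "yes":
        findings.append("submission does not enable SASL AUTH")
    rules = re.split(r"[,\s]+", eff("smtp", "smtpd_recipient_restrictions"))
    if "permit_mynetworks" in rules and "reject_unauth_destination" not in rules[
            :rules.index("permit_mynetworks")]:
        findings.append("permit_mynetworks is not behind reject_unauth_destination")
    return findings

# Constructed sample configs, not taken from any participant's server.
MASTER = ("smtp inet n - n - - smtpd\nsubmission inet n - n - - smtpd\n"
          "  -o smtpd_sasl_auth_enable=yes\n")
BEFORE = ("smtpd_sasl_auth_enable = yes\n"
          "smtpd_recipient_restrictions = permit_mynetworks,\n"
          "    permit_sasl_authenticated, reject_unauth_destination\n")
AFTER = ("smtpd_sasl_auth_enable = no\n"
         "smtpd_recipient_restrictions = reject_unauth_destination, permit_mynetworks\n")
print("before:", audit(BEFORE, MASTER), "| after:", audit(AFTER, MASTER))
```

On a live server, the text to feed in would come from the real main.cf and master.cf rather than the embedded strings.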