Loading ...
Sorry, an error occurred while loading the content.
 

Re: reject_unauth_destination

Expand Messages
  • James Griffin
    ... It should always be used. At the top of smtpd_recipient_restrictions, or just after your sasl auth setting and $permit_mynetworks. It s the setting that
    Message 1 of 9 , Aug 31, 2013
      !-- On Sat 31.Aug'13 at 8:55:34 BST, LuKreme (kremels@...), wrote:

      > Is there any downside to using reject_unauth_destination? I had it commented out but I did not have a note on why it was disabled. Reading the description, it seems like it should always be turned on (or at least that it couldn't possibly hurt)?

      It should always be used. At the top of smtpd_recipient_restrictions, or
      just after your sasl auth setting and $permit_mynetworks. It's the
      setting that stops you being an open relay.

      --


      James Griffin: jmz at kontrol.kode5.net

      A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38
    • Noel Jones
      ... reject_unauth_destination is what keeps you from being an open relay, and is required in either smtpd_recipient_restrictions or (postfix 2.10 and newer)
      Message 2 of 9 , Aug 31, 2013
        On 8/31/2013 2:55 AM, LuKreme wrote:
        > Is there any downside to using reject_unauth_destination? I had it commented out but I did not have a note on why it was disabled. Reading the description, it seems like it should always be turned on (or at least that it couldn't possibly hurt)?
        >
        > <http://www.postfix.org/postconf.5.html#reject_unauth_destination>

        reject_unauth_destination is what keeps you from being an open
        relay, and is required in either smtpd_recipient_restrictions or
        (postfix 2.10 and newer) smtpd_relay_restrictions.

        I expect you commented it out in smtpd_recipient_restrictions when
        you upgraded to postfix 2.10, but it's a very cheap test and there's
        no reason to remove it.

        >
        > Is it even going to trigger with Postscreen in place?

        postscreen doesn't do any destination tests, and by design cannot
        prevent relaying.

        I would recommend leaving it in smtpd_recipient_restrictions, and
        you MUST leave it in smtpd_relay_restrictions.



        >
        > (for now I've stuck warn_if_ in front of it)
        >
        > my smtpd_*_restrictions (mail_version = 2.10.0)
        >
        > smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
        >
        > smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
        >
        > smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_invalid_hostname, warn_if_reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender, reject_unknown_reverse_client_hostname, check_client_access hash:$config_directory/access, permit
        >
        > smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

        the above is acceptable.

        >
        >
        > Can I just go with
        >
        > smtpd_recipient_restrictions = reject_unauth_destination,permit
        > smtpd_relay_restrictions =

        This will work -- you can even drop the "permit", which is implied
        -- but most folks find it useful to prepend permit_mynetworks even
        if mynetworks only contains localhost IPs.


        >
        > and in master.cf
        > submission inet n - n - - smtpd
        > -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes
        > -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth
        > -o smtpd_sasl_security_options=noanonymous

        OK.

        > -o smtpd_sasl_local_domain=$myhostname

        I don't think this parameter is used by dovecot. (unused parameters
        rarely cause problems other than operator confusion)

        > -o smtpd_client_restrictions=permit_sasl_authenticated,reject

        you'll need to override the other smtpd_*_restrictions set in main.cf.
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

        > -o syslog_name=submit-tls

        Good.


        >
        > ?
        >
        > and is client_restrictions the best choice for submission? I've see some confs have both
        >
        > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        > -o smtpd_data_restrictions=permit_sasl_authenticated,reject
        >
        > Why?
        >

        Remember, for mail to be accepted, it must pass *each* of the
        smtpd_*_restrictions sections. Also remember that every master.cf
        service inherits {built-in defaults + all main.cf settings} before
        applying any -o overrides.

        How you arrange your submission settings is up to you. I like to
        explicitly set all the smtpd_*_restrictions in submission, even if
        most of them are empty, to prevent surprises later when I change
        something in main.cf.

        I think the minimum requirements for submission can be stated as 1)
        allow all AUTH users, 2) reject everyone else. With widely used
        postfix main.cf smtpd_*_restrictions settings that prepend
        everything with "permit_mynetworks, permit_sasl_authenticated", (and
        thereby allow AUTH on port 25) it's sufficient to use "-o
        smtpd_ANYTHING_restrictions=permit_sasl_authenticated,reject" and
        still meet the minimum requirements.

        When you change your main.cf so that AUTH is not allowed on port 25,
        then additional settings are required in master.cf/submission to
        insure you don't reject AUTH users.



        -- Noel Jones
      • LuKreme
        ... Hmm. I did run several tests on the are you an open relay sites and passed them all with that commented out. I uncommented it now, but the other
        Message 3 of 9 , Aug 31, 2013
          On 31 Aug 2013, at 10:20 , Noel Jones <njones@...> wrote:

          > reject_unauth_destination is what keeps you from being an open
          > relay, and is required in either smtpd_recipient_restrictions or
          > (postfix 2.10 and newer) smtpd_relay_restrictions.

          Hmm. I did run several tests on the "are you an open relay" sites and passed them all with that commented out. I uncommented it now, but the other restrictions must have been doing a pretty good job.

          >> -o smtpd_sasl_local_domain=$myhostname
          >
          > I don't think this parameter is used by dovecot. (unused parameters
          > rarely cause problems other than operator confusion)

          Good point, I think that was left over from something else.

          >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          >
          > you'll need to override the other smtpd_*_restrictions set in main.cf.
          > -o smtpd_helo_restrictions=
          > -o smtpd_sender_restrictions=
          > -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
          > -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
          >
          >> -o syslog_name=submit-tls
          >
          > Good.


          I don't have smtpd_sender restrictions set (probably because way back when I went with the "put it all in smtpd_recipient_restrictions method).

          >> and is client_restrictions the best choice for submission? I've see some confs have both
          >>
          >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          >> -o smtpd_data_restrictions=permit_sasl_authenticated,reject
          >>
          >> Why?
          >
          > Remember, for mail to be accepted, it must pass *each* of the
          > smtpd_*_restrictions sections. Also remember that every master.cf
          > service inherits {built-in defaults + all main.cf settings} before
          > applying any -o overrides.

          Right, it seems odd to have the exact same restrictions on smtpd_data and smtpd_client restrictions since if one passes, both will pass. I guess it does't hurt anything, it just looks odd to me and I was curious if there was a real reason.

          > How you arrange your submission settings is up to you. I like to
          > explicitly set all the smtpd_*_restrictions in submission, even if
          > most of them are empty, to prevent surprises later when I change
          > something in main.cf.
          >
          > I think the minimum requirements for submission can be stated as 1)
          > allow all AUTH users, 2) reject everyone else. With widely used
          > postfix main.cf smtpd_*_restrictions settings that prepend
          > everything with "permit_mynetworks, permit_sasl_authenticated", (and
          > thereby allow AUTH on port 25) it's sufficient to use "-o
          > smtpd_ANYTHING_restrictions=permit_sasl_authenticated,reject" and
          > still meet the minimum requirements.
          >
          > When you change your main.cf so that AUTH is not allowed on port 25,
          > then additional settings are required in master.cf/submission to
          > insure you don't reject AUTH users.

          Ah... um.. let me see if I have this straight then. I do not have sasl settings like smtpd_sasl_auth_enable = yes in my postconf, so sasl and auth are NOT available on port25, but I still have

          smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
          smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

          in main.conf.

          In several places in main.cf I have permit_sasl_authenticated. Should I only have that in master.cf under submission?

          --
          7-Up? What happened to Ups 1-6?
        • Noel Jones
          ... Since you don t have AUTH enabled on port 25, permit_sasl_authenticated is basically a no-op there. Postfix will check to see if the authenticated flag
          Message 4 of 9 , Sep 1 12:50 PM
            On 8/31/2013 6:40 PM, LuKreme wrote:
            >
            >>
            >> When you change your main.cf so that AUTH is not allowed on port 25,
            >> then additional settings are required in master.cf/submission to
            >> insure you don't reject AUTH users.
            >
            > Ah... um.. let me see if I have this straight then. I do not have sasl settings like smtpd_sasl_auth_enable = yes in my postconf, so sasl and auth are NOT available on port25, but I still have
            >
            > smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
            > smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
            >
            > in main.conf.
            >
            > In several places in main.cf I have permit_sasl_authenticated. Should I only have that in master.cf under submission?
            >

            Since you don't have AUTH enabled on port 25,
            permit_sasl_authenticated is basically a no-op there. Postfix will
            check to see if the "authenticated" flag is set, and it will always
            be false. Other than using an insignificant amount of processing
            time, there will be no other effect. Take it out if you're sure
            you've covered in the master.cf/submission entry.

            But it really doesn't make much difference.

            -- Noel Jones
          Your message has been successfully submitted and would be delivered to recipients shortly.