On 2024-12-17 at 22:43:06 UTC-0500 (Wed, 18 Dec 2024 11:43:06 +0800)
esd via Postfix-users <eo...@qq.com>
is rumored to have said:
> Eventually I will remove sasl from port 25. But since port 25 can use
> sasl authentication, the reliability of the service should be ensured.
None of Postfix can use authentication if it has no SASL backend.
It is *nonsensical* to offer authentication as an optional function. On
port 25 accepting general mail from the Internet, you *cannot* require
all connections to use SASL unless you want to not get mail from anyone
that you don't have credentials for. Authentication is only for your own
users, and they should never be submitting to port 25.
> Once dovecot sasl terminates unexpectedly,
Which it should not. If it does, you have a misconfigured system. In 19
years of running Postfix and Dovecot together on many systems, I've
never seen Dovecot terminate unexpectedly without a catastrophic system
failure also terminating Postfix.
> it will cause a complete strike of smtpd on port 25. Any connection
> will not be responded to. I think the high coupling between postfix and
> dovecot is not good.
That is entirely optional, and due solely to your configuration choices.
One thing you should do is to set smtpd_tls_auth_only=yes, which makes
Postfix wait until after a TLS session is established before offering
authentication and talking to Dovecot. However, that will still fail
when a client tries to establish TLS, if authentication isn't working.
> I wrote a port monitoring program in python to print out the sasl
> communication between postfix and dovecot. After telnet port 25,
> postfix will send its version information and cpid number to dovecot.
> dovecot will reply with its own version information and authentication
> method, etc.; for example
>
> Postfix: VERSION 1 0
>          CPID 6745
> Dovecot: VERSION 1 2
>          MECH PLAIN plaintext
>          MECH LOGIN plaintext
>          MECH CRAM-MD5 dictionary active
>          SPID 1388
>          CUID 1
>          COOKIE 84f113e107157a2eb4bde0fa6870b95b
>          DONE
> If dovecot terminates unexpectedly, then when telnetting to port 25, even
> the basic 220 cannot be returned. It means that the postfix service is
> also stopped, although the related processes of postfix are still
> running.
You need to think about what operations you want Postfix to support. If
you want to offer authentication, it only makes sense for it to be
MANDATORY, so in the event of a failed authentication backend there's
no point in allowing clients to connect to something that can't be used.
> What I want to express is to enhance the robustness of postfix.
Postfix does not have any internal SASL authentication system. If you
want to use SASL authentication with Postfix, it MUST have a working
SASL backend.
> For example, add a default configuration, which can be more secure. In
> this way, even if dovecot fails, it still does not affect other
> transactions that do not require authentication to process.
If you don't configure SASL support on port 25, your problem vanishes.
> For example, receiving emails delivered by other servers, or relaying
> allowed emails according to rules.
Which are the entirety of emails that should ever be accepted on port
25. Anything requiring authentication should be on port 587 or 465.
> After the administrator finds that the authentication of port 25
> fails, he will check the status of dovecot. During this period, no
> letters will be lost or rejected altogether.
The universe of email admins over many years reached a consensus that
initial email submission and SMTP mail exchanger functions cannot be
offered on a common port without compromising security. Submission
should *always* require SASL authentication, SMTP mail exchange cannot.
Splitting the functions between port 25 (SMTP) and ports 587 & 465
(submission with STARTTLS & TLS-wrapped submission, respectively) has
been widely recognized as a best practice for 20+ years. If you choose
to do something else, you are very much alone in figuring out a way to
make it work. Most of us abandoned that model long ago and don't
consider it worth trying to revive.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
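The handshake quoted above (VERSION/CPID from Postfix, VERSION/MECH/SPID/CUID/COOKIE/DONE from Dovecot) is the Dovecot authentication client protocol, and the point about the administrator having to notice that Dovecot is down suggests monitoring that socket directly instead of waiting for port 25 to go silent. The following script is an added example, not code from Postfix, Dovecot or either poster: it parses the server side of the handshake and, when given a socket path, performs the client side of it as a health probe. In the real protocol the fields are tab separated (the thread renders them with spaces, which the parser also accepts). The socket path `/var/spool/postfix/private/auth` is an assumption; use whatever `smtpd_sasl_path` resolves to on your system. The sample replies are constructed from the thread's captured exchange.

```python
"""Health probe for the Dovecot SASL auth socket that Postfix smtpd talks to.

Added example (not Postfix or Dovecot code). Implements the client side of the
handshake quoted in the thread and parses the server's reply. Fields are tab
separated in the real protocol; the thread shows them with spaces.
"""
import os
import socket
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed socket path; check smtpd_sasl_path in main.cf for the real one.
DEFAULT_AUTH_SOCKET = "/var/spool/postfix/private/auth"

# Constructed from the exchange captured in the thread (tab separated here).
SAMPLE_REPLY = (
    "VERSION\t1\t2\n"
    "MECH\tPLAIN\tplaintext\n"
    "MECH\tLOGIN\tplaintext\n"
    "MECH\tCRAM-MD5\tdictionary\tactive\n"
    "SPID\t1388\n"
    "CUID\t1\n"
    "COOKIE\t84f113e107157a2eb4bde0fa6870b95b\n"
    "DONE\n"
)
# Constructed: what a probe sees if the auth process dies mid-handshake.
SAMPLE_TRUNCATED = "VERSION\t1\t2\nMECH\tPLAIN\tplaintext\n"


@dataclass
class Handshake:
    version: Optional[Tuple[int, int]] = None
    mechs: Dict[str, List[str]] = field(default_factory=dict)  # name -> flags
    spid: str = ""
    cuid: str = ""
    cookie: str = ""
    done: bool = False


def parse_handshake(text: str) -> Handshake:
    """Parse the server side of the Dovecot auth handshake.

    Accepts tab- or whitespace-separated fields so the thread's sample
    (rendered with spaces) parses the same as real socket output.
    """
    hs = Handshake()
    for raw in text.splitlines():
        parts = raw.split("\t") if "\t" in raw else raw.split()
        if not parts or not parts[0]:
            continue
        key, args = parts[0], parts[1:]
        if key == "VERSION" and len(args) >= 2:
            hs.version = (int(args[0]), int(args[1]))
        elif key == "MECH" and args:
            hs.mechs[args[0]] = args[1:]
        elif key == "SPID":
            hs.spid = args[0] if args else ""
        elif key == "CUID":
            hs.cuid = args[0] if args else ""
        elif key == "COOKIE":
            hs.cookie = args[0] if args else ""
        elif key == "DONE":
            hs.done = True
    return hs


def handshake_problems(hs: Handshake) -> List[str]:
    """Return findings; an empty list means the backend answered completely."""
    problems = []
    if hs.version is None or hs.version[0] != 1:
        problems.append("no VERSION 1 line from auth server")
    if not hs.mechs:
        problems.append("server advertised no mechanisms")
    if not hs.done:
        problems.append("handshake never reached DONE")
    return problems


def plaintext_mechs(hs: Handshake) -> List[str]:
    """Mechanisms that send the password in clear; only offer these under TLS
    (smtpd_tls_auth_only=yes)."""
    return sorted(name for name, flags in hs.mechs.items() if "plaintext" in flags)


def probe_auth_socket(path: str, timeout: float = 5.0) -> Handshake:
    """Connect to the auth socket, run the handshake, return the parsed reply.

    Raises OSError (missing socket, connection refused, timeout) when the
    backend is down, which is the condition that leaves port 25 unanswered.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(f"VERSION\t1\t0\nCPID\t{os.getpid()}\n".encode())
        buf = b""
        while not buf.endswith(b"DONE\n"):
            chunk = s.recv(4096)
            if not chunk:  # peer closed before DONE: treat as a failed handshake
                break
            buf += chunk
    return parse_handshake(buf.decode("utf-8", "replace"))


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_AUTH_SOCKET
    try:
        result = probe_auth_socket(path)
    except OSError as exc:
        print(f"CRITICAL: auth socket {path}: {exc}")
        sys.exit(2)
    issues = handshake_problems(result)
    print("OK" if not issues else "CRITICAL: " + "; ".join(issues),
          "mechs:", ", ".join(sorted(result.mechs)))
    sys.exit(0 if not issues else 2)
```

Run it from cron or a monitoring agent as a user that can reach the socket; a non-zero exit means the SASL backend is the thing to restart, before anyone notices that port 25 stopped greeting.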
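The configuration rule argued in the reply (no SASL on the port 25 `smtp/inet` service; authentication only on `submission` and `smtps`, and only after TLS via `smtpd_tls_auth_only=yes`, `smtpd_tls_security_level=encrypt` or `smtpd_tls_wrappermode=yes`) can be checked mechanically. The script below is an added example, not Postfix code: it parses master.cf's service syntax (one non-indented line per service, `-o name=value` overrides on indented continuation lines) and reports services whose effective settings break the split. main.cf values are passed in as a dict because they apply to every smtpd service unless overridden; the built-in defaults listed are Postfix's own for those parameters. The sample master.cf and main.cf values are constructed and show the common mistake of enabling SASL globally in main.cf, which silently turns it on for port 25 as well.

```python
"""Audit a Postfix master.cf for the port 25 / submission split.

Added example, not part of Postfix. Brace-delimited "-o { name = value }"
overrides from newer Postfix releases are not handled (assumption: the
one-token form "-o name=value" is in use).
"""
from collections import OrderedDict

# Postfix built-in defaults for the parameters checked (postconf -d).
DEFAULTS = {
    "smtpd_sasl_auth_enable": "no",
    "smtpd_tls_auth_only": "no",
    "smtpd_tls_security_level": "",
    "smtpd_tls_wrappermode": "no",
}

# Constructed sample master.cf: the port 25 service has no override, so it
# inherits whatever main.cf says about smtpd_sasl_auth_enable.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       y       60      1       pickup
"""
# Constructed main.cf settings: SASL enabled globally (the mistake) vs. not.
MAIN_CF_GLOBAL_SASL = {"smtpd_sasl_type": "dovecot",
                       "smtpd_sasl_path": "private/auth",
                       "smtpd_sasl_auth_enable": "yes"}
MAIN_CF_SPLIT = {"smtpd_sasl_type": "dovecot",
                 "smtpd_sasl_path": "private/auth"}


def _collect_options(tokens, options):
    """Pick "-o key=value" pairs out of a token list into options."""
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens) and "=" in tokens[i + 1]:
            key, _, value = tokens[i + 1].partition("=")
            options[key] = value


def parse_master_cf(text):
    """Return OrderedDict "name/type" -> {"command": str, "options": dict}."""
    services = OrderedDict()
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # continuation line belongs to the last service
            if current is None:
                raise ValueError(f"continuation before any service: {raw!r}")
            _collect_options(raw.split(), current["options"])
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        current = {"command": fields[7], "options": {}}
        _collect_options(fields[8:], current["options"])
        services[f"{fields[0]}/{fields[1]}"] = current
    return services


def effective(service, main_cf, key):
    """Per-service override, else main.cf, else the built-in default."""
    return service["options"].get(key, main_cf.get(key, DEFAULTS.get(key, "")))


def audit(services, main_cf):
    """Return findings that contradict the port 25 / submission split."""
    findings = []
    if not any(s in services for s in ("submission/inet", "smtps/inet")):
        findings.append("no submission or smtps service defined")
    for svc_id, svc in services.items():
        if svc["command"] != "smtpd":
            continue
        sasl_on = effective(svc, main_cf, "smtpd_sasl_auth_enable") == "yes"
        if svc_id == "smtp/inet":
            if sasl_on:
                findings.append("smtp/inet (port 25) offers SASL; a dead auth "
                                "backend then stalls inbound mail")
            continue
        if svc_id in ("submission/inet", "smtps/inet"):
            if not sasl_on:
                findings.append(f"{svc_id} does not enable SASL")
            tls_first = (
                effective(svc, main_cf, "smtpd_tls_wrappermode") == "yes"
                or effective(svc, main_cf, "smtpd_tls_security_level") == "encrypt"
                or effective(svc, main_cf, "smtpd_tls_auth_only") == "yes"
            )
            if not tls_first:
                findings.append(f"{svc_id} may offer AUTH before TLS")
    return findings


if __name__ == "__main__":
    for f in audit(parse_master_cf(SAMPLE_MASTER_CF), MAIN_CF_GLOBAL_SASL):
        print("FINDING:", f)
```

Against the constructed input the global `smtpd_sasl_auth_enable=yes` produces one finding for `smtp/inet`; dropping that main.cf line (or adding `-o smtpd_sasl_auth_enable=no` to the smtp service) clears it, and the two submission services pass because each enables SASL and forces TLS first.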