On 10/18/2013 8:00 AM, francis picabia wrote:
> Hello,
> 
> I'm looking at the logs for an SMTP only service where iptables
> should be stopping new connections on port 25, and I'm
> seeing connects with no sasl auth.  They fail to relay, but
> I'd rather we didn't talk to them at all.
> 

Why do you think they're connecting to port 25?


> In the maillog-internal log:
> 
> Oct 17 11:28:18 myserver postfix-internal/smtpd[23161]: connect from
> unknown[142.177.130.133]
> Oct 17 11:28:20 myserver postfix-internal/smtpd[23161]: NOQUEUE:
> reject: RCPT from unknown[142.177.130.133]: 454 4.7.1
> <someu...@hotmail.com>: Relay access denied; from=<u...@example.com>
> to=<someu...@hotmail.com> proto=ESMTP helo=<[10.36.113.138]>
> Oct 17 11:28:20 myserver postfix-internal/smtpd[23161]: disconnect
> from unknown[142.177.130.133]

This looks as if it was caught by the smtpd_relay_restrictions
safety net.  Yeah! Another open relay foiled by sane postfix defaults.

One of your access tables is permitting this connection without
authentication.  Check all the rules in your access tables
(particularly the ones in smtpd_recipient_restrictions) that end
with permit or OK to see which one isn't working as you intend. You
can test tables with postmap -q "key" type:table.

Typically on an outgoing-only server you'll put restrictions that
apply to all clients (access tables and such) in smtpd_{client,
helo, sender}_restrictions, and keep smtpd_recipient_restrictions at
the minimum "permit_sasl_authenticated, permit_mynetworks, reject"
to prevent accidents like this.

Consider adding -o syslog_name entries to your submission and smtps
master.cf entries so you can tell which service a particular
connection used. Something like:
  -o syslog_name=postfix-internal/submission
or
  -o syslog_name=postfix-internal/smtps
as appropriate.


  -- Noel Jones

> 
> # grep maillog-internal /etc/rsyslog.conf
> local3.*    -/var/log/maillog-internal
> 
> That is a sanity check showing this log contains
> only entries from the dedicated SMTP service.
> 
> I have iptables rules to block NEW connects on port 25, and my network
> admin assures me telnet on port 25 from the outside is unsuccessful.
> Neither of the above IPs (connect nor helo) are in my subnet.
> 
> I also run SASL auth'ed ports, but the connecting IP doesn't show up with
> a line revealing sasl login.
> 
> grep 142.177.130.133 /var/log/maillog-internal  | grep sasl
> shows nothing (log from 17th not rotated yet).
> 
> Hopefully the postconf output and snippets from my master.cf will reveal
> something stupid I've got set up.
> 
> # postconf -d | grep mail_version
> mail_version = 2.10.0-20130211
> 
> #postconf -c /etc/postfix-internal -n
> anvil_rate_time_unit = 60s
> anvil_status_update_time = 300s
> append_dot_mydomain = no
> biff = no
> bounce_queue_lifetime = 0
> canonical_maps =
> hash:/etc/postfix-internal/lowercase,hash:/etc/postfix-internal/genericstable
> command_directory = /usr/sbin
> config_directory = /etc/postfix-internal
> content_filter = lmtp-amavis:[127.0.0.1]:10026
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix-internal
> debug_peer_level = 2
> delay_warning_time = 2h
> disable_vrfy_command = yes
> fast_flush_domains = rigel.example.com, exchange.example.com,
> adara.example.com, navi.example.com, rm.example.com
> hash_queue_names = deferred defer bounce flush
> html_directory = no
> inet_interfaces = smtp.example.com
> invalid_hostname_reject_code = 556
> local_header_rewrite_clients = permit_inet_interfaces,
> permit_mynetworks, permit_sasl_authenticated
> local_recipient_maps =
> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> masquerade_domains = !alumni.example.com $mydomain
> maximal_backoff_time = 4000s
> maximal_queue_lifetime = 2d
> message_size_limit = 20971520
> minimal_backoff_time = 1000s
> mydestination =
> mydomain = example.com
> myhostname = smtp.example.com
> mynetworks = XXX.YYY.0.0/16 127.0.0.0/8
> mynetworks_style = class
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases
> qmgr_message_active_limit = 20000
> queue_directory = /var/spool/postfix-internal
> queue_run_delay = 1000s
> readme_directory = no
> recipient_delimiter = +
> relay_domains =
> relocated_maps =
> sample_directory = no
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtp_bind_address = XXX.YYY.202.53
> smtp_discard_ehlo_keyword_address_maps =
> hash:/etc/postfix-internal/smtp_discard_ehlo
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_client_connection_count_limit = 2
> smtpd_client_connection_rate_limit = 10
> smtpd_client_event_limit_exceptions = 127.0.0.0/8, XXX.YYY.200.0/21
> XXX.YYY.2.48 XXX.YYY.2.50
> smtpd_client_message_rate_limit = 10
> smtpd_client_new_tls_session_rate_limit = 10
> smtpd_client_restrictions = check_sender_access
> hash:/etc/postfix-internal/localdomain, check_client_access
> hash:/etc/postfix-internal/access
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_delay_reject = yes
> smtpd_enforce_tls = no
> smtpd_error_sleep_time = 10
> smtpd_hard_error_limit = 5
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
> smtpd_recipient_restrictions = reject_unlisted_recipient,
> reject_unknown_recipient_domain, check_recipient_access
> hash:/etc/postfix-internal/recipient_access,
> permit_sasl_authenticated, permit_mynetworks, reject
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
> defer_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = smtpd
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = noanonymous
> smtpd_sender_restrictions = permit_sasl_authenticated,
> permit_mynetworks, reject_unknown_sender_domain, check_sender_access
> hash:/etc/postfix-internal/localdomain, check_client_access
> hash:/etc/postfix-internal/access
> smtpd_soft_error_limit = 3
> smtpd_timeout = 60s
> smtpd_tls_CAfile = /etc/postfix-internal/tls/DigiCertCA.crt
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/postfix-internal/tls/star_example.com.crt
> smtpd_tls_key_file = /etc/postfix-internal/tls/star_example.com.key
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> syslog_facility = local3
> syslog_name = postfix-internal
> tls_random_exchange_name = /var/lib/postfix-internal/prng_exch
> tls_random_source = dev:/dev/urandom
> transport_maps = hash:/etc/postfix-internal/transport,
> hash:/etc/postfix-internal/migrating
> unknown_address_reject_code = 550
> unknown_client_reject_code = 555
> unknown_hostname_reject_code = 550
> unverified_recipient_reject_code = 550
> virtual_alias_domains = $virtual_alias_maps, example.com
> virtual_alias_maps = hash:/etc/postfix-internal/class_lists,
> hash:/etc/postfix-internal/virtual
> virtual_transport = virtual
> 
> 
> Parts of master.cf
> 
> # Secure submission server on port 587 for non-Outlook Clients
> XXX.YYY.202.53:587 inet n       -       n       -       -       smtpd
>         -o smtpd_sasl_auth_enable=yes
>         -o smtpd_use_tls=yes
>         -o smtpd_enforce_tls=yes
>         -o smtpd_tls_wrappermode=no
>         -o smtpd_client_event_limit_exceptions=XXX.YYY.0.0/21
>         -o smtpd_client_connection_rate_limit=4
>         -o smtpd_recipient_limit=20
>         -o smtpd_client_message_rate_limit=40
>         -o smtpd_reject_unlisted_sender=yes
>         -o smtpd_sasl_tls_security_options=noanonymous
>         -o smtpd_sasl_security_options=noanonymous
> 
> # Secure submission server on port 465 for Outlook Clients
> XXX.YYY.202.53:465 inet n       -       n       -       -       smtpd
>         -o smtpd_sasl_auth_enable=yes
>         -o smtpd_use_tls=yes
>         -o smtpd_enforce_tls=yes
>         -o smtpd_tls_wrappermode=yes
>         -o smtpd_client_event_limit_exceptions=XXX.YYY.0.0/21
>         -o smtpd_client_connection_rate_limit=4
>         -o smtpd_recipient_limit=20
>         -o smtpd_client_message_rate_limit=40
>         -o smtpd_reject_unlisted_sender=yes
>         -o smtpd_sasl_tls_security_options=noanonymous
>         -o smtpd_sasl_security_options=noanonymous
> 
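An added example, not code from the thread, that automates the table audit Noel describes instead of running postmap -q by hand: it reads a postconf -n dump, finds the tables each check_*_access lookup consults in a given restriction list, and lists every entry whose action is OK or permit. The config lines, table files and entries are constructed stand-ins, not the poster's real files.

```shell
#!/bin/sh
# Added example (not from the thread): find which access tables a Postfix
# restriction list consults and which entries in them grant access.
# Assumes plain-text postmap source tables ("key action" per line) and a
# postconf -n dump with one parameter per line.
set -e

# Constructed sample config and tables, stand-ins for the poster's files.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf '%s\n' '# constructed sender table' 'example.com OK' \
    'alumni.example.com OK' 'spammer.example.net REJECT' > "$TMP/localdomain"
printf '%s\n' '# constructed client table' '127.0.0.1 OK' \
    'badhost.example.net 554 go away' > "$TMP/access"
printf '%s\n' 'postmaster@example.com permit' > "$TMP/recipient_access"
DUMP="$TMP/postconf.out"
cat > "$DUMP" <<EOF
smtpd_client_restrictions = check_sender_access hash:$TMP/localdomain, check_client_access hash:$TMP/access
smtpd_recipient_restrictions = reject_unlisted_recipient, check_recipient_access hash:$TMP/recipient_access, permit_sasl_authenticated, permit_mynetworks, reject
smtpd_helo_restrictions =
EOF

# Print the table names (type:path) that check_*_access consults in parameter $2.
tables_in_restriction() {
    awk -v p="$2" '$1 == p {
        for (i = 3; i <= NF; i++)
            if ($(i-1) ~ /^check_(client|helo|sender|recipient)_access$/) {
                sub(/,$/, "", $i); print $i
            }
    }' "$1"
}

# Print "file: key -> action" for each entry whose action grants access.
permissive_entries() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         toupper($2) ~ /^(OK|PERMIT)/ { print FILENAME ": " $1 " -> " $2 }' "$1"
}

# Walk every table behind a restriction list and report what it lets through.
audit_restriction() {
    for t in $(tables_in_restriction "$1" "$2"); do
        f=${t#*:}                       # drop the hash:/btree: type prefix
        if [ -f "$f" ]; then permissive_entries "$f"; fi
    done
    return 0
}

audit_restriction "$DUMP" smtpd_client_restrictions
audit_restriction "$DUMP" smtpd_recipient_restrictions
```

Run it against the real dump with `postconf -c /etc/postfix-internal -n > dump` and each restriction parameter in turn; any OK or permit entry it prints is a candidate for the "which rule isn't working as you intend" question above.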
