In message <[email protected]> Christian Kivalo writes:
>
> > >> One minor comment: I would not even offer AUTH on port 25.
> >
> > >I don't. I offer opportunistic TLS on port 25 for SMTPd. All mail
> > >submission has to be on port 587.
>
> You do.
>
> valo@uschi:~ $ telnet mail.covisp.net 25
> Trying 65.121.55.42...
> Connected to mail.covisp.net.
> Escape character is '^]'.
> 220-mail.covisp.net ESTMP -- Please wait
> 220 mail.covisp.net ESMTP Postfix 3.0.3
> ehlo test.local.host
> 250-mail.covisp.net
> 250-PIPELINING
> 250-SIZE 26214400
> 250-ETRN
> 250-STARTTLS
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
>
> See the two lines offering auth on port 25. You should disable auth
> on port 25.
> As in "smtpd_sasl_auth_enable = no".
> --
> Christian

Plain and login AUTH are particularly dangerous since they send passwords in the clear. See if you can find another method:

http://cyrusimap.web.cmu.edu/sasl/authentication_mechanisms.html
http://wiki.dovecot.org/Authentication/Mechanisms

With AUTH PLAIN LOGIN and no TLS, anyone logging in over public WiFi (or non-switched ethernet, where such a thing still exists) is exposing their user ID and password to others snooping on the WiFi. That could be really bad for people who use the same password for everything (terrible practice but all too common).

btw, even with TLS, unless client certs are used anyone can connect and try brute force password guessing, which is what appears to be happening. When presented with STARTTLS and no AUTH most attacks just go away and don't keep retrying.

I suggest that if it won't break clients (if they can use TLS) use "smtpd_tls_security_level = yes" on port 587 (which implies "smtpd_tls_auth_only = yes"). Use "smtpd_sasl_auth_enable = no" on port 25 even if it means clients have to change configs. Plus set smtp_sasl_mechanism_filter to something more reasonable if it doesn't break clients to do so (and/or change mech_list in cyrus sasl conf). For example "smtpd_sasl_security_options = noanonymous, noplaintext".

Client certs would be nice but a large number of client certs can be a headache to keep track of and hard to get into users' client MUAs.

Filters limiting access to port 587 can then be applied a lot more strictly than filters on port 25 could be.

Curtis
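The configuration the thread converges on (no SASL on port 25, TLS-only authentication on port 587, no cleartext mechanisms outside TLS), written out as an added example that is not part of Curtis's or Christian's messages. It uses the real Postfix parameters named in the thread plus smtpd_sasl_tls_security_options; the certificate and key paths are placeholders, and for mandatory TLS on the submission service it uses `encrypt`, the value Postfix's smtpd_tls_security_level accepts for that purpose.

```conf
# main.cf excerpt (added example, not from the thread): settings that apply
# to the port 25 smtpd unless a master.cf service overrides them.
#
# No SASL at all on port 25; inbound MX traffic never needs to authenticate.
smtpd_sasl_auth_enable = no
# Opportunistic TLS on port 25, as described in the thread.
smtpd_tls_security_level = may
# Placeholder paths; substitute the server's own certificate and key.
smtpd_tls_cert_file = /etc/postfix/PLACEHOLDER-cert.pem
smtpd_tls_key_file = /etc/postfix/PLACEHOLDER-key.pem
# Mechanisms allowed on sessions WITHOUT TLS: reject anonymous and any
# mechanism that sends the password in the clear (PLAIN, LOGIN).
smtpd_sasl_security_options = noanonymous, noplaintext
# Mechanisms allowed once TLS is in effect: PLAIN/LOGIN are acceptable
# inside the encrypted session, so only anonymous stays blocked.
smtpd_sasl_tls_security_options = noanonymous

# master.cf excerpt (added example): the submission service on port 587.
# Columns: service type private unpriv chroot wakeup maxproc command
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

With this in place an EHLO on port 25 no longer lists AUTH at all (the two lines Christian pointed out disappear), and on port 587 AUTH is only announced after a successful STARTTLS, because smtpd_tls_security_level=encrypt refuses to proceed without it and smtpd_tls_auth_only=yes suppresses the advertisement on any unencrypted session. The split between smtpd_sasl_security_options and smtpd_sasl_tls_security_options is what lets "noplaintext" be enforced without breaking MUAs that only speak PLAIN or LOGIN: Postfix consults the TLS variant once the session is encrypted. Rerunning Christian's telnet check against both ports after `postfix reload` is the quickest way to confirm the result.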
