Re: forcing SMTP authentication
> That last rule is essentially "accept from any for (pretty much) any" so
> you have created an open relay.
>
> Replace the "from any" with "from local" so the rule reads as:
>
> accept from local for ! domain 486.hu relay via tls+auth://t-onl...@mail.t-online.hu auth <cred>
>
> This should be much better.

Thanks, this did the trick! :)

I thought when it comes to relaying, "auth-optional" ensures that
authentication is already done and the relaying rule is processed
according to this.

Regards,
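For comparison, here is the open-relay configuration from this thread next to two locked-down versions: Marcus's separate-submission-port layout and the single-listener fix Martijn gave. This is an added example, not a configuration anyone posted in the thread; it uses the same pre-6.4 accept/listen grammar as the thread, and LABEL (the key in /etc/smtpd/cred) and the tag name SUBMISSION are placeholders.

```conf
pki mail.486.hu certificate "/etc/smtpd/mail.486.hu.crt"
pki mail.486.hu key "/etc/smtpd/mail.486.hu.key"
table cred file:/etc/smtpd/cred

# WEAK (the thread's original): "from any" on the relay rule lets any
# client on the Internet hand us mail for foreign domains, which we then
# forward through the smarthost, i.e. an open relay.
#
#   listen on eth0 port 25 hostname mail.486.hu tls-require
#   accept from any for domain 486.hu deliver to mbox
#   accept from any for ! domain 486.hu relay via tls+auth://LABEL@mail.t-online.hu auth <cred>

# CORRECTED, variant A (Marcus): separate ports for transfer and submission.

# Port 25: server-to-server transfer only, no SMTP AUTH offered here.
# "tls" keeps STARTTLS optional so peers without TLS can still deliver.
listen on eth0 port 25 hostname mail.486.hu tls

# Port 587: message submission. "auth" refuses every transaction that has
# not authenticated (system users by default); the tag marks these sessions.
listen on eth0 port 587 hostname mail.486.hu tls-require auth tag SUBMISSION

listen on localhost port 25 hostname mail.486.hu

# Anyone may deliver mail addressed to our own domain.
accept from any for domain 486.hu deliver to mbox

# Only sessions that came in through the authenticated submission listener
# may relay elsewhere; nothing arriving on port 25 carries the tag, so an
# unauthenticated client asking for a foreign recipient matches no rule.
accept tagged SUBMISSION from any for any relay via tls+auth://LABEL@mail.t-online.hu auth <cred>

# Mail generated on this host itself (cron, daemons) may also go out.
accept from local for any relay via tls+auth://LABEL@mail.t-online.hu auth <cred>

# CORRECTED, variant B (Martijn, the fix the thread confirmed): keep one
# listener, offer AUTH optionally, and restrict the relay rule to "from local".
#
#   listen on eth0 port 25 hostname mail.486.hu tls-require auth-optional
#   accept from any for domain 486.hu deliver to mbox
#   accept from local for ! domain 486.hu relay via tls+auth://LABEL@mail.t-online.hu auth <cred>
```

After either change, a quick test with a mail client that has no credentials should be refused when it asks for a recipient outside 486.hu, while mail addressed to 486.hu is still accepted.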
Re: forcing SMTP authentication
On Wed, 21 Aug 2019 06:50:05 + Lévai, Dániel wrote:
> No it doesn't, that's the whole point...

Very strange. Currently I'm in the office, the mail server is at home. I
tried with two mail clients (sylpheed, Evolution) with a fake account to
use the mail server without authentication to send email to my gmail
address - and it worked all the time. Maybe something went wrong during
./configure?

The /var/log/messages logs are attached in a file.

Regards,

--
Selmeci Tamás

Aug 21 09:11:37 486 mail.info smtpd[13132]: 242a473f710cb686 smtp event=connected address=217.150.134.30 host=217.150.134.30
Aug 21 09:11:38 486 mail.info smtpd[13132]: 242a473f710cb686 smtp event=starttls address=217.150.134.30 host=217.150.134.30 ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
Aug 21 09:11:38 486 mail.info smtpd[13132]: 242a473f710cb686 smtp event=message address=217.150.134.30 host=217.150.134.30 msgid=4ece59a6 from= to= size=502 ndest=1 proto=ESMTP
Aug 21 09:11:38 486 mail.info smtpd[13132]: 242a4742bfc88a7f mta event=connecting address=tls://84.2.46.3:25 host=mail.t-online.hu
Aug 21 09:11:38 486 mail.info smtpd[13132]: 242a473f710cb686 smtp event=closed address=217.150.134.30 host=217.150.134.30 reason=quit
Aug 21 09:11:38 486 mail.info smtpd[13132]: 242a4742bfc88a7f mta event=connected
Aug 21 09:11:38 486 mail.info smtpd[13132]: 242a4742bfc88a7f mta event=starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
Aug 21 09:11:38 486 mail.err smtpd[13131]: warn: unable to load CA file /etc/ssl/cert.pem: No such file or directory
Aug 21 09:11:38 486 mail.info smtpd[13132]: smtp-out: Server certificate verification failed on session 242a4742bfc88a7f
Aug 21 09:11:39 486 mail.info smtpd[13132]: 242a4742bfc88a7f mta event=delivery evpid=4ece59a66756afe7 from= to= rcpt=<-> source="192.168.1.153" relay="84.2.46.3 (mail.t-online.hu)" delay=1s result="Ok" stat="250 2.0.0 Ok: queued as
Aug 21 09:11:42 486 mail.info smtpd[13132]: 242a474391a6416d smtp event=connected address=209.85.210.43 host=mail-ot1-f43.google.com
Aug 21 09:11:43 486 mail.info smtpd[13132]: 242a474391a6416d smtp event=starttls address=209.85.210.43 host=mail-ot1-f43.google.com ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
Re: forcing SMTP authentication
On 8/21/19 8:47 AM, Selmeci Tamás wrote:
> On Wed, 21 Aug 2019 08:19:24 +0200 Martijn van Duren
> wrote:
>
>> From smtpd.conf(5):
>>
>>     auth-optional []
>>         Support SMTPAUTH optionally: clients need not
>>         authenticate, but may do so. This allows a listen on
>>         directive to both accept incoming mail from untrusted
>>         senders and permit outgoing mail from authenticated
>>         users (using match auth). It can be used in situations
>>         where it is not possible to listen on a separate port
>>         (usually the submission port, 587) for users to
>>         authenticate.
>
> Sounds good, but unauthenticated relaying still works with this...
>

    auth-optional []
    ...snip...
    (using match auth)
    ...snip...

    match options action name
        If at least one mail envelope matches the options of one match
        action directive, receive the incoming message, put a copy into
        each matching envelope, and atomically save the envelopes to the
        mail spool for later processing by the respective dispatcher
        name.
    ...snip...
        [!] auth
            Matches transactions which have been authenticated.
Re: forcing SMTP authentication
No it doesn't, that's the whole point...

Original message
On 21 Aug 2019 8:47, Selmeci Tamás wrote:
> On Wed, 21 Aug 2019 08:19:24 +0200 Martijn van Duren
> wrote:
>
>> From smtpd.conf(5):
>>
>>     auth-optional []
>>         Support SMTPAUTH optionally: clients need not
>>         authenticate, but may do so. This allows a listen on
>>         directive to both accept incoming mail from untrusted
>>         senders and permit outgoing mail from authenticated users
>>         (using match auth). It can be used in situations where
>>         it is not possible to listen on a separate port (usually
>>         the submission port, 587) for users to authenticate.
>
> Sounds good, but unauthenticated relaying still works with this...
>
> --
> Selmeci Tamás
> http://www.486.hu/
Re: forcing SMTP authentication
On Wed, 21 Aug 2019 08:19:24 +0200 Martijn van Duren wrote:
> From smtpd.conf(5):
>
>     auth-optional []
>         Support SMTPAUTH optionally: clients need not
>         authenticate, but may do so. This allows a listen on
>         directive to both accept incoming mail from untrusted
>         senders and permit outgoing mail from authenticated users
>         (using match auth). It can be used in situations where
>         it is not possible to listen on a separate port (usually
>         the submission port, 587) for users to authenticate.

Sounds good, but unauthenticated relaying still works with this...

--
Selmeci Tamás
http://www.486.hu/
Re: forcing SMTP authentication
Hello Selmeci,

you are operating an open mail relay at the moment. stop it, now!
it won't take long until "they" discover and abuse it and this will ruin
the reputation of your IP address for quite some time.
(look in your logs for messages from/to "max@"!)

handle transfer of mails between servers on port 25, without
authentication (and with optional tls?).
use port 587 for message submission by users after authentication.
do NOT relay anything but submissions via port 587.

Marcus

tselm...@gmail.com (Selmeci Tamás), 2019.08.21 (Wed) 07:39 (CEST):
> Hello!
>
> In brief: STARTTLS is enabled, there is a self-signed certificate for
> encryption (better than nothing), smarthost is used to send mails from
> my domain. My problem is that it still accepts SMTP connections (over
> TLS) without authentication. What I want:
> - anybody can send email to my email address in my domain (now it's
> working);
> - relaying through my SMTP server is allowed only after successful
> authentication (now anybody can relay through my server without
> authentication, e.g. to send spams). Authentication should be based on
> regular /etc/passwd file (local users of the computer). In order to
> hide the passwords, STARTTLS should be used;
>
> It's a rather simple configuration, but I wasn't able to set it up. If
> I put 'auth' into the 'listen on' line, it needs authentication to any
> access of the SMTP server, so other machines (e.g. from google.com)
> can't send me mails. Using 'authenticated' in 'accept from' directives
> also didn't do the trick appropriately (it wasn't able to receive any
> mails at all).
>
> Could you please help me out with this?
>
> Thanks, regards,
> ---
> ---
> pki mail.486.hu certificate "/etc/smtpd/mail.486.hu.crt"
> pki mail.486.hu key "/etc/smtpd/mail.486.hu.key"
>
> table cred file:/etc/smtpd/cred
>
> listen on eth0 port 25 hostname mail.486.hu tls-require
> listen on localhost port 25 hostname mail.486.hu tls-require
>
> # Storing mails arriving at the domain '486.hu'.
> accept from any for domain 486.hu deliver to mbox
>
> # If the recipient is out of domain '486.hu', the mail is relayed through the
> # smarthost using TLS and authentication, see 'cred' file.
> accept from any for ! domain 486.hu relay via tls+auth://t-onl...@mail.t-online.hu auth <cred>
Re: forcing SMTP authentication
From smtpd.conf(5):

    auth-optional []
        Support SMTPAUTH optionally: clients need not authenticate, but
        may do so. This allows a listen on directive to both accept
        incoming mail from untrusted senders and permit outgoing mail
        from authenticated users (using match auth). It can be used in
        situations where it is not possible to listen on a separate port
        (usually the submission port, 587) for users to authenticate.

On 8/21/19 7:39 AM, Selmeci Tamás wrote:
> Hello!
>
> In brief: STARTTLS is enabled, there is a self-signed certificate for
> encryption (better than nothing), smarthost is used to send mails from
> my domain. My problem is that it still accepts SMTP connections (over
> TLS) without authentication. What I want:
> - anybody can send email to my email address in my domain (now it's
> working);
> - relaying through my SMTP server is allowed only after successful
> authentication (now anybody can relay through my server without
> authentication, e.g. to send spams). Authentication should be based on
> regular /etc/passwd file (local users of the computer). In order to
> hide the passwords, STARTTLS should be used;
>
> It's a rather simple configuration, but I wasn't able to set it up. If
> I put 'auth' into the 'listen on' line, it needs authentication to any
> access of the SMTP server, so other machines (e.g. from google.com)
> can't send me mails. Using 'authenticated' in 'accept from' directives
> also didn't do the trick appropriately (it wasn't able to receive any
> mails at all).
>
> Could you please help me out with this?
>
> Thanks, regards,
> ---
> ---
> pki mail.486.hu certificate "/etc/smtpd/mail.486.hu.crt"
> pki mail.486.hu key "/etc/smtpd/mail.486.hu.key"
>
> table cred file:/etc/smtpd/cred
>
> listen on eth0 port 25 hostname mail.486.hu tls-require
> listen on localhost port 25 hostname mail.486.hu tls-require
>
> # Storing mails arriving at the domain '486.hu'.
> accept from any for domain 486.hu deliver to mbox
>
> # If the recipient is out of domain '486.hu', the mail is relayed through the
> # smarthost using TLS and authentication, see 'cred' file.
> accept from any for ! domain 486.hu relay via tls+auth://t-onl...@mail.t-online.hu auth <cred>
Re: forcing SMTP authentication
Hello Selmeci,

Correction: I accept e-mail for delivery on one port, and for relay with
authentication on another.

It seems to me that you need to specify auth in the listen directive for
requiring authentication for incoming connections. From what I can tell
you are authenticating with the smarthost, but not for incoming
connections.

Example from man smtpd.conf:

    listen on $lan_addr tls auth

Sorry for the extra mail. Hope it helps!

On Wed, Aug 21, 2019 at 07:39:42AM +0200, Selmeci Tamás wrote:
> Hello!
>
> In brief: STARTTLS is enabled, there is a self-signed certificate for
> encryption (better than nothing), smarthost is used to send mails from
> my domain. My problem is that it still accepts SMTP connections (over
> TLS) without authentication. What I want:
> - anybody can send email to my email address in my domain (now it's
> working);
> - relaying through my SMTP server is allowed only after successful
> authentication (now anybody can relay through my server without
> authentication, e.g. to send spams). Authentication should be based on
> regular /etc/passwd file (local users of the computer). In order to
> hide the passwords, STARTTLS should be used;
>
> It's a rather simple configuration, but I wasn't able to set it up. If
> I put 'auth' into the 'listen on' line, it needs authentication to any
> access of the SMTP server, so other machines (e.g. from google.com)
> can't send me mails. Using 'authenticated' in 'accept from' directives
> also didn't do the trick appropriately (it wasn't able to receive any
> mails at all).
>
> Could you please help me out with this?
>
> Thanks, regards,
> ---
> ---
> pki mail.486.hu certificate "/etc/smtpd/mail.486.hu.crt"
> pki mail.486.hu key "/etc/smtpd/mail.486.hu.key"
>
> table cred file:/etc/smtpd/cred
>
> listen on eth0 port 25 hostname mail.486.hu tls-require
> listen on localhost port 25 hostname mail.486.hu tls-require
>
> # Storing mails arriving at the domain '486.hu'.
> accept from any for domain 486.hu deliver to mbox
>
> # If the recipient is out of domain '486.hu', the mail is relayed through the
> # smarthost using TLS and authentication, see 'cred' file.
> accept from any for ! domain 486.hu relay via tls+auth://t-onl...@mail.t-online.hu auth <cred>
Re: forcing SMTP authentication
Hello Selmeci,

It seems to me that you need to specify auth in the listen directive for
requiring authentication for incoming connections. From what I can tell
you are authenticating with the smarthost, but not for incoming
connections.

Example from man smtpd.conf:

    listen on $lan_addr tls auth

Hope it helps!

On Wed, Aug 21, 2019 at 07:39:42AM +0200, Selmeci Tamás wrote:
> Hello!
>
> In brief: STARTTLS is enabled, there is a self-signed certificate for
> encryption (better than nothing), smarthost is used to send mails from
> my domain. My problem is that it still accepts SMTP connections (over
> TLS) without authentication. What I want:
> - anybody can send email to my email address in my domain (now it's
> working);
> - relaying through my SMTP server is allowed only after successful
> authentication (now anybody can relay through my server without
> authentication, e.g. to send spams). Authentication should be based on
> regular /etc/passwd file (local users of the computer). In order to
> hide the passwords, STARTTLS should be used;
>
> It's a rather simple configuration, but I wasn't able to set it up. If
> I put 'auth' into the 'listen on' line, it needs authentication to any
> access of the SMTP server, so other machines (e.g. from google.com)
> can't send me mails. Using 'authenticated' in 'accept from' directives
> also didn't do the trick appropriately (it wasn't able to receive any
> mails at all).
>
> Could you please help me out with this?
>
> Thanks, regards,
> ---
> ---
> pki mail.486.hu certificate "/etc/smtpd/mail.486.hu.crt"
> pki mail.486.hu key "/etc/smtpd/mail.486.hu.key"
>
> table cred file:/etc/smtpd/cred
>
> listen on eth0 port 25 hostname mail.486.hu tls-require
> listen on localhost port 25 hostname mail.486.hu tls-require
>
> # Storing mails arriving at the domain '486.hu'.
> accept from any for domain 486.hu deliver to mbox
>
> # If the recipient is out of domain '486.hu', the mail is relayed through the
> # smarthost using TLS and authentication, see 'cred' file.
> accept from any for ! domain 486.hu relay via tls+auth://t-onl...@mail.t-online.hu auth <cred>