Re: Configure open relay on specific port

2012-11-22 Thread Patric Falinder

Patric Falinder wrote on 2012-11-22 10:02:

> Hi,
>
> I need to configure Postfix to be an open relay on a specific port,
> let's say 3326. I already have Postfix configured like a normal
> mailserver that requires authentication etc. but I need it to not ask
> for authentication on port 3326. How do I do this?
>
> I know this isn't safe but this port won't be open for the internet,
> just specific IPs that I specify on my router, so I won't be a target
> for spammers.
>
> I already have port 3325 open just like port 25, I did that by just
> adding this to /etc/services:
>
> smtp2   3325/tcp
>
> and in /etc/postfix/master.cf:
> smtp2  inet  n   -   -   -   -   smtpd
>
> So I can do the same for port 3326 but I don't know how to disable the
> authentication part. How can I do this?
>
> Thanks,
> -Patric

It would actually be easier if there's a way to accept hostnames
(mail.example.com) directly on the standard ports without
authentication. I use 'mynetworks' to allow different IP numbers to send
mail without authenticating but it doesn't support
domain-names/hostnames. Or maybe there's another way it should be done?
All I actually need to do is to allow a dyndns address to send without
authentication.


Re: Configure open relay on specific port

2012-11-22 Thread Wietse Venema
Patric Falinder:
> All I actually need to do is to allow a dyndns address to send without
> authentication.

And why can't the SMTP client be bothered to authenticate?
Did you put your printer/scanner on the Internet?

Wietse


Re: Configure open relay on specific port

2012-11-22 Thread Reindl Harald


On 22.11.2012 10:02, Patric Falinder wrote:
> I need to configure Postfix to be an open relay on a specific port, let's say
> 3326. I already have Postfix
> configured like a normal mailserver that requires authentication etc. but I
> need it to not ask for authentication
> on port 3326. How do I do this?
>
> I know this isn't safe but this port won't be open for the internet, just
> specific IPs that I specify on my router,
> so I won't be a target for spammers

so why do you not put those specific IP addresses in mynetworks?





Re: Configure open relay on specific port

2012-11-22 Thread Patric Falinder

Wietse Venema wrote on 2012-11-22 14:53:

> Patric Falinder:
>
>> All I actually need to do is to allow a dyndns address to send without
>> authentication.
>
> And why can't the SMTP client be bothered to authenticate?
> Did you put your printer/scanner on the Internet?
>
> Wietse

Some of our customers' business systems are for some reason programmed
so they're not able to authenticate. Now this hasn't been a problem for
any of them because they've had a local mailserver (Exchange) where we
have configured it so it didn't have to authenticate. But now that we
have migrated all their mail to our servers and shut down their old one,
they can't use that anymore and need to use ours.

We've asked the support for the software why it is like this and they
pretty much don't have an answer; they will probably implement it
later on, hopefully. So it's pretty urgent for them to get this working
as they have a lot of business-crucial emails that need to be delivered.
Also they have a dynamic IP, so I was thinking I could add their
dyndns address to 'mynetworks', but it only takes IP addresses, so I will
have to manually add their new IP when/if they get a new one and by then
lots of emails might have been lost due to not being delivered.

Right now I have added their IP to 'mynetworks' and it's working fine
for now, but it's not reliable as they have a dynamic IP like I said.
So either I need to be able to add a hostname/domain instead of an IP to
be able to send mail without authenticating or have an open relay on a
non-standard port where I then configure in the router who can access it
from outside. Or if you guys might have a better solution?


Thanks,
-Patric


Re: Configure open relay on specific port

2012-11-22 Thread Reindl Harald


On 22.11.2012 15:06, Patric Falinder wrote:
> Right now I have added their IP to 'mynetworks' and it's working fine for now,
> but it's not reliable as they have a dynamic IP like I said

so making a different open-relay port is the same problem

> So either I need to be able to add a hostname/domain instead of an IP
> to be able to send mail without authenticating or have an open relay on a
> non-standard port where I then configure in the router who can access
> it from outside

and how does this solve the dynamic IP?

> Or if you guys might have a better solution?

yes, they have to set up a postfix relay on their
internal network - any other solution in context
of dynamic IPs is pure crap and dangerous

relayhost   = [your-smtp-server]:587
smtp_sasl_auth_enable   = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

cat /etc/postfix/sasl_passwd
# CHANGES: postmap /etc/postfix/sasl_passwd
[your-smtp-server]:587 username:password






Re: Configure open relay on specific port

2012-11-22 Thread Wietse Venema
Patric Falinder:
> All I actually need to do is to allow a dyndns address to send without
> authentication.

Wietse:
> And why can't the SMTP client be bothered to authenticate?

Patric Falinder:
> Some of our customers' business systems are for some reason
> programmed so they're not able to authenticate. Now this hasn't
> been a problem for any of them because they've had a local mailserver
> (Exchange) where we have configured it so it didn't have to
> authenticate. But now that we have migrated all their mail to our
> servers and shut down their old one, they can't use that anymore
> and need to use ours.

Hostname lookup is not a solution. Due to caching effects there
simply is no guarantee that the name will always exist and resolve
to the current client address BEFORE the client connects to you.

I deplore the lack of planning that went into this migration; it
would have been easy enough to provide an SMTP proxy for off-site
locations that authenticates with SASL or TLS certificate. The 
whole thing could be done in a few lines of Perl or Python.

Wietse


Re: Configure open relay on specific port

2012-11-22 Thread Patric Falinder

Wietse Venema wrote on 2012-11-22 15:22:

> Patric Falinder:
>
>> All I actually need to do is to allow a dyndns address to send without
>> authentication.
>
> Wietse:
>
>> And why can't the SMTP client be bothered to authenticate?
>
> Patric Falinder:
>
>> Some of our customers' business systems are for some reason
>> programmed so they're not able to authenticate. Now this hasn't
>> been a problem for any of them because they've had a local mailserver
>> (Exchange) where we have configured it so it didn't have to
>> authenticate. But now that we have migrated all their mail to our
>> servers and shut down their old one, they can't use that anymore
>> and need to use ours.
>
> Hostname lookup is not a solution. Due to caching effects there
> simply is no guarantee that the name will always exist and resolve
> to the current client address BEFORE the client connects to you.
>
> I deplore the lack of planning that went into this migration; it
> would have been easy enough to provide an SMTP proxy for off-site
> locations that authenticates with SASL or TLS certificate. The
> whole thing could be done in a few lines of Perl or Python.
>
> Wietse

So it's not possible to have Postfix listening on another port with
different settings, like skipping the authentication bit and having it act
like an open relay?
This is easily done in Exchange and I would guess it's possible in
Postfix too, I just don't know how. I know the complications of having
it configured this way so I don't need to be told that it's dangerous
etc. because I'm aware of the dangers.



Thanks,
-Patric


Re: Configure open relay on specific port

2012-11-22 Thread Reindl Harald
first: do NOT reply off-list!

On 22.11.2012 15:56, Patric Falinder wrote:
> Reindl Harald wrote on 2012-11-22 15:20:
>
>> On 22.11.2012 15:06, Patric Falinder wrote:
>>> Right now I have added their IP to 'mynetworks' and it's working fine for
>>> now,
>>> but it's not reliable as they have a dynamic IP like I said
>> so making a different open-relay port is the same problem
> How so?
> If I have an open relay I don't have to specify the IP in
> 'mynetworks' and don't have to care to change it if their
> IP is updated as I will fix this on the firewall

so how the hell does it make a difference?

you have to configure SOMETHING in any case
the idea of an open relay for dyn-addresses is crap

>> yes, they have to set up a postfix relay on their
>> internal network - any other solution in context
>> of dynamic IPs is pure crap and dangerous
>>
>> relayhost   = [your-smtp-server]:587
>> smtp_sasl_auth_enable   = yes
>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>
>> cat /etc/postfix/sasl_passwd
>> # CHANGES: postmap /etc/postfix/sasl_passwd
>> [your-smtp-server]:587 username:password
>
> Setting up a server just for that is not an option.

so kiss the customer goodbye as long as he cannot
provide a solution with a relay, or force him to
use software which is designed to work over WAN

> I know the complications of having an open relay but I really
> don't see the problem if I specify at a firewall level which IPs
> have access to it.

with a static IP on the client's side i agree
BUT with dynamic IPs this is only a bad joke

> So technically it's not an open relay as there are only specified IPs that
> have access to it in the end. And the reason I'm going to specify it
> on the firewall is because I can specify at hostname-level who's having
> access
> to it from the outside, I can't do that in Postfix

from where do you take the hostname?
PTR?

sorry but this is naive

* i control the PTR for my IPs
* i can set up whatever PTR i like for whatever of my IPs

there is no clean solution
force the customer to fix HIS side or kiss him goodbye!






Re: Configure open relay on specific port

2012-11-22 Thread Ralf Hildebrandt
* Patric Falinder patric.falin...@omg.nu:

> So it's not possible to have Postfix listening on another port with
> different settings, like skipping the authentication bit and have it
> act like an open relay?

Well of course:

-o smtpd_recipient_restrictions=...
-o ...

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich



Re: Configure open relay on specific port

2012-11-22 Thread Patric Falinder

Ralf Hildebrandt wrote on 2012-11-22 16:25:

> * Patric Falinder patric.falin...@omg.nu:
>
>> So it's not possible to have Postfix listening on another port with
>> different settings, like skipping the authentication bit and have it
>> act like an open relay?
>
> Well of course:
>
> -o smtpd_recipient_restrictions=...
> -o ...

Thank you! However I had to use:
-o smtpd_recipient_restrictions=permit,reject

It works but I get this error: warning: restriction `reject' after
`permit' is ignored

But if I use just permit it won't work at all.
Any ideas?

Thanks,
-Patric


Re: Configure open relay on specific port

2012-11-22 Thread /dev/rob0
On Thu, Nov 22, 2012 at 11:43:51AM +0100, Patric Falinder wrote:
> Patric Falinder wrote on 2012-11-22 10:02:
>> I need to configure Postfix to be an open relay on a specific
>> port, let's say 3326. I already have Postfix configured like a
>> normal mailserver that requires authentication etc. but I need it
>> to not ask for authentication on port 3326. How do I do this?
>>
>> I know this isn't safe but this port won't be open for the
>> internet, just specific IPs that I specify on my router, so I
>> won't be a target for spammers.

Even if safe, it is far from ideal.

>> I already have port 3325 open just like port 25, I did that

What is the purpose of this smtpd on 3325?

>> by just adding this to /etc/services:
>> smtp2   3325/tcp

(I don't edit services(5). I let IANA handle that. It only gives
resolution of the port by name. You could just as well use the
number.)

>> and in /etc/postfix/master.cf:
>> smtp2  inet  n   -   -   -   -   smtpd
>>
>> So I can do the same for port 3326 but I don't know how to
>> disable the authentication part. How can I do this?

> It would actually be easier if there's a way to accept
> hostnames (mail.example.com) directly on the standard ports
> without authentication.

This is doable (check_client_access) but not for you, read on.

> I use 'mynetworks' to allow different IP numbers to send mail
> without authenticating but it doesn't support domain-names/
> hostnames. Or maybe there's another way it should be done?

... And finally, the real goal is stated:

> All I actually need to do is to allow a dyndns address to send
> without authentication.

(You really should have started with this.)

There are lots of workarounds available to SASL-allergic admins. 
Mine, years ago, was to set up a site-to-site openvpn(8) tunnel, 
adding the VPN IP address to mynetworks. This has the additional 
benefit (FSVO benefit) of hiding the real IP address in the 
headers. Postfix only sees the VPN IP.

check_client_access won't work because it looks up only forward-
confirmed reverse DNS names. Your dynamic DNS probably only sets a 
forward name, not the PTR for the IP address.

That said, there are a few thousand ways you might manage that, as 
well. An entry in /etc/hosts(5) for the dynamic address, in most 
cases, will bypass the PTR lookup. A simple script to edit your 
/etc/hosts file when the dynamic host changes its address might 
enable check_client_access.

Your script might just as well update a hash: file for mynetworks.

And another solution is to reconsider your SASL antipathy. It's 
well-documented and not that hard to set up.

http://www.postfix.org/SOHO_README.html#client_sasl_enable
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
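As an added example (not code from the thread or from the Postfix project), here is the kind of script /dev/rob0 describes above: it forward-resolves the customers' dynamic DNS names and regenerates a hash: table that mynetworks points at, so no PTR record and no check_client_access are involved. The hostnames, the map path and the assumption that main.cf (or the per-port -o override) contains `mynetworks = hash:/etc/postfix/dynamic_mynetworks` are all mine; the sample addresses in the test are constructed.

```python
"""Keep a Postfix mynetworks hash: map in sync with dynamic-DNS hostnames.

Added example; not from the thread or the Postfix project.  Assumed: the
hostnames in DYNAMIC_HOSTS, the map path, and a main.cf (or master.cf -o)
setting of "mynetworks = hash:/etc/postfix/dynamic_mynetworks".
Run it from cron every few minutes; it only touches the map when the
rendered content differs from what is already on disk.
"""
import socket
import subprocess
from pathlib import Path

# Constructed example names; replace with the customers' dyndns hostnames.
DYNAMIC_HOSTS = ["customer1.dyndns.example", "customer2.dyndns.example"]
MAP_PATH = Path("/etc/postfix/dynamic_mynetworks")


def resolve_ipv4(hostname):
    """Forward-resolve hostname to its IPv4 addresses (no PTR lookup involved)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def render_map(hosts, resolver=resolve_ipv4):
    """Build the map text: one "<address> permit" line per resolved address.

    mynetworks only checks whether the client address is a key in the table,
    so the value is ignored; "permit" just documents intent.  A lookup
    failure propagates as OSError (socket.gaierror) so the caller decides.
    """
    lines = ["# generated from dynamic DNS names; do not edit by hand"]
    for host in hosts:
        lines.append(f"# {host}")
        for addr in resolver(host):
            lines.append(f"{addr}\tpermit")
    return "\n".join(lines) + "\n"


def update_map(path, hosts, resolver=resolve_ipv4, run=subprocess.run):
    """Rewrite the map and rebuild its .db if the content changed.

    Returns True when the map was rewritten, False when it was left alone:
    either the content is unchanged, or a DNS lookup failed.  On failure
    the old entries are deliberately kept (a briefly stale address rather
    than cutting off every customer because one lookup timed out); flip
    this to fail closed if a stale entry is the bigger risk for you.
    """
    path = Path(path)
    try:
        new_text = render_map(hosts, resolver)
    except OSError as exc:
        print(f"leaving {path} unchanged: {exc}")
        return False
    old_text = path.read_text() if path.exists() else None
    if new_text == old_text:
        return False
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(new_text)
    tmp.replace(path)  # atomic rename: postmap never sees a half-written file
    run(["postmap", f"hash:{path}"], check=True)
    return True


if __name__ == "__main__":
    changed = update_map(MAP_PATH, DYNAMIC_HOSTS)
    print("map rebuilt" if changed else "no change")
```

No `postfix reload` is needed after `postmap`: every new smtpd process opens the current .db when it starts, and running processes retire after max_idle/max_use, so the change is effective within about a minute. The `resolver` and `run` parameters exist so the logic can be exercised without live DNS or a real postmap binary.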


Re: Configure open relay on specific port

2012-11-22 Thread Robert Schetterer
On 22.11.2012 16:32, Patric Falinder wrote:
> Ralf Hildebrandt wrote on 2012-11-22 16:25:
>> * Patric Falinder patric.falin...@omg.nu:
>>
>>> So it's not possible to have Postfix listening on another port with
>>> different settings, like skipping the authentication bit and have it
>>> act like an open relay?
>> Well of course:
>>
>> -o smtpd_recipient_restrictions=...
>> -o ...
>
> Thank you! However I had to use:
> -o smtpd_recipient_restrictions=permit,reject
>
> It works but I get this error: warning: restriction `reject' after
> `permit' is ignored
> But if I use just permit it won't work at all.
> Any ideas?
>
> Thanks,
> -Patric

for your dynamic IP problem, what about POP-before-SMTP etc. or some
port knocking scripting etc., that may give a small piece of security

however I don't think open relays are a good idea at all
someday someone will abuse it

Best Regards
Kind regards, Robert Schetterer



Re: Configure open relay on specific port

2012-11-22 Thread Wietse Venema
Patric Falinder:
> Ralf Hildebrandt wrote on 2012-11-22 16:25:
>> * Patric Falinder patric.falin...@omg.nu:
>>
>>> So it's not possible to have Postfix listening on another port with
>>> different settings, like skipping the authentication bit and have it
>>> act like an open relay?
>> Well of course:
>>
>> -o smtpd_recipient_restrictions=...
>> -o ...
>
> Thank you! However I had to use:
> -o smtpd_recipient_restrictions=permit,reject

In the next release, Postfix will require that a reject-like
restriction appears BEFORE permit.

Wietse
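Putting the two working answers in this thread together, as an added example that is not configuration from the thread, the Postfix documentation or the posters: Ralf's `-o` override on a dedicated master.cf service, but with `permit_mynetworks,reject` instead of the bare `permit,reject` that triggers the warning Patric saw (there is no unconditional permit in the list, so nothing after it is ignored), and Reindl's relayhost fragment for the customer side with the SASL password protected by mandatory TLS. The port number as service name, `mail.example.com`, the map path and the `relayuser` credential are assumed placeholders.

```conf
# ---- Server side: /etc/postfix/master.cf ----
# Using the port number as the service name avoids the /etc/services edit.
# This smtpd skips SASL but still relays only for clients listed in its own
# mynetworks table; a bare "permit" here would make it a true open relay.
3326      inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/relay3326
  -o smtpd_sasl_auth_enable=no
  -o mynetworks=hash:/etc/postfix/dynamic_mynetworks
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject

# ---- Client side: /etc/postfix/main.cf on the customer's own relay ----
# Same idea as Reindl's fragment; TLS is required so the SASL password is
# never sent in the clear across the WAN.
relayhost = [mail.example.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# /etc/postfix/sasl_passwd (chmod 600, then: postmap /etc/postfix/sasl_passwd)
# [mail.example.com]:587    relayuser:CHANGE-ME
```

The per-service `mynetworks` override keeps the dedicated port's allow list separate from the one used by port 25, so a client address added for the no-SASL port does not also gain unauthenticated relay on the public listener. The `syslog_name` override makes connections to this port easy to pick out in the mail log when reviewing who is actually using it.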