Re: SASL auth only on port 25
On Wed, Jul 19, 2017 at 05:44:56PM +1000, Simon Wilson wrote:
> >>> On Apr 27, 2017, at 12:45 PM, Simon Wilson wrote:
>
> I rectified the order as Viktor suggested back in April, and all
> now working to plan, including a client IP filter in the
> check_client_access file for local servers to skip amavisd. So I
> now have:
>
> smtpd_recipient_restrictions =
>     check_client_access hash:/etc/postfix/client_checks,
>     permit_mynetworks,
>     check_recipient_access hash:/etc/postfix/recipient_access.outside,
>     reject_unauth_destination,
>     check_sender_access hash:/etc/postfix/sender_access,
>     reject_unauth_pipelining,
>     reject_invalid_helo_hostname,
>     reject_non_fqdn_helo_hostname,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,

These two cause no harm, but they are unlikely to be used.

>     reject_rbl_client zen.spamhaus.org,
>     check_policy_service unix:private/policy-spf
>     permit
>
> I have a follow-up question on smtpd_relay_restrictions. At the
> moment I have:
>
> smtpd_relay_restrictions =
>
> smtpd_recipient_restrictions =
>     check_client_access hash:/etc/postfix/client_checks,
>     (etc.)
>
> This is an install that has migrated from a Postfix install that
> was pre-2.10, so for compatibility with what I had before it's all
> still in smtpd_recipient_restrictions with an explicitly empty
> smtpd_relay_restrictions.
>
> To move forward, what checks should I move into the relay
> restrictions?

For main.cf I recommend "reject_unauth_destination" only. Then
explicitly override that for submission in master.cf, as such:

    mua_relay_restrictions = permit_sasl_authenticated, reject

(Add other permit_* as you need, before reject.)

Then as per the example master.cf you would have under submission:

    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o syslog_name=postfix/submission
    ...

This way you will not accept anything for relay on port 25, and
you'll require all users to authenticate on submission.

If you have users submitting on port 25 you will have to tell them
to change. You'll especially want to do this so you can have
postscreen controlling access for mail exchange; postscreen does not
play nicely with MUAs, and end users' IP addresses are commonly found
in Spamhaus Zen via PBL and/or XBL.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: SASL auth only on port 25
> > On Apr 27, 2017, at 12:45 PM, Simon Wilson wrote:
> >
> > > smtpd_recipient_restrictions =
> > >     check_client_access hash:/etc/postfix/client_checks,
> > >     permit_mynetworks,
> > >     permit_sasl_authenticated,
> > >     check_sender_access hash:/etc/postfix/sender_access,
> >
> > That check looks risky here. You're making access decisions based on an
> > easily spoofable sender address, prior to blocking relaying with
> > "reject_unauth_destination". That table had better not have any OK
> > entries, but in any case find some way to put this below
> > reject_unauth_destination.
>
> Got it - because someone could potentially say "Hey I've got MAIL FROM
> x@wherever" and if that email address is in that sender_access file, they
> could then use my server as a relay, because the 'reject_unauth_destination'
> check has not been evaluated. Thank you for the comment, I will rectify that.
>
> Simon.
>
> > >     check_recipient_access hash:/etc/postfix/recipient_access.outside,
> > >     reject_unauth_destination,
> > >     reject_unauth_pipelining,
> > >     reject_invalid_helo_hostname,
> > >     reject_non_fqdn_helo_hostname,
> > >     reject_non_fqdn_sender,
> > >     reject_unknown_sender_domain,
> > >     reject_non_fqdn_recipient,
> > >     reject_unknown_recipient_domain,
> > >     reject_rbl_client zen.spamhaus.org,
> > >     check_policy_service unix:private/policy-spf
> > >     permit
> >
> > -- 
> > 	Viktor.
>
> -- 
> Simon Wilson

I rectified the order as Viktor suggested back in April, and all now working
to plan, including a client IP filter in the check_client_access file for
local servers to skip amavisd. So I now have:

smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/client_checks,
    permit_mynetworks,
    check_recipient_access hash:/etc/postfix/recipient_access.outside,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_pipelining,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service unix:private/policy-spf
    permit

I have a follow-up question on smtpd_relay_restrictions. At the moment I have:

smtpd_relay_restrictions =

smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/client_checks,
    (etc.)

This is an install that has migrated from a Postfix install that was
pre-2.10, so for compatibility with what I had before it's all still in
smtpd_recipient_restrictions with an explicitly empty
smtpd_relay_restrictions.

To move forward, what checks should I move into the relay restrictions?

Simon

-- 
Simon Wilson
M: 0400 12 11 16
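Two things are argued in this thread about restriction order: Viktor's point that a check keyed on a spoofable MAIL FROM (or HELO) must not sit above reject_unauth_destination, and rob0's layout that puts relay control in smtpd_relay_restrictions and overrides it for submission with a separate mua_relay_restrictions parameter. The script below is an added example, written for this page and not code from Postfix or from anyone on the list. It reads main.cf and master.cf text, merges the per-service -o overrides (expanding $name the way Postfix does, with undefined names becoming empty), and checks each smtpd service against those two rules plus the obvious third one, that a service with SASL enabled must actually reach permit_sasl_authenticated before the relay guard. The configs at the bottom are constructed for the example, built from the orderings posted in the thread; the parameter, restriction and service names are real Postfix ones.

```python
"""Lint the order of Postfix smtpd(8) restrictions, per master.cf service.

Added example for this thread; not Postfix code and not posted by anyone on
the list. The main.cf/master.cf texts at the bottom are constructed for the
example; parameter, restriction and service names are real Postfix ones.
"""
import re

RESTRICTION_PREFIXES = ("permit", "reject", "check_", "defer", "warn_if_reject", "sleep")
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}
SAFE_BEFORE_GUARD = {"permit_mynetworks", "permit_sasl_authenticated", "permit_auth_destination"}
SPOOFABLE_CHECKS = ("check_sender_access", "check_helo_access")
# Postfix 2.10 default, used only when main.cf does not mention smtpd_relay_restrictions.
DEFAULT_RELAY = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"


def parse_main_cf(text):
    """'name = value' lines; a line that starts with whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
        else:
            name, _, value = raw.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params


def parse_master_cf(text):
    """{'name/type': {'command': ..., 'overrides': {...}}}; indented '-o' lines belong to the previous service."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", raw)
            if m and current:
                services[current]["overrides"][m.group(1)] = m.group(2).strip()
            continue
        f = raw.split()  # service type private unpriv chroot wakeup maxproc command [args]
        current = f"{f[0]}/{f[1]}"
        services[current] = {"command": f[7], "overrides": {}}
    return services


def expand(value, params, depth=0):
    """Expand $name and ${name}; an undefined name expands to empty, as in Postfix."""
    if depth > 10:
        return ""
    return re.sub(r"\$\{(\w+)\}|\$(\w+)",
                  lambda m: expand(params.get(m.group(1) or m.group(2), ""), params, depth + 1), value)


def restrictions(value):
    """Split a restriction list; arguments (lookup tables, DNSBL names) stay attached to their restriction."""
    tokens = []
    for w in value.replace(",", " ").split():
        if w.startswith(RESTRICTION_PREFIXES) or not tokens:
            tokens.append(w)
        else:
            tokens[-1] += " " + w
    return tokens


def lint(main_cf, master_cf):
    """Return 'service: finding' strings for every master.cf service whose command is smtpd."""
    base, findings = parse_main_cf(main_cf), []
    for name, svc in parse_master_cf(master_cf).items():
        if svc["command"] != "smtpd":
            continue
        p = {**base, **svc["overrides"]}  # -o overrides win over main.cf

        def get(key, default=""):
            return expand(p.get(key, default), p)

        # Postfix evaluates smtpd_relay_restrictions before smtpd_recipient_restrictions.
        seq = restrictions(get("smtpd_relay_restrictions", DEFAULT_RELAY)) \
            + restrictions(get("smtpd_recipient_restrictions"))
        names = [t.split()[0] for t in seq]
        cut = next((i for i, n in enumerate(names) if n in RELAY_GUARDS or n == "reject"), None)
        if cut is None:
            findings.append(f"{name}: neither reject_unauth_destination nor a final reject (open relay)")
            cut = len(names)
        for tok, n in zip(seq[:cut], names[:cut]):
            if n.startswith(SPOOFABLE_CHECKS):
                findings.append(f"{name}: '{tok}' precedes reject_unauth_destination; an OK entry there permits relaying")
            elif n.startswith("permit") and n not in SAFE_BEFORE_GUARD:
                findings.append(f"{name}: '{tok}' precedes reject_unauth_destination")
        if get("smtpd_sasl_auth_enable", "no") == "yes":
            if "permit_sasl_authenticated" not in names[:cut]:
                findings.append(f"{name}: SASL enabled but permit_sasl_authenticated is never reached before the relay guard")
            if get("smtpd_tls_security_level") != "encrypt" and get("smtpd_tls_auth_only", "no") != "yes":
                findings.append(f"{name}: AUTH offered without requiring TLS")
    return findings


# Constructed sample files (not from the thread verbatim); $mua_relay_restrictions is rob0's layout.
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=no
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=$mua_relay_restrictions
"""
MAIN_CF_RISKY = """\
smtpd_relay_restrictions =
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/client_checks,
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    permit
"""
MAIN_CF_FIXED = """\
smtpd_relay_restrictions = reject_unauth_destination
mua_relay_restrictions = permit_sasl_authenticated, reject
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/client_checks,
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org,
    permit
"""
MASTER_CF_NO_OVERRIDE = MASTER_CF.replace("  -o smtpd_relay_restrictions=$mua_relay_restrictions\n", "")

if __name__ == "__main__":
    for label, main, master in (("risky", MAIN_CF_RISKY, MASTER_CF), ("fixed", MAIN_CF_FIXED, MASTER_CF),
                                ("no-override", MAIN_CF_FIXED, MASTER_CF_NO_OVERRIDE)):
        print(label, lint(main, master) or "clean")
```

The third sample is the failure mode rob0's advice implies but does not spell out: once main.cf carries `smtpd_relay_restrictions = reject_unauth_destination`, a submission entry that forgets the `-o smtpd_relay_restrictions=` override rejects every authenticated relay attempt before the recipient list is consulted. Feed real files in with `postconf -n` and `postconf -M` output if you want to run it against a live box; the parser understands the same continuation-line conventions.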
Re: SASL auth only on port 25
> On May 3, 2017, at 10:16 AM, @lbutlr wrote:
>
> -o syslog_name=submit-tls

The recommended override, that is most likely to work well with log parsers is:

    -o syslog_name=postfix/submission

or in multi-instance environments:

    -o syslog_name=${multi_instance_name?{$multi_instance_name}:{postfix}}/submission

-- 
	Viktor.
Re: SASL auth only on port 25
On 2017-04-27 (07:51 MDT), Simon Wilson wrote:
>
> Hi all, I'm tightening up my (pre-postscreen postfix 2.3.3 on CentOS 5) mail
> server as I get quite a few hits on the open ports from bot nets trying to
> auth. Getting ready to migrate off it - more on that later.
>
> Port 25 is for MTA unauthenticated traffic, with optional TLS, and 587
> requires TLS and sasl auth for MUA submission. The server is functioning fine
> for mail submission on 587 and MTA function on port 25, but I am seeing
> saslauthd authentication failures in maillog e.g.:

My recommendation is to take all mail submission from local users off port 25
and only allow those connections on 587. Leave port 25 only open for MTA
traffic with optional TLS.

> Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from unknown[45.123.221.70]
> Apr 26 18:16:25 server04 postfix/smtpd[18323]: setting up TLS connection from unknown[45.123.221.70]
> Apr 26 18:16:26 server04 postfix/smtpd[18323]: TLS connection established from unknown[45.123.221.70]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Apr 26 18:16:27 server04 saslauthd[1953]: Authentication failed for simon/simonandkate.net: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
> Apr 26 18:16:27 server04 saslauthd[1953]: do_auth : auth failure: [user=simon] [service=smtp] [realm=simonandkate.net] [mech=ldap] [reason=Unknown]
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: SASL authentication failure: Password verification failed
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: unknown[45.123.221.70]: SASL PLAIN authentication failed: authentication failure
>
> and I don't know if it's because they are knocking on 587, or still knocking
> on port 25 and trying to auth because I have my port 25 config wrong... :-/

Change the syslog for submission in master.cf by adding

    submission inet n - n - - smtpd
    [ … ]
      -o syslog_name=submit-tls

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
Next steps to migrating, WAS Re: SASL auth only on port 25
    permit_sasl_authenticated,

...so I can remove the one above, right, as it doesn't apply to port 25?
There is no way that it can be met, as smtpd_sasl_auth_enable is set to NO by
default. I assume it's harmless to leave, but won't serve any purpose?

Think clearly, and trust cold hard logic over any answer this list may
provide. :-)

-- 
	Viktor.

P.S. If the above is not clear, yes your analysis is correct.

- End message from Viktor Dukhovni -

:-D Thanks Viktor. Always hard when you have to explain a punchline... ;-)

Now I am confident I have a reasonable understanding of the Postfix config,
next steps for migrating to my CentOS7 new Postfix server...

I have validated that the new server can send and receive, including tests
for delivery to its local new cyrus-imapd - by command-line mailx to a
SASL-verifiable local user, and to a non-verifiable one (which was rejected),
from both localhost and other hosts on the local network.

My migration plan is to break it down into stages:

1. Outbound SMTP first (COMPLETED) - set outbound SMTP (port 587) from Horde
   (on another server) to the new CentOS 7 / postfix server. As the new
   server also thinks it is destination for my domain names (in preparation
   for its new role), set it to deliver mail for local users back to the old
   server's cyrus-imapd for now over IP LMTP instead of to the new empty
   cyrus-imapd on local socket LMTP.

   In new server's main.cf:
       mailbox_transport = lmtp:server04:lmtp

   Old server's cyrus.conf:
       lmtp cmd="lmtpd -a" listen="lmtp" prefork=1

2. Then do inbound SMTP (postscreen!) Not done yet.

3. Once SMTP is all good on the new server, migrate mailboxes to cyrus-imapd
   on new server, point Horde to the new IMAP server, and set new postfix to
   deliver to local cyrus-imapd socket again.

All sound reasonable? The big test will be inbound SMTP, but that will have
to wait until I can get on to my router and change port forward rules.

-- 
Simon Wilson
M: 0400 12 11 16
Re: SASL auth only on port 25
> On Apr 28, 2017, at 8:54 AM, Simon Wilson wrote:
>
> >     permit_sasl_authenticated,
>
> ...so I can remove the one above, right, as it doesn't apply to port 25?
> There is no way that it can be met, as smtpd_sasl_auth_enable is set to NO by
> default. I assume it's harmless to leave, but won't serve any purpose?

Think clearly, and trust cold hard logic over any answer this list may
provide. :-)

-- 
	Viktor.

P.S. If the above is not clear, yes your analysis is correct.
Re: SASL auth only on port 25
These settings in main.cf are just applying to port 25 smtpd, as
smtpd_recipient_restrictions are separately applied to 587 in master.cf...

smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/client_checks,
    permit_mynetworks,
    permit_sasl_authenticated,

...so I can remove the one above, right, as it doesn't apply to port 25?
There is no way that it can be met, as smtpd_sasl_auth_enable is set to NO by
default. I assume it's harmless to leave, but won't serve any purpose?

    check_recipient_access hash:/etc/postfix/recipient_access.outside,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_pipelining,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service unix:private/policy-spf
    permit

-- 
Simon Wilson
M: 0400 12 11 16
Re: SASL auth only on port 25
- Message from Viktor Dukhovni <postfix-us...@dukhovni.org> -
    Date: Thu, 27 Apr 2017 13:01:16 -0400
    From: Viktor Dukhovni <postfix-us...@dukhovni.org>
Reply-To: Postfix users <postfix-users@postfix.org>
 Subject: Re: SASL auth only on port 25
      To: Postfix users <postfix-users@postfix.org>

> On Apr 27, 2017, at 12:45 PM, Simon Wilson <si...@simonandkate.net> wrote:
>
> smtpd_recipient_restrictions =
>     check_client_access hash:/etc/postfix/client_checks,
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     check_sender_access hash:/etc/postfix/sender_access,

That check looks risky here. You're making access decisions based on an
easily spoofable sender address, prior to blocking relaying with
"reject_unauth_destination". That table had better not have any OK entries,
but in any case find some way to put this below reject_unauth_destination.

Got it - because someone could potentially say "Hey I've got MAIL FROM
x@wherever" and if that email address is in that sender_access file, they
could then use my server as a relay, because the 'reject_unauth_destination'
check has not been evaluated. Thank you for the comment, I will rectify that.

Simon.

>     check_recipient_access hash:/etc/postfix/recipient_access.outside,
>     reject_unauth_destination,
>     reject_unauth_pipelining,
>     reject_invalid_helo_hostname,
>     reject_non_fqdn_helo_hostname,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     reject_rbl_client zen.spamhaus.org,
>     check_policy_service unix:private/policy-spf
>     permit

-- 
	Viktor.

-- 
Simon Wilson
M: 0400 12 11 16
Re: SASL auth only on port 25
> On Apr 27, 2017, at 12:45 PM, Simon Wilson wrote:
>
> smtpd_recipient_restrictions =
>     check_client_access hash:/etc/postfix/client_checks,
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     check_sender_access hash:/etc/postfix/sender_access,

That check looks risky here. You're making access decisions based on an
easily spoofable sender address, prior to blocking relaying with
"reject_unauth_destination". That table had better not have any OK entries,
but in any case find some way to put this below reject_unauth_destination.

>     check_recipient_access hash:/etc/postfix/recipient_access.outside,
>     reject_unauth_destination,
>     reject_unauth_pipelining,
>     reject_invalid_helo_hostname,
>     reject_non_fqdn_helo_hostname,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     reject_rbl_client zen.spamhaus.org,
>     check_policy_service unix:private/policy-spf
>     permit

-- 
	Viktor.
Re: SASL auth only on port 25
- Message from Viktor Dukhovni <postfix-us...@dukhovni.org> -
    Date: Thu, 27 Apr 2017 15:07:02 +0000
    From: Viktor Dukhovni <postfix-us...@dukhovni.org>
Reply-To: postfix-users@postfix.org
 Subject: Re: SASL auth only on port 25
      To: postfix-users@postfix.org

On Thu, Apr 27, 2017 at 11:51:06PM +1000, Simon Wilson wrote:

> 1. At the moment when a bot knocks on the postfix server I see
> postfix/smtpd[pid] etc. in maillog: can that message show if the knock is on
> port 25 or 587?

Sufficiently new versions of the stock Postfix master.cf file have:

    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  ...

You would use that, but I believe this requires Postfix 2.4 or later, as in
2.3 the master.cf option overrides take place after logging is already
configured, and this setting has no effect.

> 2. Is my config correct for my desired outcome (below)?
>
> extract from master.cf:
>
> # std port for incoming port 25. No SASL auth allowed
> # smtpd_sasl_auth_enable=no is default, but left here for clarity
> smtp      inet  n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=may
>   -o smtpd_sasl_auth_enable=no

Looks fine.

> # submission port
> submission inet n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject

In the stock Postfix 3.3-dev master.cf (commented out) submission entry, we
have:

    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_auth_only=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Most of these are applicable to a large range of releases, likely including
what ships with your newer O/S.

> smtpd_sasl_local_domain =
> broken_sasl_auth_clients = yes
>
> smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
> smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
> smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem

An empty CAfile for the SMTP server typically works better. After all you're
not (and typically SHOULD NOT be) requesting client certs. Just make sure your
cert file contains a complete chain, not just the leaf certificate.

> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_loglevel = 1
> smtpd_tls_session_cache_timeout = 3600s

Looks fine. The last setting is unnecessary.

-- 
	Viktor.

- End message from Viktor Dukhovni <postfix-us...@dukhovni.org> -

Putting all of this advice and learning together with other reading, and the
CentOS7 distribution master.cf file, I have set the following on my NEW
Postfix 2.10 / CentOS7 server.

The config I had on the old CentOS5 server had restrictions all in recipient
checks, so at the moment I have replicated that. I have noticed varying
opinions on that.

The config all appears to work on internal network, but I can't test it fully
(externally, open relay) until I redirect the port forwarding.

Objective is port 25 MTA only, 587 SASL auth over TLS only. I've enabled
postscreen in monitor mode at the moment.

I've added a blank set smtpd_relay_restrictions as per the comments on
postfix.org about that being added in 2.10+ and having it blank enabling
previous behaviour for smtpd_recipients_restrictions. I think I have that
correct.

I'm hopeful that once I have postscreen enabled fully the amount of zombie
knocking will decrease.

Thanks
Simon.

master.cf:

smtp       inet  n  -  n  -  1  postscreen
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=no
smtpd      pass  -  -  n  -  -  smtpd
dnsblog    unix  -  -  n  -  0  dnsblog
tlsproxy   unix  -  -  n  -  0  tlsproxy
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

main.cf:

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
mua_client_restrictions =
mua_helo_restrictions =
mua_sender_restrictions =
smtpd_helo_required = yes
disable_
Re: SASL auth only on port 25
> On Apr 27, 2017, at 12:21 PM, Michael Segel wrote:
>
> You raise a very valid point in some of your emails.
>
> There's a lot of garbage "How To" when it comes to postfix and dovecot and
> others…
>
> What are some good resources? (e-books, blogs, etc …)
>
> What made my debugging difficult is that the last time I set up a postfix
> server was 5+ years ago, and I don't have a lot of free time or cycles to
> relearn postfix.
>
> Suggestions would be helpful.

What's available are the somewhat dated (but still very useful) books,
http://www.postfix.org/documentation.html, and the list archives.

After reading either of the books, you can brush up on the newer features in
one of the postfix.org tutorials. The most important things to peruse are:

  * http://www.postfix.org/ADDRESS_REWRITING_README.html
  * http://www.postfix.org/ADDRESS_CLASS_README.html
  * http://www.postfix.org/OVERVIEW.html
  * http://www.postfix.org/master.5.html

The top portion of http://www.postfix.org/postconf.5.html covers general
main.cf syntax. After that, SASL_README, TLS_README, SOHO_README, ... cover
more focused topics.

Be especially wary of third-party HOWTOs that recommend fashionably "strong"
TLS settings. These are most likely to be counterproductive.

-- 
	Viktor.
Re: SASL auth only on port 25
- Message from Viktor Dukhovni <postfix-us...@dukhovni.org> -
    Date: Thu, 27 Apr 2017 12:00:22 -0400
    From: Viktor Dukhovni <postfix-us...@dukhovni.org>
Reply-To: Postfix users <postfix-users@postfix.org>
 Subject: Re: SASL auth only on port 25
      To: Postfix users <postfix-users@postfix.org>

> On Apr 27, 2017, at 11:54 AM, Simon Wilson <si...@simonandkate.net> wrote:
>
> > #  -o smtpd_client_restrictions=$mua_client_restrictions
> > #  -o smtpd_helo_restrictions=$mua_helo_restrictions
> > #  -o smtpd_sender_restrictions=$mua_sender_restrictions
>
> I cannot find much about these variables - do these just set to what has
> already been loaded from those sections of main.cf, the idea being they can
> be appended to here?

The idea is that you can configure these "made up" parameter names in
main.cf, instead of bloating master.cf with complex settings. If you don't
define them, they'll default "empty", which is fine.

-- 
	Viktor.

- End message from Viktor Dukhovni <postfix-us...@dukhovni.org> -

Got it. Thanks Viktor.

Simon

-- 
Simon Wilson
M: 0400 12 11 16
Re: SASL auth only on port 25
> On Apr 27, 2017, at 11:54 AM, Simon Wilson wrote:
>
> > #  -o smtpd_client_restrictions=$mua_client_restrictions
> > #  -o smtpd_helo_restrictions=$mua_helo_restrictions
> > #  -o smtpd_sender_restrictions=$mua_sender_restrictions
>
> I cannot find much about these variables - do these just set to what has
> already been loaded from those sections of main.cf, the idea being they can
> be appended to here?

The idea is that you can configure these "made up" parameter names in
main.cf, instead of bloating master.cf with complex settings. If you don't
define them, they'll default "empty", which is fine.

-- 
	Viktor.
Re: SASL auth only on port 25
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions

I cannot find much about these variables - do these just set to what has
already been loaded from those sections of main.cf, the idea being they can
be appended to here?

Simon.

-- 
Simon Wilson
M: 0400 12 11 16
Re: SASL auth only on port 25
- Message from Viktor Dukhovni <postfix-us...@dukhovni.org> -
    Date: Thu, 27 Apr 2017 15:07:02 +0000
    From: Viktor Dukhovni <postfix-us...@dukhovni.org>
Reply-To: postfix-users@postfix.org
 Subject: Re: SASL auth only on port 25
      To: postfix-users@postfix.org

[...]

- End message from Viktor Dukhovni <postfix-us...@dukhovni.org> -

Lots of great information in there, thanks Viktor.

Shame about the logfile entry only being in 2.4 and later, but I'm really
only 'fixing' this old box prior to going live on the new box and
understanding what it does, so that will work fine on the new Postfix config.

Thanks all for responses.

Simon

-- 
Simon Wilson
M: 0400 12 11 16
Re: SASL auth only on port 25
> Port 25 is for MTA unauthenticated traffic, with optional TLS, and 587
> requires TLS and sasl auth for MUA submission. The server is functioning fine
> for mail submission on 587 and MTA function on port 25, but I am seeing
> saslauthd authentication failures in maillog e.g.:
>
> Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from unknown[45.123.221.70]
> Apr 26 18:16:25 server04 postfix/smtpd[18323]: setting up TLS connection from unknown[45.123.221.70]
> Apr 26 18:16:26 server04 postfix/smtpd[18323]: TLS connection established from unknown[45.123.221.70]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Apr 26 18:16:27 server04 saslauthd[1953]: Authentication failed for simon/simonandkate.net: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
> Apr 26 18:16:27 server04 saslauthd[1953]: do_auth : auth failure: [user=simon] [service=smtp] [realm=simonandkate.net] [mech=ldap] [reason=Unknown]
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: SASL authentication failure: Password verification failed
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: unknown[45.123.221.70]: SASL PLAIN authentication failed: authentication failure
>
> 1. At the moment when a bot knocks on the postfix server I see
> postfix/smtpd[pid] etc. in maillog: can that message show if the knock is on
> port 25 or 587?

In master.cf submission entry:

    -o syslog_name=postfix/submission

Aha! Just what I needed... thanks Noel.

> 2. Is my config correct for my desired outcome (below)?

Looks OK, but the "Bind to ldap server failed" errors would seem to be a
config error in your saslauthd.

  -- Noel Jones

That's the knocker trying to auth as simon (not a bad guess given my domain
name and email address, which is guaranteed to be out there on bot lists
somewhere) and failing, so the saslauth fails. I assume so anyway... if I auth
to 587 as me properly it all works fine and binds to LDAP no problems.
testsaslauthd all works, and only auth'd users can submit mail.

Thanks.

> I'm about to migrate mail to a new server with postfix on CentOS 7, but I
> need to make sure I understand this better and have it right before
> changing, not just blindly changing things.
>
> Would appreciate some advice if anyone would see fit to comment.
> Thanks
> Simon.
>
> extract from master.cf:
>
> # std port for incoming port 25. No SASL auth allowed
> # smtpd_sasl_auth_enable=no is default, but left here for clarity
> smtp      inet  n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=may
>   -o smtpd_sasl_auth_enable=no
>
> # submission port
> submission inet n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> extract from main.cf:
>
> # Enable sasl auth.
> # Master.cf sets this separately for 25 and 587, so commented out here
> # smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> broken_sasl_auth_clients = yes
>
> smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
> smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
> smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem
>
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_loglevel = 1
> smtpd_tls_session_cache_timeout = 3600s

- End message from Noel Jones -

-- 
Simon Wilson
M: 0400 12 11 16
Re: SASL auth only on port 25
On Thu, Apr 27, 2017 at 09:56:39AM -0500, Noel Jones wrote:

> Looks OK, but the "Bind to ldap server failed" errors would seem to
> be a config error in your saslauthd.

Not necessarily. One common method of verifying user passwords is to attempt
to "bind" to LDAP with the username and password in question.

-- 
	Viktor.
Re: SASL auth only on port 25
On Thu, Apr 27, 2017 at 11:51:06PM +1000, Simon Wilson wrote:

> 1. At the moment when a bot knocks on the postfix server I see
> postfix/smtpd[pid] etc. in maillog: can that message show if the knock is on
> port 25 or 587?

Sufficiently new versions of the stock Postfix master.cf file have:

    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  ...

You would use that, but I believe this requires Postfix 2.4 or later, as in
2.3 the master.cf option overrides take place after logging is already
configured, and this setting has no effect.

> 2. Is my config correct for my desired outcome (below)?
>
> extract from master.cf:
>
> # std port for incoming port 25. No SASL auth allowed
> # smtpd_sasl_auth_enable=no is default, but left here for clarity
> smtp      inet  n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=may
>   -o smtpd_sasl_auth_enable=no

Looks fine.

> # submission port
> submission inet n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject

In the stock Postfix 3.3-dev master.cf (commented out) submission entry, we
have:

    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_auth_only=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Most of these are applicable to a large range of releases, likely including
what ships with your newer O/S.

> smtpd_sasl_local_domain =
> broken_sasl_auth_clients = yes
>
> smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
> smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
> smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem

An empty CAfile for the SMTP server typically works better. After all you're
not (and typically SHOULD NOT be) requesting client certs. Just make sure your
cert file contains a complete chain, not just the leaf certificate.

> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_loglevel = 1
> smtpd_tls_session_cache_timeout = 3600s

Looks fine. The last setting is unnecessary.

-- 
	Viktor.
Re: SASL auth only on port 25
On 4/27/2017 8:51 AM, Simon Wilson wrote:
> Port 25 is for MTA unauthenticated traffic, with optional TLS, and
> 587 requires TLS and sasl auth for MUA submission. The server is
> functioning fine for mail submission on 587 and MTA function on port
> 25, but I am seeing saslauthd authentication failures in maillog e.g.:
>
> Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from unknown[45.123.221.70]
> Apr 26 18:16:25 server04 postfix/smtpd[18323]: setting up TLS connection from unknown[45.123.221.70]
> Apr 26 18:16:26 server04 postfix/smtpd[18323]: TLS connection established from unknown[45.123.221.70]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Apr 26 18:16:27 server04 saslauthd[1953]: Authentication failed for simon/simonandkate.net: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
> Apr 26 18:16:27 server04 saslauthd[1953]: do_auth : auth failure: [user=simon] [service=smtp] [realm=simonandkate.net] [mech=ldap] [reason=Unknown]
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: SASL authentication failure: Password verification failed
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: unknown[45.123.221.70]: SASL PLAIN authentication failed: authentication failure
>
> 1. At the moment when a bot knocks on the postfix server I see
> postfix/smtpd[pid] etc. in maillog: can that message show if the
> knock is on port 25 or 587?

In master.cf submission entry:

    -o syslog_name=postfix/submission

> 2. Is my config correct for my desired outcome (below)?

Looks OK, but the "Bind to ldap server failed" errors would seem to
be a config error in your saslauthd.

  -- Noel Jones

>
> I'm about to migrate mail to a new server with postfix on CentOS 7,
> but I need to make sure I understand this better and have it right
> before changing, not just blindly changing things.
>
> Would appreciate some advice if anyone would see fit to comment.
> Thanks
> Simon.
> > > > extract from master.cf: > > # std port for incoming port 25. No SASL auth allowed > # smtpd_sasl_auth_enable=no is default, but left here for clarity > smtp inet n - n - - smtpd > -o smtpd_tls_security_level=may > -o smtpd_sasl_auth_enable=no > > # submission port > submission inet n - n - - smtpd > -o smtpd_tls_security_level=encrypt > -o smtpd_sasl_auth_enable=yes > -o smtpd_client_restrictions=permit_sasl_authenticated,reject > > extract from main.cf: > > # Enable sasl auth. > # Master.cf sets this separately for 25 and 587, so commented out here > # smtpd_sasl_auth_enable = yes > smtpd_sasl_local_domain = > broken_sasl_auth_clients = yes > > smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem > smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem > smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem > > smtpd_tls_security_level = may > smtpd_tls_auth_only = yes > smtpd_tls_loglevel = 1 > smtpd_tls_session_cache_timeout = 3600s >
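An added example (not from the thread) showing what the syslog_name override buys you once it is in place: a small Python pass over maillog that attributes SASL failures to the port-25 service (logged as postfix/smtpd) or the submission service (logged as postfix/submission/smtpd). The log lines below are constructed for the example and use documentation IP addresses; the submission lines assume the master.cf override "-o syslog_name=postfix/submission" that Noel suggests.

```python
import re
from collections import Counter

# Constructed sample maillog lines in the format shown in the thread (not the
# poster's real log). The submission entries assume master.cf carries
# "-o syslog_name=postfix/submission", so smtpd on 587 logs under that name.
SAMPLE_LOG = """\
Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from unknown[192.0.2.10]
Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Apr 26 18:20:01 server04 postfix/submission/smtpd[18402]: connect from unknown[192.0.2.10]
Apr 26 18:20:03 server04 postfix/submission/smtpd[18402]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Apr 26 18:21:10 server04 postfix/submission/smtpd[18410]: warning: host.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Apr 26 18:22:00 server04 postfix/smtpd[18420]: connect from mx.example.org[203.0.113.5]
"""

# "postfix/smtpd[pid]" is the plain port-25 service; "postfix/<name>/smtpd[pid]"
# is a service whose syslog_name was overridden in master.cf.
FAILURE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ "
    r"postfix/(?P<svc>[\w-]+/)?smtpd\[\d+\]: "
    r"warning: (?P<host>[^\[\s]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\w+) authentication failed"
)


def sasl_failures(log_text):
    """Count SASL authentication failures keyed by (service, client_ip)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        # No syslog_name override means the default port-25 "smtp" service.
        svc = (m.group("svc") or "").rstrip("/") or "smtp"
        counts[(svc, m.group("ip"))] += 1
    return counts


def failures_by_service(log_text):
    """Collapse the per-client counts to per-service totals. Any failure under
    the bare "smtp" service means AUTH is still reachable on port 25, which
    the poster's master.cf (smtpd_sasl_auth_enable=no) intends to prevent."""
    by_svc = Counter()
    for (svc, _ip), n in sasl_failures(log_text).items():
        by_svc[svc] += n
    return by_svc


if __name__ == "__main__":
    for (svc, ip), n in sorted(sasl_failures(SAMPLE_LOG).items()):
        print(f"{svc:<12} {ip:<16} {n}")
    print(dict(failures_by_service(SAMPLE_LOG)))
```

Pointing it at the real maillog (sys.stdin or a file) instead of SAMPLE_LOG answers question 1 directly: failures listed under "smtp" came in on port 25, those under "submission" on 587.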
Re: SASL auth only on port 25
I'd upgrade the version; CentOS 5 is kind of old.

> On Apr 27, 2017, at 8:51 AM, Simon Wilson wrote:
>
> Hi all, I'm tightening up my (pre-postscreen postfix 2.3.3 on CentOS 5) mail
> server as I get quite a few hits on the open ports from bot nets trying to
> auth. Getting ready to migrate off it - more on that later.
>
> Port 25 is for MTA unauthenticated traffic, with optional TLS, and 587
> requires TLS and sasl auth for MUA submission. The server is functioning fine
> for mail submission on 587 and MTA function on port 25, but I am seeing
> saslauthd authentication failures in maillog e.g.:
>
> Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from unknown[45.123.221.70]
> Apr 26 18:16:25 server04 postfix/smtpd[18323]: setting up TLS connection from unknown[45.123.221.70]
> Apr 26 18:16:26 server04 postfix/smtpd[18323]: TLS connection established from unknown[45.123.221.70]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Apr 26 18:16:27 server04 saslauthd[1953]: Authentication failed for simon/simonandkate.net: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
> Apr 26 18:16:27 server04 saslauthd[1953]: do_auth : auth failure: [user=simon] [service=smtp] [realm=simonandkate.net] [mech=ldap] [reason=Unknown]
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: SASL authentication failure: Password verification failed
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: unknown[45.123.221.70]: SASL PLAIN authentication failed: authentication failure
>
> and I don't know if it's because they are knocking on 587, or still knocking
> on port 25 and trying to auth because I have my port 25 config wrong... :-/
>
> I have a couple of questions:
>
> 1. At the moment when a bot knocks on the postfix server I see
> postfix/smtpd[pid] etc. in maillog: can that message show if the knock is on
> port 25 or 587?
> 2. Is my config correct for my desired outcome (below)?
>
> I'm about to migrate mail to a new server with postfix on CentOS 7, but I
> need to make sure I understand this better and have it right before changing,
> not just blindly changing things.
>
> Would appreciate some advice if anyone would see fit to comment.
> Thanks
> Simon.
>
>
> extract from master.cf:
>
> # std port for incoming port 25. No SASL auth allowed
> # smtpd_sasl_auth_enable=no is default, but left here for clarity
> smtp       inet  n  -  n  -  -  smtpd
>   -o smtpd_tls_security_level=may
>   -o smtpd_sasl_auth_enable=no
>
> # submission port
> submission inet  n  -  n  -  -  smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> extract from main.cf:
>
> # Enable sasl auth.
> # Master.cf sets this separately for 25 and 587, so commented out here
> # smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> broken_sasl_auth_clients = yes
>
> smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
> smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
> smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem
>
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_loglevel = 1
> smtpd_tls_session_cache_timeout = 3600s
>
> --
> Simon Wilson
> M: 0400 12 11 16
>
SASL auth only on port 25
Hi all, I'm tightening up my (pre-postscreen postfix 2.3.3 on CentOS 5) mail
server as I get quite a few hits on the open ports from bot nets trying to
auth. Getting ready to migrate off it - more on that later.

Port 25 is for MTA unauthenticated traffic, with optional TLS, and 587
requires TLS and sasl auth for MUA submission. The server is functioning fine
for mail submission on 587 and MTA function on port 25, but I am seeing
saslauthd authentication failures in maillog e.g.:

Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from unknown[45.123.221.70]
Apr 26 18:16:25 server04 postfix/smtpd[18323]: setting up TLS connection from unknown[45.123.221.70]
Apr 26 18:16:26 server04 postfix/smtpd[18323]: TLS connection established from unknown[45.123.221.70]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 26 18:16:27 server04 saslauthd[1953]: Authentication failed for simon/simonandkate.net: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
Apr 26 18:16:27 server04 saslauthd[1953]: do_auth : auth failure: [user=simon] [service=smtp] [realm=simonandkate.net] [mech=ldap] [reason=Unknown]
Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: SASL authentication failure: Password verification failed
Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: unknown[45.123.221.70]: SASL PLAIN authentication failed: authentication failure

and I don't know if it's because they are knocking on 587, or still knocking
on port 25 and trying to auth because I have my port 25 config wrong... :-/

I have a couple of questions:

1. At the moment when a bot knocks on the postfix server I see
postfix/smtpd[pid] etc. in maillog: can that message show if the knock is on
port 25 or 587?
2. Is my config correct for my desired outcome (below)?

I'm about to migrate mail to a new server with postfix on CentOS 7, but I
need to make sure I understand this better and have it right before changing,
not just blindly changing things.

Would appreciate some advice if anyone would see fit to comment.
Thanks
Simon.


extract from master.cf:

# std port for incoming port 25. No SASL auth allowed
# smtpd_sasl_auth_enable=no is default, but left here for clarity
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=no

# submission port
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

extract from main.cf:

# Enable sasl auth.
# Master.cf sets this separately for 25 and 587, so commented out here
# smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s

--
Simon Wilson
M: 0400 12 11 16