Re: SASL auth only on port 25

2017-07-19 Thread /dev/rob0
On Wed, Jul 19, 2017 at 05:44:56PM +1000, Simon Wilson wrote:
> >>> On Apr 27, 2017, at 12:45 PM, Simon Wilson wrote:
> I rectified the order as Viktor suggested back in April, and all 
> now working to plan, including a client IP filter in the 
> check_client_access file for local servers to skip amavisd. So I 
> now have:
> 
> smtpd_recipient_restrictions =
> check_client_access hash:/etc/postfix/client_checks,
> permit_mynetworks,
> check_recipient_access hash:/etc/postfix/recipient_access.outside,
> reject_unauth_destination,
> check_sender_access hash:/etc/postfix/sender_access,
> reject_unauth_pipelining,
> reject_invalid_helo_hostname,
> reject_non_fqdn_helo_hostname,
> reject_non_fqdn_sender,
> reject_unknown_sender_domain,

> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,

These two cause no harm, but they are unlikely to be used.

> reject_rbl_client zen.spamhaus.org,
> check_policy_service unix:private/policy-spf
> permit
> 
> I have a follow-up question on smtpd_relay_restrictions. At the 
> moment I have:
> 
> smtpd_relay_restrictions =
> 
> smtpd_recipient_restrictions =
> check_client_access hash:/etc/postfix/client_checks,
> (etc.)
> 
> This is an install that has migrated from a Postfix install that 
> was pre-2.10, so for compatibility with what I had before it's all 
> still in smtpd_recipient_restrictions with an explicitly empty 
> smtpd_relay_restrictions.
> 
> To move forward, what checks should I move into the relay 
> restrictions?

For main.cf I recommend "reject_unauth_destination" only.  Then 
explicitly override that for submission in master.cf, as such:

mua_relay_restrictions = permit_sasl_authenticated, reject

(Add other permit_* as you need, before reject.)  Then as per the 
example master.cf you would have under submission:

-o smtpd_relay_restrictions=$mua_relay_restrictions
-o syslog_name=postfix/submission
...

This way you will not accept anything for relay on port 25, and 
you'll require all users to authenticate on submission.  If you have 
users submitting on port 25 you will have to tell them to change.
You'll especially want to do this so you can have postscreen 
controlling access for mail exchange; postscreen does not play 
nicely with MUAs, and end users' IP addresses are commonly found in 
Spamhaus Zen via PBL and/or XBL.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: SASL auth only on port 25

2017-07-19 Thread Simon Wilson

On Apr 27, 2017, at 12:45 PM, Simon Wilson  wrote:

smtpd_recipient_restrictions =
  check_client_access hash:/etc/postfix/client_checks,
  permit_mynetworks,
  permit_sasl_authenticated,
  check_sender_access hash:/etc/postfix/sender_access,


That check looks risky here.  You're making access decisions based on
an easily spoofable sender address, prior to blocking relaying with
"reject_unauth_destination".  That table had better not have any
OK entries, but in any case find some way to put this below
reject_unauth_destination.



Got it - because someone could potentially say "Hey I've got MAIL  
FROM x@wherever" and if that email address is in that  
sender_access file, they could then use my server as a relay,  
because the 'reject_unauth_destination' check has not been evaluated.


Thank you for the comment, I will rectify that.

Simon.


  check_recipient_access hash:/etc/postfix/recipient_access.outside,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  reject_rbl_client zen.spamhaus.org,
  check_policy_service unix:private/policy-spf
  permit


--
Viktor.


--
Simon Wilson


I rectified the order as Viktor suggested back in April, and all now  
working to plan, including a client IP filter in the  
check_client_access file for local servers to skip amavisd. So I now  
have:


smtpd_recipient_restrictions =
check_client_access hash:/etc/postfix/client_checks,
permit_mynetworks,
check_recipient_access hash:/etc/postfix/recipient_access.outside,
reject_unauth_destination,
check_sender_access hash:/etc/postfix/sender_access,
reject_unauth_pipelining,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_rbl_client zen.spamhaus.org,
check_policy_service unix:private/policy-spf
permit

I have a follow-up question on smtpd_relay_restrictions. At the moment I have:

smtpd_relay_restrictions =

smtpd_recipient_restrictions =
check_client_access hash:/etc/postfix/client_checks,
(etc.)

This is an install that has migrated from a Postfix install that was  
pre-2.10, so for compatibility with what I had before it's all still  
in smtpd_recipient_restrictions with an explicitly empty  
smtpd_relay_restrictions.


To move forward, what checks should I move into the relay restrictions?

Simon

--
Simon Wilson
M: 0400 12 11 16



Re: SASL auth only on port 25

2017-05-03 Thread Viktor Dukhovni

> On May 3, 2017, at 10:16 AM, @lbutlr  wrote:
> 
> -o syslog_name=submit-tls

The recommended override, that is most likely to work well with log parsers is:

-o syslog_name=postfix/submission

or in multi-instance environments:

-o syslog_name=${multi_instance_name?{$multi_instance_name}:{postfix}}/submission

-- 
Viktor.



Re: SASL auth only on port 25

2017-05-03 Thread @lbutlr
On 2017-04-27 (07:51 MDT), Simon Wilson  wrote:
> 
> Hi all, I'm tightening up my (pre-postscreen postfix 2.3.3 on CentOS 5) mail 
> server as I get quite a few hits on the open ports from bot nets trying to 
> auth. Getting ready to migrate off it - more on that later.
> 
> Port 25 is for MTA unauthenticated traffic, with optional TLS, and 587 
> requires TLS and sasl auth for MUA submission. The server is functioning fine 
> for mail submission on 587 and MTA function on port 25, but I am seeing 
> saslauthd authentication failures in maillog e.g.:

My recommendation is to take all mail submission from local users off port 25 
and only allow those connections on 587. Leave port 25 only open for MTA 
traffic with optional TLS.

> 
> Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from 
> unknown[45.123.221.70]
> Apr 26 18:16:25 server04 postfix/smtpd[18323]: setting up TLS connection from 
> unknown[45.123.221.70]
> Apr 26 18:16:26 server04 postfix/smtpd[18323]: TLS connection established 
> from unknown[45.123.221.70]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 
> bits)
> Apr 26 18:16:27 server04 saslauthd[1953]: Authentication failed for 
> simon/simonandkate.net: Bind to ldap server failed (invalid user/password or 
> insufficient access) (-7)
> Apr 26 18:16:27 server04 saslauthd[1953]: do_auth : auth failure: 
> [user=simon] [service=smtp] [realm=simonandkate.net] [mech=ldap] 
> [reason=Unknown]
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: SASL authentication 
> failure: Password verification failed
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: 
> unknown[45.123.221.70]: SASL PLAIN authentication failed: authentication 
> failure
> 
> and I don't know if it's because they are knocking on 587, or still knocking 
> on port 25 and trying to auth because I have my port 25 config wrong... :-/

Change the syslog for submission in master.cf by adding

submission inet  n   -   n   -   -   smtpd
 [ … ]
-o syslog_name=submit-tls



-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.




Next steps to migrating, WAS Re: SASL auth only on port 25

2017-04-29 Thread Simon Wilson

 permit_sasl_authenticated,


...so I can remove the one above, right, as it doesn't apply to  
port 25? There is no way that it can be met, as  
smtpd_sasl_auth_enable is set to NO by default. I assume it's  
harmless to leave, but won't serve any purpose?


Think clearly, and trust cold hard logic over any answer this list  
may provide. :-)


--
Viktor.

P.S.  If the above is not clear, yes your analysis is correct.



- End message from Viktor Dukhovni  -

:-D

Thanks Viktor. Always hard when you have to explain a punchline... ;-)

Now I am confident I have a reasonable understanding of the Postfix  
config, next steps for migrating to my CentOS7 new Postfix server...


I have validated that the new server can send and receive, including  
tests for delivery to its local new cyrus-imapd - by command-line  
mailx to a SASL-verifiable local user, and to a non-verifiable one  
(which was rejected), from both localhost and other hosts on the local  
network.


My migration plan is to break it down into stages:

1. Outbound SMTP first (COMPLETED) - set outbound SMTP (port 587) from  
Horde (on another server) to the new CentOS 7 / postfix server. As the  
new server also thinks it is destination for my domain names (in  
preparation for its new role), set it to deliver mail for local users  
back to the old server's cyrus-imapd for now over IP LMTP instead of  
to the new empty cyrus-imapd on local socket LMTP.


In new server's main.cf:
mailbox_transport = lmtp:server04:lmtp

Old server's cyrus.conf:
lmtp cmd="lmtpd -a" listen="lmtp" prefork=1

2. Then do inbound SMTP (postscreen!) Not done yet.

3. Once SMTP is all good on the new server, migrate mailboxes to  
cyrus-imapd on new server, point Horde to the new IMAP server, and set  
new postfix to deliver to local cyrus-imapd socket again.


All sound reasonable?

The big test will be inbound SMTP, but that will have to wait until I  
can get on to my router and change port forward rules.





--
Simon Wilson
M: 0400 12 11 16



Re: SASL auth only on port 25

2017-04-28 Thread Viktor Dukhovni

> On Apr 28, 2017, at 8:54 AM, Simon Wilson  wrote:
> 
  permit_sasl_authenticated,
> 
> ...so I can remove the one above, right, as it doesn't apply to port 25? 
> There is no way that it can be met, as smtpd_sasl_auth_enable is set to NO by 
> default. I assume it's harmless to leave, but won't serve any purpose?

Think clearly, and trust cold hard logic over any answer this list may provide. 
:-)

-- 
Viktor.

P.S.  If the above is not clear, yes your analysis is correct.

Re: SASL auth only on port 25

2017-04-28 Thread Simon Wilson
These settings in main.cf are just applying to port 25 smtpd, as  
smtpd_recipient_restrictions are separately applied to 587 in  
master.cf...



smtpd_recipient_restrictions =
  check_client_access hash:/etc/postfix/client_checks,
  permit_mynetworks,
  permit_sasl_authenticated,


...so I can remove the one above, right, as it doesn't apply to port  
25? There is no way that it can be met, as smtpd_sasl_auth_enable is  
set to NO by default. I assume it's harmless to leave, but won't serve  
any purpose?



  check_recipient_access hash:/etc/postfix/recipient_access.outside,
  reject_unauth_destination,
  check_sender_access hash:/etc/postfix/sender_access,
  reject_unauth_pipelining,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  reject_rbl_client zen.spamhaus.org,
  check_policy_service unix:private/policy-spf
  permit





--
Simon Wilson
M: 0400 12 11 16



Re: SASL auth only on port 25

2017-04-27 Thread Simon Wilson

- Message from Viktor Dukhovni <postfix-us...@dukhovni.org> -
Date: Thu, 27 Apr 2017 13:01:16 -0400
From: Viktor Dukhovni <postfix-us...@dukhovni.org>
Reply-To: Postfix users <postfix-users@postfix.org>
Subject: Re: SASL auth only on port 25
To: Postfix users <postfix-users@postfix.org>



On Apr 27, 2017, at 12:45 PM, Simon Wilson <si...@simonandkate.net> wrote:

smtpd_recipient_restrictions =
   check_client_access hash:/etc/postfix/client_checks,
   permit_mynetworks,
   permit_sasl_authenticated,
   check_sender_access hash:/etc/postfix/sender_access,


That check looks risky here.  You're making access decisions based on
an easily spoofable sender address, prior to blocking relaying with
"reject_unauth_destination".  That table had better not have any
OK entries, but in any case find some way to put this below
reject_unauth_destination.



Got it - because someone could potentially say "Hey I've got MAIL FROM  
x@wherever" and if that email address is in that sender_access  
file, they could then use my server as a relay, because the  
'reject_unauth_destination' check has not been evaluated.


Thank you for the comment, I will rectify that.

Simon.


   check_recipient_access hash:/etc/postfix/recipient_access.outside,
   reject_unauth_destination,
   reject_unauth_pipelining,
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_rbl_client zen.spamhaus.org,
   check_policy_service unix:private/policy-spf
   permit


--
Viktor.


--
Simon Wilson
M: 0400 12 11 16



Re: SASL auth only on port 25

2017-04-27 Thread Viktor Dukhovni

> On Apr 27, 2017, at 12:45 PM, Simon Wilson  wrote:
> 
> smtpd_recipient_restrictions =
>   check_client_access hash:/etc/postfix/client_checks,
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   check_sender_access hash:/etc/postfix/sender_access,

That check looks risky here.  You're making access decisions based on
an easily spoofable sender address, prior to blocking relaying with
"reject_unauth_destination".  That table had better not have any
OK entries, but in any case find some way to put this below
reject_unauth_destination.

>   check_recipient_access hash:/etc/postfix/recipient_access.outside,
>   reject_unauth_destination,
>   reject_unauth_pipelining,
>   reject_invalid_helo_hostname,
>   reject_non_fqdn_helo_hostname,
>   reject_non_fqdn_sender,
>   reject_unknown_sender_domain,
>   reject_non_fqdn_recipient,
>   reject_unknown_recipient_domain,
>   reject_rbl_client zen.spamhaus.org,
>   check_policy_service unix:private/policy-spf
>   permit

-- 
Viktor.

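A small model of how smtpd walks a restriction list makes Viktor's ordering point above concrete, and also covers /dev/rob0's later advice (top of this thread) to keep main.cf smtpd_relay_restrictions at reject_unauth_destination and override it with permit_sasl_authenticated, reject on the submission service. This is an added example for the thread, not Postfix code and not something either poster wrote; it models only the restrictions under discussion, and the mynetworks entries, local domains, addresses and sender_access contents are constructed stand-ins.

```python
"""Toy model of Postfix smtpd restriction-list evaluation.

Added example for this thread; it is not Postfix code and not something
either Viktor or /dev/rob0 posted. It models only the handful of
restrictions under discussion, and mynetworks, the local domains and the
sender_access table contents are constructed stand-ins.
"""
from dataclasses import dataclass


@dataclass
class Session:
    client_ip: str
    sender: str                 # MAIL FROM exactly as the client presented it
    recipient: str              # RCPT TO
    sasl_authenticated: bool = False


MYNETWORKS = {"127.0.0.1", "192.168.1."}        # exact IP, or a prefix for a /24
MYDOMAINS = {"example.com"}                     # domains this server accepts mail for
SENDER_ACCESS = {"partner@example.net": "OK"}   # an OK entry of the kind Viktor warns about
KNOWN = {"permit_mynetworks", "permit_sasl_authenticated", "check_sender_access",
         "reject_unauth_destination", "permit", "reject"}


def in_mynetworks(ip):
    return any(ip == n or (n.endswith(".") and ip.startswith(n)) for n in MYNETWORKS)


def evaluate(restrictions, s):
    """Walk one restriction list in order; the first PERMIT or REJECT decides.
    Running off the end of a list is equivalent to permit, as in smtpd."""
    for entry in restrictions:
        name = entry.split()[0]           # drop table arguments such as hash:/etc/...
        if name not in KNOWN:
            raise ValueError(f"restriction not modelled: {name}")
        if name == "permit_mynetworks" and in_mynetworks(s.client_ip):
            return "PERMIT"
        if name == "permit_sasl_authenticated" and s.sasl_authenticated:
            return "PERMIT"
        if name == "check_sender_access":
            action = SENDER_ACCESS.get(s.sender.lower())
            if action in ("OK", "REJECT"):
                return "PERMIT" if action == "OK" else "REJECT"
        if name == "reject_unauth_destination":
            if s.recipient.rsplit("@", 1)[-1].lower() not in MYDOMAINS:
                return "REJECT"
        if name == "permit":
            return "PERMIT"
        if name == "reject":
            return "REJECT"
    return "PERMIT"


def accept_recipient(relay_restrictions, recipient_restrictions, s):
    """Postfix 2.10+: both smtpd_relay_restrictions and
    smtpd_recipient_restrictions must permit for the RCPT TO to be accepted."""
    if evaluate(relay_restrictions, s) == "REJECT":
        return "REJECT"
    return evaluate(recipient_restrictions, s)


# The ordering Simon first posted: sender table consulted before the relay check.
RISKY_ORDER = ["permit_mynetworks", "permit_sasl_authenticated",
               "check_sender_access hash:/etc/postfix/sender_access",
               "reject_unauth_destination", "permit"]
# The corrected ordering.
SAFE_ORDER = ["permit_mynetworks", "permit_sasl_authenticated",
              "reject_unauth_destination",
              "check_sender_access hash:/etc/postfix/sender_access", "permit"]
# /dev/rob0's split: main.cf relay list for port 25, overridden on submission.
PORT25_RELAY = ["reject_unauth_destination"]
MUA_RELAY = ["permit_sasl_authenticated", "reject"]


def forged_sender_relay():
    """Unknown client, OK-listed MAIL FROM it does not own, recipient elsewhere."""
    return Session("203.0.113.9", "partner@example.net", "someone@example.org")


def inbound_to_us():
    return Session("203.0.113.9", "someone@example.org", "user@example.com")


def authenticated_user():
    return Session("203.0.113.9", "user@example.com", "someone@example.org",
                   sasl_authenticated=True)


if __name__ == "__main__":
    print("risky order, forged sender :", evaluate(RISKY_ORDER, forged_sender_relay()))
    print("safe order,  forged sender :", evaluate(SAFE_ORDER, forged_sender_relay()))
    print("2.10+ relay list + risky   :",
          accept_recipient(PORT25_RELAY, RISKY_ORDER, forged_sender_relay()))
    print("submission, authenticated  :", evaluate(MUA_RELAY, authenticated_user()))
```

Two things fall out of running it: with the sender table ahead of reject_unauth_destination, an OK entry turns an unverified MAIL FROM into a relay permit, while the same table placed after it only affects mail already addressed to a local domain; and once smtpd_relay_restrictions carries reject_unauth_destination on its own (the 2.10+ arrangement /dev/rob0 recommends), the relay decision no longer depends on the ordering of smtpd_recipient_restrictions at all, with the submission service getting its own permit_sasl_authenticated, reject list.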


Re: SASL auth only on port 25

2017-04-27 Thread Simon Wilson

- Message from Viktor Dukhovni <postfix-us...@dukhovni.org> -
Date: Thu, 27 Apr 2017 15:07:02 +
From: Viktor Dukhovni <postfix-us...@dukhovni.org>
Reply-To: postfix-users@postfix.org
Subject: Re: SASL auth only on port 25
To: postfix-users@postfix.org



On Thu, Apr 27, 2017 at 11:51:06PM +1000, Simon Wilson wrote:


1. At the moment when a bot knocks on the postfix server I see
postfix/smtpd[pid] etc. in maillog: can that message show if the knock is on
port 25 or 587?


Sufficiently new versions of the stock Postfix master.cf file have:

#submission inet n   -   n   -   -   smtpd
#  -o syslog_name=postfix/submission
# ...

You would use that, but I believe this requires Postfix 2.4 or
later, as in 2.3 the master.cf option overrides take place after
logging is already configured, and this setting has no effect.


2. Is my config correct for my desired outcome (below)?

extract from master.cf:

# std port for incoming port 25. No SASL auth allowed
# smtpd_sasl_auth_enable=no is default, but left here for clarity
smtp  inet  n   -   n   -   -   smtpd
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=no


Looks fine.



# submission port
submission inet n   -   n   -   -   smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject


In the stock Postfix 3.3-dev master.cf (commented out) submission
entry, we have:

#submission inet n   -   n   -   -   smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Most of these are applicable to a large range of releases, likely
including what ships with your newer O/S.


smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem


An empty CAfile for the SMTP server typically works better.  After
all you're not (and typically SHOULD NOT be) requesting client certs.
Just make sure your cert file contains a complete chain, not just
the leaf certificate.


smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s


Looks fine.  The last setting is unnecessary.

--
Viktor.



- End message from Viktor Dukhovni <postfix-us...@dukhovni.org> -

Putting all of this advice and learning together with other reading,  
and the CentOS7 distribution master.cf file, I have set the following  
on my NEW Postfix 2.10 / CentOS7 server. The config I had on the old  
CentOS5 server had restrictions all in recipient checks, so at the  
moment I have replicated that. I have noticed varying opinions on that.


The config all appears to work on internal network, but I can't test  
it fully (externally, open relay) until I redirect the port forwarding.


Objective is port 25 MTA only, 587 SASL auth over TLS only. I've  
enabled postscreen in monitor mode at the moment. I've added a blank  
set smtpd_relay_restrictions as per the comments on postfix.org about  
that being added in 2.10+ and having it blank enabling previous  
behaviour for smtpd_recipients_restrictions. I think I have that  
correct.


I'm hopeful that once I have postscreen enabled fully the amount of  
zombie knocking will decrease.


Thanks
Simon.


master.cf:

smtp  inet  n   -   n   -   1   postscreen
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=no
smtpd pass  -   -   n   -   -   smtpd
dnsblog   unix  -   -   n   -   0   dnsblog
tlsproxy  unix  -   -   n   -   0   tlsproxy
submission inet n   -   n   -   -   smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

main.cf:

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
mua_client_restrictions =
mua_helo_restrictions =
mua_sender_restrictions =

smtpd_helo_required = yes
disable_

Re: SASL auth only on port 25

2017-04-27 Thread Viktor Dukhovni

> On Apr 27, 2017, at 12:21 PM, Michael Segel  wrote:
> 
> You raise a very valid point in some of your emails. 
> 
> There’s a lot of garbage “How To” when it comes to postfix and dovecot and 
> others… 
> 
> What are some good resources?  (e-books, blogs, etc …) 
> 
> What made my debugging difficult is that the last time I set up a postfix 
> server was 5+ years ago, and I don’t have a lot of free time or cycles to 
> relearn postfix.
> 
> Suggestions would be helpful. 

What's available are the somewhat dated (but still very useful) books,
http://www.postfix.org/documentation.html, and the list archives.
After reading either of the books, you can brush up on the newer
features in one of the postfix.org tutorials.

The most important things to peruse are:

  * http://www.postfix.org/ADDRESS_REWRITING_README.html
  * http://www.postfix.org/ADDRESS_CLASS_README.html
  * http://www.postfix.org/OVERVIEW.html
  * http://www.postfix.org/master.5.html

The top portion of http://www.postfix.org/postconf.5.html
covers general main.cf syntax.

After that, SASL_README, TLS_README, SOHO_README, ... cover
more focused topics.

Be especially wary of third-party HOWTOs that recommend fashionably
"strong" TLS settings.  These are most likely to be counterproductive.

-- 
Viktor.


Re: SASL auth only on port 25

2017-04-27 Thread Simon Wilson

- Message from Viktor Dukhovni <postfix-us...@dukhovni.org> -
Date: Thu, 27 Apr 2017 12:00:22 -0400
From: Viktor Dukhovni <postfix-us...@dukhovni.org>
Reply-To: Postfix users <postfix-users@postfix.org>
Subject: Re: SASL auth only on port 25
To: Postfix users <postfix-users@postfix.org>



On Apr 27, 2017, at 11:54 AM, Simon Wilson <si...@simonandkate.net> wrote:


 #  -o smtpd_client_restrictions=$mua_client_restrictions
   #  -o smtpd_helo_restrictions=$mua_helo_restrictions
   #  -o smtpd_sender_restrictions=$mua_sender_restrictions



I cannot find much about these variables - do these just set to  
what has already been loaded from those sections of main.cf, the  
idea being they can be appended to here?


The idea is that you can configure these "made up" parameter names  
in main.cf,

instead of bloating master.cf with complex settings.

If you don't define them, they'll default "empty", which is fine.

--
Viktor.



- End message from Viktor Dukhovni <postfix-us...@dukhovni.org> -

Got it. Thanks Viktor.

Simon

--
Simon Wilson
M: 0400 12 11 16



Re: SASL auth only on port 25

2017-04-27 Thread Viktor Dukhovni

> On Apr 27, 2017, at 11:54 AM, Simon Wilson  wrote:
> 
>>   #  -o smtpd_client_restrictions=$mua_client_restrictions
>>   #  -o smtpd_helo_restrictions=$mua_helo_restrictions
>>   #  -o smtpd_sender_restrictions=$mua_sender_restrictions
> 
> I cannot find much about these variables - do these just set to what has 
> already been loaded from those sections of main.cf, the idea being they can 
> be appended to here?

The idea is that you can configure these "made up" parameter names in main.cf,
instead of bloating master.cf with complex settings.

If you don't define them, they'll default "empty", which is fine.

-- 
Viktor.



Re: SASL auth only on port 25

2017-04-27 Thread Simon Wilson

   #  -o smtpd_client_restrictions=$mua_client_restrictions
   #  -o smtpd_helo_restrictions=$mua_helo_restrictions
   #  -o smtpd_sender_restrictions=$mua_sender_restrictions


 


I cannot find much about these variables - do these just set to what  
has already been loaded from those sections of main.cf, the idea being  
they can be appended to here?


Simon.
 ___
Simon Wilson
M: 0400 12 11 16


Re: SASL auth only on port 25

2017-04-27 Thread Simon Wilson

- Message from Viktor Dukhovni <postfix-us...@dukhovni.org> -
Date: Thu, 27 Apr 2017 15:07:02 +
From: Viktor Dukhovni <postfix-us...@dukhovni.org>
Reply-To: postfix-users@postfix.org
Subject: Re: SASL auth only on port 25
To: postfix-users@postfix.org



On Thu, Apr 27, 2017 at 11:51:06PM +1000, Simon Wilson wrote:


1. At the moment when a bot knocks on the postfix server I see
postfix/smtpd[pid] etc. in maillog: can that message show if the knock is on
port 25 or 587?


Sufficiently new versions of the stock Postfix master.cf file have:

#submission inet n   -   n   -   -   smtpd
#  -o syslog_name=postfix/submission
# ...

You would use that, but I believe this requires Postfix 2.4 or
later, as in 2.3 the master.cf option overrides take place after
logging is already configured, and this setting has no effect.


2. Is my config correct for my desired outcome (below)?

extract from master.cf:

# std port for incoming port 25. No SASL auth allowed
# smtpd_sasl_auth_enable=no is default, but left here for clarity
smtp  inet  n   -   n   -   -   smtpd
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=no


Looks fine.



# submission port
submission inet n   -   n   -   -   smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject


In the stock Postfix 3.3-dev master.cf (commented out) submission
entry, we have:

#submission inet n   -   n   -   -   smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Most of these are applicable to a large range of releases, likely
including what ships with your newer O/S.


smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem


An empty CAfile for the SMTP server typically works better.  After
all you're not (and typically SHOULD NOT be) requesting client certs.
Just make sure your cert file contains a complete chain, not just
the leaf certificate.


smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s


Looks fine.  The last setting is unnecessary.

--
Viktor.



- End message from Viktor Dukhovni <postfix-us...@dukhovni.org> -

Lots of great information in there, thanks Viktor. Shame about the  
logfile entry only being in 2.4 and later, but I'm really only  
'fixing' this old box prior to going live on the new box and  
understanding what it does, so that will work fine on the new Postfix  
config.


Thanks all for responses.
Simon


--
Simon Wilson
M: 0400 12 11 16



Re: SASL auth only on port 25

2017-04-27 Thread Simon Wilson

Port 25 is for MTA unauthenticated traffic, with optional TLS, and
587 requires TLS and sasl auth for MUA submission. The server is
functioning fine for mail submission on 587 and MTA function on port
25, but I am seeing saslauthd authentication failures in maillog e.g.:

Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from
unknown[45.123.221.70]
Apr 26 18:16:25 server04 postfix/smtpd[18323]: setting up TLS
connection from unknown[45.123.221.70]
Apr 26 18:16:26 server04 postfix/smtpd[18323]: TLS connection
established from unknown[45.123.221.70]: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)
Apr 26 18:16:27 server04 saslauthd[1953]: Authentication failed for
simon/simonandkate.net: Bind to ldap server failed (invalid
user/password or insufficient access) (-7)
Apr 26 18:16:27 server04 saslauthd[1953]: do_auth : auth
failure: [user=simon] [service=smtp] [realm=simonandkate.net]
[mech=ldap] [reason=Unknown]
Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: SASL
authentication failure: Password verification failed
Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning:
unknown[45.123.221.70]: SASL PLAIN authentication failed:
authentication failure




1. At the moment when a bot knocks on the postfix server I see
postfix/smtpd[pid] etc. in maillog: can that message show if the
knock is on port 25 or 587?


In master.cf submission entry:
 -o syslog_name=postfix/submission




Aha! Just what I needed... thanks Noel.


2. Is my config correct for my desired outcome (below)?


Looks OK, but the "Bind to ldap server failed" errors would seem to
be a config error in your saslauthd.


  -- Noel Jones


That's the knocker trying to auth as simon (not a bad guess given my  
domain name and email address, which is guaranteed to be out there on  
bot lists somewhere) and failing, so the saslauth fails. I assume so  
anyway... if I auth to 587 as me properly it all works fine and binds  
to LDAP no problems. testsaslauthd all works, and only auth'd users  
can submit mail.


Thanks.






I'm about to migrate mail to a new server with postfix on CentOS 7,
but I need to make sure I understand this better and have it right
before changing, not just blindly changing things.

Would appreciate some advice if anyone would see fit to comment.
Thanks
Simon.



extract from master.cf:

# std port for incoming port 25. No SASL auth allowed
# smtpd_sasl_auth_enable=no is default, but left here for clarity
smtp  inet  n   -   n   -   -   smtpd
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=no

# submission port
submission inet n   -   n   -   -   smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject

extract from main.cf:

# Enable sasl auth.
# Master.cf sets this separately for 25 and 587, so commented out here
# smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s




- End message from Noel Jones  -



--
Simon Wilson
M: 0400 12 11 16



Re: SASL auth only on port 25

2017-04-27 Thread Viktor Dukhovni
On Thu, Apr 27, 2017 at 09:56:39AM -0500, Noel Jones wrote:

> Looks OK, but the "Bind to ldap server failed" errors would seem to
> be a config error in your saslauthd.

Not necessarily.  One common method of verifying user passwords is
to attempt to "bind" to LDAP with the username and password in
question.

-- 
Viktor.


Re: SASL auth only on port 25

2017-04-27 Thread Viktor Dukhovni
On Thu, Apr 27, 2017 at 11:51:06PM +1000, Simon Wilson wrote:

> 1. At the moment when a bot knocks on the postfix server I see
> postfix/smtpd[pid] etc. in maillog: can that message show if the knock is on
> port 25 or 587?

Sufficiently new versions of the stock Postfix master.cf file have:

#submission inet n   -   n   -   -   smtpd
#  -o syslog_name=postfix/submission
# ...

You would use that, but I believe this requires Postfix 2.4 or
later, as in 2.3 the master.cf option overrides take place after
logging is already configured, and this setting has no effect.

> 2. Is my config correct for my desired outcome (below)?
> 
> extract from master.cf:
> 
> # std port for incoming port 25. No SASL auth allowed
> # smtpd_sasl_auth_enable=no is default, but left here for clarity
> smtp  inet  n   -   n   -   -   smtpd
> -o smtpd_tls_security_level=may
> -o smtpd_sasl_auth_enable=no

Looks fine.

> 
> # submission port
> submission inet n   -   n   -   -   smtpd
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject

In the stock Postfix 3.3-dev master.cf (commented out) submission
entry, we have:

#submission inet n   -   n   -   -   smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Most of these are applicable to a large range of releases, likely
including what ships with your newer O/S.

> smtpd_sasl_local_domain =
> broken_sasl_auth_clients = yes
> 
> smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
> smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
> smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem

An empty CAfile for the SMTP server typically works better.  After
all you're not (and typically SHOULD NOT be) requesting client certs.
Just make sure your cert file contains a complete chain, not just
the leaf certificate.

> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_loglevel = 1
> smtpd_tls_session_cache_timeout = 3600s

Looks fine.  The last setting is unnecessary.

-- 
Viktor.

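Once the submission service carries -o syslog_name=postfix/submission, its smtpd lines are logged under postfix/submission/smtpd rather than postfix/smtpd, which is what lets Simon's question 1 be answered from maillog alone. The script below is an added example for this thread (not Postfix code, not posted by Viktor or Noel): it parses log lines in that format, tallies SASL authentication failures per smtpd instance, and flags the case the whole thread is about, AUTH attempts reaching SASL on the port 25 service. The sample lines are constructed, modelled on Simon's excerpt but with documentation addresses, and assume a Postfix release (2.4 or later, per Viktor) on which the syslog_name override takes effect; the multi-instance prefix form Viktor mentions is handled as well.

```python
"""Classify SASL authentication failures in a Postfix maillog by smtpd service.

Added example for this thread, not Postfix code. Relies on the syslog_name
override (postfix/submission) applying to the submission service, so that
its lines are logged as postfix/submission/smtpd; plain postfix/smtpd lines
then belong to the port 25 service. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from unknown[192.0.2.10]
Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Apr 26 18:17:02 server04 postfix/submission/smtpd[18330]: connect from unknown[198.51.100.7]
Apr 26 18:17:05 server04 postfix/submission/smtpd[18330]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Apr 26 18:17:09 server04 postfix/submission/smtpd[18330]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Apr 26 18:18:40 server04 postfix/submission/smtpd[18341]: connect from host.example.net[192.0.2.55]
Apr 26 18:18:41 server04 postfix/smtpd[18350]: disconnect from unknown[192.0.2.10]
Apr 26 18:19:00 server04 postfix/postscreen[18360]: CONNECT from [192.0.2.77]:41022 to [192.0.2.1]:25
"""

# "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_FAIL_RE = re.compile(
    r"warning: (?P<client>\S+): SASL (?P<mech>\w+) authentication failed")


def service_of(prog):
    """Map a syslog program name to the master.cf smtpd service that logged it.

    postfix/smtpd              -> "smtp"        (port 25, no syslog_name override)
    postfix/submission/smtpd   -> "submission"  (syslog_name=postfix/submission)
    mx2/submission/smtpd       -> "submission"  (multi-instance prefix form)
    anything that is not smtpd -> None
    """
    parts = prog.split("/")
    if parts[-1] != "smtpd":
        return None
    if len(parts) == 2:
        return "smtp"
    return parts[-2]


def sasl_failures_by_service(log_text):
    """Count SASL authentication failures per smtpd service."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        svc = service_of(m["prog"])
        if svc is not None and AUTH_FAIL_RE.search(m["msg"]):
            counts[svc] += 1
    return dict(counts)


def auth_offered_on_port25(log_text):
    """True if any SASL failure was logged by the port 25 service: that only
    happens when smtpd_sasl_auth_enable is not off for that service, which is
    the misconfiguration Simon set out to rule out."""
    return sasl_failures_by_service(log_text).get("smtp", 0) > 0


if __name__ == "__main__":
    print(sasl_failures_by_service(SAMPLE_LOG))
    print("AUTH reaching SASL on port 25:", auth_offered_on_port25(SAMPLE_LOG))
```

On the constructed input the port 25 service shows one failure, so the report would say AUTH is still being offered there; with the master.cf entry Simon posted (-o smtpd_sasl_auth_enable=no on the smtp service) the expected steady state is that every SASL failure is attributed to submission and the port 25 count stays at zero.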

Re: SASL auth only on port 25

2017-04-27 Thread Noel Jones
On 4/27/2017 8:51 AM, Simon Wilson wrote:

> Port 25 is for MTA unauthenticated traffic, with optional TLS, and
> 587 requires TLS and sasl auth for MUA submission. The server is
> functioning fine for mail submission on 587 and MTA function on port
> 25, but I am seeing saslauthd authentication failures in maillog e.g.:
> 
> Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from
> unknown[45.123.221.70]
> Apr 26 18:16:25 server04 postfix/smtpd[18323]: setting up TLS
> connection from unknown[45.123.221.70]
> Apr 26 18:16:26 server04 postfix/smtpd[18323]: TLS connection
> established from unknown[45.123.221.70]: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits)
> Apr 26 18:16:27 server04 saslauthd[1953]: Authentication failed for
> simon/simonandkate.net: Bind to ldap server failed (invalid
> user/password or insufficient access) (-7)
> Apr 26 18:16:27 server04 saslauthd[1953]: do_auth : auth
> failure: [user=simon] [service=smtp] [realm=simonandkate.net]
> [mech=ldap] [reason=Unknown]
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: SASL
> authentication failure: Password verification failed
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning:
> unknown[45.123.221.70]: SASL PLAIN authentication failed:
> authentication failure
> 

> 1. At the moment when a bot knocks on the postfix server I see
> postfix/smtpd[pid] etc. in maillog: can that message show if the
> knock is on port 25 or 587?

In master.cf submission entry:
 -o syslog_name=postfix/submission


> 2. Is my config correct for my desired outcome (below)?

Looks OK, but the "Bind to ldap server failed" errors would seem to
be a config error in your saslauthd.


  -- Noel Jones


> 
> I'm about to migrate mail to a new server with postfix on CentOS 7,
> but I need to make sure I understand this better and have it right
> before changing, not just blindly changing things.
> 
> Would appreciate some advice if anyone would see fit to comment.
> Thanks
> Simon.
> 
> 
> 
> extract from master.cf:
> 
> # std port for incoming port 25. No SASL auth allowed
> # smtpd_sasl_auth_enable=no is default, but left here for clarity
> smtp  inet  n   -   n   -   -   smtpd
> -o smtpd_tls_security_level=may
> -o smtpd_sasl_auth_enable=no
> 
> # submission port
> submission inet n   -   n   -   -   smtpd
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> 
> extract from main.cf:
> 
> # Enable sasl auth.
> # Master.cf sets this separately for 25 and 587, so commented out here
> # smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> broken_sasl_auth_clients = yes
> 
> smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
> smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
> smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem
> 
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_loglevel = 1
> smtpd_tls_session_cache_timeout = 3600s
> 
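An added example (not from this thread or from Postfix) showing what the `syslog_name=postfix/submission` override buys you when reading maillog: once the submission service logs under its own name, SASL failures can be counted per service and client, and any failure still logged by the plain `postfix/smtpd` service tells you AUTH is being offered on port 25. The log lines are constructed (RFC 5737 test addresses) in the format shown above; it assumes the port 25 service keeps the default syslog_name.

```python
import re
from collections import Counter

# Constructed maillog lines, in the format shown in this thread. With
# syslog_name=postfix/submission on the submission service, its smtpd logs as
# "postfix/submission/smtpd" while the port 25 service keeps "postfix/smtpd".
SAMPLE_MAILLOG = """\
Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from unknown[192.0.2.10]
Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Apr 26 18:17:01 server04 postfix/submission/smtpd[18340]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Apr 26 18:17:05 server04 postfix/submission/smtpd[18340]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Apr 26 18:17:09 server04 postfix/submission/smtpd[18340]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
"""

# syslog prefix, then "<syslog_name>/smtpd[pid]: warning: <name>[<ip>]: SASL <mech> authentication failed"
SASL_FAIL = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<service>\S+)/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<client>[0-9a-fA-F.:]+)\]: SASL (?P<mech>\S+) authentication failed"
)

def sasl_failures(log_text):
    """Count SASL authentication failures per (syslog_name, client IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            counts[(m.group("service"), m.group("client"))] += 1
    return counts

def port25_auth_clients(counts, port25_name="postfix"):
    """Clients whose AUTH attempt was processed by the port 25 service. Any entry
    here means SASL is enabled there, since a service with
    smtpd_sasl_auth_enable=no never reaches password verification."""
    return sorted(ip for (svc, ip) in counts if svc == port25_name)
```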



Re: SASL auth only on port 25

2017-04-27 Thread Michael Segel
I'd upgrade the version; CentOS 5 is kind of old.


> On Apr 27, 2017, at 8:51 AM, Simon Wilson  wrote:
> 
> Hi all, I'm tightening up my (pre-postscreen postfix 2.3.3 on CentOS 5) mail 
> server as I get quite a few hits on the open ports from bot nets trying to 
> auth. Getting ready to migrate off it - more on that later.
> 
> Port 25 is for MTA unauthenticated traffic, with optional TLS, and 587 
> requires TLS and sasl auth for MUA submission. The server is functioning fine 
> for mail submission on 587 and MTA function on port 25, but I am seeing 
> saslauthd authentication failures in maillog e.g.:
> 
> Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from 
> unknown[45.123.221.70]
> Apr 26 18:16:25 server04 postfix/smtpd[18323]: setting up TLS connection from 
> unknown[45.123.221.70]
> Apr 26 18:16:26 server04 postfix/smtpd[18323]: TLS connection established 
> from unknown[45.123.221.70]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 
> bits)
> Apr 26 18:16:27 server04 saslauthd[1953]: Authentication failed for 
> simon/simonandkate.net: Bind to ldap server failed (invalid user/password or 
> insufficient access) (-7)
> Apr 26 18:16:27 server04 saslauthd[1953]: do_auth : auth failure: 
> [user=simon] [service=smtp] [realm=simonandkate.net] [mech=ldap] 
> [reason=Unknown]
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: SASL authentication 
> failure: Password verification failed
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: 
> unknown[45.123.221.70]: SASL PLAIN authentication failed: authentication 
> failure
> 
> and I don't know if it's because they are knocking on 587, or still knocking 
> on port 25 and trying to auth because I have my port 25 config wrong... :-/
> 
> I have a couple of questions:
> 
> 1. At the moment when a bot knocks on the postfix server I see 
> postfix/smtpd[pid] etc. in maillog: can that message show if the knock is on 
> port 25 or 587?
> 2. Is my config correct for my desired outcome (below)?
> 
> I'm about to migrate mail to a new server with postfix on CentOS 7, but I 
> need to make sure I understand this better and have it right before changing, 
> not just blindly changing things.
> 
> Would appreciate some advice if anyone would see fit to comment.
> Thanks
> Simon.
> 
> 
> 
> extract from master.cf:
> 
> # std port for incoming port 25. No SASL auth allowed
> # smtpd_sasl_auth_enable=no is default, but left here for clarity
> smtp  inet  n   -   n   -   -   smtpd
>-o smtpd_tls_security_level=may
>-o smtpd_sasl_auth_enable=no
> 
> # submission port
> submission inet n   -   n   -   -   smtpd
>-o smtpd_tls_security_level=encrypt
>-o smtpd_sasl_auth_enable=yes
>-o smtpd_client_restrictions=permit_sasl_authenticated,reject
> 
> extract from main.cf:
> 
> # Enable sasl auth.
> # Master.cf sets this separately for 25 and 587, so commented out here
> # smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> broken_sasl_auth_clients = yes
> 
> smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
> smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
> smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem
> 
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_loglevel = 1
> smtpd_tls_session_cache_timeout = 3600s
> 
> -- 
> Simon Wilson
> M: 0400 12 11 16
> 



SASL auth only on port 25

2017-04-27 Thread Simon Wilson
Hi all, I'm tightening up my (pre-postscreen postfix 2.3.3 on CentOS  
5) mail server as I get quite a few hits on the open ports from bot  
nets trying to auth. Getting ready to migrate off it - more on that  
later.


Port 25 is for MTA unauthenticated traffic, with optional TLS, and 587  
requires TLS and sasl auth for MUA submission. The server is  
functioning fine for mail submission on 587 and MTA function on port  
25, but I am seeing saslauthd authentication failures in maillog e.g.:


Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from  
unknown[45.123.221.70]
Apr 26 18:16:25 server04 postfix/smtpd[18323]: setting up TLS  
connection from unknown[45.123.221.70]
Apr 26 18:16:26 server04 postfix/smtpd[18323]: TLS connection  
established from unknown[45.123.221.70]: TLSv1 with cipher  
DHE-RSA-AES256-SHA (256/256 bits)
Apr 26 18:16:27 server04 saslauthd[1953]: Authentication failed for  
simon/simonandkate.net: Bind to ldap server failed (invalid  
user/password or insufficient access) (-7)
Apr 26 18:16:27 server04 saslauthd[1953]: do_auth : auth  
failure: [user=simon] [service=smtp] [realm=simonandkate.net]  
[mech=ldap] [reason=Unknown]
Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: SASL  
authentication failure: Password verification failed
Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning:  
unknown[45.123.221.70]: SASL PLAIN authentication failed:  
authentication failure


and I don't know if it's because they are knocking on 587, or still  
knocking on port 25 and trying to auth because I have my port 25  
config wrong... :-/


I have a couple of questions:

1. At the moment when a bot knocks on the postfix server I see  
postfix/smtpd[pid] etc. in maillog: can that message show if the knock  
is on port 25 or 587?

2. Is my config correct for my desired outcome (below)?

I'm about to migrate mail to a new server with postfix on CentOS 7,  
but I need to make sure I understand this better and have it right  
before changing, not just blindly changing things.


Would appreciate some advice if anyone would see fit to comment.
Thanks
Simon.



extract from master.cf:

# std port for incoming port 25. No SASL auth allowed
# smtpd_sasl_auth_enable=no is default, but left here for clarity
smtp  inet  n   -   n   -   -   smtpd
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=no

# submission port
submission inet n   -   n   -   -   smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject

extract from main.cf:

# Enable sasl auth.
# Master.cf sets this separately for 25 and 587, so commented out here
# smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s

--
Simon Wilson
M: 0400 12 11 16