Allow unauth for some users on port 465

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Allow unauth for some users on port 465

Mark Constable
Hi, I have a fairly typical postfix install with port 465 requiring
authentication. I'd like to allow one sender (email address or IP) to
inject email on port 465 without providing login/password authentication.

Is this somehow possible?
Reply | Threaded
Open this post in threaded view
|

Re: Allow unauth for some users on port 465

Viktor Dukhovni
On Fri, Feb 12, 2021 at 02:54:29PM +1000, Mark Constable wrote:

> Hi, I have a fairly typical postfix install with port 465 requiring
> authentication. I'd like to allow one sender (email address or IP) to
> inject email on port 465 without providing login/password authentication.

Permitting email relaying by sender address is not safe, the
address is trivially forged, and if you do this, your system
may with some probability be eventually abused by spammers,
ruining its IP reputation.  DO NOT enable relay control by
sender address.

> Is this somehow possible?

Permitting relaying by IP (known to be under the exclusive control of a
trusted peer) is normal (default) behaviour in Postfix.  What is
"somehow possible" (not default behaviour) is limiting access just to
SASL authenticated users.

The port number and TLS encryption are irrelevant here, all that
matters, is that "restrictions" you configure for the SMTP service
in question.

The stock Postfix master.cf file contains (commented out):

    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

If yours uncommented, but otherwise similar, it may be sufficient to
change:

    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

to:

    -o smtpd_relay_restrictions=$mua_relay_restrictions

and then in main.cf:

    cidr = cidr:${config_directory}/
    mua_relay_restrictions =
        permit_sasl_authenticated,
        check_client_access ${cidr}mua-client.cidr
        reject

and in mua-client.cidr:

    192.0.2.1/32    OK

--
    Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: Allow unauth for some users on port 465

Mark Constable
On 12/2/21 3:14 pm, Viktor Dukhovni wrote:
>> Hi, I have a fairly typical postfix install with port 465 requiring
>> authentication. I'd like to allow one sender (email address or IP) to
>> inject email on port 465 without providing login/password authentication.
>
> The port number and TLS encryption are irrelevant here, all that
> matters, is that "restrictions" you configure for the SMTP service
> in question. [...]

Thank you Viktor. A week of agonizing google searches and testing came down
to something so simple. I actually put all this in main.cf to accept unauth
messages from a nominated remote postfix server...

smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
mua_relay_restrictions = permit_sasl_authenticated
     check_client_access cidr:/etc/postfix/mua-client.cidr reject
smtpd_relay_restrictions = $mua_relay_restrictions

~ cat mua-client.cidr
12.34.56.78/32    OK

And then used this to push messages TO that server which has a reciprocal
setup...

transport_maps = lmdb:/etc/postfix/transport

~ cat transport
remote.domain smtp:[78.56.34.12]:465

The reason for wanting this setup is that I've started using delta.chat
with a few friends and I want to maximize the speed between our mailservers
and also try to minimize the size of the messages to sometimes <1500 bytes.

FWIW disabling DKIM seems to make the biggest difference...

~ grep DontSignMailTo /etc/opendkim.conf
DontSignMailTo          [hidden email], [hidden email]

and why not SPF while we're at it...

~ cat sender_checks (.lmdb)
remote.domain OK

Is there any other magic I could use in this peer-to-peer scenario to reduce
the number of unnecessary headers during transit on a per domain basis?
Reply | Threaded
Open this post in threaded view
|

Re: Allow unauth for some users on port 465

Viktor Dukhovni
On Fri, Feb 12, 2021 at 09:13:58PM +1000, Mark Constable wrote:

> The reason for wanting this setup is that I've started using delta.chat
> with a few friends and I want to maximize the speed between our mailservers
> and also try to minimize the size of the messages to sometimes <1500 bytes.

Message content is sent via TCP as a series of back to back packets, and
so long as the TCP window is wide enough to accomodate the bandwidth*delay
product, there is no reason to try to squeeze the message into a single
IP packet.  Latency is not improved.

> FWIW disabling DKIM seems to make the biggest difference...

Disabling DKIM checks eliminates DNS lookups for the requisite keys.

> and why not SPF while we're at it...

Also eliminates DNS lookups.

> Is there any other magic I could use in this peer-to-peer scenario to reduce
> the number of unnecessary headers during transit on a per domain basis?

Waste of time.  The cost of a few additioanl headers is irrelevant.  Pay
attention to network round-trips, not payload sizes.

--
    Viktor.