Anyone solely using SMTP Auth for outbound mail?


Anyone solely using SMTP Auth for outbound mail?

list@airstreamcomm.net
We are an ISP of about 60,000 customers, and in the past our systems were
set up to allow networks from mynetworks (a large number of IPs) as well as
a lookup table that allows users who have previously popped the server to
relay mail.  We recently added SMTP Auth capability, and are seriously
considering moving solely to SMTP Auth for access to our outbound mail
system.  Our reasoning is that compromised computers on our allowed
networks are free to send all the spam they want and we really don't have a
good way to track what users are sending the spam.  We do have outbound
email filtering, so the spam doesn't leave the network.  Another reason for
wanting to drop mynetworks and pop before smtp is simplification of our
systems.  Keeping up with the IPs in mynetworks is a hassle, and the pop
before smtp seems redundant when you think these customers could be
authenticating with SMTP Auth.  The best feature of SMTP Auth in our
opinion is that it leaves an audit trail of who is sending email, in what
quantity, and where they are connecting from, which allows us to track
spammers more effectively.

To summarize, we think SMTP Auth is the simplest and most useful way to
allow people to send mail through our outbound mail system, and we are
hoping to get some feedback from the community regarding this perspective.

Thanks.


RE: Anyone solely using SMTP Auth for outbound mail?

Gary Smith-20
> To summarize, we think SMTP Auth is the simplest and most useful way to
> allow people to send mail through our outbound mail system, and we are
> hoping to get some feedback from the community regarding this
> perspective.

Yes and no. For 99% of our client base, we use SMTP auth. We have a couple of enterprise-class customers that we relay for that have a very defined IP set, which we use an exception file for (as they have their own user/logins on their side).

I could probably go 100% without any critical impact.

We have/had some software in place that would collect stats on outgoing rates per login and throttle/disable the account if it exceeded a particular limit, which means simply disabling the SMTP AUTH for that single account.

I'd recommend it myself.
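
The audit trail described in the opening post (who is sending, in what quantity, from where) and the per-login statistics Gary mentions can be derived from the Postfix log. The following is an added example, not code from anyone in this thread; the log excerpt is constructed, and the thresholds in `flag()` and the `NO_LOGIN` label are assumptions.

```python
import re
from collections import defaultdict

# Constructed Postfix syslog excerpt (hosts, logins and queue IDs are made up).
SAMPLE_LOG = """\
Jul 18 10:00:01 mx postfix/submission/smtpd[211]: A1B2C3D4E5: client=dsl1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jul 18 10:00:01 mx postfix/qmgr[90]: A1B2C3D4E5: from=<alice@example.com>, size=1820, nrcpt=1 (queue active)
Jul 18 10:05:09 mx postfix/submission/smtpd[212]: B1B2C3D4E5: client=dsl1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jul 18 10:05:09 mx postfix/qmgr[90]: B1B2C3D4E5: from=<alice@example.com>, size=990, nrcpt=2 (queue active)
Jul 18 10:06:00 mx postfix/submission/smtpd[213]: C1B2C3D4E5: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jul 18 10:06:00 mx postfix/qmgr[90]: C1B2C3D4E5: from=<promo@example.org>, size=5120, nrcpt=40 (queue active)
Jul 18 10:06:30 mx postfix/submission/smtpd[214]: D1B2C3D4E5: client=unknown[198.51.100.99], sasl_method=LOGIN, sasl_username=bob@example.com
Jul 18 10:06:30 mx postfix/qmgr[90]: D1B2C3D4E5: from=<promo@example.org>, size=5120, nrcpt=50 (queue active)
Jul 18 10:07:12 mx postfix/smtpd[215]: E1B2C3D4E5: client=cpe9.example.net[203.0.113.5]
Jul 18 10:07:12 mx postfix/qmgr[90]: E1B2C3D4E5: from=<x@example.org>, size=4000, nrcpt=30 (queue active)
"""

# smtpd logs "QUEUEID: client=host[ip]" plus sasl_username=... when AUTH was used.
CLIENT_RE = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: ([0-9A-F]+): client=\S*\[([^\]]+)\](.*)")
SASL_RE = re.compile(r"sasl_username=([^,\s]+)")
# qmgr logs the recipient count when the message enters the active queue.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<[^>]*>.*nrcpt=(\d+)")
NO_LOGIN = "(no login)"  # mail relayed without AUTH, e.g. via mynetworks


def summarize(log_text):
    """Return {login: {"messages", "recipients", "ips"}} for accepted mail."""
    owner = {}  # queue ID -> login that submitted it
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "ips": set()})
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, ip, rest = m.groups()
            sasl = SASL_RE.search(rest)
            login = sasl.group(1) if sasl else NO_LOGIN
            owner[qid] = login
            stats[login]["ips"].add(ip)
            continue
        m = QMGR_RE.search(line)
        if m and m.group(1) in owner:
            # pop() so a deferred message re-entering the queue counts once
            entry = stats[owner.pop(m.group(1))]
            entry["messages"] += 1
            entry["recipients"] += int(m.group(2))
    return dict(stats)


def flag(stats, max_recipients=50, max_ips=3):
    """Logins whose recipient volume or source-IP spread exceeds the limits."""
    return sorted(login for login, s in stats.items()
                  if login != NO_LOGIN and
                  (s["recipients"] > max_recipients or len(s["ips"]) > max_ips))


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for login, s in sorted(report.items()):
        print(login, s["messages"], s["recipients"], sorted(s["ips"]))
    print("over limit:", flag(report))
```

Mail that arrived without AUTH lands in the `NO_LOGIN` bucket with only an IP address attached, which is the tracking gap the opening post describes for mynetworks relaying.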

Re: Anyone solely using SMTP Auth for outbound mail?

Stan Hoeppner
In reply to this post by list@airstreamcomm.net
On 7/15/2011 3:15 PM, [hidden email] wrote:

> To summarize, we think SMTP Auth is the simplest and most useful way to
> allow people to send mail through our outbound mail system, and we are
> hoping to get some feedback from the community regarding this perspective.

If I understand your architecture correctly, doing this won't stop
bot-infected PCs from sending spam, as that is almost always direct to MX.
Preventing customers, at the router/firewall(s), from making direct
outbound connections to remote TCP 25, and forcing them to relay through
your auth server, is what stops the bot spam.

For customers intentionally sending spam, whether newbies spamming from
Outlook Express or customers with full-up snowshoe servers, forcing SMTP
AUTH may prove advantageous, for the reasons you stated.

--
Stan

Re: Anyone solely using SMTP Auth for outbound mail?

mouss-4
In reply to this post by list@airstreamcomm.net
On 15/07/2011 22:15, [hidden email] wrote:

> We are an ISP of about 60,000 customers, and in the past our systems were
> setup to allow networks from mynetworks (a large number of IPs) as well as
> a lookup table that allows users who have previously popped the server to
> relay mail.  We recently added SMTP Auth capability, and are seriously
> considering moving solely to SMTP Auth for access to our outbound mail
> system.  Our reasoning is that compromised computers on our allowed
> networks are free to send all the spam they want and we really don't have a
> good way to track what users are sending the spam.  We do have outbound
> email filtering, so the spam doesn't leave the network.  Another reason for
> wanting to drop mynetworks and pop before smtp is simplification of our
> systems.  Keeping up with the IPs in mynetworks is a hassle, and the pop
> before smtp seems redundant when you think these customers could be
> authenticating with SMTP Auth.  The best feature of SMTP Auth in our
> opinion is that it leaves an audit trail of who is sending email, in what
> quantity, and where they are connecting from, which allows us to track
> spammers more effectively.
>
> To summarize, we think SMTP Auth is the simplest and most useful way to
> allow people to send mail through our outbound mail system, and we are
> hoping to get some feedback from the community regarding this perspective.
>

The big issue here isn't technical. it's about the cost of support when
your customers call you because their old setup doesn't work anymore.

I'd recommend taking a smooth path:

- document your "future" setup, so that people can share it. after some
time, "everybody" will know about it. this should reduce your support
costs.
- make it easy for people to use the "future" setup. write clear
documentation, help pages, ... etc (actually, this is one thing that we
should all work on, because it is "common").
- enforce the new setup for new customers
- for other customers, send an email asking em to visit a link that
explains the "new" setup. give'em an incentive to accept the new behaviour.

back to tech stuff:

it would be good to move to port 587 (submission) with TLS and SASL. to
be nice with people using oldware, smtps should be supported as well.

Re: Anyone solely using SMTP Auth for outbound mail?

Микаел Бак
In reply to this post by list@airstreamcomm.net
[hidden email] wrote:
>
> To summarize, we think SMTP Auth is the simplest and most useful way to
> allow people to send mail through our outbound mail system, and we are
> hoping to get some feedback from the community regarding this perspective.
>

Hi,
I think it's a good idea. Additionally I suggest you enforce the traffic
off port 25 and use the dedicated submission (586) for SMTP Auth and
STARTTLS. Some older SMTP clients will not support STARTTLS properly.
For them you can offer the same functionality on SMTPS (465) SSL/TLS.

This way you'll have incoming SMTP traffic on port 25 and all outgoing
on other, dedicated ports. Having separated them it is easier to
implement different restrictions for incoming and outgoing traffic
respectively.

HTH,
Mikael

Re: Anyone solely using SMTP Auth for outbound mail?

graylion

 seconded, only that submission is 587 ;)


----------------original message-----------------
From: "Бак Микаел" [hidden email]
To: "Postfix users"
Date: Mon, 18 Jul 2011 12:59:05 +0200
-------------------------------------------------


> [hidden email] wrote:
>>
>> To summarize, we think SMTP Auth is the simplest and most useful way to
>> allow people to send mail through our outbound mail system, and we are
>> hoping to get some feedback from the community regarding this perspective.
>>
>
> Hi,
> I think it's a good idea. Additionally I suggest you enforce the traffic
> off port 25 and use the dedicated submission (586) for SMTP Auth and
> STARTTLS. Some older SMTP clients will not support STARTTLS properly.
> For them you can offer the same functionality on SMTPS (465) SSL/TLS.
>
> This way you'll have incoming SMTP traffic on port 25 and all outgoing
> on other, dedicated ports. Having separated them it is easier to
> implement different restrictions for incoming and outgoing traffic
> respectively.
>
> HTH,
> Mikael
>

--
-------------
Bernhard Rohrer Consulting
529 Howth Road
Dublin 5, Ireland

+353 87 7907 134


Re: Anyone solely using SMTP Auth for outbound mail?

Curtis Maurand

We use combination of POP/IMAP before SMTP or SMTP auth.

--C

Bernhard Rohrer wrote:
>
> seconded, only that submission is 587 ;)
>
>
> ----------------original message-----------------
> From: "Бак Микаел" [hidden email]
> To: "Postfix users"
> Date: Mon, 18 Jul 2011 12:59:05 +0200
> -------------------------------------------------
>
>
>> [hidden email] wrote:
>>>
>>> To summarize, we think SMTP Auth is the simplest and most useful way to
>>> allow people to send mail through our outbound mail system, and we are
>>> hoping to get some feedback from the community regarding this
>>> perspective.
>>>
>>
>> Hi,
>> I think it's a good idea. Additionally I suggest you enforce the traffic
>> off port 25 and use the dedicated submission (586) for SMTP Auth and
>> STARTTLS. Some older SMTP clients will not support STARTTLS properly.
>> For them you can offer the same functionality on SMTPS (465) SSL/TLS.
>>
>> This way you'll have incoming SMTP traffic on port 25 and all outgoing
>> on other, dedicated ports. Having separated them it is easier to
>> implement different restrictions for incoming and outgoing traffic
>> respectively.
>>
>> HTH,
>> Mikael
>>
>
> --
> -------------
> Bernhard Rohrer Consulting
> 529 Howth Road
> Dublin 5, Ireland
>
> +353 87 7907 134
>
>

Re: Anyone solely using SMTP Auth for outbound mail?

/dev/rob0
On Mon, Jul 18, 2011 at 09:20:12AM -0400, Curtis Maurand wrote:
> We use combination of POP/IMAP before SMTP or SMTP auth.

Since this thread was about best practices, let's not sully it with
dirty kludges. :) POP/IMAP-before-SMTP was an ugly workaround at
best. It's not always going to work with mail clients; there is no
standard for them to implement. It's also potentially weak and
exploitable.

SASL AUTH works. It's a real standard, so clients receive inband
feedback on whether or not they can relay. It can be secured. I can
understand not tearing down a working POP/IMAP-before-SMTP system,
but definitely do not recommend that any new site should implement
that kludge. Let it go away!
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: Anyone solely using SMTP Auth for outbound mail?

Søren Schrøder-2
I'm doing a 1.5M accounts setup with smtp-auth (submission tcp/587 using postfix with dovecot-auth) and a plain smtp/25 for an allowed range of IP's for our fixed IP customers

The backend is openldap/postfix/dovecot


--
Søren Schrøder.
Obey Gravity - It's the law !

Re: Anyone solely using SMTP Auth for outbound mail?

mouss-4
On 18/07/2011 19:40, Søren Schrøder wrote:
> I'm doing a 1.5M accounts setup with smtp-auth (submission tcp/587 using
> postfix with dovecot-auth) and a plain smtp/25 for an allowed range of IP's
> for our fixed IP customers
>
> The backend is openldap/postfix/dovecot
>
>

are you a (relatively) large ISP? if so, how did you move to the
submission part? I am not asking about the tech part, but about the
customer relationship part. your experience may be helpful to others.



Re: Anyone solely using SMTP Auth for outbound mail?

Michael Orlitzky-2
On 07/18/2011 06:35 PM, mouss wrote:

> On 18/07/2011 19:40, Søren Schrøder wrote:
>> I'm doing a 1.5M accounts setup with smtp-auth (submission tcp/587 using
>> postfix with dovecot-auth) and a plain smtp/25 for an allowed range of IP's
>> for our fixed IP customers
>>
>> The backend is openldap/postfix/dovecot
>>
>>
>
> are you a (relatively) large ISP? if so, how did you move to the
> submission part? I am not asking about the tech part, but about the
> customer relationship part. your experience may be helpful to others.
>

Whenever you get a support call, mention that you have a new, faster,
server with more space and you're willing to upgrade them for free; all
they'll have to do is change a few settings.

Re: Anyone solely using SMTP Auth for outbound mail?

Микаел Бак
In reply to this post by graylion
Bernhard Rohrer wrote:
>  
>  seconded, only that submission is 587 ;)
>

Yes, of course! Stupid me :-)

Re: Anyone solely using SMTP Auth for outbound mail?

Peter Tselios
In reply to this post by Michael Orlitzky-2
Well, since I plan to move into the Postfix wagon, from scratch, I want to learn more about the 587 port submission and the blockage of port 25 for that. What are the best practices on the matter? Are there any documents on that? Soren how do you implement it?
P.


From: Michael Orlitzky <[hidden email]>
To: [hidden email]
Sent: 5:19 AM Tuesday, 19 July 2011
Subject: Re: Anyone solely using SMTP Auth for outbound mail?

On 07/18/2011 06:35 PM, mouss wrote:

> On 18/07/2011 19:40, Søren Schrøder wrote:
>> I'm doing a 1.5M accounts setup with smtp-auth (submission tcp/587 using
>> postfix with dovecot-auth) and a plain smtp/25 for an allowed range of IP's
>> for our fixed IP customers
>>
>> The backend is openldap/postfix/dovecot
>>
>>
>
> are you a (relatively) large ISP? if so, how did you move to the
> submission part? I am not asking about the tech part, but about the
> customer relationship part. your experience may be helpful to others.
>

Whenever you get a support call, mention that you have a new, faster,
server with more space and you're willing to upgrade them for free; all
they'll have to do is change a few settings.



Re: Re: Anyone solely using SMTP Auth for outbound mail?

Jeroen Geilman
On 2011-07-20 22:15, Peter Tselios wrote:
> Well, since I plan to move into the Postfix wagon, from scratch, I want to learn more about the 587 port submission and the blockage of port 25 for that. What are the best practices on the matter? Are there any documents on that? Soren how do you implement it?

See http://www.postfix.org/SASL_README.html#server_sasl to start with.
Also look at http://www.postfix.org/TLS_README.html#server_tls_auth because this seems to cause issues for many people when first setting up SASL.

As for submission, the stock master.cf has a commented-out example that works as is.
Blocking port 25 for submission is a different matter, but you can enforce (some of) it by adding reject_sender_login_mismatch to your smtpd_recipient_restrictions, BEFORE permit_mynetworks.
This does two things:
    1. it only allows SASL submission with the usernames and sender addresses specifically configured in smtpd_sender_login_maps, and
    2. it specifically *prohibits* submission with any of these usernames or sender addresses from UNauthenticated connections.

For reference:
        http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
        http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

This way, you can make it impossible for (local network) submissions over unauthenticated connections to use your configured local domain sender addresses (and you should reject any addresses not so configured, in any case).

Of course, if this is the only MTA for your local domain(s), and you're willing to enforce SASL on all your users, you can simply REJECT all senders in your local domain(s) on port 25.
However, that is an extreme measure and may run into issues with things like mailing lists etc.

-- 
J.

Re: Re: Anyone solely using SMTP Auth for outbound mail?

mouss-4
In reply to this post by Peter Tselios
On 20/07/2011 22:15, Peter Tselios wrote:
> Well, since I plan to move into the Postfix wagon, from scratch, I want to learn more about the 587 port submission and the blockage of port 25 for that. What are the best practices on the matter? Are there any documents on that? Soren how do you implement it?
> P.
>


The new standard recommends using port 587 (now called "submission") for
mail submission, instead of overloading port 25.

it is recommended that submission access requires authentication. thus
sasl (well, ip based auth is acceptable for some time if you can
guarantee that it's ok).

now, given the auth mechanisms that are supported by MUAs, the one that
works is PLAIN. in which case, TLS is recommended.
Reply | Threaded
Open this post in threaded view
|

Re: Re: Anyone solely using SMTP Auth for outbound mail?

Ansgar Wiechers
On 2011-07-22 mouss wrote:

> On 20/07/2011 22:15, Peter Tselios wrote:
>> Well, since I plan to move into the Postfix wagon, from scratch, I
>> want to learn more about the 587 port submission and the blockage of
>> port 25 for that. What are the best practices on the matter? Are
>> there any documents on that? Soren how do you implement it?
>
> The new standard recommends using port 587 (now called "submission")
> for mail submission, instead of overloading port 25.
>
> it is recommended that submission access requires authentication.

Authentication is mandatory for mail submission, according to RFC4409.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

blocked mail

Sasa-8
In reply to this post by /dev/rob0
Hello,
for a few days a lot of mail has been passing through my mail server where the
sender does not belong to any of my domains and the recipient also does not
belong to any of my domains.
This behavior is strange because I use SMTP authentication for sending email;
the logs for this mail are below:

http://pastebin.com/SDpVzMVx
http://pastebin.com/sUPdSFuH

My postfix configuration is:

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mydomain.com
myhostname = mail.mydomain.com
myorigin = $myhostname
relay_domains = $mydestination
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/client_whitelist,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client zen.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access

..how can I stop the transit of such mail?
Can I also set a limit on the number of emails that a user can send in 1
hour?
Thanks.


-
 Salvatore.





Re: blocked mail

/dev/rob0
Meta-issues first:
1. You hijacked an old thread here, posting about an unrelated
   matter. Bad form. Please open a NEW message in your MUA when you
   want to start a new thread.
2. The logs should be posted inline with your message, not as
   pastebin links.
3. See http://www.postfix.org/DEBUG_README.html#mail for list
   guidelines. This information was also provided in your list
   welcome message.

On Wed, Jul 27, 2011 at 12:02:48PM +0200, Salvatore wrote:
> on my mail server a few days pass through a lot of mails where the
> sender does not belong to any my domain and also the recipient does
> not belong to any of my domains.
> This behavior is strange because I use for send email the SMTP
> authentication, below log about mail:
>
> http://pastebin.com/SDpVzMVx
> http://pastebin.com/sUPdSFuH

These logs are useless. You need to show where the suspected spam
messages *arrived* -- you did not. "grep 5F8B52D8040" was not
adequate. It seems that 5F8B52D8040 was a post-filter reinjection.
Where did the pre-filter message 7AF7C26ADA0 come from?

Use a pager (like less(1)) and its search feature, not grep(1).

> My postfix configuration is:
>
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> mydomain = mydomain.com
> myhostname = mail.mydomain.com

Example.com (and .TLD for all gTLDs and many ccTLDs) exists for use
in examples. Do not use a real Internet name unless it is yours.

> myorigin = $myhostname
> relay_domains = $mydestination

This should be unset unless you are using relay_domains.
"relay_domains ="

> smtpd_recipient_restrictions = permit_sasl_authenticated,
> reject_unauth_destination, check_client_access
> hash:/etc/postfix/client_whitelist, reject_rbl_client
> bl.spamcop.net, reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rbl_client zen.spamhaus.org
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access

This does not look like complete "postconf -n", since the logs
indicated a probable content filter in place.

> ..how can I stop the transit of such mail ?

We can't answer that until you show us how it arrived.

> I can also set a limit to the number of emails that a user can send
> in 1 hour ?

Again, that depends. Another poster today is wanting to limit use of
sendmail(1) submission. If your users are submitting via SMTP, you
can choose among several external policy services which can do
throttling per sender. I believe postfwd and policyd each have this
feature.

If as I suspect, your system has malware or other such intrusion, a
policy service will not stop these. The most common successful attack
vectors are by means of bugs in poorly-coded PHP webware, or by brute
force SSH attack bots.
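
Added example (not from this thread, and not the code of postfwd or policyd): a per-login hourly limiter that speaks the Postfix policy delegation protocol and counts recipients per sasl_username. The limit of 200, the listen address 127.0.0.1:10040 and the class and function names are assumptions.

```python
import socketserver
import threading
import time
from collections import defaultdict, deque

LIMIT = 200      # recipients per login per window (assumed value)
WINDOW = 3600    # seconds: the "1 hour" asked about above


class HourlyLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)   # login -> times of RCPTs let through
        self.lock = threading.Lock()

    def decide(self, attrs, now=None):
        """Return an access(5) action for one policy request."""
        now = time.time() if now is None else now
        login = attrs.get("sasl_username", "")
        if attrs.get("protocol_state") != "RCPT" or not login:
            return "DUNNO"               # not an authenticated RCPT: no opinion
        with self.lock:
            stamps = self.seen[login]
            while stamps and stamps[0] <= now - self.window:
                stamps.popleft()         # forget recipients outside the window
            if len(stamps) >= self.limit:
                return "DEFER_IF_PERMIT Hourly sending limit reached for this login"
            stamps.append(now)
        return "DUNNO"


def parse_request(text):
    """Parse one name=value block of the policy delegation protocol."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {name: value for name, value in pairs}


LIMITER = HourlyLimiter()


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        block = []
        for raw in self.rfile:           # smtpd reuses one connection
            line = raw.decode("utf-8", "replace").rstrip("\n")
            if line:
                block.append(line)
                continue
            # An empty line ends the request; reply with action=... and an empty line.
            action = LIMITER.decide(parse_request("\n".join(block)))
            self.wfile.write(f"action={action}\n\n".encode())
            block = []


if __name__ == "__main__":
    # Assumed wiring: "check_policy_service inet:127.0.0.1:10040" in
    # smtpd_recipient_restrictions, listed BEFORE permit_sasl_authenticated,
    # otherwise authenticated mail is permitted before this check is reached.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

As the reply above notes, this only meters mail submitted over SMTP with a login; mail injected locally by a compromised web application never reaches the policy service.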