Can postfix send encrypted but not authenticated emails ?


Can postfix send encrypted but not authenticated emails ?

Fazzina, Angelo

Hi, I have been reading the online docs for TLS_README.html and SASL_README.html but still having trouble deducing if I can get Postfix 2.6 to accept email over port 587 without giving Postfix a username and password?

My current understanding of how my server deals with mail is: traffic on port 25 with no username and password needed is only allowed from on-campus, and traffic on ports 465 and 587 is allowed when you provide a username and password, and Postfix encrypts the email.

I would like to change it so Postfix will accept email without a username and password, specifically from Office 365, and with encryption [TLS].

I would add that I am not looking to change the current config, but just add this new ability.

Is it as simple as adding smtpd_tls_security_level = may into main.cf?

I also heard Postfix can use maybe Kerberos tickets or certs and keys to allow Office 365 emails to be accepted by my Postfix server; anyone know where in the docs that is? [BTW our MX goes to O365 and forwards mail it can not deliver to our Postfix server]

Example: email to [hidden email] goes to O365 and then O365 will forward to smtp.uconn.edu [which relays back to O365] due to my mailbox being [hidden email]. If you send directly to [hidden email] O365 delivers to mailbox without having to forward the email.

Thank you for any guidance you guys have.

My postconf -n is below

[root@uconnMTA5 postfix]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 60s
anvil_status_update_time = 600s
append_dot_mydomain = no
biff = no
canonical_maps = regexp:/etc/postfix/maps/voip
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_list = 137.99.26.249
fast_flush_domains = $relay_domains, uits.uconn.edu, gapps.uconn.edu
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 31457280
mydestination = uconnsmtp.cloudapp.net uconnmta5.cloudapp.net, localhost.uits.uconn.edu, localhost, invalid.uconn.edu
myhostname = uconnmta5.cloudapp.net
mynetworks = /etc/postfix/files/mynetwork
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 500
smtpd_client_connection_rate_limit = 500
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_client_message_rate_limit = 500
smtpd_client_new_tls_session_rate_limit = 500
smtpd_client_recipient_rate_limit = 500
smtpd_client_restrictions = check_client_access hash:/etc/postfix/maps/block_ip, permit
smtpd_hard_error_limit = 100
smtpd_junk_command_limit = 3000
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_CAfile = /etc/pki/tls/certs/smtp_uconn_edu_2017_interm_root.cer
smtpd_tls_cert_file = /etc/pki/tls/certs/smtp_uconn_edu_x509_cert.cer
smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
smtpd_tls_key_file = /etc/pki/tls/private/smtp_uconn_key.key
smtpd_tls_mandatory_protocols = !SSLv3, !SSLv2
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/maps/transport
virtual_alias_domains = access.ced.uconn.edu appmail.uconn.edu eri.uconn.edu finearts.sfa.uconn.edu law.uconn.edu math.uconn.edu ropercenter.uconn.edu studentorgs.uconn.edu students.law.uconn.edu testexchange.uconn.edu uconn.edu huskymail.uconn.edu spamtest.uconn.edu lib.uconn.edu
virtual_alias_maps = hash:/etc/postfix/virtual mysql:/etc/postfix/files/mysql_pn.cf  regexp:/etc/postfix/maps/huskygroups regexp:/etc/postfix/maps/subaddressing

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut, ITS, SSG, Server Systems
860-486-9075


Re: Can postfix send encrypted but not authenticated emails ?

Viktor Dukhovni


> On Jun 28, 2018, at 12:41 PM, Fazzina, Angelo <[hidden email]> wrote:
>
> Hi, I have been reading the online docs for  TLS_README.html and SASL_README.html but still having trouble deducing if I can get Postfix 2.6 to accept email over port 587 without giving Postfix a username and password?

The submission service on ports 587 and 465 is for sending email outbound,
possibly to remote domains, from the end-user's MUA.  While some MTAs on
laptops and SOHO environments send outbound mail via their provider's
submission service, they're essentially just proxies for the user's MUA,
and the mail is still on the "outbound" leg of its journey.
So 587 and 465 are not MTA-to-MTA relay services.

Outbound email requires authentication, due to the potential of open-relay
abuse by spammers.

> I would like to change it so postfix will accept email without a username and password, specifically from Office 365, and with encryption [TLS].

If the email is addressed to your domain (inbound email), Postfix will accept
it from all senders, without SASL authentication.

  http://www.postfix.org/BASIC_CONFIGURATION_README.html#mydestination
  http://www.postfix.org/VIRTUAL_README.html#canonical

> I would add that I am not looking to change the current config, but just add this new ability.
>  
> Is it as simple as adding
>
>                   smtpd_tls_security_level = may
>
> into main.cf ?

To enable inbound opportunistic TLS you'll need that and a suitable
(self-signed is sufficient) certificate, if you already have one for
port 587, you can use that one.

        http://www.postfix.org/TLS_README.html#quick-start
 
> I also heard Postfix can use maybe Kerberos tickets

Cross-organizational Kerberos is not common.  And not needed in your
use case of relaying between MTAs.  Kerberos can be used as a SASL
mechanism on port 587 between the MUA and the submission service.
This message's first hop is GSSAPI (specifically Kerberos) authenticated.
 
> Example :  email to [hidden email] goes to O365 and then O365 will forward to smtp.uconn.edu [which relays back to O365] due to my mailbox being [hidden email] . If you send directly to [hidden email] O365 delivers to mailbox without having to forward the email.

This is multi-hop relaying on the inbound phase of message delivery, and
requires nothing fancy, just some address rewriting and routing.

--
        Viktor.
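An added example, not part of Viktor's reply, showing the split he describes in Postfix 2.6 configuration: port 25 gets opportunistic TLS and accepts mail for the server's own domains from any client (reject_unauth_destination only refuses mail for domains the server is not responsible for, so SASL never enters into it), while submission on 587 and 465 keeps mandatory TLS plus SASL. The certificate paths and smtpd_recipient_restrictions are the poster's own from the postconf -n output above; the master.cf entries are assumed, since the thread does not show that file. Postfix main.cf and master.cf do not allow trailing comments on a value line, so every comment here is on its own line.

```conf
# ---- main.cf (added example; paths copied from the postconf -n above) ----
# Opportunistic TLS on the inbound MTA port: advertise STARTTLS, use it when
# the sending MTA asks for it, never require it.  This is the explicit form
# of the obsolete "smtpd_use_tls = yes" already present in the config.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/smtp_uconn_edu_x509_cert.cer
smtpd_tls_key_file = /etc/pki/tls/private/smtp_uconn_key.key
smtpd_tls_CAfile = /etc/pki/tls/certs/smtp_uconn_edu_2017_interm_root.cer
# Record the TLS protocol and cipher in the Received: header and log one line
# per handshake, so deliveries from O365 can be seen to arrive encrypted.
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
# Unchanged from the poster's config: mail for $mydestination and
# $virtual_alias_domains is accepted from anyone; only relaying to other
# domains needs a mynetworks client or a SASL login.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/maps/block_to,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# ---- master.cf (assumed; the thread does not show this file) ----
# service    type  private unpriv  chroot  wakeup  maxproc command + args
# Port 25 inherits main.cf: TLS "may", no SASL.
smtp         inet  n       -       n       -       -       smtpd
# Submission keeps the existing behaviour: TLS required, SASL required,
# and only authenticated clients may use the service at all.
submission   inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps        inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After "postfix reload", confirm the result with "openssl s_client -starttls smtp -connect uconnmta5.cloudapp.net:25" or by looking for 250-STARTTLS in the EHLO reply, and compare "postconf smtpd_tls_security_level smtpd_use_tls" between hosts. Do not use "encrypt" on port 25: RFC 3207 says a publicly referenced SMTP server must not require STARTTLS to deliver mail locally, and senders without TLS would be refused. Note also that "may" gives encryption without authentication in the certificate sense: Postfix presents its certificate, but neither side is required to verify the other's, which is exactly the "encrypted but not authenticated" the subject line asks about.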


RE: Can postfix send encrypted but not authenticated emails ?

Fazzina, Angelo
Hi, thank you Viktor.

I was able to replicate the error [ a deferral] from O365

450 4.4.317 cannot connect to remote server message= 451 5.7.3 STARTTLS is required to send mail

My server 137.99.25.233 on port 25 is not accepting the mail.

I can not control what O365 does, they send on port 25, and I can't find my settings that are blocking it?

Even stranger my identical servers in Azure will accept the mail ?  just trying to understand the differences to ID the problem.

Confused why this works :
[root@mta2 postfix]# telnet azuresmtp.uconn.edu 25
Trying 104.45.142.253...
Connected to azuresmtp.uconn.edu.
Escape character is '^]'.
220 uconnmta6.cloudapp.net ESMTP Postfix (Debian/GNU)
ehlo uconn.edu
250-uconnmta6.cloudapp.net
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye

And why this does not ?
[root@uconnMTA5 postfix]# telnet 137.99.25.233 25
Trying 137.99.25.233...
telnet: connect to address 137.99.25.233: Connection timed out


Am I on the right track noticing there is no 250-STARTTLS ?
[root@mta2 postfix]# telnet 137.99.25.233 25
Trying 137.99.25.233...
Connected to 137.99.25.233.
Escape character is '^]'.
220 mta3.uits.uconn.edu ESMTP Postfix (Debian/GNU)
ehlo uconn.edu
250-mta3.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.



-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

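An added example, not code from the thread: a small checker that parses an EHLO reply and reports whether STARTTLS is advertised, run against the two transcripts above (the azuresmtp one that works and the mta3 one that Office 365 deferred with "451 5.7.3 STARTTLS is required"). The two replies are constructed from those transcripts with CRLF line endings as they would appear on the wire; the live probe at the end uses the standard library's smtplib and sends a made-up EHLO name.

```python
"""Check whether an SMTP server's EHLO reply advertises STARTTLS.

Added example, not code from the thread.  WORKING_REPLY and BROKEN_REPLY are
constructed from the two telnet dialogues posted above (azuresmtp = works,
mta3 = the one Office 365 deferred); CRLF line endings are assumed.
"""
import smtplib
from typing import Dict, List, Optional

WORKING_REPLY = (
    "250-uconnmta6.cloudapp.net\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 31457280\r\n"
    "250-VRFY\r\n"
    "250-ETRN\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)

BROKEN_REPLY = (
    "250-mta3.uits.uconn.edu\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 31457280\r\n"
    "250-VRFY\r\n"
    "250-ETRN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Parse a multi-line 250 EHLO reply (RFC 5321, section 4.1.1.1).

    Returns {KEYWORD: [params]} with keywords upper-cased, for example
    {'SIZE': ['31457280'], 'STARTTLS': []}.  The server's greeting domain on
    the first line is stored under the empty key.  Continuation lines use
    '250-' and the final line must use '250 '; anything else raises.
    """
    lines = [ln.rstrip("\r") for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty reply")
    caps: Dict[str, List[str]] = {}
    for i, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("not a 250 EHLO line: %r" % line)
        last = line[3] == " "
        if last and i != len(lines) - 1:
            raise ValueError("'250 ' terminator before end of reply")
        if not last and i == len(lines) - 1:
            raise ValueError("reply ends with a continuation line")
        words = line[4:].split()
        if i == 0:
            caps[""] = words
        elif words:
            caps[words[0].upper()] = words[1:]
    return caps


def advertises_starttls(reply: str) -> bool:
    """True when the EHLO reply lists the STARTTLS extension (RFC 3207)."""
    return "STARTTLS" in parse_ehlo(reply)


def live_starttls_check(host: str, port: int = 25,
                        timeout: float = 10.0) -> Optional[bool]:
    """Probe a real MTA over the network.

    Returns True/False for the STARTTLS capability, or None when the TCP
    connection or the SMTP dialogue fails (the 'Connection timed out' case
    shown above).  Requires network access; not exercised offline.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as conn:
            conn.ehlo("probe.example")  # hypothetical EHLO name
            return conn.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return None


if __name__ == "__main__":
    for name, reply in (("azuresmtp.uconn.edu", WORKING_REPLY),
                        ("137.99.25.233 (mta3)", BROKEN_REPLY)):
        print("%-22s STARTTLS advertised: %s"
              % (name, advertises_starttls(reply)))
```

On the Postfix side, 250-STARTTLS disappears from the EHLO reply when the effective smtpd TLS level is none (smtpd_tls_security_level = none, or left empty with smtpd_use_tls = no), when master.cf overrides the level for that port with -o, or when the key or certificate cannot be loaded at startup, which Postfix logs as a warning. Comparing "postconf smtpd_tls_security_level smtpd_use_tls" and the master.cf smtp entry on the working and failing hosts is the quickest way to find which of those applies.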


Re: Can postfix send encrypted but not authenticated emails ?

Matus UHLAR - fantomas
In reply to this post by Fazzina, Angelo
On 28.06.18 16:41, Fazzina, Angelo wrote:
> Hi, I have been reading the online docs for  TLS_README.html and
> SASL_README.html but still having trouble deducing if I can get Postfix
> 2.6 to accept email over port 587 without giving Postfix a username and
> password ?

you can, but better don't do that. spammers WILL abuse it.

> My current understanding of how my server deals with mail is traffic on
> port 25 with no username and password needed is only allowed from
> on-campus

apparently because your server accepts mail from your campus' IP addresses without
authentication. Quite common for backwards compatibility.

>, and traffic on ports 465 and 587 is allowed when you provide a
> username and password,

authentication on ports 465 and 587 is usually required to avoid spam
sending through those ports.

> and postfix encrypts the email.

postfix does not encrypt mail, but connection to 465 and 587 usually must be
encrypted, as long as authenticated with user and password.

>I would like to change it so postfix will accept email without a username
> and password, specifically from Office 365, and with encryption [TLS].

why?

> Example :  email to [hidden email] goes to O365 and then O365 will
> forward to smtp.uconn.edu [which relays back to O365] due to my mailbox
> being [hidden email] .  If you send directly to
> [hidden email] O365 delivers to mailbox without having to
> forward the email.

what is the point of this design/setup?
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*

RE: Can postfix send encrypted but not authenticated emails ?

Fazzina, Angelo
Hi, the issue may be resolved, but thanks for the reply.
In answer to your questions:

The firewall is what allows the traffic on port 25 to even make it to the server, so our policy is tight enough to only allow who we want.

As far as design, O365 can only handle one email address per person, and we offer up to 5 aliases per person stored in a DB.
The design change we made was pointing our MX to O365 and not our spam filter appliances, but had to make sure all existing mail flow continued to work.

As far as why, it was the simplest solution among the options O365 allows.
As I mentioned already I think, the solution was adding the 250-STARTTLS to the "ehlo" command and then O365 was happy.

Thank you.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075
