Disabling user submission on port 25


Disabling user submission on port 25

@lbutlr
OK, now that port 587 is working, I would like to disable user submission via port 25. Not right now, but in a bit once people have a chance to change their settings.

What do I do to prevent users sending via port 25?

--
>>Trying?
>if you quote yoda, i swear upon everything holy that i will book a  flight to
>okinawa to kick your ass.


Re: Disabling user submission on port 25

Noel Jones-2
On 8/26/2013 7:49 PM, LuKreme wrote:
> OK, now that port 587 is working, I would like to disable user submission via port 25. Not right now, but in a bit once people have a chance to change their settings.
>
> What do I do to prevent users sending via port 25?
>


Super easy...

# main.cf
smtpd_sasl_auth_enable = no

Your master.cf submission entry probably already includes
  -o smtpd_sasl_auth_enable=yes

If not, go ahead and add it to submission now so things don't break
unexpectedly later.

This won't prevent users from sending local mail to port 25, but
they won't be able to authenticate and won't be able to relay. This
usually isn't considered a problem, and changing it often causes
other issues.


  -- Noel Jones

Re: Disabling user submission on port 25

John Allen


On 26/08/2013 9:00 PM, Noel Jones wrote:

> Super easy...
>
> # main.cf
> smtpd_sasl_auth_enable = no
> [...]
>
I based it on something that Noel Jones wrote way back in 2008.

Create a file of the networks you wish to deny access to, e.g.
“Deny_Mynetworks_Access”, the content of which will be the same networks
as those found in the mynetworks parameter of the main.cf file, for example:

192.168.0.0/16             REJECT local access not permitted
n.n.n.n/28                     REJECT local access not permitted
[nnnn:nnnn:nnnn::]/64 REJECT local access not permitted


Remove the permit_mynetworks from all the various
smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by
adding
    -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
to the smtp service, and add
    -o smtpd_client_restrictions=permit_mynetworks,.....
to the submission service.

This should deny access to the smtp port (25) from the local networks
while allowing access to the submission port (587).


Re: Disabling user submission on port 25

@lbutlr
In reply to this post by Noel Jones-2

On 26 Aug 2013, at 19:00 , Noel Jones <[hidden email]> wrote:

> # main.cf
> smtpd_sasl_auth_enable = no

Oh, right, of course.

(I also needed to remove my fixed IP at home from my networks, which is why I was still able to send out via my machine).

--
NOBODY LIKES SUNBURN SLAPPERS Bart chalkboard Ep. 7F23


Re: Disabling user submission on port 25

@lbutlr
In reply to this post by John Allen

On 26 Aug 2013, at 21:24 , John Allen <[hidden email]> wrote:

> remove the permit_mynetworks from all the various smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by adding
>   -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
> to the smtp service, and add
>   -o smtpd_client_restrictions=permit_mynetworks,.....
> to the submission service.
>
> This should deny access to the smtp port (25) from the local networks while allowing access to the submission port (587).

That seems like a bit much. I allow the web-server (which hosts the webmail) in mynetworks, since users mailing from there are already authenticated. I can see there are situations where it would be a good idea.

--
"If I were willing to change my morals for convenience or financial
gain, we wouldn't be arguing, because I'd already *be* a Republican."
-- Wil Shipley


Re: Disabling user submission on port 25

Stan Hoeppner
In reply to this post by John Allen
On 8/26/2013 10:24 PM, John Allen wrote:

> I based it on something that Noel Jones wrote way back in 2008.

I doubt that Noel suggested anything like this.

> Create a file of the networks you wish to deny access to, e.g.
> “Deny_Mynetworks_Access”, the content of which will be the same networks
> as those found in the mynetworks parameter of the main.cf file, for example:
>
> 192.168.0.0/16             REJECT local access not permitted
> n.n.n.n/28                     REJECT local access not permitted
> [nnnn:nnnn:nnnn::]/64 REJECT local access not permitted
>
> remove the permit_mynetworks from all the various
> smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by
> adding
>    -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
> to the smtp service, and add
>    -o smtpd_client_restrictions=permit_mynetworks,.....
> to the submission service.

This is unnecessary and complex, and actually won't work as stated. All
that is required is a one-line change to master.cf and a CIDR file:

/etc/postfix/master.cf
...
smtp      inet  n       -       -       -       20      smtpd
        -o smtpd_client_restrictions=check_client_access,\
           cidr:/etc/postfix/deny-local.cidr

/etc/postfix/deny-local.cidr
192.168.0.0/16             REJECT local access not permitted


Aug 27 01:28:21 greer postfix/smtpd[31670]: NOQUEUE: reject: RCPT from
gffx.hardwarefreak.com[192.168.100.53]: 554 5.7.1
<gffx.hardwarefreak.com[192.168.100.53]>: Client host rejected: local
access not permitted; from=<[hidden email]> to=<[hidden email]>
proto=ESMTP helo=<[192.168.100.53]>


--
Stan
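As an added example (not code from the thread), the following Python reproduces the first-match lookup Postfix performs on a cidr: table such as the deny-local.cidr above, so a rule can be checked offline against sample client addresses before it goes live on port 25; the constructed table also carries an IPv6 rule, going beyond the single IPv4 line in the post.

```python
"""Evaluate a Postfix cidr: access table as check_client_access would.

Added example, not from the thread: first-match lookup over a deny-local.cidr
like Stan's, checked offline; the constructed table adds an IPv6 rule too.
"""
import ipaddress

# Constructed table in deny-local.cidr format: "network/prefix ACTION [text]".
DENY_LOCAL_CIDR = """\
# LAN clients must use the submission service (587), never port 25.
192.168.0.0/16             REJECT local access not permitted
[2001:db8:1::]/64          REJECT local access not permitted
"""


def parse_cidr_table(text):
    """Return [(network, result)] in file order; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        pattern = pattern.replace("[", "").replace("]", "")  # bracketed IPv6 form
        rules.append((ipaddress.ip_network(pattern, strict=False), result.strip()))
    return rules


def lookup(rules, client_ip):
    """First matching rule wins; None means no match (the lookup yields DUNNO)."""
    addr = ipaddress.ip_address(client_ip)
    for net, result in rules:
        if addr in net:
            return result
    return None


def client_access_reply(rules, client_name, client_ip):
    """The reply smtpd logs for a REJECT hit, in the form of Stan's log line."""
    result = lookup(rules, client_ip)
    if result is None:
        return None
    action, _, text = result.partition(" ")
    if action.upper() != "REJECT":
        return result
    text = text or "Access denied"   # Postfix default text for a bare REJECT
    return f"554 5.7.1 <{client_name}[{client_ip}]>: Client host rejected: {text}"


RULES = parse_cidr_table(DENY_LOCAL_CIDR)
```

To check a deployed file, pass the contents of /etc/postfix/deny-local.cidr to parse_cidr_table in place of the embedded string.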


Re: Disabling user submission on port 25

btb-2
In reply to this post by @lbutlr
On 2013.08.27 00.32, LuKreme wrote:

> That seem like a bit much. I allow the web-server (which hosts the
> webmail) in mynetworks, since users mailing from there are already
> authenticated. I can see there are situations where it would be a
> good idea.

web mail users should perform proper smtp authentication, just like they
would if they used any other client software.  among numerous benefits,
it allows for easier auditing.

-ben

Re: Disabling user submission on port 25

John Allen
In reply to this post by Stan Hoeppner
> This is unnecessary and complex, and actually won't work as stated. All
> that is required is a one-line change to master.cf and a CIDR file:
> [...]
>
Much simpler and far more elegant.

Re: Disabling user submission on port 25

Noel Jones-2
On 8/27/2013 11:36 AM, John Allen wrote:
>> On 8/26/2013 10:24 PM, John Allen wrote:
>>
>>> I based it on something that Noel Jones wrote way back in 2008.
>> I doubt that Noel suggested anything like this.

2008 was a long time ago, possibly I've learned a thing or two since
then. Regardless, I think this was in response to a very specific
requirement not particularly related to the current issue.

Apparently whatever I told him worked, glad to be of help.

  -- Noel Jones

Re: Disabling user submission on port 25

Jeroen Geilman
In reply to this post by John Allen
On 08/27/2013 05:24 AM, John Allen wrote:

> I based it on something that Noel Jones wrote way back in 2008.
>
> Create a file of the networks you wish to deny access to, e.g.
> “Deny_Mynetworks_Access”, the content of which will be the same
> networks as those found in the mynetworks parameter of the main.cf
> file, for example:

This is entirely unnecessary, since moving reject_unauth_destination in
front of permit_mynetworks takes care of that.
Everything after reject_unauth_destination is impervious to relay
attempts, because it explicitly blocks all such attempts.
Yes, relay_domains would be an exception to this - but think why domains
are in relay_domains to begin with.

>
> This should deny access to the smtp port (25) from the local networks
> while allowing access to the submission port (587).

So what you're saying is basically "to deny access from the networks in
mynetworks, do this complicated thing" ?

A simpler way to do that would be to not put these networks in mynetworks.

--
J.
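To make the interplay of Noel's first answer (SASL disabled in main.cf and re-enabled only on the submission service) and Jeroen's ordering of reject_unauth_destination concrete, here is an added Python model (not code from the thread) of how smtpd walks a restriction list for one RCPT TO; the domains, networks and client addresses are constructed sample values.

```python
"""Model Postfix smtpd restriction evaluation for one RCPT TO command.

Added example, not code from the thread. It combines Noel's answer (SASL off
globally, on only for submission) with Jeroen's ordering of
reject_unauth_destination ahead of permit_mynetworks; domains, networks and
client addresses are constructed sample values.
"""
import ipaddress

LOCAL_DOMAINS = {"example.com"}  # constructed mydestination
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]

# Effective smtpd_sasl_auth_enable per master.cf service: main.cf says "no",
# the submission entry overrides it with "-o smtpd_sasl_auth_enable=yes".
SASL_ENABLED = {"smtp": False, "submission": True}

# Postfix default order: a mynetworks client is permitted before the relay check.
DEFAULT_ORDER = ["permit_mynetworks", "permit_sasl_authenticated",
                 "reject_unauth_destination"]
# Jeroen's order: relaying is refused first, so no later permit can reopen it.
STRICT_ORDER = ["reject_unauth_destination", "permit_mynetworks",
                "permit_sasl_authenticated"]


def evaluate(restrictions, service, client_ip, authenticated, rcpt_domain):
    """Walk the list left to right; the first PERMIT or REJECT wins, else DUNNO.

    A client that tried to authenticate on a service with SASL disabled never
    got an AUTH offer, so it counts as unauthenticated (Noel's point).
    """
    addr = ipaddress.ip_address(client_ip)
    in_mynetworks = any(addr in net for net in MYNETWORKS)
    authed = authenticated and SASL_ENABLED[service]
    for restriction in restrictions:
        if restriction == "permit_mynetworks" and in_mynetworks:
            return "PERMIT"
        if restriction == "permit_sasl_authenticated" and authed:
            return "PERMIT"
        if restriction == "reject_unauth_destination" and rcpt_domain not in LOCAL_DOMAINS:
            return "REJECT"  # "Relay access denied"
        if restriction == "reject":
            return "REJECT"
    return "DUNNO"  # no decision here; smtpd moves on to the next list


def lan_client_on_port_25(rcpt_domain):
    """Decision for a LAN client on port 25 under each ordering."""
    return {order: evaluate(lst, "smtp", "192.168.1.10", True, rcpt_domain)
            for order, lst in (("default", DEFAULT_ORDER), ("strict", STRICT_ORDER))}
```

With the strict order a LAN client on port 25 can still deliver to example.com but is refused relay to any other domain, which is exactly the behaviour Noel described for local mail.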


Re: Disabling user submission on port 25

@lbutlr
On 27 Aug 2013, at 16:09 , Jeroen Geilman <[hidden email]> wrote:
> A simpler way to do that would be to not put these networks in mynetworks.

Right. I have nothing in mynetworks but the two servers that sit next to each other. No one on the LAN is in mynetworks.

I was hesitant on taking the web server out, but I probably will since it turns out that both RoundCube and Squirrelmail were super easy to set up to use the submission port properly. I have to go through and make sure none of the websites have mail scripts that can't handle STARTTLS/587.

--
Space Directive 723: Terraformers are expressly forbidden from
recreating Swindon.


Re: Disabling user submission on port 25

John Allen
In reply to this post by Jeroen Geilman
On 27/08/2013 6:09 PM, Jeroen Geilman wrote:

> On 08/27/2013 05:24 AM, John Allen wrote:
>> Create a file of the networks you wish to deny access to, e.g.
>> “Deny_Mynetworks_Access”, the content of which will be the same
>> networks as those found in the mynetworks parameter of the main.cf
>> file, for example:
>
> This is entirely unnecessary, since moving reject_unauth_destination
> in front of permit_mynetworks takes care of that.
> Everything after reject_unauth_destination is impervious to relay
> attempts, because it explicitly blocks all such attempts.
> Yes, relay_domains would be an exception to this - but think why
> domains are in relay_domains to begin with.
>
>> This should deny access to the smtp port (25) from the local networks
>> while allowing access to the submission port (587).
>
> So what you're saying is basically "to deny access from the networks
> in mynetworks, do this complicated thing" ?
>
> A simpler way to do that would be to not put these networks in
> mynetworks.
>
If I remember correctly the question was how do I stop local users using
port 25, while allowing them to access port 587. I felt that the
restriction should be applied to SMTP and not to SUBMISSION.
I agree that my solution is not very good and I think that Stan
Hoeppner's response is a much more elegant solution than mine.

Re: Disabling user submission on port 25

Stan Hoeppner
On 8/27/2013 6:34 PM, John Allen wrote:
> On 27/08/2013 6:09 PM, Jeroen Geilman wrote:

>> A simpler way to do that would be to not put these networks in
>> mynetworks.
>>
> If I remember correctly the question was how do I stop local users using
> port 25, while allowing them to access port 587. I felt that the
> restriction should be applied to SMTP and not to SUBMISSION.
> I agree that my solution is not very good and I think that Stan
> Hoeppner's response is a much more elegant solution than mine.

To be clear, I wasn't offering a solution to the OP's requirement, but
simply cleaning up and optimizing your approach into something that
would actually work.

Jeroen offered the solution.

--
Stan