Questions about TLS, SASL and Awstats


Questions about TLS, SASL and Awstats

Jose Manuel Pozo Pozo
Good night,

I am a newbie and I have some questions about TLS, SASL and Awstats.
My scenario is

Exchange2003(mailbox) -> Postfix(relay) -> Internet

The Postfix's machine has Postfix+Postgrey+Amavisd+Spamassassin+ClamAV
and it works correctly. I have tried to configure TLS, SASL and Awstats
for the reports, but:

1) TLS works fine between Exchange2003 Server and Postfix Server, but
how do I know if with other Mail Servers Postfix has also used TLS?

Is TLS synchronous or asynchronous? I think it's working synchronously,
but I am not sure. I think this because I have not installed any
certificate on the Exchange Server, only on the Postfix Server.

My TLS config,

# tls config
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

This is the log,

Jun  3 22:08:10 relay postfix/smtpd[16070]: connect from
exchange.zubero.local[192.168.1.11]
Jun  3 22:08:10 relay postfix/smtpd[16070]: setting up TLS connection
from exchange.zubero.local[192.168.1.11]
Jun  3 22:08:10 relay postfix/smtpd[16070]: TLS connection established
from exchange.zubero.local[192.168.1.11]: TLSv1 with cipher RC4-MD5
(128/128 bits)
Jun  3 22:08:10 relay postfix/smtpd[16070]: D67DB5850A:
client=exchange.zubero.local[192.168.1.11]
Jun  3 22:08:10 relay postfix/cleanup[16071]: D67DB5850A:
message-id=<13379D50-9B6D-496A-BB92-4C0998FC97FF@mimectl>
Jun  3 22:08:10 relay postfix/smtpd[16070]: disconnect from
exchange.zubero.local[192.168.1.11]
Jun  3 22:08:10 relay postfix/qmgr[15960]: D67DB5850A:
from=<[hidden email]>, size=2261, nrcpt=1 (queue active)
Jun  3 22:08:11 relay postfix/smtpd[16074]: connect from
relay.zubero.eu[127.0.0.1]
Jun  3 22:08:11 relay postfix/smtpd[16074]: BBAD4585A0:
client=relay.zubero.eu[127.0.0.1]
Jun  3 22:08:11 relay postfix/cleanup[16071]: BBAD4585A0:
message-id=<13379D50-9B6D-496A-BB92-4C0998FC97FF@mimectl>
Jun  3 22:08:11 relay amavis[16055]: (16055-01) Passed CLEAN, MYNETS
LOCAL [192.168.1.11] <[hidden email]> -> <[hidden email]>, Message-ID:
<13379D50-9B6D-496A-BB92-4C0998FC97FF@mimectl>, mail_id: ydUUZuZH3TPe,
Hits: -0.073, size: 2260, queued_as: BBAD4585A0, 863 ms
Jun  3 22:08:11 relay postfix/smtp[16072]: D67DB5850A:
to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2,
delays=0.31/0.03/0.03/0.85, dsn=2.0.0, status=sent (250 2.0.0 Ok:
queued as BBAD4585A0)
Jun  3 22:08:11 relay postfix/smtpd[16074]: disconnect from
relay.zubero.eu[127.0.0.1]
Jun  3 22:08:11 relay postfix/qmgr[15960]: D67DB5850A: removed
Jun  3 22:08:11 relay postfix/qmgr[15960]: BBAD4585A0:
from=<[hidden email]>, size=2690, nrcpt=1 (queue active)
Jun  3 22:08:15 relay postfix/smtp[15962]: BBAD4585A0:
to=<[hidden email]>, relay=mx.ya.com[62.151.4.44]:25, delay=3.4,
delays=0.05/0/1.4/2, dsn=2.0.0, status=sent (250
ZYkg1Z00B5JPXw40000000 mail accepted for delivery)
Jun  3 22:08:15 relay postfix/qmgr[15960]: BBAD4585A0: removed


2) I have configured SASL and I have installed cyrus-sasl (my distro
is CentOS 5). But I don't know if it's working because I do not see
anything in the logs. I have followed these steps:

a) Create sasl_passwd with one user (if I wanted to include more
Exchange users, should I write all users?)

exchange.zubero.local      password:user(or user@domain?)

b) postmap sasl_passwd

c) And include this config in the main.cf

#SASL
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
#smtpd_sasl_local_domain = $myhostname
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd.db
smtpd_sender_restrictions =
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_recipient_restrictions =
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

Is SASL working? I am a complete newbie and I don't know when the Postfix
Server uses SASL against the Exchange Server.


3) I would like to install Awstats but I can not find a howto for
CentOS 5. Does anyone know something about this? I would like a report
program to study my Postfix (use of RBL, greylisting,
Spamassassin, viruses, and information on my users' mail: sent mails,
received mails, etc.)


My postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
empty_address_recipient = MAILER-DAEMON
html_directory = no
invalid_hostname_reject_code = 554
local_recipient_maps = hash:/etc/postfix/exchange_recipients
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
multi_recipient_bounce_reject_code = 554
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = zubero.eu
myhostname = relay.zubero.eu
mynetworks = 192.168.1.11
newaliases_path = /usr/bin/newaliases.postfix
non_fqdn_reject_code = 554
queue_directory = /var/spool/postfix
queue_minfree = 120000000
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains_reject_code = 554
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    check_policy_service inet:127.0.0.1:60000
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions =
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transportList
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554


My master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
### BEGIN AMAVISD-NEW CONFIG

smtp-amavis     unix -        -       n     -       2  smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n        -       n     -       -  smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
### END AMAVISD-NEW CONFIG

My /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login
log_level: 5

Thank you all very much.  Greetings,
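Questions 1 and 2 above (did a remote MTA also negotiate TLS, and is SASL actually being used) can be answered from the mail log once smtp_tls_loglevel and smtpd_tls_loglevel are 1: Postfix then logs one "TLS connection established from/to PEER: ..." line per TLS session, and smtpd adds sasl_method= and sasl_username= to the client= line of an authenticated session. The parser below is an added example written for this page, not code from the thread or from Postfix. The log lines it reads are constructed in the format quoted in the post, with documentation-range addresses; the host names, queue ids and the relayuser name are invented. The TLS regex accepts the outbound form both with and without a leading trust word (Untrusted, Trusted, ...), since some Postfix releases log it and some do not.

```python
"""Report TLS use and SASL authentication per message from Postfix mail logs.

Added example, not code from the thread or from Postfix.  Assumes
smtp_tls_loglevel = 1 / smtpd_tls_loglevel = 1 (one "TLS connection
established from/to PEER: ..." line per TLS session) and relies on smtpd
logging "sasl_method=..., sasl_username=..." on the client= line.
"""
import re
from typing import Dict, List, Optional

# Constructed sample log in the format quoted in the post (documentation
# addresses; host names, queue ids and user name are invented).
SAMPLE_LOG = """\
Jun  3 22:08:10 relay postfix/smtpd[16070]: connect from exchange.example.test[192.0.2.11]
Jun  3 22:08:10 relay postfix/smtpd[16070]: setting up TLS connection from exchange.example.test[192.0.2.11]
Jun  3 22:08:10 relay postfix/smtpd[16070]: TLS connection established from exchange.example.test[192.0.2.11]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jun  3 22:08:10 relay postfix/smtpd[16070]: 1F2E3D4C5B: client=exchange.example.test[192.0.2.11], sasl_method=PLAIN, sasl_username=relayuser
Jun  3 22:08:10 relay postfix/smtpd[16070]: disconnect from exchange.example.test[192.0.2.11]
Jun  3 22:08:15 relay postfix/smtp[15962]: Untrusted TLS connection established to mx.example.test[192.0.2.25]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Jun  3 22:08:15 relay postfix/smtp[15962]: A1B2C3D4E5: to=<someone@example.test>, relay=mx.example.test[192.0.2.25]:25, delay=3.4, delays=0.05/0/1.4/2, dsn=2.0.0, status=sent (250 ok)
Jun  3 22:09:01 relay postfix/smtp[15962]: C0FFEE1234: to=<other@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.1, delays=0.02/0/0.5/0.6, dsn=2.0.0, status=sent (250 ok)
Jun  3 22:10:30 relay postfix/smtpd[16099]: connect from unknown[203.0.113.9]
Jun  3 22:10:30 relay postfix/smtpd[16099]: DEADBEEF01: client=unknown[203.0.113.9]
Jun  3 22:10:31 relay postfix/smtpd[16099]: disconnect from unknown[203.0.113.9]
"""

PREFIX = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+postfix/(?P<daemon>smtpd|smtp)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# smtpd: "TLS connection established from host[ip]: TLSv1 with cipher X (n/n bits)"
# smtp:  "Untrusted TLS connection established to host[ip]:25: TLSv1 with cipher X (n/n bits)"
TLS_LINE = re.compile(
    r"^(?:(?P<trust>Anonymous|Untrusted|Trusted|Verified)\s+)?TLS connection established "
    r"(?P<dir>from|to)\s+(?P<peer>[^\s:]+(?::\d+)?):\s+(?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+)\s+\((?P<bits>[\d/]+) bits\)"
)
INBOUND = re.compile(r"^(?P<qid>[0-9A-Za-z]+): client=(?P<peer>[^\s,]+)(?P<rest>.*)$")
SASL_USER = re.compile(r"sasl_username=(?P<user>[^,\s]+)")
OUTBOUND = re.compile(r"^(?P<qid>[0-9A-Za-z]+): to=<[^>]*>,(?: orig_to=<[^>]*>,)? relay=(?P<relay>[^,]+),")
DISCONNECT = re.compile(r"^disconnect from (?P<peer>\S+)")


def parse_sessions(lines) -> List[dict]:
    """One record per queued message: direction, peer, TLS facts, SASL user.

    TLS state is kept per (daemon, pid) and keyed by the peer string, because
    the peer in "TLS connection established from/to X" is the same string that
    later appears as client=X (smtpd) or relay=X (smtp).  Simplification: a
    long-lived smtp process that later reconnects in the clear to the same
    relay would still be credited with the earlier TLS session.
    """
    tls_state: Dict[tuple, Dict[str, dict]] = {}
    records: List[dict] = []
    for line in lines:
        m = PREFIX.match(line.strip())
        if not m:
            continue
        peers = tls_state.setdefault((m["daemon"], m["pid"]), {})
        msg = m["msg"]
        t = TLS_LINE.match(msg)
        if t:
            peers[t["peer"]] = {"proto": t["proto"], "cipher": t["cipher"],
                                "bits": t["bits"], "trust": t["trust"]}
            continue
        if m["daemon"] == "smtpd":
            d = DISCONNECT.match(msg)
            if d:
                peers.pop(d["peer"], None)  # session over; forget its TLS state
                continue
            c = INBOUND.match(msg)
            if c:
                s = SASL_USER.search(c["rest"])
                records.append(_record(c["qid"], "inbound", c["peer"],
                                       peers.get(c["peer"]), s["user"] if s else None))
        else:
            o = OUTBOUND.match(msg)
            if o:
                records.append(_record(o["qid"], "outbound", o["relay"],
                                       peers.get(o["relay"]), None))
    return records


def _record(qid: str, direction: str, peer: str, tls: Optional[dict],
            sasl_user: Optional[str]) -> dict:
    rec = {"queue_id": qid, "direction": direction, "peer": peer,
           "tls": tls is not None, "sasl_username": sasl_user,
           "proto": None, "cipher": None, "bits": None, "trust": None}
    rec.update(tls or {})
    return rec


def summarize(records: List[dict]) -> dict:
    """Count TLS vs. cleartext sessions per direction."""
    summary = {"inbound": {"tls": 0, "clear": 0}, "outbound": {"tls": 0, "clear": 0}}
    for r in records:
        summary[r["direction"]]["tls" if r["tls"] else "clear"] += 1
    return summary


if __name__ == "__main__":
    recs = parse_sessions(SAMPLE_LOG.splitlines())
    for r in recs:
        print("{queue_id} {direction:8} {peer:38} tls={tls} {proto} {cipher} "
              "sasl={sasl_username}".format(**r))
    print(summarize(recs))
```

Run against a real /var/log/maillog the summary shows, per direction, how many sessions were protected; the per-record output shows which peers negotiated which cipher (the RC4-MD5 in the post would stand out) and which inbound sessions authenticated. Postfix's own smtpd_tls_received_header = yes records the same information in each message's Received: header, which is the place to look for a single message rather than for a fleet-wide view.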

Re: Questions about TLS, SASL and Awstats

Victor Duchovni
On Tue, Jun 03, 2008 at 11:54:38PM +0200, Jose Manuel Pozo Pozo wrote:

> 1) TLS works fine between Exchange2003 Server and Postfix Server, but
> how do I know if with other Mail Servers Postfix has also used TLS?

        For outgoing mail:

                smtp_tls_loglevel = 1

                # Postfix 2.3+ syntax, otherwise smtp_use_tls = yes
                smtp_tls_security_level = may

        For incoming mail:

                smtpd_tls_loglevel = 1
                smtpd_tls_received_header = yes

                # Postfix 2.3+ syntax, otherwise smtpd_use_tls = yes
                smtpd_tls_security_level = may

> Is TLS synchronous or asynchronous?

What does "asynchronous" mean in this context? TLS encrypts the
SMTP transmission channel after the initial EHLO handshake...

> I think it's working synchronous
> but I am not sure. I think this because I have not installed any
> certificated in the Exchange Server and only in the Postfix Server.

The SMTP client does not generally need a private key or certificate.
What does this have to do with whether TLS is "synchronous"? Perhaps
you are thinking of some other distinction...

> smtp_use_tls = yes
> smtpd_use_tls = yes

Postfix 2.2 (and legacy TLS patch for earlier releases) syntax. If
running 2.3+ switch to the new "tls_security_level" syntax.

> smtp_tls_note_starttls_offer = yes

Not necessary unless you disable TLS by default.

> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes

Good.

> smtpd_tls_session_cache_timeout = 3600s

Not useful unless you use a cache database. Recommended location:

    btree:/var/lib/postfix/smtpd_scache

or with (2.5):

    btree:${data_directory}/smtpd_scache

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: Questions about TLS, SASL and Awstats

Jose Manuel Pozo Pozo
2008/6/4 Victor Duchovni <[hidden email]>:

> On Tue, Jun 03, 2008 at 11:54:38PM +0200, Jose Manuel Pozo Pozo wrote:
>
>> 1) TLS works fine between Exchange2003 Server and Postfix Server, but
>> how do I know if with other Mail Servers Postfix has also used TLS?
>
>        For outgoing mail:
>
>                smtp_tls_loglevel = 1
>
>                # Postfix 2.3+ syntax, otherwise smtp_use_tls = yes
>                smtp_tls_security_level = may
>
>        For incoming mail:
>
>                smtpd_tls_loglevel = 1
>                smtpd_tls_received_header = yes
>
>                # Postfix 2.3+ syntax, otherwise smtpd_use_tls = yes
>                smtpd_tls_security_level = may
>
>> Is TLS synchronous or asynchronous?
>
> What does "asynchronous" mean in this context? TLS encrypts the
> SMTP transmission channel after the initial EHLO handshake...
>
>> I think it's working synchronous
>> but I am not sure. I think this because I have not installed any
>> certificated in the Exchange Server and only in the Postfix Server.
>
> The SMTP client does not generally need a private key or certificate.
> What does this have to do with whether TLS is "synchronous"? Perhaps
> you are thinking of some other distinction...
>
>> smtp_use_tls = yes
>> smtpd_use_tls = yes
>
> Postfix 2.2 (and legacy TLS patch for earlier releases) syntax. If
> running 2.3+ switch to the new "tls_security_level" syntax.
>
>> smtp_tls_note_starttls_offer = yes
>
> Not necessary unless you disable TLS by default.
>
>> smtpd_tls_loglevel = 1
>> smtpd_tls_received_header = yes
>
> Good.
>
>> smtpd_tls_session_cache_timeout = 3600s
>
> Not useful unless you use a cache database. Recommended location:
>
>    btree:/var/lib/postfix/smtpd_scache
>
> or with (2.5):
>
>    btree:${data_directory}/smtpd_scache
>

I adjusted my main.cf and this is it now,

# tls config

smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
#smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
#smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom

Is it correct?

The option smtpd_tls_auth_only = yes, what is it used for?

Thanks.

Re: Questions about TLS, SASL and Awstats

Victor Duchovni
On Thu, Jun 05, 2008 at 01:52:33PM +0200, Jose Manuel Pozo Pozo wrote:

> smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache

Use /var/lib/postfix ($data_directory in Postfix 2.5).

> Is it correct?
>
> The option smtpd_tls_auth_only = yes, what is it used?


http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
http://www.postfix.org/TLS_README.html#server_tls_auth

--
        Viktor.


Re: Questions about TLS, SASL and Awstats

Wietse Venema
Victor Duchovni:

> On Thu, Jun 05, 2008 at 01:52:33PM +0200, Jose Manuel Pozo Pozo wrote:
>
> > smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
>
> Use /var/lib/postfix ($data_directory in Postfix 2.5).
>
> > Is it correct?
> >
> > The option smtpd_tls_auth_only = yes, what is it used?
>
> http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
> http://www.postfix.org/TLS_README.html#server_tls_auth

Isn't smtpd_tls_auth_only a workaround for the combined use of the
"port 25" SMTP service by MTAs (TLS can't be required) and MUAs
(TLS can be required)?

If so, it would make sense to add a note to the documentation that
the "submission" service is a better alternative.

        Wietse

Re: Questions about TLS, SASL and Awstats

mouss-2
Wietse Venema wrote:

> Victor Duchovni:
>
>> On Thu, Jun 05, 2008 at 01:52:33PM +0200, Jose Manuel Pozo Pozo wrote:
>>
>>> smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
>>
>> Use /var/lib/postfix ($data_directory in Postfix 2.5).
>>
>>> Is it correct?
>>>
>>> The option smtpd_tls_auth_only = yes, what is it used?
>>
>> http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
>> http://www.postfix.org/TLS_README.html#server_tls_auth
>
> Isn't smtpd_tls_auth_only a workaround for the combined use of the
> "port 25" SMTP service by MTAs (TLS can't be required) and MUAs
> (TLS can be required)?


I would say it's to prevent sending clear text passwords. If clear text
passwords are not allowed, then it should be ok to send them without TLS
(assuming there is trust in the strength of the mechanism).

Otherwise, I think it's ok to allow relay for a "friendly network" over
port 25 if using SASL over TLS. Or would this qualify as submission?
> If so, it would make sense to add a note to the documentation that
> the "submission" service is a better alternative.
>
> Wietse
>
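The exchange between Wietse and mouss turns on what smtpd_tls_auth_only actually protects against on a port 25 service where TLS can only be optional: with TLS at "may" and plaintext SASL mechanisms allowed, a client can send PLAIN or LOGIN credentials before STARTTLS unless the server withholds AUTH until the session is encrypted (smtpd_tls_auth_only = yes) or refuses plaintext mechanisms altogether (noplaintext in smtpd_sasl_security_options). The checker below is an added example written for this page, not code from the thread or from Postfix. It parses postconf -n output (including the wrapped continuation lines seen in the original post) and applies that rule; the two configuration excerpts are constructed, modelled on the poster's settings before and after the change, and the parameter names are all real Postfix parameters.

```python
"""Lint a postconf -n dump for SASL AUTH exposed on the port 25 smtpd.

Added example, not code from the thread or from Postfix.  It encodes the
documented meaning of smtpd_tls_auth_only (when TLS is optional, do not
announce or accept AUTH before STARTTLS) and of the noplaintext SASL
option (refuse PLAIN/LOGIN outright).  Both configs are constructed
excerpts modelled on the poster's settings before and after the change.
"""
from typing import Dict, List

# Original settings: legacy smtpd_use_tls, AUTH announced before STARTTLS.
BEFORE_CFG = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Adjusted settings: 2.3+ security level, AUTH only after STARTTLS.
AFTER_CFG = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
"""


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse "name = value" lines; a line starting with whitespace continues
    the previous value, as in postconf -n output and main.cf."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def smtpd_tls_level(params: Dict[str, str]) -> str:
    """Effective server TLS policy: the 2.3+ level if set, otherwise the
    legacy smtpd_enforce_tls / smtpd_use_tls booleans."""
    level = params.get("smtpd_tls_security_level", "")
    if level:
        return level
    if params.get("smtpd_enforce_tls", "no") == "yes":
        return "encrypt"
    if params.get("smtpd_use_tls", "no") == "yes":
        return "may"
    return "none"


def check_port25_auth(params: Dict[str, str]) -> List[str]:
    """Findings about credential exposure on the main (port 25) smtpd."""
    findings: List[str] = []
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        return findings  # AUTH not offered at all, nothing to expose
    # Postfix default for smtpd_sasl_security_options is "noanonymous".
    opts = {o.strip() for o in
            params.get("smtpd_sasl_security_options", "noanonymous").split(",")}
    level = smtpd_tls_level(params)
    auth_only = params.get("smtpd_tls_auth_only", "no") == "yes"
    plaintext_allowed = "noplaintext" not in opts
    if level == "none" and plaintext_allowed:
        findings.append("AUTH is offered without TLS and plaintext mechanisms are "
                        "allowed: credentials cross the wire in the clear")
    elif level == "may" and not auth_only and plaintext_allowed:
        findings.append("AUTH is announced before STARTTLS with plaintext mechanisms "
                        "allowed: set smtpd_tls_auth_only = yes (or add noplaintext "
                        "to smtpd_sasl_security_options)")
    if "noanonymous" not in opts:
        findings.append("smtpd_sasl_security_options does not contain noanonymous")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CFG), ("after", AFTER_CFG)):
        print(label, check_port25_auth(parse_postconf(cfg)) or ["ok"])
```

Feed it `postconf -n` output from the relay (`postconf -n | python3 lint.py` with a small stdin wrapper, or paste the dump into the constants) and it flags the first configuration and passes the adjusted one. It only sees main.cf; per-service -o overrides in master.cf, such as the submission entry with smtpd_enforce_tls=yes in the post, are the cleaner way to require TLS for MUAs, which is Wietse's point, and fall outside what this check reads.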