Restricting port 25 with cidr table


Restricting port 25 with cidr table

Nikolaos Milas
Hello,

As our internal (main) mail server only accepts mail from two mail
gateways and users submit their mail through submission port (587), I am
planning to explicitly allow accepting mail on port 25 ONLY by our mail
gateway servers (and the mail server itself). So, in main.cf:

smtpd_client_restrictions = check_client_access
cidr:/etc/postfix/gwservers.cidr,reject

where /etc/postfix/gwservers.cidr:

(True IPs have been masked with 'x's since they are public.)

2001:648:2011:xxxx::xxx    OK
195.251.xxx.xxx            OK
195.251.xxx.xx             OK
127.0.0.1                  OK

My question is: Is it acceptable in a cidr table to add IPv6 loopback
address (::1) too? Should I add it? (SMTP is listening on all
interfaces.) In documentation for cidr tables I read that '...an IPv6
network address is a sequence of three to eight hexadecimal octet pairs
separated by ":"' which makes it a bit unclear whether IPv6 loopback
address is acceptable.

Thanks,
Nick

Re: Restricting port 25 with cidr table

Reindl Harald-2


On 20.01.2012 09:18, Nikolaos Milas wrote:
> Hello,
>
> As our internal (main) mail server only accepts mail from two mail gateways and users submit their mail through
> submission port (587), I am planning to explicitly allow accepting mail on port 25 ONLY by our mail gateway servers
> (and the mail server itself). So, in main.cf:

why are you not only opening from the allowed addresses in
the packet-filter (iptables)? so you have no log-entries
from spammers all over the world and any protection should
generally happen as wide as possible before the service



Re: Restricting port 25 with cidr table

Charles Marcus
On 2012-01-20 3:31 AM, Reindl Harald <[hidden email]> wrote:

> On 20.01.2012 09:18, Nikolaos Milas wrote:
>> As our internal (main) mail server only accepts mail from two mail
>> gateways and users submit their mail through submission port (587),
>> I am planning to explicitly allow accepting mail on port 25 ONLY by
>> our mail gateway servers (and the mail server itself). So, in
>> main.cf:
>> where /etc/postfix/gwservers.cidr:
>>
>> (True IPs have been masked with 'x's since they are public.)
>>
>> 2001:648:2011:xxxx::xxx    OK
>> 195.251.xxx.xxx            OK
>> 195.251.xxx.xx             OK
>> 127.0.0.1                  OK

Don't forget the last line should be something like:

# reject all clients not matching anything above, and be damn sure
# to comment out the last reject under recipient_restrictions
#
0.0.0.0/0         reject unauthorized client, please use our MX

> why are you not only opening from the allowed addresses in
> the packet-filter (iptables)? so you have no log-entries
> from spammers all over the world and any protection should
> generally happen as wide as possible before the service

I agree wholeheartedly and I do this as well, but I also believe in
multi-layered security, so I would *definitely* also lock it down in
postfix as above as well...

--

Best regards,

Charles

Re: Restricting port 25 with cidr table

Nikolaos Milas
On 20/1/2012 12:55 PM, Charles Marcus wrote:

> # reject all clients not matching anything above, and be damn sure
> # to comment out the last reject under recipient_restrictions
> #
> 0.0.0.0/0         reject unauthorized client, please use our MX
>

You mean to remove "reject" from *smtpd_client_restrictions*, not from
smtpd_recipient_restrictions. So, if we would be using:
smtpd_client_restrictions = check_client_access
cidr:/etc/postfix/gwservers.cidr,reject
we should rather just use:
smtpd_client_restrictions = check_client_access
cidr:/etc/postfix/gwservers.cidr

Right?

>> why are you not only opening from the allowed addresses in
>> the packet-filter (iptables)? so you have no log-entries
>> from spammers all over the world and any protection should
>> generally happen as wide as possible before the service
>
> I agree wholeheartedly and I do this as well, but I also believe in
> multi-layered security, so I would *definitely* also lock it down in
> postfix as above as well...
>

I agree that iptables-based filtering should be done as well.

But what about ::1 in the cidr table? Will it be OK??

Thanks,
Nick

Re: Restricting port 25 with cidr table

Reindl Harald-2
In reply to this post by Charles Marcus


On 20.01.2012 11:55, Charles Marcus wrote:

>> why are you not only opening from the allowed addresses in
>> the packet-filter (iptables)? so you have no log-entries
>> from spammers all over the world and any protection should
>> generally happen as wide as possible before the service
>
> I agree wholeheartedly and I do this as well, but I also believe in multi-layered
> security, so I would *definitely* also lock it down in postfix as above as well...

I normally do too.

If you have no MX records pointing to your machine because they all
point to the spamfirewall, you do not get many attempts to deliver mail
directly to it, and those are burned down with greylisting/RBL.

We have our own spamfirewall in front and only one domain points
with MX directly to the mailserver; well, I see no other delivery
attempts and they are mostly killed because of EHLO checks.

I would put the spamfirewalls in "mynetworks", lock down
the machine with iptables, and in case something goes
wrong with iptables, the settings below eat the spam:

smtpd_helo_restrictions = permit_mynetworks
 permit_sasl_authenticated
 reject_non_fqdn_helo_hostname
 reject_invalid_helo_hostname
 reject_unknown_helo_hostname

smtpd_recipient_restrictions = permit_mynetworks
 ....... YOUR-SETTINGS ............
 reject_invalid_hostname
 reject_unknown_reverse_client_hostname
 reject_unauth_pipelining
 reject_rbl_client dnsbl-1.uceprotect.net
 check_policy_service unix:/var/spool/postfix/postgrey/socket




Re: Restricting port 25 with cidr table

Nikolaos Milas
In reply to this post by Nikolaos Milas
On 20/1/2012 3:24 PM, Nikolaos Milas wrote:

>> # reject all clients not matching anything above, and be damn sure
>> # to comment out the last reject under recipient_restrictions
>> #
>> 0.0.0.0/0         reject unauthorized client, please use our MX
>>
>
> You mean to remove "reject" from *smtpd_client_restrictions*, not from
> smtpd_recipient_restrictions. So, if we would be using:
> smtpd_client_restrictions = check_client_access
> cidr:/etc/postfix/gwservers.cidr,reject
> we should rather just use:
> smtpd_client_restrictions = check_client_access
> cidr:/etc/postfix/gwservers.cidr

By the way, I fail to see any difference between the two methods. It
seems to me the same to use:
   smtpd_client_restrictions = check_client_access
cidr:/etc/postfix/gwservers.cidr
   where gwservers.cidr is:
   xxx.xxx.xxx.xxx   OK
   xxx.xxx.xxx.xxx   OK
   0.0.0.0/0         reject unauthorized client, please use our MX
or:
   smtpd_client_restrictions = check_client_access
cidr:/etc/postfix/gwservers.cidr,reject
   where gwservers.cidr is:
   xxx.xxx.xxx.xxx   OK
   xxx.xxx.xxx.xxx   OK

Aren't the two methods practically the same?

Thanks,
Nick

Re: Restricting port 25 with cidr table

Wietse Venema
Nikolaos Milas:

> On 20/1/2012 3:24 ??, Nikolaos Milas wrote:
>
> >> # reject all clients not matching anything above, and be damn sure
> >> # to comment out the last reject under recipient_restrictions
> >> #
> >> 0.0.0.0/0         reject unauthorized client, please use our MX
> >>
> >
> > You mean to remove "reject" from *smtpd_client_restrictions*, not from
> > smtpd_recipient_restrictions. So, if we would be using:
> > smtpd_client_restrictions = check_client_access
> > cidr:/etc/postfix/gwservers.cidr,reject
> > we should rather just use:
> > smtpd_client_restrictions = check_client_access
> > cidr:/etc/postfix/gwservers.cidr
>
> By the way, I fail to see any difference between the two methods. It
> seems to me the same to use:
>    smtpd_client_restrictions = check_client_access
> cidr:/etc/postfix/gwservers.cidr
>    where gwservers.cidr is:
>    xxx.xxx.xxx.xxx   OK
>    xxx.xxx.xxx.xxx   OK
>    0.0.0.0/0         reject unauthorized client, please use our MX

This "passes" IPv6 clients that match no rule.

> or:
>    smtpd_client_restrictions = check_client_access
> cidr:/etc/postfix/gwservers.cidr,reject
>    where gwservers.cidr is:
>    xxx.xxx.xxx.xxx   OK
>    xxx.xxx.xxx.xxx   OK
>
> Aren't the two methods practically the same?

This stops IPv6 clients that match no rule.

        Wietse

Re: Restricting port 25 with cidr table

Nikolaos Milas
On 20/1/2012 10:54 PM, Wietse Venema wrote:

>> >  seems to me the same to use:
>> >      smtpd_client_restrictions = check_client_access
>> >  cidr:/etc/postfix/gwservers.cidr
>> >      where gwservers.cidr is:
>> >      xxx.xxx.xxx.xxx   OK
>> >      xxx.xxx.xxx.xxx   OK
>> >      0.0.0.0/0         reject unauthorized client, please use our MX
> This "passes" IPv6 clients that match no rule.
>

Thanks Wietse.

I understand.

However, we could formulate gwservers.cidr as (for example):

   xxx.xxx.xxx.xxx   OK
   xxx.xxx.xxx.xxx   OK
   127.0.0.1         OK
   xxxx:xxxx:xxxx:xxxx::xxxx:xxxx   OK
   xxxx:xxxx:xxxx:xxxx::xxxx        OK
   ::1                              OK
   0.0.0.0/0         reject unauthorized client, please use our MX
   ::/0              reject unauthorized client, please use our MX

and then, using the above file with:
   smtpd_client_restrictions = check_client_access cidr:/etc/postfix/gwservers.cidr
would be practically the same as using the following with a gwservers.cidr *without* the last two lines:
   smtpd_client_restrictions = check_client_access cidr:/etc/postfix/gwservers.cidr,reject
of course only if there is nothing else before the ending ",reject" (in the latter).

Additionally, it wouldn't hurt to add ",reject" to the former, but it would never be evaluated.

So, I would tend to think it's more flexible to use the second type, because we could later add more rules before the ending ",reject".

Am I right in the above?

Thanks again, to both you and Charles who assisted me in clarifying things.
Nick



Re: Restricting port 25 with cidr table

Charles Marcus
In reply to this post by Wietse Venema
On 1/20/2012 3:54 PM, Wietse Venema wrote:
> On 20/1/2012 3:24 ??, Nikolaos Milas wrote:
>> By the way, I fail to see any difference between the two methods. It
>> seems to me the same to use:
>>    smtpd_client_restrictions = check_client_access
>> cidr:/etc/postfix/gwservers.cidr
>>    where gwservers.cidr is:
>>    xxx.xxx.xxx.xxx   OK
>>    xxx.xxx.xxx.xxx   OK
>>    0.0.0.0/0         reject unauthorized client, please use our MX

> This "passes" IPv6 clients that match no rule.

Hmmm... ok, can I add another line that would block IPv6 clients too?
I'm clueless about IPv6 at the moment (I know, time is running out to
get educated)...

currently my system (gentoo) has IPv6 totally disabled everywhere
(kernel and all), but that can't last forever...

--

Best regards,

Charles

Re: Restricting port 25 with cidr table

Charles Marcus
In reply to this post by Nikolaos Milas
On 1/21/2012 3:58 AM, Nikolaos Milas wrote:

> However, we could formulate gwservers.cidr as (for example):
>
>   xxx.xxx.xxx.xxx   OK
>   xxx.xxx.xxx.xxx   OK
>   127.0.0.1         OK
>   xxxx:xxxx:xxxx:xxxx::xxxx:xxxx   OK
>   xxxx:xxxx:xxxx:xxxx::xxxx        OK
>   ::1                              OK
>   0.0.0.0/0         reject unauthorized client, please use our MX
>   ::/0              reject unauthorized client, please use our MX

Missed this... did you ever get an answer as to whether or not this
would work?

Since the default 'final action' for postfix is accept not reject, I'd
rather not change that if unnecessary.

Thanks,

--

Best regards,

Charles

Re: Restricting port 25 with cidr table

Nikolaos Milas
On 26/1/2012 1:09 AM, Charles Marcus wrote:

>> However, we could formulate gwservers.cidr as (for example):
>> >  
>> >     xxx.xxx.xxx.xxx   OK
>> >     xxx.xxx.xxx.xxx   OK
>> >     127.0.0.1         OK
>> >     xxxx:xxxx:xxxx:xxxx::xxxx:xxxx   OK
>> >     xxxx:xxxx:xxxx:xxxx::xxxx        OK
>> >     ::1                              OK
>> >     0.0.0.0/0         reject unauthorized client, please use our MX
>> >     ::/0              reject unauthorized client, please use our MX
> Missed this... did you ever get an answer as to whether or not this
> would work?
>
> Since the default 'final action' for postfix is accept not reject, I'd
> rather not change that if unnecessary.

Hi Charles,

I missed this mail. I never got any answer, yet I am pretty confident it
will work.

However, I will opt for the second method:

/etc/postfix/gwservers.cidr:
   xxx.xxx.xxx.xxx   OK
   xxx.xxx.xxx.xxx   OK
   127.0.0.1         OK
   xxxx:xxxx:xxxx:xxxx::xxxx:xxxx   OK
   xxxx:xxxx:xxxx:xxxx::xxxx        OK
   ::1                              OK

and
smtpd_client_restrictions = check_client_access
cidr:/etc/postfix/gwservers.cidr,reject

If there is no match in the cidr lookup, there is no default implied
accept, but the check moves to the next statement among those in
smtpd_client_restrictions which in this case is a reject.

I hope someone more experienced here can confirm this.

All the best,
Nick
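As an added illustration (not code from the thread or from Postfix itself), a small Python simulation of first-match cidr: table lookup and the smtpd_client_restrictions walk, covering both Wietse's point that a table ending in 0.0.0.0/0 alone lets IPv6 strangers fall through to the implicit permit, and Nick's final method where a no-match result moves on to the trailing reject. The gateway addresses are constructed RFC 5737 / RFC 3849 documentation prefixes standing in for the masked IPs.

```python
import ipaddress

# Constructed sample table: RFC 5737 / RFC 3849 documentation prefixes stand in for the masked gateway IPs (assumed, not real hosts).
GWSERVERS_CIDR = """\
192.0.2.10        OK
192.0.2.11        OK
127.0.0.1         OK
2001:db8:1::10    OK
::1               OK
"""
CATCH_ALL_V4 = "0.0.0.0/0         reject unauthorized client, please use our MX\n"
CATCH_ALL_V6 = "::/0              reject unauthorized client, please use our MX\n"

def parse_cidr_table(text):
    """Return [(network, action)] in file order; cidr tables are first-match."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), action))
    return rules

def check_client_access(rules, client_ip):
    """First matching rule wins; None means no match (what Postfix calls DUNNO)."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

def walk_restrictions(restrictions, client_ip):
    """Evaluate a restriction list as smtpd does: stop at the first definite answer."""
    for item in restrictions:
        if callable(item):            # a table lookup such as check_client_access
            result = item(client_ip)
            if result is None:        # DUNNO: fall through to the next restriction
                continue
            return result
        return item                   # a bare 'reject' or 'permit'
    return "permit"                   # implicit default when the list runs out

def decide(table_text, client_ip, trailing_reject=False):
    """Outcome for one client under 'check_client_access cidr:<table>[, reject]'."""
    rules = parse_cidr_table(table_text)
    restrictions = [lambda ip: check_client_access(rules, ip)]
    if trailing_reject:
        restrictions.append("reject")
    return walk_restrictions(restrictions, client_ip)
```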