SASL auth only on port 25

SASL auth only on port 25

Simon Wilson-7
Hi all, I'm tightening up my (pre-postscreen postfix 2.3.3 on CentOS  
5) mail server as I get quite a few hits on the open ports from bot  
nets trying to auth. Getting ready to migrate off it - more on that  
later.

Port 25 is for MTA unauthenticated traffic, with optional TLS, and 587  
requires TLS and sasl auth for MUA submission. The server is  
functioning fine for mail submission on 587 and MTA function on port  
25, but I am seeing saslauthd authentication failures in maillog e.g.:

Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from  
unknown[45.123.221.70]
Apr 26 18:16:25 server04 postfix/smtpd[18323]: setting up TLS  
connection from unknown[45.123.221.70]
Apr 26 18:16:26 server04 postfix/smtpd[18323]: TLS connection  
established from unknown[45.123.221.70]: TLSv1 with cipher  
DHE-RSA-AES256-SHA (256/256 bits)
Apr 26 18:16:27 server04 saslauthd[1953]: Authentication failed for  
simon/simonandkate.net: Bind to ldap server failed (invalid  
user/password or insufficient access) (-7)
Apr 26 18:16:27 server04 saslauthd[1953]: do_auth         : auth  
failure: [user=simon] [service=smtp] [realm=simonandkate.net]  
[mech=ldap] [reason=Unknown]
Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: SASL  
authentication failure: Password verification failed
Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning:  
unknown[45.123.221.70]: SASL PLAIN authentication failed:  
authentication failure

and I don't know if it's because they are knocking on 587, or still  
knocking on port 25 and trying to auth because I have my port 25  
config wrong... :-/

I have a couple of questions:

1. At the moment when a bot knocks on the postfix server I see  
postfix/smtpd[pid] etc. in maillog: can that message show if the knock  
is on port 25 or 587?
2. Is my config correct for my desired outcome (below)?

I'm about to migrate mail to a new server with postfix on CentOS 7,  
but I need to make sure I understand this better and have it right  
before changing, not just blindly changing things.

Would appreciate some advice if anyone would see fit to comment.
Thanks
Simon.



extract from master.cf:

# std port for incoming port 25. No SASL auth allowed
# smtpd_sasl_auth_enable=no is default, but left here for clarity
smtp      inet  n       -       n       -       -       smtpd
     -o smtpd_tls_security_level=may
     -o smtpd_sasl_auth_enable=no

# submission port
submission inet n       -       n       -       -       smtpd
     -o smtpd_tls_security_level=encrypt
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_client_restrictions=permit_sasl_authenticated,reject

extract from main.cf:

# Enable sasl auth.
# Master.cf sets this separately for 25 and 587, so commented out here
# smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s

--
Simon Wilson
M: 0400 12 11 16


Re: SASL auth only on port 25

Michael Segel
I'd upgrade the version; CentOS 5 is kind of old.




Re: SASL auth only on port 25

Noel Jones-2
In reply to this post by Simon Wilson-7
On 4/27/2017 8:51 AM, Simon Wilson wrote:

> Port 25 is for MTA unauthenticated traffic, with optional TLS, and
> 587 requires TLS and sasl auth for MUA submission. The server is
> functioning fine for mail submission on 587 and MTA function on port
> 25, but I am seeing saslauthd authentication failures in maillog e.g.:
>
> Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from
> unknown[45.123.221.70]
> Apr 26 18:16:25 server04 postfix/smtpd[18323]: setting up TLS
> connection from unknown[45.123.221.70]
> Apr 26 18:16:26 server04 postfix/smtpd[18323]: TLS connection
> established from unknown[45.123.221.70]: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits)
> Apr 26 18:16:27 server04 saslauthd[1953]: Authentication failed for
> simon/simonandkate.net: Bind to ldap server failed (invalid
> user/password or insufficient access) (-7)
> Apr 26 18:16:27 server04 saslauthd[1953]: do_auth         : auth
> failure: [user=simon] [service=smtp] [realm=simonandkate.net]
> [mech=ldap] [reason=Unknown]
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: SASL
> authentication failure: Password verification failed
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning:
> unknown[45.123.221.70]: SASL PLAIN authentication failed:
> authentication failure
>

> 1. At the moment when a bot knocks on the postfix server I see
> postfix/smtpd[pid] etc. in maillog: can that message show if the
> knock is on port 25 or 587?

In master.cf submission entry:
 -o syslog_name=postfix/submission


> 2. Is my config correct for my desired outcome (below)?

Looks OK, but the "Bind to ldap server failed" errors would seem to
be a config error in your saslauthd.


  -- Noel Jones


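Once the submission entry carries -o syslog_name=postfix/submission, port 587 sessions log as postfix/submission/smtpd[pid] while the port 25 entry keeps postfix/smtpd[pid], so the two can be told apart with awk. The script below is an added example, not code from this thread; its log lines are constructed (documentation-range addresses, hostname server04 kept from the poster's log) and it assumes a Postfix release on which the master.cf syslog_name override actually takes effect (Viktor notes in the thread that on 2.3 it does not). Any failures counted under plain postfix/smtpd mean AUTH is reachable on port 25, which is exactly what the poster's -o smtpd_sasl_auth_enable=no is meant to rule out.

```shell
#!/bin/sh
# Added example (not from the thread): split SASL authentication failures
# by the smtpd instance that logged them. With
#   -o syslog_name=postfix/submission
# on the submission entry in master.cf, port 587 sessions log as
# postfix/submission/smtpd[pid]; the port 25 entry keeps postfix/smtpd[pid].

# Constructed log lines (documentation-range addresses), not real traffic.
sample_log() {
cat <<'EOF'
Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from unknown[192.0.2.10]
Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Apr 26 18:17:01 server04 postfix/submission/smtpd[18350]: connect from unknown[198.51.100.7]
Apr 26 18:17:03 server04 postfix/submission/smtpd[18350]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Apr 26 18:17:05 server04 postfix/submission/smtpd[18350]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Apr 26 18:18:11 server04 postfix/submission/smtpd[18351]: connect from unknown[203.0.113.5]
Apr 26 18:18:12 server04 postfix/submission/smtpd[18351]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
EOF
}

# Read a maillog on stdin; print "<syslog program> <client IP> <failures>"
# for every (program, client) pair that produced SASL failures.
sasl_failure_summary() {
  awk '
    / SASL [A-Z-]+ authentication failed/ {
      prog = $5; sub(/\[[0-9]+\]:$/, "", prog)              # strip "[pid]:"
      ip = $0; sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip)   # last [...] is the client
      n[prog " " ip]++
    }
    END { for (k in n) print k, n[k] }
  ' | sort
}

# Total SASL failures for one syslog program name: postfix/smtpd is port 25
# (where AUTH should never be offered), postfix/submission/smtpd is port 587.
count_failures_for_service() {
  sasl_failure_summary | awk -v prog="$1" '$1 == prog { t += $3 } END { print t + 0 }'
}

sample_log | sasl_failure_summary
echo "port 25  (postfix/smtpd): $(sample_log | count_failures_for_service postfix/smtpd)"
echo "port 587 (postfix/submission/smtpd): $(sample_log | count_failures_for_service postfix/submission/smtpd)"
```

On a live server, feed the real log instead of sample_log, e.g. count_failures_for_service postfix/smtpd < /var/log/maillog; the per-client summary is also what you would hand to a rate limiter or firewall rule once the noisy sources are identified.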


Re: SASL auth only on port 25

Viktor Dukhovni
In reply to this post by Simon Wilson-7
On Thu, Apr 27, 2017 at 11:51:06PM +1000, Simon Wilson wrote:

> 1. At the moment when a bot knocks on the postfix server I see
> postfix/smtpd[pid] etc. in maillog: can that message show if the knock is on
> port 25 or 587?

Sufficiently new versions of the stock Postfix master.cf file have:

    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    # ...

You would use that, but I believe this requires Postfix 2.4 or
later, as in 2.3 the master.cf option overrides take place after
logging is already configured, and this setting has no effect.

> 2. Is my config correct for my desired outcome (below)?
>
> extract from master.cf:
>
> # std port for incoming port 25. No SASL auth allowed
> # smtpd_sasl_auth_enable=no is default, but left here for clarity
> smtp      inet  n       -       n       -       -       smtpd
>     -o smtpd_tls_security_level=may
>     -o smtpd_sasl_auth_enable=no

Looks fine.

>
> # submission port
> submission inet n       -       n       -       -       smtpd
>     -o smtpd_tls_security_level=encrypt
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_client_restrictions=permit_sasl_authenticated,reject

In the stock Postfix 3.3-dev master.cf (commented out) submission
entry, we have:

    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_auth_only=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Most of these are applicable to a large range of releases, likely
including what ships with your newer O/S.

> smtpd_sasl_local_domain =
> broken_sasl_auth_clients = yes
>
> smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
> smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
> smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem

An empty CAfile for the SMTP server typically works better.  After
all you're not (and typically SHOULD NOT be) requesting client certs.
Just make sure your cert file contains a complete chain, not just
the leaf certificate.

> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_loglevel = 1
> smtpd_tls_session_cache_timeout = 3600s

Looks fine.  The last setting is unnecessary.

--
        Viktor.
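The "desired outcome" the poster asks about can be stated as assertions on what each listener advertises in its EHLO response: port 25 must never offer AUTH, and port 587 must offer STARTTLS first and AUTH only after the handshake (that is what smtpd_tls_security_level=encrypt plus smtpd_tls_auth_only=yes produce). The script below is an added example, not code from this thread or from Postfix; the EHLO responses are constructed, the hostname server04.example.net is made up, and the "AUTH=" line reflects what broken_sasl_auth_clients=yes adds for old clients.

```shell
#!/bin/sh
# Added example (not from the thread): check what an smtpd instance
# advertises in its EHLO response against the policy discussed above:
#   port 25:  STARTTLS optional, AUTH never offered (smtpd_sasl_auth_enable=no)
#   port 587: AUTH offered only after STARTTLS (smtpd_tls_security_level=encrypt,
#             smtpd_tls_auth_only=yes)
# All EHLO responses below are constructed, not captured from a real server.

ehlo_port25() {
cat <<'EOF'
250-server04.example.net
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EOF
}

# Port 587 before STARTTLS: TLS is mandatory, so AUTH is not offered yet.
ehlo_587_before_tls() {
cat <<'EOF'
250-server04.example.net
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EOF
}

# Port 587 after STARTTLS: AUTH appears, plus the "AUTH=" duplicate that
# broken_sasl_auth_clients=yes adds for old Outlook/Exchange clients.
ehlo_587_after_tls() {
cat <<'EOF'
250-server04.example.net
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EOF
}

# A misconfigured port 25 that leaks AUTH: the failure mode the poster feared.
ehlo_port25_leaking_auth() {
cat <<'EOF'
250-server04.example.net
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME
EOF
}

# audit_ehlo <profile>: read an EHLO response on stdin; exit 0 if it matches
# the profile. Profiles: mta (port 25), submission-plain (587 before
# STARTTLS), submission-tls (587 after STARTTLS).
audit_ehlo() {
  profile=$1
  resp=$(cat)
  auth=0; tls=0
  printf '%s\n' "$resp" | grep -qE '^250[- ]AUTH[ =]' && auth=1
  printf '%s\n' "$resp" | grep -q '^250[- ]STARTTLS' && tls=1
  case $profile in
    mta)              [ "$auth" -eq 0 ] ;;
    submission-plain) [ "$auth" -eq 0 ] && [ "$tls" -eq 1 ] ;;
    submission-tls)   [ "$auth" -eq 1 ] ;;
    *) echo "unknown profile: $profile" >&2; return 2 ;;
  esac
}

for check in "ehlo_port25 mta" "ehlo_587_before_tls submission-plain" \
             "ehlo_587_after_tls submission-tls" "ehlo_port25_leaking_auth mta"; do
  set -- $check
  if $1 | audit_ehlo $2; then echo "$1: OK for profile $2"; else echo "$1: VIOLATES profile $2"; fi
done
```

Against a real host, pipe a probe instead of the constructed functions: printf 'EHLO probe.example\r\nQUIT\r\n' | nc mail.example.net 25 | audit_ehlo mta (grep only looks at 250 lines, so the banner and 221 reply do not matter), and for the post-STARTTLS view run openssl s_client -connect mail.example.net:587 -starttls smtp -crlf, type EHLO probe.example after the handshake, and feed the reply to audit_ehlo submission-tls.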

Re: SASL auth only on port 25

Viktor Dukhovni
In reply to this post by Noel Jones-2
On Thu, Apr 27, 2017 at 09:56:39AM -0500, Noel Jones wrote:

> Looks OK, but the "Bind to ldap server failed" errors would seem to
> be a config error in your saslauthd.

Not necessarily.  One common method of verifying user passwords is
to attempt to "bind" to LDAP with the username and password in
question.

--
        Viktor.

Re: SASL auth only on port 25

Simon Wilson-7
In reply to this post by Noel Jones-2
>> 1. At the moment when a bot knocks on the postfix server I see
>> postfix/smtpd[pid] etc. in maillog: can that message show if the
>> knock is on port 25 or 587?
>
> In master.cf submission entry:
>  -o syslog_name=postfix/submission
>
>

Aha! Just what I needed... thanks Noel.

>> 2. Is my config correct for my desired outcome (below)?
>
> Looks OK, but the "Bind to ldap server failed" errors would seem to
> be a config error in your saslauthd.
>
>
>   -- Noel Jones

That's the knocker trying to auth as simon (not a bad guess given my  
domain name and email address, which is guaranteed to be out there on  
bot lists somewhere) and failing, so the saslauth fails. I assume so  
anyway... if I auth to 587 as me properly it all works fine and binds  
to LDAP no problems. testsaslauthd all works, and only auth'd users  
can submit mail.

Thanks.




--
Simon Wilson
M: 0400 12 11 16


Re: SASL auth only on port 25

Simon Wilson-7
In reply to this post by Viktor Dukhovni

Lots of great information in there, thanks Viktor. Shame about the  
logfile entry only being in 2.4 and later, but I'm really only  
'fixing' this old box prior to going live on the new box and  
understanding what it does, so that will work fine on the new Postfix  
config.

Thanks all for responses.
Simon


--
Simon Wilson
M: 0400 12 11 16


Re: SASL auth only on port 25

Simon Wilson-7
In reply to this post by Viktor Dukhovni

   #  -o smtpd_client_restrictions=$mua_client_restrictions
   #  -o smtpd_helo_restrictions=$mua_helo_restrictions
   #  -o smtpd_sender_restrictions=$mua_sender_restrictions

 

I cannot find much about these variables - do these just set to what has already been loaded from those sections of main.cf, the idea being they can be appended to here?

Simon.

___________
Simon Wilson
M: 0400 12 11 16

Re: SASL auth only on port 25

Viktor Dukhovni

> On Apr 27, 2017, at 11:54 AM, Simon Wilson <[hidden email]> wrote:
>
>>    #  -o smtpd_client_restrictions=$mua_client_restrictions
>>    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
>>    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
>>
> I cannot find much about these variables - do these just set to what has already been loaded from those sections of main.cf, the idea being they can be appended to here?

The idea is that you can configure these "made up" parameter names in main.cf,
instead of bloating master.cf with complex settings.

If you don't define them, they'll default "empty", which is fine.

--
        Viktor.


Re: SASL auth only on port 25

Simon Wilson-7

Got it. Thanks Viktor.

Simon

--
Simon Wilson
M: 0400 12 11 16


Re: SASL auth only on port 25

Viktor Dukhovni
In reply to this post by Viktor Dukhovni

> On Apr 27, 2017, at 12:21 PM, Michael Segel <[hidden email]> wrote:
>
> You raise a very valid point in some of your emails.
>
> There’s a lot of garbage “How To” when it comes to postfix and dovecot and others…
>
> What are some good resources?  (e-books, blogs, etc …)
>
> What made my debugging difficult is that the last time I set up a postfix server was 5+ years ago, and I don’t have a lot of free time or cycles to relearn postfix.
>
> Suggestions would be helpful.

What's available are the somewhat dated (but still very useful) books,
http://www.postfix.org/documentation.html, and the list archives.
After reading either of the books, you can brush up on the newer
features in one of the postfix.org tutorials.

The most important things to peruse are:

  * http://www.postfix.org/ADDRESS_REWRITING_README.html
  * http://www.postfix.org/ADDRESS_CLASS_README.html
  * http://www.postfix.org/OVERVIEW.html
  * http://www.postfix.org/master.5.html

The top portion of http://www.postfix.org/postconf.5.html
covers general main.cf syntax.

After that, SASL_README, TLS_README, SOHO_README, ... cover
more focused topics.

Be especially wary of third-party HOWTOs that recommend fashionably
"strong" TLS settings.  These are most likely to be counterproductive.

--
        Viktor.

Re: SASL auth only on port 25

Simon Wilson-7
In reply to this post by Viktor Dukhovni

Putting all of this advice and learning together with other reading,  
and the CentOS7 distribution master.cf file, I have set the following  
on my NEW Postfix 2.10 / CentOS7 server. The config I had on the old  
CentOS5 server had restrictions all in recipient checks, so at the  
moment I have replicated that. I have noticed varying opinions on that.

The config all appears to work on internal network, but I can't test  
it fully (externally, open relay) until I redirect the port forwarding.

Objective is port 25 MTA only, 587 SASL auth over TLS only. I've  
enabled postscreen in monitor mode at the moment. I've added a blank  
set smtpd_relay_restrictions as per the comments on postfix.org about  
that being added in 2.10+ and having it blank enabling previous  
behaviour for smtpd_recipient_restrictions. I think I have that  
correct.

I'm hopeful that once I have postscreen enabled fully the amount of  
zombie knocking will decrease.

Thanks
Simon.


master.cf:

smtp      inet  n       -       n       -       1       postscreen
     -o smtpd_tls_security_level=may
     -o smtpd_sasl_auth_enable=no
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
     -o syslog_name=postfix/submission
     -o smtpd_tls_security_level=encrypt
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_tls_auth_only=yes
     -o smtpd_reject_unlisted_recipient=no
     -o smtpd_client_restrictions=$mua_client_restrictions
     -o smtpd_helo_restrictions=$mua_helo_restrictions
     -o smtpd_sender_restrictions=$mua_sender_restrictions
     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

main.cf:

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
mua_client_restrictions =
mua_helo_restrictions =
mua_sender_restrictions =

smtpd_helo_required = yes
disable_vrfy_command = yes

# added in postfix 2.10, set to blank lets recipient restrictions work as before
smtpd_relay_restrictions =

smtpd_recipient_restrictions =
         check_client_access hash:/etc/postfix/client_checks,
         permit_mynetworks,
         permit_sasl_authenticated,
         check_sender_access hash:/etc/postfix/sender_access,
         check_recipient_access hash:/etc/postfix/recipient_access.outside,
         reject_unauth_destination,
         reject_unauth_pipelining,
         reject_invalid_helo_hostname,
         reject_non_fqdn_helo_hostname,
         reject_non_fqdn_sender,
         reject_unknown_sender_domain,
         reject_non_fqdn_recipient,
         reject_unknown_recipient_domain,
         reject_rbl_client zen.spamhaus.org,
         check_policy_service unix:private/policy-spf
         permit

# Data restrictions:
smtpd_data_restrictions =
         reject_unauth_pipelining
         permit

smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem
# CA cert to be sorted out

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1

delay_warning_time = 2h
bounce_template_file = /etc/postfix/bounce.cf

data_directory = /var/lib/postfix
policy-spf_time_limit = 3600s

################
## Postscreen ##
################
#postscreen config (separate discussion!)

--
Simon Wilson
M: 0400 12 11 16


Re: SASL auth only on port 25

Viktor Dukhovni

> On Apr 27, 2017, at 12:45 PM, Simon Wilson <[hidden email]> wrote:
>
> smtpd_recipient_restrictions =
>        check_client_access hash:/etc/postfix/client_checks,
>        permit_mynetworks,
>        permit_sasl_authenticated,
>        check_sender_access hash:/etc/postfix/sender_access,

That check looks risky here.  You're making access decisions based on
an easily spoofable sender address, prior to blocking relaying with
"reject_unauth_destination".  That table had better not have any
OK entries, but in any case find some way to put this below
reject_unauth_destination.

>        check_recipient_access hash:/etc/postfix/recipient_access.outside,
>        reject_unauth_destination,
>        reject_unauth_pipelining,
>        reject_invalid_helo_hostname,
>        reject_non_fqdn_helo_hostname,
>        reject_non_fqdn_sender,
>        reject_unknown_sender_domain,
>        reject_non_fqdn_recipient,
>        reject_unknown_recipient_domain,
>        reject_rbl_client zen.spamhaus.org,
>        check_policy_service unix:private/policy-spf
>        permit

--
        Viktor.


Re: SASL auth only on port 25

Simon Wilson-7
----- Message from Viktor Dukhovni <[hidden email]> ---------
     Date: Thu, 27 Apr 2017 13:01:16 -0400
     From: Viktor Dukhovni <[hidden email]>
Reply-To: Postfix users <[hidden email]>
  Subject: Re: SASL auth only on port 25
       To: Postfix users <[hidden email]>


>> On Apr 27, 2017, at 12:45 PM, Simon Wilson <[hidden email]> wrote:
>>
>> smtpd_recipient_restrictions =
>>        check_client_access hash:/etc/postfix/client_checks,
>>        permit_mynetworks,
>>        permit_sasl_authenticated,
>>        check_sender_access hash:/etc/postfix/sender_access,
>
> That check looks risky here.  You're making access decisions based on
> an easily spoofable sender address, prior to blocking relaying with
> "reject_unauth_destination".  That table had better not have any
> OK entries, but in any case find some way to put this below
> reject_unauth_destination.
>

Got it - because someone could potentially say "Hey I've got MAIL FROM  
xxxxx@wherever" and if that email address is in that sender_access  
file, they could then use my server as a relay, because the  
'reject_unauth_destination' check has not been evaluated.

Thank you for the comment, I will rectify that.

Simon.

>>        check_recipient_access hash:/etc/postfix/recipient_access.outside,
>>        reject_unauth_destination,
>>        reject_unauth_pipelining,
>>        reject_invalid_helo_hostname,
>>        reject_non_fqdn_helo_hostname,
>>        reject_non_fqdn_sender,
>>        reject_unknown_sender_domain,
>>        reject_non_fqdn_recipient,
>>        reject_unknown_recipient_domain,
>>        reject_rbl_client zen.spamhaus.org,
>>        check_policy_service unix:private/policy-spf
>>        permit
>
> --
> Viktor.

--
Simon Wilson
M: 0400 12 11 16
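To make the ordering point above concrete, here is an added toy model (not code from the thread or from Postfix) of how smtpd walks a restriction list: the first restriction returning OK or REJECT decides, anything else falls through. It assumes a local domain of simonandkate.net, mynetworks of 127.0.0.0/8, and a constructed sender_access table with one OK entry; the client IPs are documentation-range addresses.

```python
# Added example (not from the thread): a toy model of smtpd_recipient_restrictions
# evaluation, showing why an OK entry in check_sender_access placed before
# reject_unauth_destination lets an outside client relay through the server.
import ipaddress

MY_DOMAINS = {"simonandkate.net"}                       # assumed local domain
MY_NETWORKS = [ipaddress.ip_network("127.0.0.0/8")]     # assumed mynetworks
SENDER_ACCESS = {"partner@example.org": "OK"}           # constructed table entry

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return "OK" if any(ip in n for n in MY_NETWORKS) else None

def check_sender_access(s):
    # MAIL FROM is supplied by the client, so this lookup keys on untrusted data
    return SENDER_ACCESS.get(s["sender"])

def reject_unauth_destination(s):
    rdom = s["recipient"].rsplit("@", 1)[-1]
    return None if rdom in MY_DOMAINS else "REJECT"

def permit(s):
    return "OK"

def evaluate(restrictions, session):
    """Walk the list like smtpd: first OK/REJECT decides, DUNNO (None) continues."""
    for r in restrictions:
        verdict = r(session)
        if verdict in ("OK", "REJECT"):
            return verdict, r.__name__
    return "DUNNO", None

# The order Viktor flagged, and the corrected order he asked for.
RISKY = [permit_mynetworks, check_sender_access, reject_unauth_destination, permit]
FIXED = [permit_mynetworks, reject_unauth_destination, check_sender_access, permit]

# Constructed session: an outside client claiming a whitelisted sender and
# addressing a domain this server is not responsible for (i.e. a relay attempt).
SPOOFED_RELAY = {"client_ip": "203.0.113.5", "sender": "partner@example.org",
                 "recipient": "someone@example.com"}

if __name__ == "__main__":
    print(evaluate(RISKY, SPOOFED_RELAY))   # ('OK', 'check_sender_access'): relayed
    print(evaluate(FIXED, SPOOFED_RELAY))   # ('REJECT', 'reject_unauth_destination')
```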


Re: SASL auth only on port 25

Simon Wilson-7
These settings in main.cf are just applying to port 25 smtpd, as  
smtpd_recipient_restrictions are separately applied to 587 in  
master.cf...

>>> smtpd_recipient_restrictions =
>>>       check_client_access hash:/etc/postfix/client_checks,
>>>       permit_mynetworks,
>>>       permit_sasl_authenticated,

...so I can remove the one above, right, as it doesn't apply to port  
25? There is no way that it can be met, as smtpd_sasl_auth_enable is  
set to NO by default. I assume it's harmless to leave, but won't serve  
any purpose?

>>>       check_recipient_access hash:/etc/postfix/recipient_access.outside,
>>>       reject_unauth_destination,
>>>       check_sender_access hash:/etc/postfix/sender_access,
>>>       reject_unauth_pipelining,
>>>       reject_invalid_helo_hostname,
>>>       reject_non_fqdn_helo_hostname,
>>>       reject_non_fqdn_sender,
>>>       reject_unknown_sender_domain,
>>>       reject_non_fqdn_recipient,
>>>       reject_unknown_recipient_domain,
>>>       reject_rbl_client zen.spamhaus.org,
>>>       check_policy_service unix:private/policy-spf
>>>       permit
>>


--
Simon Wilson
M: 0400 12 11 16


Re: SASL auth only on port 25

Viktor Dukhovni

> On Apr 28, 2017, at 8:54 AM, Simon Wilson <[hidden email]> wrote:
>
>>>>      permit_sasl_authenticated,
>
> ...so I can remove the one above, right, as it doesn't apply to port 25? There is no way that it can be met, as smtpd_sasl_auth_enable is set to NO by default. I assume it's harmless to leave, but won't serve any purpose?

Think clearly, and trust cold hard logic over any answer this list may provide. :-)

--
        Viktor.

P.S.  If the above is not clear, yes your analysis is correct.

Next steps to migrating, WAS Re: SASL auth only on port 25

Simon Wilson-7
>>>>>      permit_sasl_authenticated,
>>
>> ...so I can remove the one above, right, as it doesn't apply to  
>> port 25? There is no way that it can be met, as  
>> smtpd_sasl_auth_enable is set to NO by default. I assume it's  
>> harmless to leave, but won't serve any purpose?
>
> Think clearly, and trust cold hard logic over any answer this list  
> may provide. :-)
>
> --
> Viktor.
>
> P.S.  If the above is not clear, yes your analysis is correct.


----- End message from Viktor Dukhovni <[hidden email]> -----

:-D

Thanks Viktor. Always hard when you have to explain a punchline... ;-)

Now I am confident I have a reasonable understanding of the Postfix  
config, next steps for migrating to my CentOS7 new Postfix server...

I have validated that the new server can send and receive, including  
tests for delivery to its local new cyrus-imapd - by command-line  
mailx to a SASL-verifiable local user, and to a non-verifiable one  
(which was rejected), from both localhost and other hosts on the local  
network.

My migration plan is to break it down into stages:

1. Outbound SMTP first (COMPLETED) - set outbound SMTP (port 587) from  
Horde (on another server) to the new CentOS 7 / postfix server. As the  
new server also thinks it is destination for my domain names (in  
preparation for its new role), set it to deliver mail for local users  
back to the old server's cyrus-imapd for now over IP LMTP instead of  
to the new empty cyrus-imapd on local socket LMTP.

In new server's main.cf:
mailbox_transport = lmtp:server04:lmtp

Old server's cyrus.conf:
lmtp cmd="lmtpd -a" listen="lmtp" prefork=1

2. Then do inbound SMTP (postscreen!) Not done yet.

3. Once SMTP is all good on the new server, migrate mailboxes to  
cyrus-imapd on new server, point Horde to the new IMAP server, and set  
new postfix to deliver to local cyrus-imapd socket again.

All sound reasonable?

The big test will be inbound SMTP, but that will have to wait until I  
can get on to my router and change port forward rules.




--
Simon Wilson
M: 0400 12 11 16


Re: SASL auth only on port 25

@lbutlr
In reply to this post by Simon Wilson-7
On 2017-04-27 (07:51 MDT), Simon Wilson <[hidden email]> wrote:
>
> Hi all, I'm tightening up my (pre-postscreen postfix 2.3.3 on CentOS 5) mail server as I get quite a few hits on the open ports from bot nets trying to auth. Getting ready to migrate off it - more on that later.
>
> Port 25 is for MTA unauthenticated traffic, with optional TLS, and 587 requires TLS and sasl auth for MUA submission. The server is functioning fine for mail submission on 587 and MTA function on port 25, but I am seeing saslauthd authentication failures in maillog e.g.:

My recommendation is to take all mail submission from local users off port 25 and only allow those connections on 587. Leave port 25 only open for MTA traffic with optional TLS.

>
> Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from unknown[45.123.221.70]
> Apr 26 18:16:25 server04 postfix/smtpd[18323]: setting up TLS connection from unknown[45.123.221.70]
> Apr 26 18:16:26 server04 postfix/smtpd[18323]: TLS connection established from unknown[45.123.221.70]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Apr 26 18:16:27 server04 saslauthd[1953]: Authentication failed for simon/simonandkate.net: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
> Apr 26 18:16:27 server04 saslauthd[1953]: do_auth         : auth failure: [user=simon] [service=smtp] [realm=simonandkate.net] [mech=ldap] [reason=Unknown]
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: SASL authentication failure: Password verification failed
> Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: unknown[45.123.221.70]: SASL PLAIN authentication failed: authentication failure
>
> and I don't know if it's because they are knocking on 587, or still knocking on port 25 and trying to auth because I have my port 25 config wrong... :-/

Change the syslog for submission in master.cf by adding

submission inet  n       -       n       -       -       smtpd
 [ … ]
    -o syslog_name=submit-tls



--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: SASL auth only on port 25

Viktor Dukhovni

> On May 3, 2017, at 10:16 AM, @lbutlr <[hidden email]> wrote:
>
> -o syslog_name=submit-tls

The recommended override, that is most likely to work well with log parsers is:

        -o syslog_name=postfix/submission

or in multi-instance environments:

        -o syslog_name=${multi_instance_name?{$multi_instance_name}:{postfix}}/submission

--
        Viktor.


Re: SASL auth only on port 25

Simon Wilson-7
In reply to this post by Simon Wilson-7
>>> On Apr 27, 2017, at 12:45 PM, Simon Wilson <[hidden email]> wrote:
>>>
>>> smtpd_recipient_restrictions =
>>>       check_client_access hash:/etc/postfix/client_checks,
>>>       permit_mynetworks,
>>>       permit_sasl_authenticated,
>>>       check_sender_access hash:/etc/postfix/sender_access,
>>
>> That check looks risky here.  You're making access decisions based on
>> an easily spoofable sender address, prior to blocking relaying with
>> "reject_unauth_destination".  That table had better not have any
>> OK entries, but in any case find some way to put this below
>> reject_unauth_destination.
>>
>
> Got it - because someone could potentially say "Hey I've got MAIL  
> FROM xxxxx@wherever" and if that email address is in that  
> sender_access file, they could then use my server as a relay,  
> because the 'reject_unauth_destination' check has not been evaluated.
>
> Thank you for the comment, I will rectify that.
>
> Simon.
>
>>>       check_recipient_access hash:/etc/postfix/recipient_access.outside,
>>>       reject_unauth_destination,
>>>       reject_unauth_pipelining,
>>>       reject_invalid_helo_hostname,
>>>       reject_non_fqdn_helo_hostname,
>>>       reject_non_fqdn_sender,
>>>       reject_unknown_sender_domain,
>>>       reject_non_fqdn_recipient,
>>>       reject_unknown_recipient_domain,
>>>       reject_rbl_client zen.spamhaus.org,
>>>       check_policy_service unix:private/policy-spf
>>>       permit
>>
>> --
>> Viktor.
>
> --
> Simon Wilson

I rectified the order as Viktor suggested back in April, and all now  
working to plan, including a client IP filter in the  
check_client_access file for local servers to skip amavisd. So I now  
have:

smtpd_recipient_restrictions =
         check_client_access hash:/etc/postfix/client_checks,
         permit_mynetworks,
         check_recipient_access hash:/etc/postfix/recipient_access.outside,
         reject_unauth_destination,
         check_sender_access hash:/etc/postfix/sender_access,
         reject_unauth_pipelining,
         reject_invalid_helo_hostname,
         reject_non_fqdn_helo_hostname,
         reject_non_fqdn_sender,
         reject_unknown_sender_domain,
         reject_non_fqdn_recipient,
         reject_unknown_recipient_domain,
         reject_rbl_client zen.spamhaus.org,
         check_policy_service unix:private/policy-spf
         permit

I have a follow-up question on smtpd_relay_restrictions. At the moment I have:

smtpd_relay_restrictions =

smtpd_recipient_restrictions =
         check_client_access hash:/etc/postfix/client_checks,
         (etc.)

This is an install that has migrated from a Postfix install that was  
pre-2.10, so for compatibility with what I had before it's all still  
in smtpd_recipient_restrictions with an explicitly empty  
smtpd_relay_restrictions.

To move forward, what checks should I move into the relay restrictions?

Simon

--
Simon Wilson
M: 0400 12 11 16
