Stop sasl mail submission on port 25

Stop sasl mail submission on port 25

edg973
Hello dear Postfix users,
I am managing a postfix server (version 2.5.5), but I did not install it.
This server accepts mail submission on port 25 after sasl authentication... I
would like to stop it, because this is a security issue. External servers on
the internet are trying brute force attacks on passwords...
It is also configured to use port 465 smtp over tls for the users of the
domain of my local lan.

According to this link:
https://unix.stackexchange.com/questions/145499/postfix-disable-authentication-through-port-25
it is possible to stop sasl mail submission on port 25.

I am not familiar with mail systems; is this a good way to do it?
I am also wondering if I could add support for smtps port 587 in master.cf
(for the moment only 465 is set).
Can both 465 and 587 ports be configured at the same time?

Best Regards





--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Stop sasl mail submission on port 25

Wietse Venema
edg973:

> Hello dear Postfix users,
> I am managing a postfix server (version 2.5.5), but I did not install it.
> This server accepts mail submission on port 25 after sasl authentication... I
> would like to stop it, because this is a security issue. External servers on
> the internet are trying brute force attacks on passwords...
> It is also configured to use port 465 smtp over tls for the users of the
> domain of my local lan.
>
> According to this link:
> https://unix.stackexchange.com/questions/145499/postfix-disable-authentication-through-port-25
> it is possible to stop sasl mail submission on port 25.
>
> I am not familiar with mail systems; is this a good way to do it?
> I am also wondering if I could add support for smtps port 587 in master.cf
> (for the moment only 465 is set).
> Can both 465 and 587 ports be configured at the same time?

Unfortunately, that link shows how to turn off TLS and SASL on port
25, which is not what you want. And yes, port 25 (smtp), 465 (smtps)
and 587 (submission) can be enabled at the same time.

Below is a Postfix 2.6.0 fragment of the master.cf file. You are
expected to uncomment the relevant sections. This assumes that you
have no smtpd_sasl_auth_enable settings in main.cf.

        Wietse

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Re: Stop sasl mail submission on port 25

edg973
Hello,

Thank you for your help

Unfortunately, in my config, main.cf has:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

In master.cf, there is:
smtp      inet  n       -       -       -       -       smtpd -o content_filter=spamassassin
smtps   inet    n       -       n       -       -       smtpd   -o smtpd_tls_wrappermode=yes       -o      smtpd_sasl_auth_enable=yes

My goal would be to get:
port 25: normal internet mail reception (no sasl authentication)
port 465: smtps with sasl authentication
port 587: submission with sasl authentication

Why would "smtpd_sasl_auth_enable settings in main.cf" not allow this?

Best regards






Re: Stop sasl mail submission on port 25

Benny Pedersen-2
edg973 wrote on 2018-09-14 02:51:

> Unfortunately, in my config, main.cf has:
> smtpd_sasl_auth_enable = yes

this means all incoming ports now support sasl auth, so that's why bots
try it on port 25

> smtpd_sasl_security_options = noanonymous

ok in main.cf

> Why would "smtpd_sasl_auth_enable settings in main.cf" not allow
> this?

all settings in main.cf work globally in master.cf

learn to live with it :=)

hint: read master.cf on how to enable sasl auth non-globally

more help needed?

Re: Stop sasl mail submission on port 25

Matus UHLAR - fantomas
On 13.09.18 17:51, edg973 wrote:
>Unfortunately, in my config, main.cf has:
>smtpd_sasl_auth_enable = yes

change this to "no"

>In master.cf, there is:

>smtp      inet  n       -       -       -       -       smtpd -o content_filter=spamassassin
>smtps   inet    n       -       n       -       -       smtpd   -o smtpd_tls_wrappermode=yes       -o      smtpd_sasl_auth_enable=yes

1. where is "submission"?
2. you should modify this according to what Wietse sent:

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Note the leading spaces in the "-o" lines. The proposed smtps service
contains the same options as you already have, so you won't lose anything.

Also note that both services here require encryption (good) and disable
sending mail without authentication (good).

>My goal would be to get:
>port 25: normal internet mail reception (no sasl authentication)
>port 465: smtps with sasl authentication
>port 587: submission with sasl authentication
>
>Why would "smtpd_sasl_auth_enable settings in main.cf" not allow this?

"smtpd_sasl_auth_enable=yes" in main.cf enables sasl authentication
globally, which you don't want. That's why you should turn it off and only
enable it explicitly for submission and smtps services.

It's better to configure postfix according to the proposed config, so you don't
have too many changes when upgrading later.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Nothing is fool-proof to a talented fool.
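
An added example, not part of any post in this thread and not Postfix's own tooling: a small Python check that computes the effective smtpd_sasl_auth_enable value for each smtpd listener, following the rule discussed above that main.cf sets the global default and "-o" overrides in master.cf apply per service. The sample configs are constructed from the fragments quoted in the thread, the function names are hypothetical, and the parser assumes plain "-o name=value" arguments without spaces.

```python
# Constructed sample configs, modelled on the fragments quoted in the thread.
MAIN_BEFORE = "smtpd_sasl_auth_enable = yes\nsmtpd_sasl_security_options = noanonymous\n"
MAIN_AFTER = "smtpd_sasl_auth_enable = no\nsmtpd_sasl_security_options = noanonymous\n"
MASTER_BEFORE = """\
smtp      inet  n       -       -       -       -       smtpd -o content_filter=spamassassin
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
"""
MASTER_AFTER = """\
smtp      inet  n       -       -       -       -       smtpd -o content_filter=spamassassin
#  -o smtpd_sasl_auth_enable=yes
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Drop comments and blank lines; join lines that start with whitespace
    onto the previous logical line (main.cf and master.cf both work this way)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def sasl_by_service(main_cf, master_cf):
    """Return {service: effective smtpd_sasl_auth_enable} for inet smtpd listeners."""
    params = dict((k.strip(), v.strip()) for k, _, v in
                  (l.partition("=") for l in logical_lines(main_cf)))
    default = params.get("smtpd_sasl_auth_enable", "no")  # Postfix built-in default
    result = {}
    for line in logical_lines(master_cf):
        f = line.split()
        if len(f) < 8 or f[1] != "inet" or f[7] != "smtpd":
            continue
        # Per-service "-o name=value" overrides take precedence over main.cf.
        opts = dict(a.split("=", 1) for a in f[8:] if "=" in a)
        result[f[0]] = opts.get("smtpd_sasl_auth_enable", default)
    return result
```
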

Re: Stop sasl mail submission on port 25

edg973
Hi Fantomas,

It's very kind of you for all the details of your answer.
I would like just a bit more information.

1. If I change "smtpd_sasl_auth_enable=yes" in main.cf,
is there any issue with "smtpd_sasl_security_options = noanonymous"?
Will this option be applied to submission and smtps in master.cf?

2. In master.cf, what is "-o milter_macro_daemon_name=ORIGINATING"?
Is it compatible with my postfix 2.5.5?

Best regards




