Understanding the importance of submission

Understanding the importance of submission

Yassine Chaouche
Dear postfix,

I don't seem to get the idea of submission, I know I must be wrong, b/c
so many articles out there preach to use a different port for
submission, but I hope to find some argument in your replies that will
make me change my mind.
If I understand correctly, submission is a means for mail server admins
to enforce some policies on port 587 w/o interfering with mail relay
which occurs on port 25. These policies are mainly :

1/ Force TLS on all incoming connections
2/ Force users to authenticate

While 1/ can't be enforced on port 25, 2/ can be enforced for relay,
e.g. with :

smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions =  permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination

So the only thing that I need submission port for seems to be to force
TLS connections, right ?

Anything else I am missing there ?

Another claim for submission is that it reduces spam, but to my
understanding that's only for *sending* spam (relaying), and that's
because the admin enforces user authentication for relay, which can
safely be done on port 25 anyways (otherwise we'd be an open relay). As
for *receiving* spam (we're the final destination), it can still be
delivered unauthed from port 25, so that won't stop *receiving* spam,
will it ?

I'm all confused.

Yassine.

Re: Understanding the importance of submission

Patrick Ben Koetter-2
* Yassine Chaouche <[hidden email]>:
> Dear postfix,
>
> I don't seem to get the idea of submission, I know I must be wrong, b/c so
> many articles out there preach to use a different port for submission, but I

Use submission on TCP/587 for MUA to MTA traffic.
Use smtp on TCP/25 for MTA to MTA traffic.

Run authenticated MUA friendly policies on Submission. Run MTA policies on
smtp port.

Access providers may block outbound TCP/25 connections, because infected
enduser devices try to transport messages on that port to remote MTAs. They
won't block TCP/597 because submission requires SMTP AUTH, which requires the
sender to possess login/pass – something most spammers don't have.

p@rick

> hope to find some argument in your replies that will make me change my mind.
> If I understand correctly, submission is a means for mail server admins to
> enforce some policies on port 587 w/o interfering with mail relay which
> occurs on port 25. These policies are mainly :
>
> 1/ Force TLS on all incoming connections
> 2/ Force users to authenticate
>
> While 1/ can't be enforced on port 25, 2/ can be enforced for relay, e.g.
> with :
>
> smtpd_sasl_auth_enable = yes
> smtpd_relay_restrictions =  permit_mynetworks, permit_sasl_authenticated,
> reject_unauth_destination
>
> So the only thing that I need submission port for seems to be to force TLS
> connections, right ?
>
> Anything else I am missing there ?
>
> Another claim for submission is that it reduces spam, but to my
> understanding that's only for *sending* spam (relaying), and that's because
> the admin enforces user authentication for relay, which can safely be done
> on port 25 anyways (otherwise we'd be an open relay). As for *receiving* spam
> (we're the final destination), it can still be delivered unauthed from port
> 25, so that won't stop *receiving* spam, will it ?
>
> I'm all confused.
>
> Yassine.
>

--
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
 

Re: Understanding the importance of submission

Yassine Chaouche
On 3/20/19 4:18 PM, Patrick Ben Koetter wrote:
> [...] Use submission on TCP/587 for MUA to MTA traffic.
Why ?
> [...]
>
> Run authenticated MUA friendly policies on Submission. Run MTA policies on
> smtp port.
What kind ?
> Access providers may block outbound TCP/25 connections, because infected
> enduser devices try to transport messages on that port to remote MTAs. They
> won't block TCP/597 because submission requires SMTP AUTH, which requires the
> sender to possess login/pass – something most spammers don't have.
Requiring authentication to relay on 25 will also get rid of spam.

Yassine.


Re: Understanding the importance of submission

Alice Wonder
In reply to this post by Patrick Ben Koetter-2
On 3/20/19 8:18 AM, Patrick Ben Koetter wrote:

> * Yassine Chaouche <[hidden email]>:
>> Dear postfix,
>>
>> I don't seem to get the idea of submission, I know I must be wrong, b/c so
>> many articles out there preach to use a different port for submission, but I
>
> Use submission on TCP/587 for MUA to MTA traffic.
> Use smtp on TCP/25 for MTA to MTA traffic.
>
> Run authenticated MUA friendly policies on Submission. Run MTA policies on
> smtp port.
>
> Access providers may block outbound TCP/25 connections, because infected
> enduser devices try to transport messages on that port to remote MTAs. They
> won't block TCP/597 because submission requires SMTP AUTH, which requires the
> sender to possess login/pass – something most spammers don't have.
>
> p@rick
>
>

Note that submission on Port 587 is deprecated; it is now "official" to
use Port 465 with implicit TLS.

Using Port 587 isn't going to stop working, of course, but...

But anyway yes, port 25 is frequently blocked by consumer ISPs. It's
blocked by mine, for example.

Re: Understanding the importance of submission

Yassine Chaouche

On 3/20/19 4:26 PM, Alice Wonder wrote:
> [...]Note that submission on Port 587 is deprecated, it is now
> "official" to use Port 465 with implicit TLS. [...]

Oh, I thought it was the other way around and most people now are
dropping 465 in favor of 587 with STARTTLS to support old/odd clients
who don't support TLS. Could you point me to the/a reference ?

Yassine.



Re: Understanding the importance of submission

Ralph Seichter-2
In reply to this post by Yassine Chaouche
* Yassine Chaouche:

> So the only thing that I need submission port for seems to be to force
> TLS connections, right ?

You already mentioned having different policies, so the possibilities
are numerous. Having the dedicated submission port allows me to easily
force encryption, force authentication (password, client certificates),
limit users to certain sender domains, add DKIM signatures, to name just
some examples. I can also flat out reject envelope senders foo@mydomain
on port 25, add DNS BL/WL checks, various milters, etc.

In my experience it is easier to configure (and understand) how your
Postfix instances are operating when inbound and outbound emails are
entering via separate ports.

-Ralph

Re: Understanding the importance of submission

Ralph Seichter-2
In reply to this post by Alice Wonder
* Alice Wonder:

> Note that submission on Port 587 is deprecated, it is now "official" to
> use Port 465 with implicit TLS.

As far as I can see, RFC 8314 is only in the proposed standards stage,
so no, the use of port 587 is not deprecated.

-Ralph

Re: Understanding the importance of submission

Mike.
In reply to this post by Ralph Seichter-2
On 3/20/2019 11:39 AM, Ralph Seichter wrote:

> * Yassine Chaouche:
>
>> So the only thing that I need submission port for seems to be to force
>> TLS connections, right ?
>
> You already mentioned having different policies, so the possibilities
> are numerous. Having the dedicated submission port allows me to easily
> force encryption, force authentication (password, client certificates),
> limit users to certain sender domains, add DKIM signatures, to name just
> some examples. I can also flat out reject envelope senders foo@mydomain
> on port 25, add DNS BL/WL checks, various milters, etc.
>
> In my experience it is easier to configure (and understand) how your
> Postfix instances are operating when inbound and outbound emails are
> entering via separate ports.

The similarity between the two ports is that they both allow a means of
entry for an email into the server.

Besides that, they can (and usually do) have differing policies regarding
that entry.

Keeping the two entry streams separate makes it easier to put the
differing policies into place and to enforce those policies.

If someone, for whatever reason, has very similar policies for the two
ports, then for that person, the distinction of having two separate
ports becomes less apparent.


Re: Understanding the importance of submission

A. Schulze
In reply to this post by Patrick Ben Koetter-2


On 20.03.19 at 16:18, Patrick Ben Koetter wrote:
> Use submission on TCP/587 for MUA to MTA traffic.

Btw:

RFC 8314 describes Implicit TLS for POP3, IMAP and Submission
on ports 995, 993 and 465. It works fine with the usual modern MUAs
and eliminates the opportunity for downgrades that exists when talking plaintext+STARTTLS.

Andreas

Re: Understanding the importance of submission

Viktor Dukhovni
In reply to this post by Alice Wonder
On Wed, Mar 20, 2019 at 08:26:47AM -0700, Alice Wonder wrote:

> Note that submission on Port 587 is deprecated, it is now "official" to
> use Port 465 with implicit TLS.

That's mostly wishful (and perhaps even slightly misguided) thinking
on the part of the authors of one particular IETF RFC.  In practice,
port 587 is alive and well, and there's nothing wrong with it that
switching to 465 fixes.

--
        Viktor.

Re: Understanding the importance of submission

Viktor Dukhovni
In reply to this post by Yassine Chaouche
On Wed, Mar 20, 2019 at 04:01:24PM +0100, Yassine Chaouche wrote:

> I don't seem to get the idea of submission, I know I must be wrong, b/c
> so many articles out there preach to use a different port for
> submission, but I hope to find some argument in your replies that will
> make me change my mind.

The real difference is that on the submission port you can pass the
ORIGINATING macro to DKIM milters to sign *outbound* mail, while
on the inbound relay port you'll do DKIM verification of remotely
originated email.

You would also front-end smtpd(8) with postscreen on port 25, and
apply RBLs that reject clients listed in RBLs, ... but not do either
on 587.

Your configuration is also simplified by separating the rules for
authorizing outbound email from your users, from the logic that
fights spam from untrusted remote users.

I find divide and conquer to be the best way to fight complexity,
to the point of often running a separate Postfix instance for
outbound email, not just a separate service on a separate port.

--
        Viktor.

Re: Understanding the importance of submission

Viktor Dukhovni
In reply to this post by Ralph Seichter-2
> On Mar 20, 2019, at 11:51 AM, Ralph Seichter <[hidden email]> wrote:
>
> As far as I can see, RFC 8314 is only in the proposed standards stage,
> so no, the use of port 587 is not deprecated.

That's one of the common misperceptions of the IETF standards
process.  Proposed standards are IETF standards.  Full standards
are those standards that have matured to the point where they
are known to be widely used, broadly interoperable and stable.

But there's no IETF police to enforce the standards, and not
all the standards succeed in the marketplace.

--
        Viktor.


Re: Understanding the importance of submission

Matus UHLAR - fantomas
In reply to this post by Yassine Chaouche
>On 3/20/19 4:18 PM, Patrick Ben Koetter wrote:
>>Access providers may block outbound TCP/25 connections, because infected
>>enduser devices try to transport messages on that port to remote MTAs. They
>>won't block TCP/597 because submission requires SMTP AUTH, which requires the
>>sender to possess login/pass – something most spammers don't have.

On 20.03.19 16:26, Yassine Chaouche wrote:
>Requiring authentication to relay on 25 will also get rid of spam.

it will also get rid of incoming mail from other mail servers...

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
WinError #99999: Out of error messages.

Re: Understanding the importance of submission

Ralph Seichter-2
In reply to this post by Viktor Dukhovni
* Viktor Dukhovni:

> That's one of the common misperceptions of of the IETF standards
> process. Proposed standards are IETF standards.

I interpret https://tools.ietf.org/html/rfc7127#section-3 differently:

  Proposed Standards are of such quality that implementations can be
  deployed in the Internet. [...] Proposed Standards may be revised if
  problems are found or better solutions are identified, when experiences
  with deploying implementations of such technologies at scale is gathered.

That, to me, means at this stage the RFC is not "binding". Given your
personal experience, I am sure you know what you are talking about, but
I am surprised.

> But there's not IETF police to enforce the standards, and not all the
> standards succeed in the marketplace.

Indeed.

-Ralph

Re: Understanding the importance of submission

Bill Cole-3
In reply to this post by Yassine Chaouche
On 20 Mar 2019, at 11:01, Yassine Chaouche wrote:

> Dear postfix,
>
> I don't seem to get the idea of submission, I know I must be wrong,
> b/c so many articles out there preach to use a different port for
> submission, but I hope to find some argument in your replies that will
> make me change my mind.
> If I understand correctly, submission is a means for mail server
> admins to enforce some policies on port 587 w/o interfering with mail
> relay which occurs on port 25. These policies are mainly :
>
> 1/ Force TLS on all incoming connections
> 2/ Force users to authenticate
>
> While 1/ can't be enforced on port 25, 2/ can be enforced for relay,
> e.g. with :
>
> smtpd_sasl_auth_enable = yes
> smtpd_relay_restrictions =  permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination
>
> So the only thing that I need submission port for seems to be to force
> TLS connections, right ?
>
> Anything else I am missing there ?

1. Eliminates the usual rationale for broad authentication by IP (i.e.
permit_mynetworks) which opens most Postfix systems to abuse by networks
that the admin very much WANTS to be trustworthy but which often are
not. One can do this without segregating submission but doing so spurs
the question: "Why permit_mynetworks?" The usual answer in the modern
world is that there's no good reason for permit_mynetworks, or at least
there's no reason to include submitters' networks in mynetworks.

2. Allows enforcement of SPF and SPF-like policy for local domain
senders on port 25.

3. Simplifies the common need to distinguish between "inbound" and
"outbound" mail in filtering, policy, and signing tools.

4. Eliminates the need to allow authentication on port 25, reducing the
attack surface for credential-stuffing and brute-force tactics.


> Another claim for submission is that it reduces spam, but to my
> understanding that's only for *sending* spam (relaying), and that's
> because the admin enforces user authentication for relay, which can
> safely be done on port 25 anyways (otherwise we'd be an open relay).

Spammer tactics that take advantage of 'permit_mynetworks' (and similar
policies for other MTAs) are common.

> As for *receiving* spam (we're the final destination), it can still be
> delivered unauthed from port 25, so that won't stop *receiving* spam,
> will it ?

No, but if you don't need to allow your own users to relay through port
25, you can use tools that are designed to reject mail coming directly
from end-user devices (e.g. Spamhaus PBL, banning suspect reverse
hostname patterns, etc.) which are made cumbersome or weakened by having
end-user submissions and inbound mail flowing through a common
transport.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: Understanding the importance of submission

Yassine Chaouche
In reply to this post by Matus UHLAR - fantomas

On 3/20/19 7:35 PM, Matus UHLAR - fantomas wrote:
> On 20.03.19 16:26, Yassine Chaouche wrote:
>> Requiring authentication to relay on 25 will also get rid of spam.
>
> it will also get rid of incoming mail from other mail servers...

Which we want anyway, unless we're final destination, no ?

Yassine.


Re: Understanding the importance of submission

Alice Wonder
On 3/21/19 1:18 AM, Yassine Chaouche wrote:

>
> On 3/20/19 7:35 PM, Matus UHLAR - fantomas wrote:
>> On 20.03.19 16:26, Yassine Chaouche wrote:
>>> Requiring authentication to relay on 25 will also get rid of spam.
>>
>> it will also get rid of incoming mail from other mail servers...
>
> Which we want anyway, unless we're final destination, no ?
>
> Yassine.
>

If it is not an MX server then there is no need to use port 25 at all.

If it is an MX server then it MUST accept unauthenticated SMTP on port
25. MTA clients relaying mail to an MX server do not authenticate.

Re: Understanding the importance of submission

Matus UHLAR - fantomas
In reply to this post by Yassine Chaouche
>On 3/20/19 7:35 PM, Matus UHLAR - fantomas wrote:
>>On 20.03.19 16:26, Yassine Chaouche wrote:
>>>Requiring authentication to relay on 25 will also get rid of spam.
>>
>>it will also get rid of incoming mail from other mail servers...

On 21.03.19 09:18, Yassine Chaouche wrote:
>Which we want anyway, unless we're final destination, no ?

requiring authentication on port 25 will reject all mail without
authentication, even if you are the final destination.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
It's now safe to throw off your computer.

Re: Understanding the importance of submission

Matus UHLAR - fantomas
In reply to this post by Bill Cole-3
I have ignored the original e-mail,

>On 20 Mar 2019, at 11:01, Yassine Chaouche wrote:
>>I don't seem to get the idea of submission, I know I must be wrong,
>>b/c so many articles out there preach to use a different port for
>>submission, but I hope to find some argument in your replies that
>>will make me change my mind.
>>If I understand correctly, submission is a means for mail server
>>admins to enforce some policies on port 587 w/o interfering with
>>mail relay which occurs on port 25. These policies are mainly :
>>
>>1/ Force TLS on all incoming connections
>>2/ Force users to authenticate
>>
>>While 1/ can't be enforced on port 25, 2/ can be enforced for relay,
>>e.g. with :

Neither of those can be forced on port 25.
Both of those can be forced on submission ports.

>>smtpd_sasl_auth_enable = yes

this does NOT force authentication, it only enables it.

>>smtpd_relay_restrictions =  permit_mynetworks,
>>permit_sasl_authenticated, reject_unauth_destination

Neither does this.  This only disables unauthenticated relaying, but allows
incoming mail/spam from unauthenticated clients.

>>So the only thing that I need submission port for seems to be to
>>force TLS connections, right ?
>>
>>Anything else I am missing there ?

you should force authentication on submission ports via
"smtpd_client_restrictions= permit_sasl_authenticated, reject"

otherwise you could receive spam via submission ports (yes, spammers do
that) from end-users that were blocked from connecting to port 25 by their
ISP.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Windows 2000: 640 MB ought to be enough for anybody
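As an added illustration (not configuration posted by anyone in this thread, nor from the Postfix project), here is a master.cf/main.cf sketch that puts the split described by Viktor, Bill Cole and Matus into practice: port 25 carries MTA-to-MTA traffic behind postscreen with no AUTH offered and DNSBL checks, while submission on 587 (and implicit-TLS 465 as in RFC 8314) requires TLS and SASL, rejects anything unauthenticated, and passes the ORIGINATING macro to the DKIM milter. The milter socket, the DNSBL hostname and the two lookup-table paths are assumed placeholders.

```text
# ---- master.cf (assumed layout) ----
# service    type  private unpriv chroot wakeup maxproc command
# Port 25: MTA-to-MTA only. postscreen fronts smtpd; AUTH is not offered here.
smtp         inet  n       -      n      -      1       postscreen
smtpd        pass  -       -      n      -      -       smtpd
  -o smtpd_sasl_auth_enable=no
dnsblog      unix  -       -      n      -      0       dnsblog
tlsproxy     unix  -       -      n      -      0       tlsproxy
# Port 587: MUA-to-MTA. TLS and SASL are mandatory; unauthenticated clients are
# rejected outright, and the DKIM milter is told this mail is ORIGINATING.
submission   inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o milter_macro_daemon_name=ORIGINATING
# Port 465: same policy as 587, but implicit TLS (RFC 8314) instead of STARTTLS.
smtps        inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o milter_macro_daemon_name=ORIGINATING

# ---- main.cf (defaults that port 25 inherits unless overridden above) ----
# No AUTH on port 25, so there is nothing for credential stuffing to talk to.
smtpd_sasl_auth_enable = no
# Opportunistic TLS for remote MTAs; "encrypt" here would refuse inbound mail
# from plaintext-only senders.
smtpd_tls_security_level = may
# Keep mynetworks to loopback only: submitters authenticate instead of being
# trusted by IP address.
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
# Anti-spam checks that only make sense for untrusted remote clients
# (DNSBL hostname is a placeholder).
postscreen_dnsbl_sites = dnsbl.example
smtpd_recipient_restrictions =
    reject_unknown_reverse_client_hostname,
    reject_rbl_client dnsbl.example
# Remote clients claiming an envelope sender in our own domains are rejected on
# port 25; legitimate users come in via submission (table path is a placeholder).
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/own_domains_reject
# Login name to permitted sender addresses, used by reject_sender_login_mismatch
# on the submission services (table path is a placeholder).
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
# DKIM milter, assumed to sign when daemon_name is ORIGINATING and to verify
# otherwise (socket address is a placeholder).
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891
```

The `-o` values in master.cf deliberately contain no spaces, since master.cf splits overrides on whitespace.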

Re: Understanding the importance of submission

Bill Cole-3
In reply to this post by Matus UHLAR - fantomas
On 21 Mar 2019, at 8:21, Matus UHLAR - fantomas wrote:

>> On 3/20/19 7:35 PM, Matus UHLAR - fantomas wrote:
>>> On 20.03.19 16:26, Yassine Chaouche wrote:
>>>> Requiring authentication to relay on 25 will also get rid of spam.
>>>
>>> it will also get rid of incoming mail from other mail servers...
>
> On 21.03.19 09:18, Yassine Chaouche wrote:
>> Which we want anyway, unless we're final destination, no ?
>
> requiring authentication on port 25 will reject all mail without
> authentication, even if you are the final destination.


You seem to have missed the phrase "to relay" in the >>>>> line above.

Requiring authentication to relay on *ANY* port is essential. Even if
you do authentication by IP (e.g. permit_mynetworks) or other
out-of-band mechanisms, failing to require authentication to relay will
eventually lead to a system being abused as an open relay.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole