Using port 25 in a Postfix SSL environment

Using port 25 in a Postfix SSL environment

Mufit Eribol
Hi,

My postfix is set up to use SSL on port 465. It works fine except for one
problem: my RAID software cannot establish communication over TLS on
port 465. It can use port 25 (or any port without TLS).

How can I get Postfix to use port 25 (or any other port without TLS) for
the RAID software (or just for one specific mail account) while keeping all
the other users on port 465 only? Whatever I do, I don't want normal
accounts to use a connection without TLS.

Thanks in advance,
Mufit

Here are the results of "postconf -n" and "master.cf":

[root@server ~]# postconf -n
alias_maps = $alias_database
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:127.0.0.1:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps $virtual_alias_maps
mail_owner = postfix
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 30720000
mydestination = onart.com.tr, localhost.localdomain, localhost, mysql:/etc/postfix/mysql-mydestination.cf
mydomain = onart.com.tr
myhostname = server.onart.com.tr
mynetworks = 127.0.0.0/8 # 10.0.0.0/8 #hme
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
receive_override_options = no_address_mappings
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = example.com.tr ESMTP
smtpd_client_restrictions = check_client_access hash:/etc/postfix/blackwhite.map, permit
smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining, permit
smtpd_error_sleep_time = 60
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_client_access hash:/etc/postfix/blackwhite.map, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_soft_error_limit = 60
smtpd_tls_CAfile = /etc/pki/tls/certs/smtpd.cert
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/smtpd.cert
smtpd_tls_key_file = /etc/pki/tls/private/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:/etc/postfix/virtual, mysql:/etc/postfix/mysql-virtual.cf

[root@server ~]# vi /etc/postfix/master.cf
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#This is the before-filter smtpd...it passes content to amavisd on port 10024
smtp      inet  n       -       n       -       -       smtpd
smtp-amavis unix -      -       n       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

#This is the after-filter smtpd, it receives mail from amavisd to port 10025
127.0.0.1:10025 inet n  -       n       -       -       smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8
   -o strict_rfc821_envelopes=yes
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
   -o smtpd_bind_address=127.0.0.1

#submission inet n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter=
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local


Re: Using port 25 in a Postfix SSL environment

Noel Jones-2
Mufit Eribol wrote:
> Hi,
>
> My postfix is set up to use SSL on port 465. It works fine except one
> problem. My RAID software can not establish communication over TLS on
> port 465. It can use port 25 (or any port without TLS).
>


The easiest solution might be to use stunnel to allow your
RAID software to connect to some port that tunnels to port 465.

Here are some instructions on setting this up:
http://www.postfix.org/TLS_README.html#client_smtps
The intent of these instructions is using Postfix to connect
to a legacy system on port 465, but they can easily be adapted
to your purpose; just change the stunnel "connect" point to
your Postfix server's port.


--
Noel Jones
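A client-side stunnel configuration for the host running the RAID software, as an added example that is not part of Noel's reply or of the Postfix TLS_README: the RAID software is pointed at a plaintext port on loopback and stunnel wraps that session in TLS towards the server's port 465. The local port 2525, the server name and the CA file path are assumptions, as is the self-signed server certificate (the smtpd_tls_CAfile = smtpd.cert setting in the posted config suggests the certificate is its own CA).

```text
; /etc/stunnel/smtps-client.conf  (added example, not from the thread)
; Runs on the machine with the RAID software; stunnel acts as the TLS client.
client = yes

[smtps]
; The RAID software is configured to send plain SMTP to 127.0.0.1:2525.
; Only processes on this host can reach the loopback listener (assumption:
; port 2525 is free).
accept  = 127.0.0.1:2525

; stunnel opens the TLS-wrapped (SMTPS) session to the Postfix smtps service
; defined in master.cf with smtpd_tls_wrappermode=yes.
connect = server.onart.com.tr:465

; Verify the server certificate (verify = 2 requires a peer certificate and
; checks it against CAfile).  Without this the tunnel accepts any certificate,
; and whoever sits on the path can read or forge the RAID alerts.  For a
; self-signed server certificate, CAfile is a copy of that certificate.
verify  = 2
CAfile  = /etc/stunnel/server.onart.com.tr.pem
```

Postfix sees the tunnelled connection arrive on port 465 from the stunnel host, so that host needs relay permission there exactly like any other client (mynetworks, or SASL if the RAID software can authenticate). Before trusting the tunnel, compare the certificate shown by `openssl s_client -connect server.onart.com.tr:465` with the copy placed in CAfile.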
Re: Using port 25 in a Postfix SSL environment

Barney Desmond
In reply to this post by Mufit Eribol
2008/7/31 Mufit Eribol <[hidden email]>:
> My postfix is set up to use SSL on port 465. It works fine except one
> problem. My RAID software can not establish communication over TLS on port
> 465. It can use port 25 (or any port without TLS).

Seeing as you've got the usual smtpd running on port 25, why not just
let the RAID software connect on port 25? You can use firewall rules
to only allow the machine with the RAID software to use port 25. This
of course doesn't work if the users are on the same machine as the RAID
software.

> How can I get Postfix to use port 25 (or any other port without TLS) for
> RAID software (or just for one specific mail account) keeping all the other
> users using port 465 only. Whatever I do, I don't want normal accounts use
> connection without TLS.

Without authentication, you can't tell different users apart. Besides,
Postfix has no real concept of accounts; you're either allowed or
denied according to an authentication backend somewhere. Anyway,
that's all irrelevant because you set up a secure connection before
anyone ever starts talking about authentication.
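One way to do on the Postfix side what the original post asks for, as an added example that is not from any of the posts: a separate plaintext smtpd service that only the RAID host may use, leaving the port 25 MX listener and the port 465 smtps service exactly as posted. The listening address 10.0.0.1:2525, the RAID host address 10.0.0.5 and the table name /etc/postfix/raid_clients are assumptions. Two details of the posted configuration matter here. First, smtpd_tls_auth_only = yes already means port 25 never advertises AUTH before STARTTLS, so password logins without TLS are not possible on it today; the new service has SASL switched off entirely so that is also true there. Second, Postfix does not treat a mid-line # as a comment, so the posted value "mynetworks = 127.0.0.0/8 # 10.0.0.0/8 #hme" literally contains the entries #, 10.0.0.0/8 and #hme; that is worth cleaning up before relying on permit_mynetworks anywhere, which is also why the example uses an explicit access table rather than mynetworks.

```text
# /etc/postfix/main.cf  (addition; the settings shown by postconf -n stay as they are)
# Restriction list for the RAID-only service: permit the listed client
# addresses, reject every other client.  It lives in main.cf because a
# master.cf "-o" value cannot contain spaces, but may refer to a main.cf
# parameter as $name.
raid_client_restrictions = check_client_access hash:/etc/postfix/raid_clients, reject

# /etc/postfix/raid_clients  (build with: postmap hash:/etc/postfix/raid_clients)
# Address of the host running the RAID software (assumption).
10.0.0.5        OK

# /etc/postfix/master.cf  (added service; the "smtp inet" and "smtps inet"
# entries stay as posted)
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# Plaintext SMTP for the RAID host only.  Bound to the LAN address (assumed
# 10.0.0.1) so it is not reachable from the internet at all.
10.0.0.1:2525 inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no
  -o smtpd_client_restrictions=$raid_client_restrictions
  -o smtpd_recipient_restrictions=$raid_client_restrictions
```

After `postmap hash:/etc/postfix/raid_clients` and `postfix reload`, check the result from both sides: an EHLO session on port 2525 from 10.0.0.5 is accepted and may relay, a session from any other address is rejected at RCPT TO (Postfix defers client rejections to that stage by default), and an EHLO on port 25 lists no AUTH, while `openssl s_client -starttls smtp -connect server.onart.com.tr:25` shows AUTH only after the handshake. The content_filter to amavisd and the main.cf helo, sender and header checks still apply to mail arriving on the new service; relax them with further -o overrides only if the RAID software's SMTP implementation cannot pass them. A host firewall rule limiting port 2525 to 10.0.0.5, as suggested in the reply above, is a second layer on top of the access table, not a replacement for it.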