clients connecting to port 25 with ssl/tls

morbidus@rx900.org
Hello, I need to catch mail clients connecting to port 25 with ssl/tls on my postfix server.

Currently my postfix server is accepting both cleartext and ssl/tls connections on port 25,
but my data center is introducing a new rule (perhaps a new firewall)
which will drop ssl/tls connections to port 25
while allowing only cleartext connection.
(port 465 is also open but that's ignored by the data center's new rule/firewall)

Since I have a lot of domains and clients using my postfix server (several thousand),
I'd prefer to generate a list
instead of calling them all and checking their clients one by one.

Do you know if that's possible ?
(I'd accept whatever method, also tcpdump / wireshark is an option)

I did some simple tests and my logs are basically the same, either using ssl or not.
The only difference is an initial:

Anonymous TLS connection established from xxx[yyy]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

but that doesn't help much to determine the exact account involved.

Thank you.

Re: clients connecting to port 25 with ssl/tls

Wietse Venema
[hidden email]:
> Anonymous TLS connection established from xxx[yyy]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>
> but that doesn't help much to determine the exact account involved.

Would logging the SASL username help? The Postfix SMTP server logs:

    queueid: client=xxx:[yyy], sasl_method=aaa, sasl_username=bbb

You just need to combine records based on the xxx:[yyy].

        Wietse

Re: clients connecting to port 25 with ssl/tls

Viktor Dukhovni
In reply to this post by morbidus@rx900.org
On Mon, Feb 22, 2016 at 09:35:42PM +0100, [hidden email] wrote:

> Currently my postfix server is accepting both cleartext and ssl/tls
> connections on port 25, but my data center is introducing a new rule
> (perhaps a new firewall) which will drop ssl/tls connections to port 25
> while allowing only cleartext connection.  (port 465 is also open but
> that's ignored by the data center's new rule/firewall)

Get your submission clients to use port 587, and disable SASL AUTH and
STARTTLS on port 25.

> Since I have a lot of domains and clients using my postfix server (several thousand),
> I'd prefer to generate a list instead of calling them all and checking their clients one by one.

For maximum information, collate your submission logs:

    # perl collate /var/log/maillog |
        perl -ne 'BEGIN {$/="\n\n"} print if m{sasl_username=}'
    Feb 22 20:49:42 amnesiac postfix/smtpd[19926]:
        connect from unknown[192.0.2.1]
    Feb 22 20:49:43 amnesiac postfix/smtpd[19926]:
        Anonymous TLS connection established from unknown[192.0.2.1]:
        TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
->  Feb 22 20:49:43 amnesiac postfix/smtpd[19926]: 9309A282F4E:
->      client=unknown[192.0.2.1], sasl_method=GSSAPI, sasl_username=luser
    Feb 22 20:49:43 amnesiac postfix/cleanup[22082]: 9309A282F4E:
        message-id=<[hidden email]>
    Feb 22 20:49:43 amnesiac postfix/qmgr[9946]: 9309A282F4E:
        from=<[hidden email]>, size=3900, nrcpt=1 (queue active)
    Feb 22 20:49:43 amnesiac postfix/virtual[7400]: 9309A282F4E:
        to=<[hidden email]>, relay=virtual, delay=0.09, delays=0.08/0.01/0/0.01,
        dsn=2.0.0, status=sent (delivered to maildir)
    Feb 22 20:49:43 amnesiac postfix/qmgr[9946]: 9309A282F4E: removed

Make sure your port 587 submission service logs a different
syslog_name than your port 25 inbound SMTP service.  If you only
allow SASL via TLS, the only relevant data is in the single log
entry (folded across two lines for readability) with "->" in front.

--
        Viktor.

collate (2K) Download Attachment

Re: clients connecting to port 25 with ssl/tls

morbidus@rx900.org
In reply to this post by Wietse Venema
On Mon, 22 Feb 2016 15:55:48 -0500 (EST)
[hidden email] (Wietse Venema) wrote:

> [hidden email]:
> > Anonymous TLS connection established from xxx[yyy]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> >
> > but that doesn't help much to determine the exact account involved.
>
> Would logging the SASL username help? The Postfix SMTP server logs:
>
>     queueid: client=xxx:[yyy], sasl_method=aaa, sasl_username=bbb
>
> You just need to combine records based on the xxx:[yyy].
>
> Wietse

Problem is that connections to 465 (with ssl/tls) appear in the logs identical to 25 (with ssl/tls),
so that would lead to a lot of false positives, if I've understood correctly.

Thank you.

Re: clients connecting to port 25 with ssl/tls

morbidus@rx900.org
In reply to this post by Viktor Dukhovni
On Mon, 22 Feb 2016 20:58:51 +0000
Viktor Dukhovni <[hidden email]> wrote:

> On Mon, Feb 22, 2016 at 09:35:42PM +0100, [hidden email] wrote:
>
> > Currently my postfix server is accepting both cleartext and ssl/tls
> > connections on port 25, but my data center is introducing a new rule
> > (perhaps a new firewall) which will drop ssl/tls connections to port 25
> > while allowing only cleartext connection.  (port 465 is also open but
> > that's ignored by the data center's new rule/firewall)
>
> Get your submission clients to use port 587, and disable SASL AUTH and
> STARTTLS on port 25.
>
> > Since I have a lot of domains and clients using my postfix server (several thousand),
> > I'd prefer to generate a list instead of calling them all and checking their clients one by one.
>
> For maximum information, collate your submission logs:
>
>     # perl collate /var/log/maillog |
>         perl -ne 'BEGIN {$/="\n\n"} print if m{sasl_username=}'
>     Feb 22 20:49:42 amnesiac postfix/smtpd[19926]:
>         connect from unknown[192.0.2.1]
>     Feb 22 20:49:43 amnesiac postfix/smtpd[19926]:
>         Anonymous TLS connection established from unknown[192.0.2.1]:
>         TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
> ->  Feb 22 20:49:43 amnesiac postfix/smtpd[19926]: 9309A282F4E:
> ->      client=unknown[192.0.2.1], sasl_method=GSSAPI, sasl_username=luser
>     Feb 22 20:49:43 amnesiac postfix/cleanup[22082]: 9309A282F4E:
>         message-id=<[hidden email]>
>     Feb 22 20:49:43 amnesiac postfix/qmgr[9946]: 9309A282F4E:
>         from=<[hidden email]>, size=3900, nrcpt=1 (queue active)
>     Feb 22 20:49:43 amnesiac postfix/virtual[7400]: 9309A282F4E:
>         to=<[hidden email]>, relay=virtual, delay=0.09, delays=0.08/0.01/0/0.01,
>         dsn=2.0.0, status=sent (delivered to maildir)
>     Feb 22 20:49:43 amnesiac postfix/qmgr[9946]: 9309A282F4E: removed
>
> Make sure your port 587 submission service logs a different
> syslog_name than your port 25 inbound SMTP service.  If you only
> allow SASL via TLS, the only relevant data is in the single log
> entry (folded across two lines for readability) with "->" in front.
>
> --
> Viktor.

Very creative thank you :)
Makes sense, I'll do some tests.
Thanks for the support.

Re: clients connecting to port 25 with ssl/tls

Viktor Dukhovni
In reply to this post by morbidus@rx900.org
On Mon, Feb 22, 2016 at 10:07:51PM +0100, [hidden email] wrote:

> Problem is that connections to 465 (with ssl/tls) appear in the logs identical to 25 (with ssl/tls),
> so that would lead to a lot of false positives, if I've understood correctly.

Fix that.  The relevant commented-out sample entries in master.cf are:

    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Note the "-o syslog_name" overrides.

--
        Viktor.
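
The two replies above amount to one procedure: give submission and smtps their own syslog_name in master.cf, then correlate the "TLS connection established" line with the "client=..., sasl_username=..." line of the same smtpd session, keeping only sessions on the unprefixed postfix/smtpd (port 25) service. The script below is an added example of that correlation and is not the collate script from the thread nor Postfix code. It assumes the master.cf overrides are already in place (so postfix/submission/smtpd and postfix/smtps/smtpd lines are the other services), and the log lines it ships with are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread): one authenticated TLS session on
# the plain port-25 smtpd, one on the submission service (syslog_name override
# makes it log as postfix/submission/smtpd), and one cleartext inbound session.
SAMPLE_LOG = """\
Feb 22 20:49:42 amnesiac postfix/smtpd[19926]: connect from unknown[192.0.2.1]
Feb 22 20:49:43 amnesiac postfix/smtpd[19926]: Anonymous TLS connection established from unknown[192.0.2.1]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 22 20:49:43 amnesiac postfix/smtpd[19926]: 9309A282F4E: client=unknown[192.0.2.1], sasl_method=PLAIN, sasl_username=alice@example.org
Feb 22 20:49:44 amnesiac postfix/smtpd[19926]: disconnect from unknown[192.0.2.1]
Feb 22 20:50:01 amnesiac postfix/submission/smtpd[20011]: connect from unknown[192.0.2.2]
Feb 22 20:50:01 amnesiac postfix/submission/smtpd[20011]: Anonymous TLS connection established from unknown[192.0.2.2]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 22 20:50:02 amnesiac postfix/submission/smtpd[20011]: 1A2B3C4D5E6: client=unknown[192.0.2.2], sasl_method=PLAIN, sasl_username=bob@example.org
Feb 22 20:50:02 amnesiac postfix/submission/smtpd[20011]: disconnect from unknown[192.0.2.2]
Feb 22 20:51:10 amnesiac postfix/smtpd[19930]: connect from mail.example.net[198.51.100.7]
Feb 22 20:51:10 amnesiac postfix/smtpd[19930]: 7F7F7F7F7F7: client=mail.example.net[198.51.100.7]
Feb 22 20:51:11 amnesiac postfix/smtpd[19930]: disconnect from mail.example.net[198.51.100.7]
"""

# syslog_name is everything before "/smtpd[pid]" (e.g. "postfix" or "postfix/submission").
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<name>[\w./-]+)/smtpd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+)")
TLS_RE = re.compile(
    r"^(?:Anonymous|Trusted|Untrusted|Verified) TLS connection established from "
    r"(?P<client>\S+?): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
CLIENT_RE = re.compile(r"^[0-9A-Za-z]+: client=")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")


def parse_sessions(log_text):
    """Reconstruct one record per smtpd session.

    An smtpd process serves connections one at a time and logs every line of a
    session under the same syslog_name and pid, so (syslog_name, pid) identifies
    the current session from 'connect from' until 'disconnect from'.
    """
    open_sessions = {}
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an smtpd line (cleanup, qmgr, ...)
        key = (m["name"], m["pid"])
        msg = m["msg"]
        c = CONNECT_RE.match(msg)
        if c:
            open_sessions[key] = {"syslog_name": m["name"], "pid": m["pid"],
                                  "client": c["client"], "tls": None,
                                  "sasl_username": None, "first_seen": m["ts"]}
            continue
        sess = open_sessions.get(key)
        if sess is None:
            continue  # session whose 'connect' line is before the start of the log
        t = TLS_RE.match(msg)
        if t:
            sess["tls"] = f"{t['proto']} {t['cipher']}"
            continue
        s = SASL_RE.search(msg)
        if s and CLIENT_RE.match(msg):
            sess["sasl_username"] = s["user"]
            continue
        if msg.startswith("disconnect from"):
            records.append(open_sessions.pop(key))
    records.extend(open_sessions.values())  # sessions still open at end of log
    return records


def tls_auth_on_port25(records, port25_syslog_name="postfix"):
    """(sasl_username, client) pairs that authenticated over TLS on the service
    with the plain syslog_name, i.e. port 25 once submission/smtps are renamed."""
    hits = {(r["sasl_username"], r["client"]) for r in records
            if r["syslog_name"] == port25_syslog_name and r["tls"] and r["sasl_username"]}
    return sorted(hits)


def summarize_by_service(records):
    """Per-syslog_name counts of sessions, TLS sessions and authenticated sessions."""
    summary = defaultdict(lambda: {"sessions": 0, "tls": 0, "authenticated": 0})
    for r in records:
        s = summary[r["syslog_name"]]
        s["sessions"] += 1
        s["tls"] += bool(r["tls"])
        s["authenticated"] += bool(r["sasl_username"])
    return dict(summary)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_sessions(text)
    for user, client in tls_auth_on_port25(recs):
        print(f"port 25 + TLS + SASL: {user} from {client}")
    for name, counts in summarize_by_service(recs).items():
        print(name, counts)
```

Run it against /var/log/maillog (or the sample) and the first loop prints exactly the accounts that will break when the data center starts dropping TLS on port 25; the summary shows whether any authentication is still happening outside the renamed submission/smtps services. Without the syslog_name overrides every service logs as postfix/smtpd and the port-25 filter cannot distinguish them, which is the false-positive problem raised earlier in the thread.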

Re: clients connecting to port 25 with ssl/tls

morbidus@rx900.org
On Mon, 22 Feb 2016 21:13:24 +0000
Viktor Dukhovni <[hidden email]> wrote:

> On Mon, Feb 22, 2016 at 10:07:51PM +0100, [hidden email] wrote:
>
> > Problem is that connections to 465 (with ssl/tls) appear in the logs identical to 25 (with ssl/tls),
> > so that would lead to a lot of false positives, if I've understood correctly.
>
> Fix that.  The relevant commented-out sample entries in master.cf are:
>
>     #submission inet n       -       n       -       -       smtpd
>     #  -o syslog_name=postfix/submission
>     #  -o smtpd_tls_security_level=encrypt
>     #  -o smtpd_sasl_auth_enable=yes
>     #  -o smtpd_reject_unlisted_recipient=no
>     #  -o smtpd_client_restrictions=$mua_client_restrictions
>     #  -o smtpd_helo_restrictions=$mua_helo_restrictions
>     #  -o smtpd_sender_restrictions=$mua_sender_restrictions
>     #  -o smtpd_recipient_restrictions=
>     #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>     #  -o milter_macro_daemon_name=ORIGINATING
>     #smtps     inet  n       -       n       -       -       smtpd
>     #  -o syslog_name=postfix/smtps
>     #  -o smtpd_tls_wrappermode=yes
>     #  -o smtpd_sasl_auth_enable=yes
>     #  -o smtpd_reject_unlisted_recipient=no
>     #  -o smtpd_client_restrictions=$mua_client_restrictions
>     #  -o smtpd_helo_restrictions=$mua_helo_restrictions
>     #  -o smtpd_sender_restrictions=$mua_sender_restrictions
>     #  -o smtpd_recipient_restrictions=
>     #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>     #  -o milter_macro_daemon_name=ORIGINATING
>
> Note the "-o syslog_name" overrides.
>
> --
> Viktor.

Got it. Thank you!

Re: clients connecting to port 25 with ssl/tls

Rich Wales
Regarding port 465 --

The last time I checked, iPhones and iPads refused to do STARTTLS on
mail submission.  Since I use an iPad, I had no choice but to enable
submission via port 465 (SSL) on my mail server -- in addition to
STARTTLS on port 587 for use by other, saner devices.

I would love, of course, to hear either that I was mistaken, or that
Apple has enabled 587/STARTTLS on current iOS devices.

Rich Wales
[hidden email]

Re: clients connecting to port 25 with ssl/tls

Charles Sprickman

> On Feb 22, 2016, at 5:11 PM, Rich Wales <[hidden email]> wrote:
>
> Regarding port 465 --
>
> The last time I checked, iPhones and iPads refused to do STARTTLS on
> mail submission.  Since I use an iPad, I had no choice but to enable
> submission via port 465 (SSL) on my mail server -- in addition to
> STARTTLS on port 587 for use by other, saner devices.

That’s odd.  I’ve not used an iOS device since 6.x, but at that point I was
running six accounts, and all were using port 587 and STARTTLS.

Charles

>
> I would love, of course, to hear either that I was mistaken, or that
> Apple has enabled 587/STARTTLS on current iOS devices.
>
> Rich Wales
> [hidden email]


Re: clients connecting to port 25 with ssl/tls

Viktor Dukhovni
In reply to this post by Rich Wales

> On Feb 22, 2016, at 5:11 PM, Rich Wales <[hidden email]> wrote:
>
> The last time I checked, iPhones and iPads refused to do STARTTLS on
> mail submission.  Since I use an iPad, I had no choice but to enable
> submission via port 465 (SSL) on my mail server -- in addition to
> STARTTLS on port 587 for use by other, saner devices.
>
> I would love, of course, to hear either that I was mistaken, or that
> Apple has enabled 587/STARTTLS on current iOS devices.

You're mistaken, the mail client on iPads and iPhones has supported
STARTTLS for a good many years now.

--
        Viktor.