relaying and authentication

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

relaying and authentication

Thomas Schachtner
Hi there,

I have a problem with my postfix mail server.
I am sure that there are THOUSANDS of pages where this problem is
addressed and also solved, as this seems to be a problem which many
people might have.
Unfortunately I did not find a solution for the problem as it is too
difficult (for me) to explain the matter within a google search-string.

My problem is as follows:

(in order to make it easier to understand, I included an ASCII graphics
picture - maybe it helps)

+-----+   +------+        +------+
I     I   I      I        I      I
I CLI I---I SRV1 I--INET--I SRV2 I
I     I   I      I        I      I
+-----+   +------+        +------+

I have a server (SRV1) with some clients (CLI).
These clients send emails through SRV1.
The mails are either delivered locally (if the destination domain is
also hosted on SRV1) or they are forwarded to another mail server (SRV2)
which then delivers the mail to its inboxes (relaying).

SRV1 shall also receive mails. These mails may come from a client (CLI)
or from another server (SRV2). (The clients may be anywhere in the
internet. They are not on the same subnet)

In order to secure this environment, I want to use SMTP-AUTH.
But this does not work as I wanted it to...

Here are the different scenarios:

(1) CLI wants to send mails to SRV2 and use SRV1 as relay
-->  AUTH needed --> OK

(2) CLI wants so send mails to another user (only SRV1 involved)
--> no AUTH needed --> that's not what I want AUTH shall be on!

(3) SRV2 acts as relay and wants to forward mails to SRV1 as their
destination address is managed by SRV1
--> no AUTH needed --> OK

The problem is, that at the moment everybody can login to SRV1 and can
send mails to my domains without authentication
(see (2)).

If I enable authentication, (2) is working fine, but then also other
SMTP servers are forced to authenticate... But they don't have the
credentials for my server and so the mail server does not accept any
mails from outside...

What I want is:
- Enable authentication for mail clients when sending mails using SRV1
whose destination is also SRV1 (local mails)
- Disable authentication for all SMTP servers which want to deliver
mails from other domains.

That sounds sensible, doesn't it?
Does anybody know if that is possible?
If so, how can that be done?

Best regards,
Thomas
Reply | Threaded
Open this post in threaded view
|

Re: relaying and authentication

Steven King-6
Sounds like is what you want to do is allow relaying for subnets or
hosts and specify the specific host that can relay and not make it log
in to do the relaying.

Thomas Schachtner wrote:

> Hi there,
>
> I have a problem with my postfix mail server.
> I am sure that there are THOUSANDS of pages where this problem is
> addressed and also solved, as this seems to be a problem which many
> people might have.
> Unfortunately I did not find a solution for the problem as it is too
> difficult (for me) to explain the matter within a google search-string.
>
> My problem is as follows:
>
> (in order to make it easier to understand, I included an ASCII
> graphics picture - maybe it helps)
>
> +-----+   +------+        +------+
> I     I   I      I        I      I
> I CLI I---I SRV1 I--INET--I SRV2 I
> I     I   I      I        I      I
> +-----+   +------+        +------+
>
> I have a server (SRV1) with some clients (CLI).
> These clients send emails through SRV1.
> The mails are either delivered locally (if the destination domain is
> also hosted on SRV1) or they are forwarded to another mail server
> (SRV2) which then delivers the mail to its inboxes (relaying).
>
> SRV1 shall also receive mails. These mails may come from a client
> (CLI) or from another server (SRV2). (The clients may be anywhere in
> the internet. They are not on the same subnet)
>
> In order to secure this environment, I want to use SMTP-AUTH.
> But this does not work as I wanted it to...
>
> Here are the different scenarios:
>
> (1) CLI wants to send mails to SRV2 and use SRV1 as relay
> -->  AUTH needed --> OK
>
> (2) CLI wants so send mails to another user (only SRV1 involved)
> --> no AUTH needed --> that's not what I want AUTH shall be on!
>
> (3) SRV2 acts as relay and wants to forward mails to SRV1 as their
> destination address is managed by SRV1
> --> no AUTH needed --> OK
>
> The problem is, that at the moment everybody can login to SRV1 and can
> send mails to my domains without authentication
> (see (2)).
>
> If I enable authentication, (2) is working fine, but then also other
> SMTP servers are forced to authenticate... But they don't have the
> credentials for my server and so the mail server does not accept any
> mails from outside...
>
> What I want is:
> - Enable authentication for mail clients when sending mails using SRV1
> whose destination is also SRV1 (local mails)
> - Disable authentication for all SMTP servers which want to deliver
> mails from other domains.
>
> That sounds sensible, doesn't it?
> Does anybody know if that is possible?
> If so, how can that be done?
>
> Best regards,
> Thomas
Reply | Threaded
Open this post in threaded view
|

Re: relaying and authentication

mouss-2
In reply to this post by Thomas Schachtner
Thomas Schachtner wrote:

> Hi there,
>
> I have a problem with my postfix mail server.
> I am sure that there are THOUSANDS of pages where this problem is
> addressed and also solved, as this seems to be a problem which many
> people might have.
> Unfortunately I did not find a solution for the problem as it is too
> difficult (for me) to explain the matter within a google search-string.
>
> My problem is as follows:
>
> (in order to make it easier to understand, I included an ASCII
> graphics picture - maybe it helps)
>
> +-----+   +------+        +------+
> I     I   I      I        I      I
> I CLI I---I SRV1 I--INET--I SRV2 I
> I     I   I      I        I      I
> +-----+   +------+        +------+
>
> I have a server (SRV1) with some clients (CLI).
> These clients send emails through SRV1.
> The mails are either delivered locally (if the destination domain is
> also hosted on SRV1) or they are forwarded to another mail server
> (SRV2) which then delivers the mail to its inboxes (relaying).
>
> SRV1 shall also receive mails. These mails may come from a client
> (CLI) or from another server (SRV2). (The clients may be anywhere in
> the internet. They are not on the same subnet)
>
> In order to secure this environment, I want to use SMTP-AUTH.
> But this does not work as I wanted it to...
>
> Here are the different scenarios:
>
> (1) CLI wants to send mails to SRV2 and use SRV1 as relay
> -->  AUTH needed --> OK
>
> (2) CLI wants so send mails to another user (only SRV1 involved)
> --> no AUTH needed --> that's not what I want AUTH shall be on!
>
> (3) SRV2 acts as relay and wants to forward mails to SRV1 as their
> destination address is managed by SRV1
> --> no AUTH needed --> OK
>
> The problem is, that at the moment everybody can login to SRV1 and can
> send mails to my domains without authentication
> (see (2)).
>
> If I enable authentication, (2) is working fine, but then also other
> SMTP servers are forced to authenticate... But they don't have the
> credentials for my server and so the mail server does not accept any
> mails from outside...
>
> What I want is:
> - Enable authentication for mail clients when sending mails using SRV1
> whose destination is also SRV1 (local mails)
> - Disable authentication for all SMTP servers which want to deliver
> mails from other domains.
>
> That sounds sensible, doesn't it?
> Does anybody know if that is possible?
> If so, how can that be done?


First, you should not require authentication from anybody when the
recipient is one of your domains (a domain for which you are an MX)...

You can require autentication based on client or sender. you can even
require sender-login match.

to require authentication, it's as easy as
    permit_sasl_authentication, reject
put in the right place. for example, to require that any sender
@example.com authenticates, just use

smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_acl

== sender_acl:
example.com   permit_sasl_authentication, reject

to require sender-login match, use smtpd_sender_login_maps with one of
the reject_*_sender_login_mismatch actions.

for example:

== sender_acl:
example.com   permit_mynetworks, reject_sender_login_mismatch,
permit_sasl_authenticated _reject

use your imagination (and the docs) to setup the variations that better
suit you. if something is unclear, just ask. but then you need to post
your configuration ('postconf -n' output) and any relevant logs if
appropriate (if something doesn't work as you think it should).





Reply | Threaded
Open this post in threaded view
|

Re: relaying and authentication

Thomas Schachtner
In reply to this post by Steven King-6
Well,
yes and no.

It's true. I want to allow relaying for anybody who is successfully
logged on to the system.
But the clients can connect from anywhere. Most of them use dial-up
connections and have a different IP address on each connect.
So, the only way to make sure they are allowed to send is to have them
authenticated by user name and password.
In addition to that, not only relaying shall be restricted to
authenticated users. Also local mails (i. e. both sender domain and
recipient domain are hosted by my mail server) shall only be allowed for
authenticated users.

But on the other hand, other SMTP servers shall be allowed to deliver
mails to my server. And once I activate authentication for all
connections, they cannot connect anymore...
The reason is clear: They don't have credentials for my server. (They
will never have... Virtually every SMTP server out in the world could
want to connect to my server and deliver mails - and it should be
allowed. So enabling SMTP auth for these server does not make sense. But
for clients connecting to my server it does...)
But: How to distinguish between
- a mail server delivering a mail whose final destination is on my
server and
- a person loggin in to my mail server and sending (spam) mails to
domains hosted by my server?


Steven King wrote:

> Sounds like is what you want to do is allow relaying for subnets or
> hosts and specify the specific host that can relay and not make it log
> in to do the relaying.
>
> Thomas Schachtner wrote:
>  
>> Hi there,
>>
>> I have a problem with my postfix mail server.
>> I am sure that there are THOUSANDS of pages where this problem is
>> addressed and also solved, as this seems to be a problem which many
>> people might have.
>> Unfortunately I did not find a solution for the problem as it is too
>> difficult (for me) to explain the matter within a google search-string.
>>
>> My problem is as follows:
>>
>> (in order to make it easier to understand, I included an ASCII
>> graphics picture - maybe it helps)
>>
>> +-----+   +------+        +------+
>> I     I   I      I        I      I
>> I CLI I---I SRV1 I--INET--I SRV2 I
>> I     I   I      I        I      I
>> +-----+   +------+        +------+
>>
>> I have a server (SRV1) with some clients (CLI).
>> These clients send emails through SRV1.
>> The mails are either delivered locally (if the destination domain is
>> also hosted on SRV1) or they are forwarded to another mail server
>> (SRV2) which then delivers the mail to its inboxes (relaying).
>>
>> SRV1 shall also receive mails. These mails may come from a client
>> (CLI) or from another server (SRV2). (The clients may be anywhere in
>> the internet. They are not on the same subnet)
>>
>> In order to secure this environment, I want to use SMTP-AUTH.
>> But this does not work as I wanted it to...
>>
>> Here are the different scenarios:
>>
>> (1) CLI wants to send mails to SRV2 and use SRV1 as relay
>> -->  AUTH needed --> OK
>>
>> (2) CLI wants so send mails to another user (only SRV1 involved)
>> --> no AUTH needed --> that's not what I want AUTH shall be on!
>>
>> (3) SRV2 acts as relay and wants to forward mails to SRV1 as their
>> destination address is managed by SRV1
>> --> no AUTH needed --> OK
>>
>> The problem is, that at the moment everybody can login to SRV1 and can
>> send mails to my domains without authentication
>> (see (2)).
>>
>> If I enable authentication, (2) is working fine, but then also other
>> SMTP servers are forced to authenticate... But they don't have the
>> credentials for my server and so the mail server does not accept any
>> mails from outside...
>>
>> What I want is:
>> - Enable authentication for mail clients when sending mails using SRV1
>> whose destination is also SRV1 (local mails)
>> - Disable authentication for all SMTP servers which want to deliver
>> mails from other domains.
>>
>> That sounds sensible, doesn't it?
>> Does anybody know if that is possible?
>> If so, how can that be done?
>>
>> Best regards,
>> Thomas
>>    
>
>
>  

Reply | Threaded
Open this post in threaded view
|

Re: relaying and authentication

Noel Jones-2
Thomas Schachtner wrote:

> Well,
> yes and no.
>
> It's true. I want to allow relaying for anybody who is successfully
> logged on to the system.
> But the clients can connect from anywhere. Most of them use dial-up
> connections and have a different IP address on each connect.
> So, the only way to make sure they are allowed to send is to have them
> authenticated by user name and password.
> In addition to that, not only relaying shall be restricted to
> authenticated users. Also local mails (i. e. both sender domain and
> recipient domain are hosted by my mail server) shall only be allowed for
> authenticated users.
>
> But on the other hand, other SMTP servers shall be allowed to deliver
> mails to my server. And once I activate authentication for all
> connections, they cannot connect anymore...
> The reason is clear: They don't have credentials for my server. (They
> will never have... Virtually every SMTP server out in the world could
> want to connect to my server and deliver mails - and it should be
> allowed. So enabling SMTP auth for these server does not make sense. But
> for clients connecting to my server it does...)
> But: How to distinguish between
> - a mail server delivering a mail whose final destination is on my
> server and
> - a person loggin in to my mail server and sending (spam) mails to
> domains hosted by my server?
>

Yes, the age-old question of "how do I require my own user to
authenticate, but not the whole world?"

The best (but not perfect) solution is to offer AUTH (maybe
only after TLS) only on the submission port 587 and not offer
AUTH at all on the standard port 25.
main.cf:
smtpd_sasl_auth_enable = no

master.cf:
submission ... smtpd
   -o smtpd_sasl_auth_enable=yes
# next line is optional to require TLS before AUTH
   -o smtpd_tls_auth_only=yes
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o
smtpd_recipient_restrictions=permit_sasl_authenticated,reject
   ... other stuff that should apply only to auth users ...

This forces your users to configure their mail client to use
587 and AUTH if they want to be able to send mail to the rest
of the world.

You could also reject your own domain as sender on port 25,
but that breaks some auto-responders, web invites, and such.

If you're concerned about your own users spamming, you might
also look at using policyd and/or amavisd-new + SpamAssassin +
clamav


--
Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: relaying and authentication

Steven King-6
I require auth for everyone sending mail through the server that the
destination domain is not handled by my server.

Since you have a mail gateway in some circumstances you will want to
setup the mynetworks = variable so that Postfix will trust "allow relay"
through the hosts that you specify here such as

mynetworks = localhost, x.x.x.x

This will allow you to create a list of hosts that are allowed to relay
through the server not requiring auth. As long as you set up the
mydestination variables correctly if the mail coming from the rest of
the world is not destined for this machine, it will require
authentication before it will be relayed.

Noel Jones wrote:

> Thomas Schachtner wrote:
>> Well,
>> yes and no.
>>
>> It's true. I want to allow relaying for anybody who is successfully
>> logged on to the system.
>> But the clients can connect from anywhere. Most of them use dial-up
>> connections and have a different IP address on each connect.
>> So, the only way to make sure they are allowed to send is to have
>> them authenticated by user name and password.
>> In addition to that, not only relaying shall be restricted to
>> authenticated users. Also local mails (i. e. both sender domain and
>> recipient domain are hosted by my mail server) shall only be allowed
>> for authenticated users.
>>
>> But on the other hand, other SMTP servers shall be allowed to deliver
>> mails to my server. And once I activate authentication for all
>> connections, they cannot connect anymore...
>> The reason is clear: They don't have credentials for my server. (They
>> will never have... Virtually every SMTP server out in the world could
>> want to connect to my server and deliver mails - and it should be
>> allowed. So enabling SMTP auth for these server does not make sense.
>> But for clients connecting to my server it does...)
>> But: How to distinguish between
>> - a mail server delivering a mail whose final destination is on my
>> server and
>> - a person loggin in to my mail server and sending (spam) mails to
>> domains hosted by my server?
>>
>
> Yes, the age-old question of "how do I require my own user to
> authenticate, but not the whole world?"
>
> The best (but not perfect) solution is to offer AUTH (maybe only after
> TLS) only on the submission port 587 and not offer AUTH at all on the
> standard port 25.
> main.cf:
> smtpd_sasl_auth_enable = no
>
> master.cf:
> submission ... smtpd
>   -o smtpd_sasl_auth_enable=yes
> # next line is optional to require TLS before AUTH
>   -o smtpd_tls_auth_only=yes
>   -o smtpd_client_restrictions=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   ... other stuff that should apply only to auth users ...
>
> This forces your users to configure their mail client to use 587 and
> AUTH if they want to be able to send mail to the rest of the world.
>
> You could also reject your own domain as sender on port 25, but that
> breaks some auto-responders, web invites, and such.
>
> If you're concerned about your own users spamming, you might also look
> at using policyd and/or amavisd-new + SpamAssassin + clamav
>
>