
removing SASL Authentication


removing SASL Authentication

Jon LaBadie
When I first set up my home mail server I mashed several "postfix
recipes" to get my working system. Not knowing why, this line
made it into main.cf.

  smtpd_relay_restrictions = \
    permit_mynetworks, permit_sasl_authenticated

I have no need to relay mail from anywhere except my own network
and I don't authenticate for that. I do get 500-1000 daily attempts
to relay but because I never set up an SASL Authentication Server,
none can ever authenticate.

I'd like to get rid of the "permit_sasl_authenticated" setting,
perhaps rejecting relay attempts earlier. But I'm hesitant that
I may be creating a relay server due to other settings.

Another current setting that may be pertinent is

  smtpd_sender_restrictions = permit_mynetworks \
    reject_non_fqdn_sender reject_unknown_sender_domain

Suggestions or advice on getting rid of the SASL settings, still
allowing relay from my private network, yet not an open relay?

Thanks, Jon


Re: removing SASL Authentication

Igor Golubkov
Just use smtpd_relay_restrictions = permit_mynetworks, reject
But changing this setting will not remove all those bots trying to authenticate on your server.



Re: removing SASL Authentication

/dev/rob0
On Sat, Mar 04, 2017 at 09:27:43PM +0000, Igor Golubkov wrote:
> Just use smtpd_relay_restrictions = permit_mynetworks, reject

This *might* be acceptable for the OP, but note that it is applied to
all mail, and therefore nothing outside of mynetworks would ever be
accepted.

This is DEFINITELY wrong for a server acting as a MX, hosting mail
for an Internet domain name.

> But changing this setting will not remove all those bots trying to
> authenticate on your server.
>
> Sat, 4 Mar 2017, 23:57 Jon LaBadie <[hidden email]>:
>
> > When I first set up my home mail server I mashed several "postfix
> > recipes" to get my working system. Not knowing why, this line
> > made it into main.cf.
> >
> >   smtpd_relay_restrictions = \

The leading whitespace is what tells Postfix you are intending to
continue a logical line on the following actual line.

> >     permit_mynetworks, permit_sasl_authenticated

This won't work either, because a restriction such as "reject" or
"reject_unauth_destination" is required to prevent open relay.

> > I have no need to relay mail from anywhere except my own
> > network and I don't authenticate for that.

Still, requiring AUTH is a good idea.

> > I do get 500-1000 daily attempts to relay but because I never
> > set up an SASL Authentication Server, none can ever
> > authenticate.

So it looks like you ARE a MX host, since you are getting these
connections from the outside.  Best practice is:

main.cf :
...
smtpd_relay_restrictions = reject_unauth_destination
mua_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination

This closes off relaying on port 25.  Then uncomment "submission"
service in master.cf, and have a line like this under it:

    -o smtpd_relay_restrictions=$mua_relay_restrictions

The benefit is that you completely separate your MX stream from
users' submitted mail.  This is advantageous for spam control and
filtering.  And then of course your users would have to submit mail
on port 587.

If you're not going to allow roaming users to submit, you could
simply block port 587 in the firewall.

> > I'd like to get rid of the "permit_sasl_authenticated" setting,
> > perhaps rejecting relay attempts earlier. But I'm hesitant that
> > I may be creating a relay server due to other settings.
> >
> > Another current setting that may be pertinent is
> >
> >   smtpd_sender_restrictions = permit_mynetworks \
> >     reject_non_fqdn_sender reject_unknown_sender_domain
> >
> > Suggestions or advice on getting rid of the SASL settings,
> > still allowing relay from my private network, yet not an open
> > relay?

I suggest:
    http://www.postfix.org/SMTPD_ACCESS_README.html
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
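As an added example (not code from the thread or from Postfix), a small Python lint that reads main.cf the way the reply describes, treating a leading-whitespace line as a continuation and a trailing backslash as just another token, expands $mua_relay_restrictions as the master.cf -o override would, and reports whether the effective relay restriction list contains a closing reject. The two config fragments are constructed from the settings quoted in the thread.

```python
import re
# Constructed main.cf fragments (not the thread's own files): the first mirrors
# the original post's setting, the second the reply's recommended setting.
ORIGINAL_MAIN_CF = """\
smtpd_relay_restrictions = \\
    permit_mynetworks, permit_sasl_authenticated
"""
RECOMMENDED_MAIN_CF = """\
smtpd_relay_restrictions = reject_unauth_destination
mua_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
"""
# Restrictions that stop relaying for clients no earlier permit_* matched;
# defer_unauth_destination is Postfix's default and also closes the relay.
RELAY_CLOSERS = {"reject", "reject_unauth_destination", "defer_unauth_destination"}

def parse_main_cf(text):
    """Parse main.cf text into {name: value}. A line beginning with whitespace
    continues the previous logical line; a trailing backslash is not special."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if key is None:
                raise ValueError("continuation line before any parameter")
            params[key] = (params[key] + " " + raw.strip()).strip()
        else:
            key, _, value = raw.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params

def expand(value, params, depth=0):
    """Expand $name / ${name} references such as $mua_relay_restrictions."""
    if depth > 10:
        raise ValueError("parameter expansion loops")
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(params.get(m.group(1), ""), params, depth + 1),
                  value)

def restriction_list(params, name="smtpd_relay_restrictions"):
    """Split an expanded restriction parameter into its individual tokens."""
    return [t for t in re.split(r"[,\s]+", expand(params.get(name, ""), params)) if t]

def relay_is_closed(params, name="smtpd_relay_restrictions", overrides=None):
    """True if the effective list has a relay-closing restriction; `overrides`
    models the master.cf '-o name=value' lines of one service (e.g. submission)."""
    effective = dict(params, **(overrides or {}))
    return any(t in RELAY_CLOSERS for t in restriction_list(effective, name))
```

Run against the original fragment the stray backslash shows up as a bogus first token and no closing reject is found; the recommended fragment passes both on port 25 and with the submission override applied.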