setting up TLS and SMTP-AUTH on port 587


setting up TLS and SMTP-AUTH on port 587

Juan Miscaro-2
I had STARTTLS working for port 25 for many months with no problem.  I
am using amavisd-new/spamassassin as content filter.  But now, due to
port blocking, I need to set this up on port 587 so I can send mail
directly to my server with my mail client (thunderbird).

I made a change to master.cf by duplicating what I had for port 25 and
added tls and smtp-auth:


# Step 1a - Listens on port 25 for incoming internet connections from MTAs
#          and hands off mail to content filter listening on port 10024
25      inet  n       -       n       -       4       smtpd
         -o content_filter=smtp-amavis:[127.0.0.1]:10024
         -o receive_override_options=no_address_mappings

#       OR

# Step 1b - Listens on port 587 for incoming internet connections from MUAs
#          and hands off mail to content filter listening on port 10024
587      inet  n       -       n       -       2       smtpd
         -o smtpd_tls_security_level=encrypt
         -o smtpd_sasl_auth_enable=yes
         -o content_filter=smtp-amavis:[127.0.0.1]:10024
         -o receive_override_options=no_address_mappings


Yet when I telnet from localhost Postfix is not offering any services:

$ telnet localhost 587
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.com ESMTP
helo localhost
250 mail.example.com
quit
221 2.0.0 Bye
Connection closed by foreign host.


Here is my current configuration:

$ postconf -n

alias_database = /etc/postfix/aliases
biff = no
broken_sasl_auth_clients = no
command_directory = /usr/local/sbin
config_directory = /etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/run/postfix
debug_peer_level = 2
disable_vrfy_command = yes
empty_address_recipient = MAILER-DAEMON
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/local/share/doc/postfix/html
inet_interfaces = 72.0.200.123 192.168.3.101 127.0.0.1
mail_owner = _postfix
mailbox_size_limit = 1000000000
mailq_path = /usr/local/sbin/mailq
manpage_directory = /usr/local/man
message_size_limit = 80000000
mydestination = localhost, numinone.example.com
mydomain = example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 192.168.1.0/24 192.168.3.0/24
myorigin = numinone.example.com
newaliases_path = /usr/local/sbin/newaliases
notify_classes = resource,software
queue_directory = /var/spool/postfix
queue_minfree = 120000000
readme_directory = /usr/local/share/doc/postfix/readme
relay_domains = mysql:/etc/postfix/sql/relay_domains.cf
relay_recipient_maps = mysql:/etc/postfix/sql/relay_recipients.cf
sample_directory = /etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_multi_recipient_bounce reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination reject_non_fqdn_sender reject_non_fqdn_recipient
    reject_unknown_sender_domain check_helo_access regexp:/etc/postfix/helo_checks
    check_sender_mx_access cidr:/etc/postfix/bogus_mx
    check_sender_access hash:/etc/postfix/check_backscatterer
    reject_rbl_client zen.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/ssl/certs/mail.example.com.crt
smtpd_tls_key_file = /usr/local/etc/ssl/certs/mail.example.com_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = mysql:/etc/postfix/sql/transport.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/sql/virtual_alias_maps.cf
virtual_gid_maps = mysql:/etc/postfix/sql/virtual_gid_maps.cf
virtual_mailbox_base = /var/spool/virtual_mailboxes
virtual_mailbox_domains = mysql:/etc/postfix/sql/virtual_mailbox_domains.cf
virtual_mailbox_limit = 80000000
virtual_mailbox_maps = mysql:/etc/postfix/sql/virtual_mailbox_recipients.cf
virtual_transport = maildrop
virtual_uid_maps = mysql:/etc/postfix/sql/virtual_uid_maps.cf


Thanks for any help.

--
/jm
Re: setting up TLS and SMTP-AUTH on port 587

Brian Evans - Postfix List
Juan Miscaro wrote:

> I had STARTTLS working for port 25 for many months with no problem.  I
> am using amavisd-new/spamassassin as content filter.  But now, due to
> port blocking, I need to set this up on port 587 so I can send mail
> directly to my server with my mail client (thunderbird).
>
> I made a change to master.cf by duplicating what I had for port 25 and
> added tls and smtp-auth:
>
> # Step 1b - Listens on port 587 for incoming internet connections from MUAs
> #          and hands off mail to content filter listening on port 10024
> 587      inet  n       -       n       -       2       smtpd
>          -o smtpd_tls_security_level=encrypt
>          -o smtpd_sasl_auth_enable=yes
>          -o content_filter=smtp-amavis:[127.0.0.1]:10024
>          -o receive_override_options=no_address_mappings
>
>
> Yet when I telnet from localhost Postfix is not offering any services:
>
> $ telnet localhost 587
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 mail.example.com ESMTP
> helo localhost
>  

Unless you send "EHLO localhost", you will never see it.

> 250 mail.example.com
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
>
>
> Here is my current configuration:
>
> $ postconf -n
>
> smtpd_tls_security_level = encrypt
>  
You want to block all smtpd's if they don't use TLS??
This is only recommended on a submission port.
Otherwise, it can/will block normal internet mail.

Suggested main.cf setting is "smtpd_tls_security_level = may", then
override in master.cf if needed.

Brian

Re: setting up TLS and SMTP-AUTH on port 587

Noel Jones-2
In reply to this post by Juan Miscaro-2
Juan Miscaro wrote:
> I had STARTTLS working for port 25 for many months with no problem.  I
> am using amavisd-new/spamassassin as content filter.  But now, due to
> port blocking, I need to set this up on port 587 so I can send mail
> directly to my server with my mail client (thunderbird).
...

> Yet when I telnet from localhost Postfix is not offering any services:
>
> $ telnet localhost 587
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 mail.example.com ESMTP
> helo localhost
> 250 mail.example.com
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.

must test with
ehlo hostname
NOT
helo hostname

   -- Noel Jones
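Both replies come down to the same check: a HELO reply is a single line, so the STARTTLS and AUTH extensions only appear after EHLO. The following Python script is an added example, not code from the thread or from Postfix: it parses an EHLO reply and verifies the shape a 587 listener with smtpd_tls_security_level=encrypt and smtpd_tls_auth_only=yes should show (STARTTLS offered in the clear, AUTH only after STARTTLS). The sample replies are constructed, and the EHLO name probe.example.invalid is a placeholder.

```python
import socket
import ssl

# Constructed sample replies (not captured from the poster's server): the EHLO reply of a
# 587 listener with smtpd_tls_auth_only=yes before and after STARTTLS, and a HELO reply.
SAMPLE_EHLO_BEFORE_TLS = (b"250-mail.example.com\r\n250-PIPELINING\r\n"
                          b"250-SIZE 80000000\r\n250-STARTTLS\r\n250 8BITMIME\r\n")
SAMPLE_EHLO_AFTER_TLS = (b"250-mail.example.com\r\n250-PIPELINING\r\n"
                         b"250-SIZE 80000000\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n")
SAMPLE_HELO_REPLY = b"250 mail.example.com\r\n"  # HELO: server name only, no extensions

def parse_ehlo(reply: bytes) -> list:
    """Extension keywords from a 250 reply (RFC 5321 4.1.1.1); a HELO reply yields []."""
    lines = reply.decode("ascii", "replace").splitlines()  # line 1 is the server name
    return [line[4:].strip().upper() for line in lines[1:]]

def check_submission(before_tls: list, after_tls: list) -> dict:
    """Submission port shape: STARTTLS in the clear, AUTH only after TLS, never before."""
    has_auth = lambda kws: any(k.startswith("AUTH") for k in kws)
    return {"starttls_offered": "STARTTLS" in before_tls,
            "auth_in_clear": has_auth(before_tls),      # must be False with tls_auth_only
            "auth_after_tls": has_auth(after_tls)}      # must be True for the MUA to log in

def read_reply(sock) -> bytes:
    """Read one full SMTP reply; its last line has a space after the 3-digit code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        lines = buf.split(b"\r\n")
        if len(lines) >= 2 and lines[-1] == b"" and lines[-2][3:4] == b" ":
            return buf

def probe(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Live check against your own server: EHLO (not HELO), STARTTLS, EHLO again."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        read_reply(sock)                                  # 220 banner
        sock.sendall(b"EHLO probe.example.invalid\r\n")
        before = parse_ehlo(read_reply(sock))
        sock.sendall(b"STARTTLS\r\n")
        if not read_reply(sock).startswith(b"220"):       # server refused STARTTLS
            return check_submission(before, [])
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(b"EHLO probe.example.invalid\r\n")
            after = parse_ehlo(read_reply(tls))
            tls.sendall(b"QUIT\r\n")
    return check_submission(before, after)
```

Run `probe("mail.example.com")` against your own submission port; a result with auth_in_clear set to True means AUTH is being offered on the plaintext session, which smtpd_tls_auth_only=yes is meant to prevent.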
Re: setting up TLS and SMTP-AUTH on port 587

Juan Miscaro-2
In reply to this post by Brian Evans - Postfix List
2009/7/16 Brian Evans - Postfix List <[hidden email]>:

> Juan Miscaro wrote:
>> I had STARTTLS working for port 25 for many months with no problem.  I
>> am using amavisd-new/spamassassin as content filter.  But now, due to
>> port blocking, I need to set this up on port 587 so I can send mail
>> directly to my server with my mail client (thunderbird).
>>
>> I made a change to master.cf by duplicating what I had for port 25 and
>> added tls and smtp-auth:
>>
>> # Step 1b - Listens on port 587 for incoming internet connections from MUAs
>> #          and hands off mail to content filter listening on port 10024
>> 587      inet  n       -       n       -       2       smtpd
>>          -o smtpd_tls_security_level=encrypt
>>          -o smtpd_sasl_auth_enable=yes
>>          -o content_filter=smtp-amavis:[127.0.0.1]:10024
>>          -o receive_override_options=no_address_mappings
>>
>>
>> Yet when I telnet from localhost Postfix is not offering any services:
>>
>> $ telnet localhost 587
>> Trying ::1...
>> telnet: connect to address ::1: Connection refused
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> 220 mail.example.com ESMTP
>> helo localhost
>>
>
> Unless you send "EHLO localhost", you will never see it.
>
>> 250 mail.example.com
>> quit
>> 221 2.0.0 Bye
>> Connection closed by foreign host.
>>
>>
>> Here is my current configuration:
>>
>> $ postconf -n
>>
>> smtpd_tls_security_level = encrypt
>>
> You want to block all smtpd's if they don't use TLS??
> This is only recommended on a submission port.
> Otherwise, it can/will block normal internet mail.
>
> Suggested main.cf setting is "smtpd_tls_security_level = may", then
> override in master.cf if needed.
>
> Brian
>
>

Argh!

Thanks guys (re ehlo vs helo).  And, Brian, thanks for the second tip
(encrypt vs may).


--
/jm