Hi, I'm setting up a mail server with dovecot-1.0.13 and
postfix-2.5.1 on freebsd 7.0. I'm a newbie to postfix, I almost
have it running but have two questions:

I'm using dovecot auth-client for sasl authentication. I want it to
reject mail from anonymous logins, but this isn't working.
"postconf -a" says "dovecot"

In main.cf I have:
smtpd_sasl_path=/var/run/dovecot/auth-client
smtpd_sasl_type=dovecot

auth-client is rw by group postfix.

The sasl_security options are the defaults from main.cf.default:
lmtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_security_options = noanonymous

I'm testing this in a local network, so I temporarily removed
"permit_mynetworks" from smtpd_sender_restrictions and
smtpd_recipient_restrictions, so that they read:
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination

But it still accepts anonymous logins:
postfix/smtpd[29015]: Anonymous TLS connection established
and the delivery goes through.

The other question I had was regarding where to specify the dovecot delivery
agent to postfix. There seem to be two ways:
in main.cf:
mailbox_command=/usr/local/libexec/dovecot/deliver
or in master.cf:
dovecot unix - n n - - pipe
  flags=DRhu user=root:mail argv=/usr/local/libexec/dovecot/deliver -d ${recipient}

Could someone tell me the difference(s) ?

Many thanks for any help!!!
Rich
Rich Winkel:
> Hi, I'm setting up a mail server with dovecot-1.0.13 and
> postfix-2.5.1 on freebsd 7.0. I'm a newbie to postfix, I almost
> have it running but have two questions:
>
> I'm using dovecot auth-client for sasl authentication. I want it to
> reject mail from anonymous logins, but this isn't working.

This requires Postfix 2.5.2.

	Wietse
Wietse Venema:
> Rich Winkel:
> > Hi, I'm setting up a mail server with dovecot-1.0.13 and
> > postfix-2.5.1 on freebsd 7.0. I'm a newbie to postfix, I almost
> > have it running but have two questions:
> >
> > I'm using dovecot auth-client for sasl authentication. I want it to
> > reject mail from anonymous logins, but this isn't working.
>
> This requires Postfix 2.5.2.

In addition, it is a good idea to configure Dovecot as per SASL_README,
and NOT allow it to support anonymous logins.

	Wietse
Rich Winkel wrote:
> Hi, I'm setting up a mail server with dovecot-1.0.13 and
> postfix-2.5.1 on freebsd 7.0. I'm a newbie to postfix, I almost
> have it running but have two questions:
>
> I'm using dovecot auth-client for sasl authentication. I want it to
> reject mail from anonymous logins, but this isn't working.
> "postconf -a" says "dovecot"

OK, that's correct.

>
> In main.cf I have:
> smtpd_sasl_path=/var/run/dovecot/auth-client
> smtpd_sasl_type=dovecot
>
> auth-client is rw by group postfix.
>
> The sasl_security options are the defaults from main.cf.default:
> lmtp_sasl_security_options = noplaintext, noanonymous
> smtp_sasl_security_options = noplaintext, noanonymous

The above two have no effect on dovecot (client side SASL not implemented).

> smtpd_sasl_security_options = noanonymous

OK.

>
> I'm testing this in a local network, so I temporarily removed
> "permit_mynetworks" from smtpd_sender_restrictions and
> smtpd_recipient_restrictions, so that they read:
> smtpd_sender_restrictions = permit_sasl_authenticated

Each smtpd_*_restrictions section ends with an implied "permit", so the
above has no effect; all clients are accepted. That's OK.

> smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination

OK, SASL authenticated clients are allowed to relay off-site, anyone
else can send mail to your local/virtual/relay domains.

>
> But it still accepts anonymous logins:
> postfix/smtpd[29015]: Anonymous TLS connection established
> and the delivery goes through.

Hold on a minute... Anonymous TLS connection does *not* imply anonymous
SASL authentication. Anonymous TLS is normal and expected; it just says
your client doesn't have its own security certificate.

You'll need to show more evidence that dovecot is accepting an anonymous
login...
http://www.postfix.org/DEBUG_README.html#mail

If the recipient is in your own domain the message will still be
accepted from any client, authenticated or not.

To only accept mail from authenticated clients, you need
smtpd_recipient_restrictions = permit_sasl_authenticated reject

Of course this is only suitable for testing, or on a MSA such as the
submission port 587, since it won't accept mail from anyone else.

>
> The other question I had was regarding where to specify the dovecot delivery
> agent to postfix. There seem to be two ways:
> in main.cf:
> mailbox_command=/usr/local/libexec/dovecot/deliver
> or in master.cf:
> dovecot unix - n n - - pipe
>   flags=DRhu user=root:mail argv=/usr/local/libexec/dovecot/deliver -d ${recipient}
>
> Could someone tell me the difference(s) ?

See the MAILDROP_README. The interface to postfix is the same with both,
so most of it applies directly to using any alternate delivery agent.
http://www.postfix.org/MAILDROP_README.html

>
> Many thanks for any help!!!
> Rich

Enjoy!

--
Noel Jones
On Thu, Jul 24, 2008 at 11:00:32PM -0500, Noel Jones wrote:
> >But it still accepts anonymous logins:
> >postfix/smtpd[29015]: Anonymous TLS connection established
> >and the delivery goes through.
>
> Hold on a minute... Anonymous TLS connection does *not* imply
> anonymous SASL authentication. Anonymous TLS is normal and
> expected; it just says your client doesn't have its own
> security certificate.

More specifically, the cipher-suite selected by the client and server
does not make use of any certificates. The client was not interested
in authenticating the server, offered anonymous TLS ciphers, and the
server accepted this. Nothing wrong with this.

$ openssl ciphers -v 'ALL+aNULL:!EXPORT:@STRENGTH'
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1

The most frequently used cipher in this context with OpenSSL 0.9.[78]
is ADH-AES256-SHA.

--
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
Victor Duchovni wrote:
> On Thu, Jul 24, 2008 at 11:00:32PM -0500, Noel Jones wrote:
>
>>> But it still accepts anonymous logins:
>>> postfix/smtpd[29015]: Anonymous TLS connection established
>>> and the delivery goes through.
>> Hold on a minute... Anonymous TLS connection does *not* imply
>> anonymous SASL authentication. Anonymous TLS is normal and
>> expected; it just says your client doesn't have its own
>> security certificate.
>
> More specifically, the cipher-suite selected by the client and server
> does not make use of any certificates. The client was not interested
> in authenticating the server, offered anonymous TLS ciphers, and the
> server accepted this. Nothing wrong with this.
>
> $ openssl ciphers -v 'ALL+aNULL:!EXPORT:@STRENGTH'
> ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
> ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
> ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
> ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
> ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
>
> The most frequently used cipher in this context with OpenSSL 0.9.[78]
> is ADH-AES256-SHA.
>

well, the important point is that "Anonymous TLS connection
established" has nothing at all to do with the sasl login method...

Rich, in your logs, look for lines similar to:
Jul 24 23:00:35 mgate2 postfix/smtpd[71550]: 77EB4797884: client=unknown[10.15.2.21], sasl_method=PLAIN, sasl_username=michael

As long as the sasl_method is PLAIN, LOGIN, ... anything but
"anonymous", you're OK.

--
Noel Jones
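As an added example (not part of this thread and not Postfix or Dovecot code), the following Python script applies Noel's advice mechanically: it reads smtpd log lines, treats "Anonymous TLS connection established" as saying nothing about SASL, and reports each "client=" line as authenticated, anonymous-SASL (sasl_method=ANONYMOUS) or not authenticated at all (no sasl_method). The sample log lines, queue IDs and addresses are constructed for the example.

```python
import re

# Constructed sample smtpd log lines, modelled on the ones quoted in this thread.
SAMPLE_LOG = """\
Jul 24 23:00:35 mgate2 postfix/smtpd[29015]: Anonymous TLS connection established from unknown[10.15.2.21]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Jul 24 23:00:35 mgate2 postfix/smtpd[71550]: 77EB4797884: client=unknown[10.15.2.21], sasl_method=PLAIN, sasl_username=michael
Jul 24 23:01:02 mgate2 postfix/smtpd[71551]: 8A0C1797890: client=unknown[10.15.2.22], sasl_method=ANONYMOUS, sasl_username=anonymous
Jul 24 23:01:40 mgate2 postfix/smtpd[71552]: 9B1D2797891: client=mail.example.net[192.0.2.10]
"""

# "client=" lines carry the SASL outcome; sasl_method/sasl_username are absent
# when the client did not authenticate at all.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<queue_id>[0-9A-F]+): client=(?P<client>[^,\s]+)"
    r"(?:, sasl_method=(?P<method>[^,\s]+))?(?:, sasl_username=(?P<user>\S+))?$"
)
ANON_TLS_RE = re.compile(r"postfix/smtpd\[\d+\]: Anonymous TLS connection established")


def classify_line(line):
    """Return (category, detail) for one smtpd log line, or None if irrelevant."""
    if ANON_TLS_RE.search(line):
        # Anonymous TLS only means no certificate was used for the handshake;
        # it says nothing about whether the client authenticated via SASL.
        return ("anon_tls", None)
    m = CLIENT_RE.search(line)
    if not m:
        return None
    method = m.group("method")
    if method is None:
        return ("unauthenticated", m.group("queue_id"))
    if method.upper() == "ANONYMOUS":
        return ("anonymous_sasl", m.group("queue_id"))
    return ("authenticated", m.group("user"))


def audit(log_text):
    """Count line categories and return the queue IDs that used anonymous SASL."""
    counts = {"anon_tls": 0, "unauthenticated": 0, "anonymous_sasl": 0, "authenticated": 0}
    flagged = []
    for line in log_text.splitlines():
        result = classify_line(line)
        if result is None:
            continue
        category, detail = result
        counts[category] += 1
        if category == "anonymous_sasl":
            flagged.append(detail)
    return counts, flagged


if __name__ == "__main__":
    totals, anon_ids = audit(SAMPLE_LOG)
    print(totals)
    print("anonymous SASL logins:", anon_ids)
```

On a real server, feed it the maillog instead of SAMPLE_LOG; an "unauthenticated" hit is expected for inbound mail to your own domains, while an "anonymous_sasl" hit is the evidence Noel asked for.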