Chris Babcock wrote, at 01/08/2009 03:19 AM:
> On Wed, 7 Jan 2009 21:10:57 -0800
> Jeff Weinberger <j...@jweinberger.homeip.net> wrote:
>
>> 1) using the controls in postfix, is it possible to prevent
>> authenticated users from using port 25 to submit mail? Is there a
>> construct that would do that without interfering with incoming mail
>> from anywhere?
>
> Your smtpd_recipient_restrictions... Right now they're probably the same
> for the smtpd daemons listening on ports 25 and 587 and they include
> one or more "permit_*" directives, probably "permit_mynetworks" and
> "permit_sasl_authenticated". You'll remove those permit_* restrictions,
> except possibly "permit_mynetworks", from main.cf and replace them with
> an override ("-o" switch) on the submission service in master.cf.
>
> submission inet n - n - - smtpd
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

Better to uncomment the default submission settings in your master.cf and
work from that, if needed. In recent versions of Postfix, this is:

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Before editing the settings provided with your version of Postfix, please
take time to understand what you are doing. The defaults are very sane,
and rarely need adjusting.

>> 2) even if it's possible, is it advisable (I know no one is shy about
>> offering opinions here, and I hope if you have one, you'll voice
>> it :) )?
>
> It's an extension of a great security model, but one of the things that
> makes that model work is that it has been made easy to implement. It's
> possible to break things like scripts that need to send mail off the
> server with a fairly insignificant gain in security. It's not hard to
> do, but you do need to know the system well to do it because it's at
> least 2 steps off from any of the documented deployment recipes.
>
> I'd do it for a small hobby server like mine just because it's my idea
> of a good time. I'd also do it for corporate situations where
> "mynetworks" includes machines that aren't in a room with a lock on the
> door, but not if it meant reconfiguring every PHP app and shell script
> that sends mail out of the company to authenticate itself.

This isn't necessarily a bad thing. I've found that applications and
devices with poor SMTP support deserve a security audit that often
reveals other weaknesses. If they're not immediately fixable, it's useful
to isolate them on a separate and secure relay while waiting for them to
be upgraded or replaced.
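Added illustration, not part of the thread above: the advice in both posts rests on one rule, that a "-o name=value" line under a master.cf service replaces the main.cf value for that one listener only, so the port-25 "smtp" service keeps whatever main.cf says while "submission" gets SASL and permit_sasl_authenticated. The script below applies that rule to a constructed main.cf/master.cf pair (sample text written for this example, not taken from anyone's server) and reports which inet smtpd listeners would let an authenticated client relay. The extra "smtps" entry is there only to show a listener that turns SASL on but silently inherits main.cf's restriction lists; it is not something either poster recommended. The script knows nothing about Postfix's built-in defaults for parameters that are absent from main.cf, so on a live system treat `postconf -n` (and, on Postfix 2.11 or later, `postconf -M` for services and `postconf -P` for the per-service overrides) as authoritative.

```python
"""Resolve effective per-listener Postfix settings (main.cf + master.cf -o
overrides) and list the listeners on which SASL-authenticated relay works.
Example code; the sample configuration below is constructed for it."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed main.cf: SASL off and no permit_sasl_authenticated, so the
# port-25 daemon only relays for mynetworks.
MAIN_CF = """\
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
"""

# Constructed master.cf: submission turns SASL on and permits authenticated
# relay; smtps turns SASL on but forgets to override the restriction lists.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""

# Parameters that decide whether a listener accepts and relays SASL mail.
# smtpd_relay_restrictions exists from Postfix 2.10 on and is checked too.
WATCHED = ("smtpd_sasl_auth_enable", "smtpd_client_restrictions",
           "smtpd_recipient_restrictions", "smtpd_relay_restrictions")


@dataclass
class Service:
    name: str
    stype: str          # inet, unix, fifo, pass
    command: str        # eighth field, e.g. smtpd
    overrides: Dict[str, str] = field(default_factory=dict)


def _logical_lines(text: str) -> List[str]:
    """Drop blank and comment lines and join continuation lines (those that
    start with whitespace) onto the preceding line, as Postfix does for
    both main.cf and master.cf."""
    out: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out


def parse_main_cf(text: str) -> Dict[str, str]:
    """main.cf is 'name = value', one parameter per logical line."""
    params: Dict[str, str] = {}
    for line in _logical_lines(text):
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def parse_master_cf(text: str) -> Dict[str, Service]:
    """Read the eight fixed fields of each service entry plus any
    '-o name=value' pairs among the trailing command arguments."""
    services: Dict[str, Service] = {}
    for line in _logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue
        svc = Service(name=fields[0], stype=fields[1], command=fields[7])
        args = fields[8:]
        for i, tok in enumerate(args):
            if tok == "-o" and i + 1 < len(args):
                key, _, val = args[i + 1].partition("=")
                svc.overrides[key] = val
        services[svc.name] = svc
    return services


def effective_settings(main_cf: str, master_cf: str) -> Dict[str, Dict[str, str]]:
    """For every inet smtpd listener: main.cf values with that service's
    -o overrides layered on top. Parameters absent from main.cf show as ''
    (their compiled-in defaults are not modelled here)."""
    base = parse_main_cf(main_cf)
    result: Dict[str, Dict[str, str]] = {}
    for svc in parse_master_cf(master_cf).values():
        if svc.stype != "inet" or svc.command != "smtpd":
            continue
        eff = {p: base.get(p, "") for p in WATCHED}
        eff.update({k: v for k, v in svc.overrides.items() if k in WATCHED})
        result[svc.name] = eff
    return result


def _lists(value: str, restriction: str) -> bool:
    """True if a restriction list (comma and/or space separated) names it."""
    return restriction in re.split(r"[\s,]+", value)


def listeners_accepting_sasl_relay(main_cf: str, master_cf: str) -> List[str]:
    """Listeners where an authenticated client can relay: SASL must be
    enabled AND a restriction list must contain permit_sasl_authenticated
    (with SASL off the permit never matches, so it is harmless there)."""
    hits = []
    for name, eff in effective_settings(main_cf, master_cf).items():
        if eff["smtpd_sasl_auth_enable"].lower() != "yes":
            continue
        if any(_lists(eff[p], "permit_sasl_authenticated") for p in WATCHED[1:]):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    for name, eff in effective_settings(MAIN_CF, MASTER_CF).items():
        print(name, eff)
    print("authenticated relay possible on:",
          listeners_accepting_sasl_relay(MAIN_CF, MASTER_CF))
```

With the sample files, only "submission" comes out as a relay point for authenticated users: "smtp" has SASL off, and "smtps" advertises AUTH but inherits main.cf's permit_mynetworks, reject_unauth_destination, so an authenticated user there would be refused for off-site recipients. That last case is the kind of surprise the "understand what you are doing" warning above is about, and the reason the earlier post overrides smtpd_recipient_restrictions on submission as well as smtpd_client_restrictions.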