On 2023-12-13 at 04:27:24 UTC-0500 (Wed, 13 Dec 2023 20:27:24 +1100)
lists--- via Postfix-users <li...@sbt.net.au>
is rumored to have said:

> I have a user with an 'old' printer/scanner who wants to scan/email scans
> from the home located device
>
> printer offers:
> machine email address:
> SMTP server:
> SMTP server port:
>
> send authentication: PoPb4SMTP/SMTP AUTH: Plain/Login/CRAM-MD5/Auto
>
> login name:
> passwd:

I would also expect a session encryption option for using TLS on the connection, which may be labeled as SSL because it is old.

If your printer has no such option, I'd junk it.


> tried 587 with each of the 4 AUTH options, keeps failing
> added printer IP to mynetworks, changed to port 25, working
>
> any suggestion what it might need to use port 587 / AUTH ?

Correct daemon configuration. That is site-specific and you've not included your configuration, so any suggestion would be a pure guess.

postconf -nf
postconf -Mf

The fix is probably in master.cf, where you should have something *similar* to this for port 587:

submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submit
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING


> any undesired side effects of allowing printer IP in main.cf mynetworks ?

*Assuming* that you have 'permit_mynetworks' in your smtpd_*_restrictions lists, anything on your network that could grab that IP could spam at will through your MTA.


> Dec 13 17:52:13 geko postfix/submission/smtpd[22180]: connect from
> 111-222-333-444.tpgi.com.au[111.222.333.444]
> Dec 13 17:52:13 geko postfix/submission/smtpd[22180]: lost connection
> after EHLO from 111-222-333-444.tpgi.com.au[111.222.333.444]
> Dec 13 17:52:13 geko postfix/submission/smtpd[22180]: disconnect from
> 111-222-333-444.tpgi.com.au[111.222.333.444] ehlo=1 commands=1
>
> Dec 13 17:47:20 geko postfix/submission/smtpd[15098]: disconnect from
> 111-222-333-444.tpgi.com.au[111.222.333.444] ehlo=1 commands=1

Those both indicate that the device at the impossible IP connected, provided an acceptable EHLO command, and unceremoniously dropped the connection.

> Dec 13 17:48:12 geko postfix/anvil[15001]: statistics: max connection rate
> 6/3600s for (submission:111.222.333.444) at Dec 13 17:47:20

Irrelevant

> Dec 13 17:48:26 geko postfix/postscreen[14984]: CONNECT from
> [111.222.333.444]:50694 to [103.106.168.106]:25
> Dec 13 17:48:26 geko postfix/postscreen[14984]: WHITELISTED
> [111.222.333.444]:50694
> Dec 13 17:48:26 geko postfix/smtpd[15061]: connect from
> 111-222-333-444.tpgi.com.au[111.222.333.444]
> Dec 13 17:48:26 geko postfix/smtpd[15061]: CB67D20BBA9:
> client=111-222-333-444.tpgi.com.au[111.222.333.444], sasl_method=LOGIN,
> sasl_username=u...@tld.com.au
> Dec 13 17:48:30 geko amavis[15129]: (15129-15) Checking: P4rpqg2X2xgz
> [111.222.333.444] <print-in...@tld.com.au> -> <u...@tld.com.au>
> Dec 13 17:48:31 geko postfix/smtpd[15061]: disconnect from
> 111-222-333-444.tpgi.com.au[111.222.333.444] ehlo=1 auth=1 mail=1 rcpt=1
> data=1 quit=1 commands=6

You seem to have the classical Amavis config, using it as a SMTP proxy. And it seems to basically work.

> Dec 13 17:48:31 geko amavis[15129]: (15129-15) Passed CLEAN
> {RelayedInbound}, [111.222.333.444]:50694 [111.222.333.444] ESMTP/ESMTP
> <print-in...@tld.com.au> -> <u...@tld.com.au>,
> (ESMTPA://[111.222.333.444]:50694), Queue-ID: CB67D20BBA9, mail_id:
> P4rpqg2X2xgz, b: cNaGQKTr-, Hits: 0.436, size: 525554, queued_as:
> C064E20A5CB, Subject: "ScanFrom Printer (raw:
> =?utf-8?B?U2NhbkZy2NhbkZyb20gW50ZXI=?=)", From: <print-in...@tld.com.au>,
> helo=iptarget, Tests:
> [ALL_TRUSTED=-1,BAYES_00=-1.9,DATE_IN_PAST_06_12=1.543,DKIM_INVALID=0.1,DKIM_SIGNED=0.1,INVALID_DATE=1.096,MISSING_MID=0.497],
> autolearn=no autolearn_force=no, autolearnscore=1.875, 1715 ms

And there is Amavis (using SpamAssassin) giving it the thumbs up.

The command summary above from smtpd as it closed the session indicates that you have a working authentication system set up to work on port 25 (where it isn't useful) but for some reason the printer never bothers trying. It receives something in the EHLO response that tells it that it cannot send...

I made a guess based on your mail's transit path and found the issue, I THINK. This is a manual SMTP check of what geko is saying on those 2 ports:

        shiny:~ root# telnet geko.sbt.net.au 587
        Trying 103.106.168.106...
        Connected to geko.sbt.net.au.
        Escape character is '^]'.
        220 geko.sbt.net.au ESMTP Postfix
        EHLO dynnat.scconsult.com
        250-geko.sbt.net.au
        250-PIPELINING
        250-SIZE 30971520
        250-ETRN
        250-STARTTLS
        250-ENHANCEDSTATUSCODES
        250-8BITMIME
        250-DSN
        250-SMTPUTF8
        250 CHUNKING
        quit
        221 2.0.0 Bye
        Connection closed by foreign host.

No AUTH offered. Which is fine, because one should not offer AUTH over an unencrypted session. However, your printer saw that and instead of using STARTTLS, it hung up. That's bad. It should have used STARTTLS to get a useful session.

        shiny:~ root# telnet geko.sbt.net.au 25
        Trying 103.106.168.106...
        Connected to geko.sbt.net.au.
        Escape character is '^]'.
        220-geko.sbt.net.au ESMTP Postfix
        220 geko.sbt.net.au ESMTP Postfix
        EHLO dynnat.scconsult.com
        250-geko.sbt.net.au
        250-PIPELINING
        250-SIZE 30971520
        250-ETRN
        250-STARTTLS
        250-AUTH PLAIN LOGIN
        250-AUTH=PLAIN LOGIN
        250-ENHANCEDSTATUSCODES
        250-8BITMIME
        250-DSN
        250-SMTPUTF8
        250 CHUNKING
        quit
        221 2.0.0 Bye
        Connection closed by foreign host.


There's why port 25 worked: you have AUTH enabled on port 25 without encryption. Even worse, you only advertise plaintext SASL mechanisms, so your printer's password was sent in the clear to authenticate.

So my GUESS at PART of your fix is to remove smtpd_sasl_auth_enable=yes from your main.cf, add it as an override in master.cf for submission (as above), and tell your printer to use TLS. If you cannot use TLS, you should either get a modern printer or don't ask your printer to email you. You certainly COULD work around that by compromising the security of your MTA, but why?


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
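The manual telnet check in the message above, as an added example that is not part of the thread: it parses the two EHLO replies quoted there (abridged, constructed samples) and flags the condition the reply diagnoses, AUTH advertised before STARTTLS with only plaintext mechanisms. The `probe_live` helper repeats the check against a real server with the standard library's `smtplib`; host names and port defaults there are assumptions.

```python
import smtplib
from typing import Dict, List

# Constructed samples, abridged from the two telnet captures in the thread:
# the submission port answers EHLO without AUTH, port 25 advertises AUTH in the clear.
EHLO_587 = "250-geko.sbt.net.au\n250-SIZE 30971520\n250-STARTTLS\n250 CHUNKING"
EHLO_25 = ("250-geko.sbt.net.au\n250-SIZE 30971520\n250-STARTTLS\n"
           "250-AUTH PLAIN LOGIN\n250-AUTH=PLAIN LOGIN\n250 CHUNKING")

def parse_ehlo(text: str) -> Dict[str, str]:
    """Map a multi-line 250 EHLO reply to {EXTENSION: parameters}."""
    feats: Dict[str, str] = {}
    for line in text.splitlines()[1:]:          # line 1 is only the server name
        body = line[4:].strip()                 # strip the "250-" / "250 " prefix
        # "AUTH=PLAIN LOGIN" is the legacy spelling some old clients need; fold it in
        key, _, params = body.replace("AUTH=", "AUTH ").partition(" ")
        feats[key.upper()] = params
    return feats

def assess_cleartext_ehlo(text: str) -> List[str]:
    """Findings for an EHLO reply seen BEFORE STARTTLS, following the thread's reasoning."""
    feats = parse_ehlo(text)
    findings: List[str] = []
    if "STARTTLS" not in feats:
        findings.append("no STARTTLS offered: the client cannot upgrade to TLS")
    if "AUTH" in feats:
        mechs = feats["AUTH"].split()
        findings.append("AUTH offered before TLS: credentials would cross the wire unencrypted")
        if mechs and all(m in ("PLAIN", "LOGIN") for m in mechs):
            findings.append("only plaintext SASL mechanisms advertised: " + " ".join(mechs))
    return findings

def probe_live(host: str, port: int = 587, timeout: float = 10.0) -> Dict[str, bool]:
    """Live version of the manual telnet check: EHLO before and after STARTTLS (needs network)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = dict(s.esmtp_features)         # smtplib lower-cases the keys
        after: Dict[str, str] = {}
        if "starttls" in before:
            s.starttls()                        # upgrade, then re-EHLO as a client must
            s.ehlo()
            after = dict(s.esmtp_features)
    return {"auth_in_clear": "auth" in before, "auth_after_tls": "auth" in after}

if __name__ == "__main__":
    for label, reply in (("587", EHLO_587), ("25", EHLO_25)):
        print(label, assess_cleartext_ehlo(reply) or ["looks right"])
```

A correctly configured submission port should report `auth_in_clear` False and `auth_after_tls` True; port 25 in the thread would report `auth_in_clear` True, which is the finding the reply calls "even worse".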
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org