On 1/6/2014 12:47 PM, jeffrey j donovan wrote:
>
> On Jan 6, 2014, at 1:17 PM, Eric Cunningham <e...@whoi.edu> wrote:
>
>> Hi, I've encountered a problem with Windows-based devices, such as Windows
>> Phones, being unable to send mail through postfix. The problem and
>> resolution are described at
>> http://answers.microsoft.com/en-us/winphone/forum/wp8-wpemail/smtp-authentication-for-outgoing-emails-via-a/2132a705-e1d0-401d-9883-f22f7ed2cb6a
>>
>> However, if I add LOGIN to mech_list in /etc/postfix/sasl/smtpd.conf to
>> address that problem, our SMTP server becomes an open relay. Does anyone
>> have any idea what might be causing this and what the fix is to allow
>> Windows devices to send mail while not opening a mail relay?
>
> I see a couple of things.
>
>> mynetworks = 128.128.0.0/16, 127.0.0.0/8, 199.92.168.150, 172.16.8.0/24
>
> All of these networks will be free to send, as stated in your config:
>
>> smtpd_sender_restrictions = permit_sasl_authenticated,
>>     permit_mynetworks
>
>> smtpd_tls_security_level = may
>
> Optional encryption; I would set that to encrypt.

No, this is an internet-facing MX, and must not require encryption from
the public internet. The OP correctly requires encryption for SASL with

>> smtpd_tls_auth_only = yes

> Also looking for these lines, which I don't see:
>
> smtpd_tls_mandatory_ciphers = high

This is likely to break compatibility with large portions of the
internet, and is not recommended for a public internet MX. When you
break the TLS negotiation, the message will either be sent unencrypted,
or not at all (depending on the sender's software).

> smtpd_tls_mandatory_protocols = SSLv3, TLSv1

This may also break compatibility. The default setting

smtpd_tls_mandatory_protocols = !SSLv2

is sufficient. When you break the TLS negotiation, the message will
likely be resent unencrypted.

Your suggested settings are OK for the submission service or an
internal-only smarthost, but must not be used on the internet.

> Adding Login as an Auth mech wouldn't make your system an open relay.
> Your system was open already.

Agreed.

  -- Noel Jones

> -j
>
>>
>> /etc/postfix/sasl/smtpd.conf:
>>
>> pwcheck_method: saslauthd
>> mech_list: PLAIN
>> log_level: 0
>>
>>
>> postconf -n
>>
>> address_verify_poll_count = ${stress?1}${stress:3}
>> alias_database = hash:/etc/aliases
>> alias_maps = hash:/etc/aliases, ldap:ldap
>> anvil_rate_time_unit = 60s
>> append_dot_mydomain = yes
>> body_checks = pcre:/etc/postfix/access/body_access
>> broken_sasl_auth_clients = yes
>> command_directory = /usr/sbin
>> config_directory = /etc/postfix
>> daemon_directory = /usr/lib/postfix
>> default_process_limit = 250
>> default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what]
>>     blocked using $rbl_domain${rbl_reason?; $rbl_reason}. Contact
>>     <postmas...@whoi.edu> if this is in error.
>> header_checks = pcre:/etc/postfix/access/header_access
>> html_directory = /usr/share/doc/postfix/html
>> mailbox_size_limit = 0
>> message_size_limit = 104857600
>> mime_header_checks = pcre:/etc/postfix/access/mime_header_checks
>> mydestination = $myhostname, $mydomain, postal2.$mydomain, outbox.$mydomain,
>>     mail.$mydomain, localhost.$mydomain, localhost.localdomain,
>>     localhost, beachcomberscompanion.org, whoi.net, cinar.org,
>>     bco-dmo.org, bcodmo.org, oceanopportunities.org
>> myhostname = postal2.whoi.edu
>> mynetworks = 128.128.0.0/16, 127.0.0.0/8, 199.92.168.150, 172.16.8.0/24
>> myorigin = $mydomain
>> parent_domain_matches_subdomains =
>> permit_mx_backup_networks = $mynetworks
>> rbl_reply_maps = hash:/etc/postfix/access/dnsbl_replies
>> readme_directory = /usr/share/doc/postfix
>> recipient_delimiter = +
>> relay_domains = hash:/etc/postfix/mx_host_relays, oceanus.whoi.edu,
>>     atlantis.whoi.edu knorr.whoi.edu, tioga.whoi.edu, bosun.whoi.edu,
>>     striker.whoi.edu, striker2.whoi.edu, sssg1.whoi.edu, wbc.whoi.edu
>> relayhost =
>> relocated_maps = hash:/etc/postfix/relocated
>> setgid_group = postdrop
>> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
>> smtpd_client_connection_rate_limit = 60
>> smtpd_client_message_rate_limit = 250
>> smtpd_client_new_tls_session_rate_limit = 60
>> smtpd_client_recipient_rate_limit = 300
>> smtpd_client_restrictions = check_client_access
>>     hash:/etc/postfix/access/connect_client_access
>> smtpd_delay_reject = yes
>> smtpd_error_sleep_time = 5s
>> smtpd_etrn_restrictions = permit_mynetworks, reject
>> smtpd_hard_error_limit = ${stress?1}${stress:20}
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = permit_mynetworks, check_helo_access
>>     pcre:/etc/postfix/access/final_helo_access
>> smtpd_junk_command_limit = ${stress?1}${stress:100}
>> smtpd_recipient_restrictions = reject_unauth_pipelining,
>>     reject_non_fqdn_recipient,
>>     check_sender_access pcre:/etc/postfix/access/final_sender_access,
>>     reject_unknown_recipient_domain, permit_sasl_authenticated,
>>     permit_mynetworks, reject_unauth_destination,
>>     reject_unknown_sender_domain,
>>     check_recipient_access pcre:/etc/postfix/access/final_recipient_access,
>>     check_client_access hash:/etc/postfix/access/final_client_access,
>>     check_helo_access pcre:/etc/postfix/access/suspect_helo,
>>     reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org,
>>     reject_rbl_client autospam.whoi.edu, reject_rhsbl_sender dsn.rfc-ignorant.org,
>>     reject_rbl_client dnsbl.ahbl.org, reject_rbl_client http.dnsbl.sorbs.net,
>>     reject_rbl_client socks.dnsbl.sorbs.net, reject_rbl_client misc.dnsbl.sorbs.net,
>>     reject_rbl_client web.dnsbl.sorbs.net, reject_rbl_client dul.dnsbl.sorbs.net,
>>     reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org,
>>     reject_rbl_client dyna.spamrats.com, reject_rbl_client noptr.spamrats.com,
>>     reject_rbl_client virbl.dnsbl.bit.nl, reject_rbl_client ix.dnsbl.manitu.net,
>>     reject_rbl_client backscatter.spameatingmonkey.net,
>>     reject_rbl_client bl.spameatingmonkey.net,
>>     reject_rhsbl_sender fresh.spameatingmonkey.net,
>>     reject_rhsbl_client fresh.spameatingmonkey.net,
>>     reject_rhsbl_sender uribl.spameatingmonkey.net,
>>     reject_rhsbl_client uribl.spameatingmonkey.net,
>>     reject_rhsbl_sender urired.spameatingmonkey.net,
>>     reject_rhsbl_client urired.spameatingmonkey.net,
>>     check_sender_access hash:/etc/postfix/access/check_backscatterer,
>>     check_policy_service inet:127.0.0.1:10023, permit
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_local_domain = $myhostname
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sender_restrictions = permit_sasl_authenticated,
>>     permit_mynetworks
>> smtpd_soft_error_limit = 10
>> smtpd_starttls_timeout = ${stress?10}${stress:300}s
>> smtpd_timeout = ${stress?10}${stress:300}s
>> smtpd_tls_CAfile = /etc/postfix/tls/whoi-inCommon-interim.cer
>> smtpd_tls_auth_only = yes
>> smtpd_tls_cert_file = /etc/postfix/tls/whoi-inCommon-certificate.cer
>> smtpd_tls_key_file = /etc/postfix/tls/whoi-inCommon-private.key
>> smtpd_tls_loglevel = 1
>> smtpd_tls_received_header = yes
>> smtpd_tls_security_level = may
>> smtpd_tls_session_cache_timeout = 3600s
>> tls_random_source = dev:/dev/urandom
>> transport_maps = hash:/etc/postfix/transport
>> unknown_local_recipient_reject_code = 550
>> virtual_alias_domains = $virtual_alias_maps
>> virtual_alias_maps = hash:/etc/postfix/virtual, ldap:vldap
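Noel's split, written out as a master.cf excerpt: this is an added example, not configuration from anyone in the thread. It keeps the OP's port-25 MX on the main.cf values shown above (smtpd_tls_security_level = may, smtpd_tls_auth_only = yes) and puts the strict TLS settings Jeffrey suggested on a separate submission service that only SASL-authenticated clients may use. The syslog_name value, the choice to also exclude SSLv3, and closing port 587 to everything but authenticated users are this example's assumptions; smtpd_relay_restrictions exists only in Postfix 2.10 and later.

```conf
# /etc/postfix/master.cf (excerpt) -- added example, not from the thread.
#
# Port 25 is the public MX. It inherits main.cf unchanged, so:
#   smtpd_tls_security_level = may    -> plaintext delivery from the
#                                        internet keeps working
#   smtpd_tls_auth_only = yes         -> AUTH is advertised only after
#                                        STARTTLS
# Nothing "mandatory_*" applies here because the level is not encrypt.
smtp      inet  n       -       -       -       -       smtpd

# Port 587 is where the Windows Phone and other mail clients log in.
# Adding LOGIN next to PLAIN in /etc/postfix/sasl/smtpd.conf
# (mech_list: PLAIN LOGIN) is what lets those clients authenticate;
# the relay policy below is what keeps that from mattering to anyone
# who cannot authenticate.
#
# Settings, in order:
#  - encrypt: refuse the session unless TLS is negotiated (only our own
#    users connect here, so breaking old senders is not a concern).
#  - mandatory_protocols / mandatory_ciphers: apply only under encrypt,
#    so Jeffrey's "high" ciphers are safe on this port. This example also
#    excludes SSLv3 (an assumption, not something the thread recommends).
#  - noplaintext before TLS, noanonymous always: PLAIN and LOGIN are
#    cleartext mechanisms and are offered only inside the TLS session.
#  - permit_sasl_authenticated, reject: no permit_mynetworks on this
#    port, so a too-wide mynetworks (the /16 Jeffrey pointed at) cannot
#    turn the submission service into a relay.
#  - empty helo/sender restrictions: the DNSBL and policy-server checks
#    in main.cf are for inbound MX traffic, not for our own users.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After editing, `postfix check` validates the syntax and `postconf -Mf submission` (Postfix 2.11+) shows the effective overrides for the new service.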