On Mon, Feb 22, 2016 at 09:35:42PM +0100, morbi...@rx900.org wrote:

> Currently my postfix server is accepting both cleartext and ssl/tls
> connections on port 25, but my data center is introducing a new rule
> (perhaps a new firewall) which will drop ssl/tls connections to port 25
> while allowing only cleartext connection.  (port 465 is also open but
> that's ignored by the data center's new rule/firewall)

Get your submission clients to use port 587 (or 465, which you say stays
open), and disable SASL AUTH and STARTTLS on port 25.  With TLS blocked
on port 25, any AUTH still offered there would carry passwords in cleartext.

> Since i have a lot of domains and clients using my postfix server (several 
> thousands),
> I'd prefer to generate a list instead of calling them all and checking their 
> clients one by one.

For maximum information, collate your submission logs:

    # perl collate /var/log/maillog |
        perl -ne 'BEGIN {$/="\n\n"} print if m{sasl_username=}'
    Feb 22 20:49:42 amnesiac postfix/smtpd[19926]:
        connect from unknown[192.0.2.1]
    Feb 22 20:49:43 amnesiac postfix/smtpd[19926]:
        Anonymous TLS connection established from unknown[192.0.2.1]:
        TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
->  Feb 22 20:49:43 amnesiac postfix/smtpd[19926]: 9309A282F4E:
->      client=unknown[192.0.2.1], sasl_method=GSSAPI, sasl_username=luser
    Feb 22 20:49:43 amnesiac postfix/cleanup[22082]: 9309A282F4E:
        message-id=<36ba7c2e-f1b8-4b76-8b39-e1cb6cb0c...@example.org>
    Feb 22 20:49:43 amnesiac postfix/qmgr[9946]: 9309A282F4E:
        from=<lu...@example.org>, size=3900, nrcpt=1 (queue active)
    Feb 22 20:49:43 amnesiac postfix/virtual[7400]: 9309A282F4E:
        to=<lu...@example.org>, relay=virtual, delay=0.09, 
delays=0.08/0.01/0/0.01,
        dsn=2.0.0, status=sent (delivered to maildir)
    Feb 22 20:49:43 amnesiac postfix/qmgr[9946]: 9309A282F4E: removed

Make sure your port 587 submission service logs a different
syslog_name than your port 25 inbound SMTP service.  Note that the
collate script below only matches instance names of the form "postfix"
or "postfix-<suffix>" (see its $instre pattern), so a syslog_name such as
"postfix/submission" would not be picked up.  If you only
allow SASL via TLS, the only relevant data is in the single log
entry (folded across two lines for readability) with "->" in front.

-- 
        Viktor.
#! /usr/bin/perl

use strict;
use warnings;

# Delivery agents whose "to=" entries are attached to a transaction.
my @agents = qw(discard error lmtp local pipe smtp virtual);
my %isagent;
@isagent{@agents} = (1) x @agents;

# Everything up to and including the postfix instance name, which is
# captured as $1 ("postfix", or "postfix-foo" for a multi-instance setup).
my $instre = qr{
        \A                      # start of line
        (?:\S+ \s+){3}          # syslog timestamp: three blank-separated words
        \S+ \s+                 # hostname
        (postfix(?:-\S+)?)/     # instance name, followed by the slash
}x;

# The "command[pid]: " part that follows the instance.  Meant to be matched
# right after instre, so that $1 is the daemon name and $2 its pid.
my $cmdpidre = qr{
        \G                      # continue from the previous match
        (\S+)\[(\d+)\]:\s+      # command[pid]:
}x;

# Per-smtpd-process state: the session log since "connect from", plus the
# queue id of the transaction being logged once a "client=" entry was seen.
my %smtpd;

# Per-smtp/lmtp-process lines buffered until the next "to=" entry names
# the queue id they belong to.
my %smtp;

# Collected log text per "instance/queueid" for transactions not yet
# removed by qmgr(8), and the order in which each one was first seen
# (used to order the final dump of incomplete transactions).
my %transaction;
my $i = 0;
my %seqno;

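# Main loop.  Reads the log files named on the command line (or stdin),
# keeps only lines logged by a postfix instance, and stitches them into
# one log per transaction, keyed by "instance/queueid".  A transaction is
# printed (followed by a blank line) as soon as qmgr(8) logs it as removed;
# anything still pending at end of input is dumped after the loop.
#
# All the \G-anchored matches below continue from where $cmdpidre stopped,
# i.e. just after "command[pid]: ".  The /c modifier keeps pos($_) in place
# when a match fails, so a branch can probe several prefixes in turn.
while (<>) {
        next unless m{$instre}gc;   my $inst = $1;
        next unless m{$cmdpidre}gc; my $command = $1; my $pid = $2;

        if ($command eq "smtpd") {
                if (m{\Gconnect from }gc) {
                        # New session: start a fresh log for this pid and
                        # forget any queue id left over from an earlier
                        # session whose "disconnect" was never seen.
                        $smtpd{$pid} = { "log" => $_ };
                        next;
                }

                $smtpd{$pid}->{"log"} .= $_;

                if (m{\G(\w+): client=}gc) {
                        # First entry with a queue id: the transaction log
                        # starts with the whole session so far (connect,
                        # TLS and SASL details), not just this line.
                        my $qid = "$inst/$1";
                        $smtpd{$pid}->{"qid"} = $qid;
                        $transaction{$qid} = $smtpd{$pid}->{"log"};
                        $seqno{$qid} = ++$i;
                        next;
                }

                # Later session lines (e.g. "disconnect from") belong to
                # the current transaction, unless qmgr(8) already removed it.
                my $qid = $smtpd{$pid}->{"qid"};
                $transaction{$qid} .= $_
                        if (defined($qid) && exists $transaction{$qid});
                delete $smtpd{$pid} if (m{\Gdisconnect from}gc);
                next;
        }

        if ($command eq "pickup") {
                # Local submission: the "uid=" entry is the first line of
                # the transaction.
                if (m{\G(\w+): uid=}gc) {
                        my $qid = "$inst/$1";
                        $transaction{$qid} = $_;
                        $seqno{$qid} = ++$i;
                }
                next;
        }

        # bounce(8) logs transaction start after cleanup(8) already logged
        # the message-id, so the cleanup log entry may be first; appending
        # to a not-yet-existing entry creates it.
        #
        if ($command eq "cleanup") {
                next unless (m{\G(\w+): }gc);
                my $qid = "$inst/$1";
                $transaction{$qid} .= $_;
                $seqno{$qid} = ++$i if (! exists $seqno{$qid});
                next;
        }

        if ($command eq "qmgr") {
                next unless (m{\G(\w+): }gc);
                my $qid = "$inst/$1";
                if (defined($transaction{$qid})) {
                        $transaction{$qid} .= $_;
                        if (m{\Gremoved$}gc) {
                                # Done: emit the log plus a blank separator
                                # line (paragraph mode for downstream tools).
                                print delete $transaction{$qid}, "\n";
                                # Drop the ordering entry as well; otherwise
                                # %seqno grows with every message, and a
                                # later reuse of the same queue id would
                                # inherit a stale position in the final dump.
                                delete $seqno{$qid};
                        }
                }
                next;
        }

        # smtp(8) and lmtp(8) log connection details without a queue id,
        # so buffer their lines per pid until a "to=" entry tells us which
        # transaction they belong to.
        #
        if ($command eq "smtp" || $command eq "lmtp") {
                $smtp{$pid} .= $_;

                if (m{\G(\w+): to=}gc) {
                        my $qid = "$inst/$1";
                        if (defined($transaction{$qid})) {
                                $transaction{$qid} .= $smtp{$pid};
                        }
                        delete $smtp{$pid};
                }
                next;
        }

        if ($command eq "bounce") {
                # "QID: ... notification: NEWID": the entry closes out the
                # original message and opens the bounce's own transaction.
                if (m{\G(\w+): .*? notification: (\w+)$}gc) {
                        my $qid = "$inst/$1";
                        my $newid = "$inst/$2";
                        if (defined($transaction{$qid})) {
                                $transaction{$qid} .= $_;
                        }
                        # cleanup(8) may or may not have logged the new
                        # queue id yet (see the cleanup branch), so do not
                        # assume the entry exists: concatenating undef
                        # would trigger a warning under "use warnings".
                        my $sofar = $transaction{$newid};
                        $transaction{$newid} =
                                $_ . (defined($sofar) ? $sofar : "");
                        $seqno{$newid} = ++$i if (! exists $seqno{$newid});
                }
                next;
        }

        # Remaining delivery agents: only their "to=" entries are relevant.
        if ($isagent{$command}) {
                if (m{\G(\w+): to=}gc) {
                        my $qid = "$inst/$1";
                        if (defined($transaction{$qid})) {
                                $transaction{$qid} .= $_;
                        }
                }
                next;
        }
}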

# Anything still pending at end of input never got a "removed" entry
# from qmgr(8) (still queued, or the log was cut short): dump it too,
# in the order in which each transaction was first seen.
print "$transaction{$_}\n"
    for sort { $seqno{$a} <=> $seqno{$b} } keys %transaction;
