On Mon, 22 Feb 2016 20:58:51 +0000
Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Mon, Feb 22, 2016 at 09:35:42PM +0100, morbi...@rx900.org wrote:
> 
> > Currently my postfix server is accepting both cleartext and ssl/tls
> > connections on port 25, but my data center is introducing a new rule
> > (perhaps a new firewall) which will drop ssl/tls connections to port 25
> > while allowing only cleartext connection.  (port 465 is also open but
> > that's ignored by the data center's new rule/firewall)
> 
> Get your submission clients to use port 587, and disable SASL AUTH and
> STARTTLS on port 25.
> 
> > Since i have a lot of domains and clients using my postfix server (several 
> > thousands),
> > I'd prefer to generate a list instead of calling them all and checking 
> > their clients one by one.
> 
> For maximum information, collate your submission logs:
> 
>     # perl collate /var/log/maillog |
>       perl -ne 'BEGIN {$/="\n\n"} print if m{sasl_username=}'
>     Feb 22 20:49:42 amnesiac postfix/smtpd[19926]:
>         connect from unknown[192.0.2.1]
>     Feb 22 20:49:43 amnesiac postfix/smtpd[19926]:
>         Anonymous TLS connection established from unknown[192.0.2.1]:
>         TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
> ->  Feb 22 20:49:43 amnesiac postfix/smtpd[19926]: 9309A282F4E:
> ->      client=unknown[192.0.2.1], sasl_method=GSSAPI, sasl_username=luser
>     Feb 22 20:49:43 amnesiac postfix/cleanup[22082]: 9309A282F4E:
>         message-id=<36ba7c2e-f1b8-4b76-8b39-e1cb6cb0c...@example.org>
>     Feb 22 20:49:43 amnesiac postfix/qmgr[9946]: 9309A282F4E:
>         from=<lu...@example.org>, size=3900, nrcpt=1 (queue active)
>     Feb 22 20:49:43 amnesiac postfix/virtual[7400]: 9309A282F4E:
>         to=<lu...@example.org>, relay=virtual, delay=0.09, delays=0.08/0.01/0/0.01,
>         dsn=2.0.0, status=sent (delivered to maildir)
>     Feb 22 20:49:43 amnesiac postfix/qmgr[9946]: 9309A282F4E: removed
> 
> Make sure your port 587 submission service logs a different
> syslog_name than your port 25 inbound SMTP service.  If you only
> allow SASL via TLS, the only relevant data is in the single log
> entry (folded across two lines for readability) with "->" in front.
> 
> -- 
>       Viktor.

Very creative, thank you :)
Makes sense, I'll do some tests.
Thanks for the support.
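As an added example (not code from the thread, and not Viktor's collate script): a small Python script that does the same per-session collation the quoted command relies on, keyed on the smtpd process id between "connect from" and "disconnect from", and reports which SASL users authenticated with and without TLS, so the clients that would break once AUTH is only offered on port 587 over TLS can be listed rather than guessed. The log lines are constructed, and the syslog_name capture assumes the submission service is logged under a different name as recommended above.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original thread): two smtpd
# sessions on the same server, one that does STARTTLS before AUTH and one
# that authenticates in cleartext.
SAMPLE_LOG = """\
Feb 22 20:49:42 amnesiac postfix/smtpd[19926]: connect from unknown[192.0.2.1]
Feb 22 20:49:43 amnesiac postfix/smtpd[19926]: Anonymous TLS connection established from unknown[192.0.2.1]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Feb 22 20:49:43 amnesiac postfix/smtpd[19926]: 9309A282F4E: client=unknown[192.0.2.1], sasl_method=GSSAPI, sasl_username=luser
Feb 22 20:49:44 amnesiac postfix/smtpd[19926]: disconnect from unknown[192.0.2.1]
Feb 22 20:50:01 amnesiac postfix/smtpd[19930]: connect from unknown[198.51.100.7]
Feb 22 20:50:02 amnesiac postfix/smtpd[19930]: 1A2B3C4D5E6: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.org
Feb 22 20:50:03 amnesiac postfix/smtpd[19930]: disconnect from unknown[198.51.100.7]
"""

# syslog_name is captured so a separately named submission service (assumed
# here to look like "postfix-587/smtpd") can be told apart from the port 25 smtpd.
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (?P<name>\S+)/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"client=(?P<client>[^,]+), sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)")

def collate_sasl_sessions(log_text):
    """Group smtpd lines by process id into sessions and count each
    (syslog_name, username, client, tls_used) combination seen at AUTH time."""
    sessions = {}          # pid -> {"tls": bool}, live between connect and disconnect
    seen = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, pid, msg = m.group("name"), m.group("pid"), m.group("msg")
        if msg.startswith("connect from"):
            sessions[pid] = {"tls": False}   # new session; a reused pid starts clean
        elif msg.startswith("disconnect from"):
            sessions.pop(pid, None)
        elif "TLS connection established from" in msg and pid in sessions:
            sessions[pid]["tls"] = True
        else:
            a = AUTH_RE.search(msg)
            if a and pid in sessions:  # AUTH lines without a known session are ignored
                seen[(name, a.group("user"), a.group("client"), sessions[pid]["tls"])] += 1
    return dict(seen)

def cleartext_auth_users(log_text):
    """Usernames that authenticated without TLS: these are the clients that
    need reconfiguring before AUTH is restricted to TLS on port 587."""
    return sorted({user for (_, user, _, tls) in collate_sasl_sessions(log_text) if not tls})
```

Run it over the real maillog (after `syslog_name` separates the two services) and the cleartext list is the set of users to contact.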
