In message <CAFMGiz9FBgvwGB8zGzD=d=0z_spwnap_oly_crsaqabjkxd...@mail.gmail.com>
Tom Browder writes:
 
> On Tuesday, March 8, 2016, Curtis Villamizar <cur...@orleans.occnc.com> wrote:
> > Tom,
> >
> > I've been following this thread and also not clear on your
> > objectives.  See inline.
> > As Viktor pointed out, look at the examples.  Your home machine is a
> > "null client".  Your remote server is not a "null client" but if set
> > up that way then you would get "connection refused".
> >
> > You need two instances of smtpd.  One on port 587 (MSA) and a mail
> > transfer agent (MTA) on port 25 which is where the MX record points to.
>  
> Okay, Curtis, that's where the old documentation I'm used to breaks
> down. I don't remember seeing any reference to an MSA before (but now
> I see it--the Postfix books need updating!).  That helps greatly with
> my understanding of what I need.  I assume my use of the term "smtp
> client" translates to the MSA.  Having the multi-instance Postfix
> seems to fit my requirement precisely (although I'm not sure yet that
> I need three instances--that seems to be overly complex).

The terminology is from an old RFC, updated in RFC 5598 "Internet Mail
Architecture" (see section 4.3).  Perhaps someone else can comment on
the mapping of postfix processes to this architecture (or not).  I
think we can all agree that a postfix smtpd process running on port
587 fits into the MSA role.

What an MSA does is well defined in RFC 6409 "Message Submission for
Mail".

No practical help here.  Just clarification on the terminology.

> I've browsed the multi-instance man page. Given all info so far, is
> this the right and doable path:
>  
> I should be able to set things up, all on the remote server, with TWO
> Postfix instances: the null client (MSA) and the other the MTA.  With
> the proper configuration I should be able to access the MSA
> programmatically from my local host as well as the remote host.  Then
> I can use Mailman 3 with the MTA for my mailing lists.

The "null client" is a type of configuration described in the postfix
documentation and in your case is your home PC.  What makes it a null
client is primarily the "inet_interfaces = loopback-only".  Your home
PC is closer to being an MUA.

The MSA is not a null client.  The MSA common configuration (shared
with MTA function) typically has "inet_interfaces = all" (the
default).  The MSA and MTA are defined in master.cf with the (small)
differences defined in the arguments.

> I can use TLS and SASL for authentication between the MSA and any
> external client.
> How does all that sound?

Since you said you are OK with using both client certs and SASL auth:

On your server anything that connects to port 587 MUST have a
recognized client cert and MUST authenticate.  Otherwise the
connection is torn down before any mail is exchanged.  Once
authenticated, mail relay is allowed.  This is typically how an MSA is
set up, though using both TLS and SASL yields better security
(prevents your server from becoming a spam relay through MSA at
least).

On port 25 on your server you have the external interface of your
postfix installation serving as an MTA for delivery to your domains.
This is just another instance of smtpd, this time on port 25 and with
different postfix configuration.  There is no authentication, perhaps
opportunistic TLS, perhaps optional TLSA, but there is spam filtering
and delivery only to your domains (no spam relay to the rest of the
world).

If outsiders are also going to deliver to your mailing lists, then they
would use their own MUA/MSA connecting to your MTA and get no special
privileges (no general relay ability).

> Thanks for the continued help, Curtis.
>  
> Best regards,
>  
> -Tom
>  
> P.S. In the meantime I'm going to take Viktor's advice to see if I can
> get the path from my local host to the remote server okay.

It makes sense that before you can test a TLS and SASL authenticated
connection to port 587 you need to be able to make any connection at
all to port 587.  On your home machine, use the null client setup with
a "relayhost = yourserver:587" line.

During the process of testing make sure you don't open up the
possibility of a spam relay through some naughty person connecting to
your port 587.  Perhaps start with local delivery, then add
authentication, then add relay.

Curtis


ps - maybe this will help get you started.

MUA: (your home PC)

master.cf:
(vanilla, except disable smtpd)

main.cf:

(set myorigin, myhostname, compatibility_level, smtputf8_enable,
     inet_protocols, inet_interfaces, smtp_address_preference,
     smtp_bind_address, smtp_bind_address6, smtp_helo_name,
     smtp_sasl_password_maps ... as needed)

(set smtp_tls_cert_file, smtp_tls_key_file, smtp_tls_CAfile
     ... to use a client cert and verify server cert)

(set smtp_tls_protocols, smtp_tls_mandatory_protocols,
     smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
     smtp_tls_exclude_ciphers, smtp_tls_security_level = encrypt
     ... to extreme settings so Viktor can call you a radical :)

smtp_host_lookup = dns
smtp_dns_support_level = dnssec
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes

smtp_sasl_type = cyrus
smtp_sasl_path = smtpd
cyrus_sasl_config_path = /usr/local/etc
smtpd_sasl_local_domain = yoursasldomain
# compile scram into sasl (main.cf does not allow trailing comments)
smtp_sasl_security_options = mutual_auth

relayhost = yourserverfqdn:587

MSA/MTA: (i.e. yourserver)

master.cf:

smtp         inet  n       -       n       -       -       smtpd

submission   inet  n       -       n       -       -       smtpd
    -o { smtpd_sasl_auth_enable = yes }
    -o { smtpd_tls_security_level = encrypt }
    -o { smtpd_reject_unlisted_sender = yes }
    -o { smtpd_relay_restrictions = permit_sasl_authenticated reject }
    -o { smtpd_client_restrictions = permit_sasl_authenticated reject }

  also set higher smtpd_tls_ciphers, smtpd_tls_mandatory_ciphers,
  smtpd_tls_exclude_ciphers, smtpd_sasl_security_options,
  smtpd_tls_protocols, smtpd_tls_mandatory_protocols, for submission

The first smtpd (named smtp) is the MTA.  The second smtpd (named
submission) is the MSA.

main.cf: (this affects both the MSA and MTA, but master.cf overrides)

(set myorigin, myhostname, compatibility_level, smtputf8_enable,
     inet_protocols, inet_interfaces, smtp_address_preference,
     smtp_bind_address, smtp_bind_address6, smtp_helo_name,
     smtp_sasl_password_maps ... as needed)

(set smtp_tls_cert_file, smtp_tls_key_file, smtpd_tls_cert_file,
     smtpd_tls_key_file, smtp_tls_CAfile, smtpd_tls_CAfile
     ... to use both client and server certs)

(set smtp_tls_protocols, smtpd_tls_protocols,
     smtp_tls_mandatory_protocols, smtpd_tls_mandatory_protocols,
     smtp_tls_ciphers, smtpd_tls_ciphers, smtp_tls_mandatory_ciphers,
     smtpd_tls_mandatory_ciphers, smtp_tls_exclude_ciphers,
     smtpd_tls_exclude_ciphers, smtpd_tls_eecdh_grade
     ... strong enough, but so others still connect to you)

smtpd_tls_security_level = may

smtp_host_lookup = dns
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

# if using SASL for some relay, else no (main.cf does not allow trailing comments)
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = no

(set smtp_sasl_type, smtp_sasl_path, cyrus_sasl_config_path,
     smtpd_sasl_local_domain, smtp_sasl_security_options
     ... if using SASL for some sort of relay such as to an MDA)

(you can also set the smtpd_ versions of sasl stuff here to avoid
 putting all that in master.cf, even though you have set
 "smtpd_sasl_auth_enable = no" here.)

also set: smtpd_helo_required, smtpd_helo_restrictions,
     smtpd_relay_restrictions, smtpd_sender_restrictions,
     smtpd_recipient_restrictions ... for example:

  # modern mail servers should be OK with this
  smtpd_helo_required = yes
  smtpd_helo_restrictions =
      reject_invalid_helo_hostname
      reject_non_fqdn_helo_hostname
  smtpd_reject_unlisted_sender = no
  # mta allows auth but must allow relay
  smtpd_relay_restrictions =
      permit_sasl_authenticated
      reject_unauth_destination
  smtpd_client_restrictions =
      permit_sasl_authenticated
      sleep 4
      reject_unauth_pipelining
      permit
  # basic sanity checks on sender
  smtpd_sender_restrictions =
      reject_non_fqdn_sender
      reject_unknown_sender_domain
  smtpd_recipient_restrictions =
      permit_auth_destination
      reject_non_fqdn_recipient
      reject_unknown_recipient_domain
      reject_unauth_destination

Note that the sleep 4 causes a lot of spammers to go away but also
slows down legitimate mail.  Don't do this unless you have a fairly
low volume of legitimate mail.
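An added example (not from Curtis's message or the Postfix project): a small Python check that parses a master.cf fragment in the `-o { name = value }` style shown above (and the older `-o name=value` form) and verifies that the submission service has the properties the message calls for, namely SASL required, TLS mandatory, and relay restrictions that permit only authenticated clients and otherwise reject. The sample master.cf text is constructed from the fragment above plus a deliberately weak variant.

```python
import re

# Constructed sample (not from the message): the submission service as given above.
GOOD_MASTER_CF = """\
smtp         inet  n       -       n       -       -       smtpd
submission   inet  n       -       n       -       -       smtpd
    -o { smtpd_sasl_auth_enable = yes }
    -o { smtpd_tls_security_level = encrypt }
    -o { smtpd_relay_restrictions = permit_sasl_authenticated reject }
"""

# Constructed weak variant: no mandatory TLS, and permit_mynetworks lets hosts relay unauthenticated.
WEAK_MASTER_CF = """\
submission   inet  n       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
"""

# Matches both "-o { name = value }" and the older "-o name=value" form.
OVERRIDE_RE = re.compile(r"-o\s+(?:\{\s*(\w+)\s*=\s*(.*?)\s*\}|(\w+)=(\S*))")

def parse_master_cf(text):
    """Return {service_name: {parameter: value}} for each service entry."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # a service definition line
            current = line.split()[0]
            services[current] = {}
        elif current is not None:          # continuation line carrying -o overrides
            for m in OVERRIDE_RE.finditer(line):
                name = m.group(1) or m.group(3)
                services[current][name] = m.group(2) if m.group(1) else m.group(4)
    return services

def msa_findings(overrides):
    """Return finding tags for a submission service; [] means all checks passed."""
    findings = []
    if overrides.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("sasl_auth_disabled")
    if overrides.get("smtpd_tls_security_level") != "encrypt":
        findings.append("tls_not_mandatory")
    relay = [r for r in re.split(r"[\s,]+", overrides.get("smtpd_relay_restrictions", "")) if r]
    if not relay or relay[-1] != "reject":  # anything unauthenticated must be rejected
        findings.append("relay_not_default_deny")
    for r in relay:  # only SASL-authenticated clients may be permitted to relay
        if r.startswith("permit") and r != "permit_sasl_authenticated":
            findings.append("unauthenticated_permit:" + r)
    return findings
```

Run `msa_findings(parse_master_cf(open("/etc/postfix/master.cf").read())["submission"])` against a real file; an empty list means the submission service matches the setup described in the message.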
