----- Message from Viktor Dukhovni <postfix-us...@dukhovni.org> ---------
Date: Thu, 27 Apr 2017 15:07:02 +0000
From: Viktor Dukhovni <postfix-us...@dukhovni.org>
Reply-To: postfix-users@postfix.org
Subject: Re: SASL auth only on port 25
To: postfix-users@postfix.org
On Thu, Apr 27, 2017 at 11:51:06PM +1000, Simon Wilson wrote:
1. At the moment when a bot knocks on the postfix server I see
postfix/smtpd[pid] etc. in maillog: can that message show if the knock is on
port 25 or 587?
Sufficiently new versions of the stock Postfix master.cf file have:
#submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# ...
You would use that, but I believe this requires Postfix 2.4 or
later, as in 2.3 the master.cf option overrides take place after
logging is already configured, and this setting has no effect.
2. Is my config correct for my desired outcome (below)?
extract from master.cf:
# std port for incoming port 25. No SASL auth allowed
# smtpd_sasl_auth_enable=no is default, but left here for clarity
smtp inet n - n - - smtpd
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=no
Looks fine.
# submission port
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
In the stock Postfix 3.3-dev master.cf (commented out) submission
entry, we have:
#submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
Most of these are applicable to a large range of releases, likely
including what ships with your newer O/S.
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem
An empty CAfile for the SMTP server typically works better. After
all you're not (and typically SHOULD NOT be) requesting client certs.
Just make sure your cert file contains a complete chain, not just
the leaf certificate.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
Looks fine. The last setting is unnecessary.
--
Viktor.
----- End message from Viktor Dukhovni <postfix-us...@dukhovni.org> -----
Putting all of this advice and learning together with other reading,
and the CentOS7 distribution master.cf file, I have set the following
on my NEW Postfix 2.10 / CentOS7 server. The config I had on the old
CentOS5 server had restrictions all in recipient checks, so at the
moment I have replicated that. I have noticed varying opinions on that.
The config all appears to work on internal network, but I can't test
it fully (externally, open relay) until I redirect the port forwarding.
Objective is port 25 MTA only, 587 SASL auth over TLS only. I've
enabled postscreen in monitor mode at the moment. I've added a blank
set smtpd_relay_restrictions as per the comments on postfix.org about
that being added in 2.10+ and having it blank enabling previous
behaviour for smtpd_recipient_restrictions. I think I have that
correct.
I'm hopeful that once I have postscreen enabled fully the amount of
zombie knocking will decrease.
Thanks
Simon.
master.cf:
smtp inet n - n - 1 postscreen
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=no
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
main.cf:
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
mua_client_restrictions =
mua_helo_restrictions =
mua_sender_restrictions =
smtpd_helo_required = yes
disable_vrfy_command = yes
# added in postfix 2.10, set to blank lets recipient restrictions work as before
smtpd_relay_restrictions =
smtpd_recipient_restrictions =
check_client_access hash:/etc/postfix/client_checks,
permit_mynetworks,
permit_sasl_authenticated,
check_sender_access hash:/etc/postfix/sender_access,
check_recipient_access hash:/etc/postfix/recipient_access.outside,
reject_unauth_destination,
reject_unauth_pipelining,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_rbl_client zen.spamhaus.org,
check_policy_service unix:private/policy-spf
permit
# Data restrictions:
smtpd_data_restrictions =
reject_unauth_pipelining
permit
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem
# CA cert to be sorted out
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
delay_warning_time = 2h
bounce_template_file = /etc/postfix/bounce.cf
data_directory = /var/lib/postfix
policy-spf_time_limit = 3600s
################
## Postscreen ##
################
#postscreen config (separate discussion!)
--
Simon Wilson
M: 0400 12 11 16
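The thread turns on one question: which parameters does each smtpd entry actually end up with, once main.cf values and master.cf `-o` overrides are combined? The checker below is an added example written for this thread; it is not code from Postfix or from either poster. It parses master.cf and main.cf text with a deliberately simplified reader (no `{ ... }` brace values, no `$variable` expansion), computes the effective value per service, and reports whether port 25 offers no AUTH while submission requires TLS, enables AUTH only after STARTTLS, and gates relaying on `permit_sasl_authenticated,reject`. It also handles the layout used in the configuration above, where postscreen fronts port 25: there the smtpd parameters belong to the `smtpd pass` entry, and `smtpd_*` options placed on the postscreen entry are flagged because smtpd never sees them. `MASTER_CF` and `MAIN_CF` are constructed samples; the parser rejects a comment wrapped onto an unindented second line, since Postfix would read that as a broken parameter line.

```python
"""Check a Postfix port 25 / port 587 split from master.cf and main.cf text.
Added example for this thread, not code from Postfix or from either poster;
MASTER_CF and MAIN_CF are constructed samples in stock master.cf/main.cf style."""
import re
from typing import Dict, List

MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=no
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# site-wide default: no AUTH unless a master.cf entry turns it on
smtpd_sasl_auth_enable = no
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""


def _lines(text: str):
    """Yield (indented, stripped_line) for lines that are neither blank nor comments."""
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            yield raw[0].isspace(), raw.strip()


def parse_main_cf(text: str) -> Dict[str, str]:
    """'key = value' lines; an indented line continues the previous value."""
    params: Dict[str, str] = {}
    key = None
    for indented, line in _lines(text):
        if indented and key is not None:
            params[key] = (params[key] + " " + line).strip()
        elif not indented and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            params[key] = value.strip()
        else:  # e.g. the tail of a comment wrapped onto an unindented second line
            raise ValueError(f"malformed main.cf line: {line!r}")
    return params


def parse_master_cf(text: str) -> Dict[str, dict]:
    """Service name -> {type, command, overrides}; indented lines continue an entry."""
    services: Dict[str, dict] = {}
    current = None
    for indented, line in _lines(text):
        f = line.split()
        if indented and current is not None:
            current["args"] += f
        elif not indented and len(f) >= 8:  # name type private unpriv chroot wakeup maxproc cmd
            current = {"type": f[1], "command": f[7], "args": f[8:]}
            services[f[0]] = current
        else:
            raise ValueError(f"malformed master.cf line: {line!r}")
    for svc in services.values():  # '-o key=value' pairs become per-entry overrides
        a = svc["args"]
        svc["overrides"] = dict(a[i + 1].partition("=")[::2]
                                for i in range(len(a) - 1) if a[i] == "-o")
    return services


def check_split(master_text: str, main_text: str) -> List[str]:
    """Return findings; an empty list means port 25 is MTA-only and 587 is AUTH over TLS."""
    services = parse_master_cf(master_text)
    main = parse_main_cf(main_text)
    findings: List[str] = []

    def effective(name: str, param: str, default: str = "") -> str:
        # What the daemon started by entry `name` sees: -o override, else main.cf, else default.
        return services[name]["overrides"].get(param, main.get(param, default))

    # Port 25: no AUTH offered.  With postscreen in front, connections are handed to the
    # 'smtpd pass' entry, so smtpd_* options placed on the postscreen entry are ignored.
    port25 = "smtp"
    if services["smtp"]["command"] == "postscreen":
        ignored = [k for k in services["smtp"]["overrides"] if k.startswith("smtpd_")]
        if ignored:
            findings.append(f"smtp: {ignored} on the postscreen entry never reach smtpd")
        port25 = "smtpd" if services.get("smtpd", {}).get("type") == "pass" else "smtp"
    if effective(port25, "smtpd_sasl_auth_enable", "no") != "no":
        findings.append(f"{port25}: SASL AUTH is offered on port 25")

    # Port 587: TLS required, AUTH on but only after STARTTLS, relaying gated on AUTH.
    for param, expected, default in (("smtpd_tls_security_level", "encrypt", ""),
                                     ("smtpd_sasl_auth_enable", "yes", "no"),
                                     ("smtpd_tls_auth_only", "yes", "no")):
        got = effective("submission", param, default)
        if got != expected:
            findings.append(f"submission: {param}={got!r}, expected {expected!r}")
    relay = effective("submission", "smtpd_relay_restrictions",  # Postfix 2.10+ default
                      "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination")
    words = [w for w in re.split(r"[\s,]+", relay) if w]
    if "permit_sasl_authenticated" not in words or words[-1] != "reject":
        findings.append(f"submission: smtpd_relay_restrictions should end in "
                        f"permit_sasl_authenticated,reject (got {relay!r})")
    return findings
```

Run `check_split(open("/etc/postfix/master.cf").read(), open("/etc/postfix/main.cf").read())` on a real box to get the findings list; on a live system the authoritative view is `postconf -M` and `postconf -n`, which also expand `$mua_*_restrictions` and brace-quoted values that this simplified reader does not.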