----- Message from /dev/rob0 <r...@gmx.co.uk> ---------
Date: Wed, 19 Jul 2017 11:57:49 -0500
From: /dev/rob0 <r...@gmx.co.uk>
Reply-To: postfix-users@postfix.org
Subject: Re: SASL auth only on port 25
To: postfix-users@postfix.org
On Wed, Jul 19, 2017 at 05:44:56PM +1000, Simon Wilson wrote:
>>>On Apr 27, 2017, at 12:45 PM, Simon Wilson
>>><si...@simonandkate.net> wrote:
> I rectified the order as Viktor suggested back in April, and all
> now working to plan, including a client IP filter in the
> check_client_access file for local servers to skip amavisd. So I
> now have:
>
> smtpd_recipient_restrictions =
>     check_client_access hash:/etc/postfix/client_checks,
>     permit_mynetworks,
>     check_recipient_access hash:/etc/postfix/recipient_access.outside,
>     reject_unauth_destination,
>     check_sender_access hash:/etc/postfix/sender_access,
>     reject_unauth_pipelining,
>     reject_invalid_helo_hostname,
>     reject_non_fqdn_helo_hostname,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,

These two cause no harm, but they are unlikely to be used.

>     reject_rbl_client zen.spamhaus.org,
>     check_policy_service unix:private/policy-spf
>     permit
>
> I have a follow-up question on smtpd_relay_restrictions. At the
> moment I have:
>
> smtpd_relay_restrictions =
> smtpd_recipient_restrictions =
>     check_client_access hash:/etc/postfix/client_checks,
>     (etc.)
>
> This is an install that has migrated from a Postfix install that
> was pre-2.10, so for compatibility with what I had before it's all
> still in smtpd_recipient_restrictions with an explicitly empty
> smtpd_relay_restrictions.
>
> To move forward, what checks should I move into the relay
> restrictions?
For main.cf I recommend "reject_unauth_destination" only. Then
explicitly override that for submission in master.cf, as such:

    mua_relay_restrictions = permit_sasl_authenticated, reject

(Add other permit_* as you need, before reject.) Then as per the
example master.cf you would have under submission:

    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o syslog_name=postfix/submission
    ...

This way you will not accept anything for relay on port 25, and
you'll require all users to authenticate on submission. If you have
users submitting on port 25 you will have to tell them to change.

You'll especially want to do this so you can have postscreen
controlling access for mail exchange; postscreen does not play
nicely with MUAs, and end users' IP addresses are commonly found in
Spamhaus Zen via PBL and/or XBL.
--
http://rob0.nodns4.us/
Very comprehensive and considered response - and appreciated.
I'm already only accepting MUA auth and submission on 587, with
postscreen ably protecting 25, so this should not be hard to do.
Thank you.
Simon
--
Simon Wilson
M: 0400 12 11 16
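The split rob0 recommends above (port 25 relays only for your own domains, submission relays only for SASL-authenticated users) is shown below as an added, runnable example; it is not from the thread or from the Postfix project. It stages a main.cf and master.cf in a scratch directory and then resolves, in plain shell, which smtpd_relay_restrictions each smtpd service would actually enforce, so you can see the master.cf "-o" override and the `$mua_relay_restrictions` indirection working before touching the live configuration. The scratch path, the service names and the extra `-o` lines on the submission service are this example's assumptions, modelled on the stock commented master.cf.

```shell
#!/bin/sh
# Added example, not from the thread: stage the relay-restriction split
# rob0 describes and resolve what each smtpd service would enforce.
# $STAGE is a scratch copy; nothing here touches the live /etc/postfix.
set -eu

STAGE="$(mktemp -d)"
trap 'rm -rf "$STAGE"' EXIT

# main.cf: port 25 relays for nothing but our own domains. The MUA policy
# lives in a named parameter so master.cf can reference it by name.
cat > "$STAGE/main.cf" <<'EOF'
smtpd_relay_restrictions = reject_unauth_destination
mua_relay_restrictions = permit_sasl_authenticated, reject
EOF

# master.cf: postscreen fronts port 25; the submission service overrides
# the relay policy with the MUA parameter (assumed layout, modelled on
# the commented submission entry in the stock master.cf).
cat > "$STAGE/master.cf" <<'EOF'
smtp       inet  n  -  n  -  1  postscreen
smtpd      pass  -  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=$mua_relay_restrictions
EOF

# main_param NAME: value of NAME from the staged main.cf ("" if unset).
main_param() {
  sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$STAGE/main.cf" | tail -n 1
}

# effective_relay_restrictions SERVICE: the smtpd_relay_restrictions that
# SERVICE would enforce. A master.cf "-o" override wins over main.cf, and
# a value of the form $name is expanded from main.cf, as Postfix does.
effective_relay_restrictions() {
  override="$(awk -v svc="$1" '
    $1 == svc { insvc = 1; next }
    /^[^[:space:]]/ { insvc = 0 }
    insvc && $1 == "-o" && $2 ~ /^smtpd_relay_restrictions=/ {
      sub(/^smtpd_relay_restrictions=/, "", $2); print $2
    }' "$STAGE/master.cf")"
  value="${override:-$(main_param smtpd_relay_restrictions)}"
  case "$value" in
    '$'*) value="$(main_param "${value#\$}")" ;;
  esac
  printf '%s\n' "$value"
}

# Show the policy each listener ends up with.
for svc in smtp submission; do
  printf '%-10s smtpd_relay_restrictions = %s\n' \
    "$svc" "$(effective_relay_restrictions "$svc")"
done

# On a live host the same change is made with postconf (-P needs 2.11+):
#   postconf -e 'smtpd_relay_restrictions = reject_unauth_destination' \
#              'mua_relay_restrictions = permit_sasl_authenticated, reject'
#   postconf -P 'submission/inet/smtpd_relay_restrictions=$mua_relay_restrictions'
```

Running it prints `reject_unauth_destination` for the smtp service and `permit_sasl_authenticated, reject` for submission, which is the whole point of the split: an unauthenticated client on port 25 can only deliver to domains you accept mail for, while a client on 587 that has not authenticated is refused relay outright. Any further `permit_*` for submission goes into `mua_relay_restrictions` before `reject`, as rob0 notes, so the main.cf policy for port 25 stays untouched.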