
I am using this chunk of code inside /etc/postfix/master.cf to force people to securely "submit" email through port 465, which uses the SMTPS protocol. SMTPS supports mandatory TLS, which I use to require clients to first "encrypt" the connection using mandatory TLS and second "authenticate" using a SASL mechanism.

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
# TLS: implicit TLS ("wrapper mode") on 465, TLS 1.2 or newer only;
# wrapper mode is always mandatory, so smtpd_tls_mandatory_protocols applies
  -o smtpd_use_tls=yes
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_cert_file=/etc/ssl/certs/server-rsa.cert
  -o smtpd_tls_key_file=/etc/ssl/private/server-rsa.key
  -o smtpd_tls_eccert_file=/etc/ssl/certs/server-ecdsa.cert
  -o smtpd_tls_eckey_file=/etc/ssl/private/server-ecdsa.key
# SASL: authenticate against Dovecot's "smtpd" auth socket and accept
# only clients that have authenticated
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=smtpd
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#

This works as expected. It actually works great!


I wanted to secure port 25 in the same way, but it looks like it is impossible, as this port has two inbound functionalities, i.e. "submission" and "relay receiving" (it is stupid to prolong the life of this port, which we should get rid of ASAP).

On port 25 there is only the SMTP protocol, which does not support mandatory TLS! So for inbound email, i.e. "submission" and "relay receiving", all that can be enabled is opportunistic TLS (can be hacked). So all I can enable is a bad "encryption", which can later be enhanced using DANE (can't be hacked easily).

So for port 25 I have hopes that my "encryption" will be sufficient at some point, while I don't understand how to set up SASL "authentication"!

I tried using this chunk of code in /etc/postfix/master.cf, where the 1st part of the code sets up opportunistic TLS and the second part should set up SASL "authentication".

smtp      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtp
# TLS: STARTTLS offered but not required (level "may"); at this level
# smtpd_tls_protocols, not smtpd_tls_mandatory_protocols, is what applies
  -o smtpd_use_tls=yes
  -o smtpd_tls_security_level=may
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_cert_file=/etc/ssl/certs/server-rsa.cert
  -o smtpd_tls_key_file=/etc/ssl/private/server-rsa.key
  -o smtpd_tls_eccert_file=/etc/ssl/certs/server-ecdsa.cert
  -o smtpd_tls_eckey_file=/etc/ssl/private/server-ecdsa.key
# SASL via Dovecot; the client_restrictions line rejects every client that
# has not authenticated, other MTAs included (the behaviour described below)
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=smtpd
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
#

Unfortunately, I discovered that line:

  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

on the one hand forces clients who want to "submit" email through port 25 to "authenticate", and on the other hand rejects all the "relay received" email arriving from other MTAs!

So how can I achieve both:

  • preventing anyone on the internet from "submitting" email through port 25 on my server.
  • "relay receiving" all the email coming from other MTAs on my port 25.
71GA
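A port-25 stanza that does what the question asks for, added here as an example; it is not the asker's configuration and not copied from the Postfix documentation. It keeps the certificate paths and protocol list from the question, switches AUTH off on the MX port (submission is what 465/587 are for), and replaces the client-level SASL gate with a destination-based one: `reject_unauth_destination` accepts mail only for domains this host is responsible for (`$mydestination`, the virtual domains, `$relay_domains`) and rejects every other recipient, which is exactly "take relay deliveries, refuse to be a relay". The empty `smtpd_client_restrictions=` is the Postfix default made explicit. Assumes `mydestination`/`mynetworks` are set in main.cf as usual.

```conf
# Added example: port-25 (MX) stanza for /etc/postfix/master.cf.
# Not from the question's author or the Postfix project; it reuses the
# certificate paths from the question and otherwise uses standard
# Postfix parameters.
smtp      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtp
# Opportunistic TLS: STARTTLS offered, not required. Many MTAs still cannot
# do TLS, so "encrypt" here would lose legitimate mail. Old protocols off.
  -o smtpd_tls_security_level=may
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_cert_file=/etc/ssl/certs/server-rsa.cert
  -o smtpd_tls_key_file=/etc/ssl/private/server-rsa.key
  -o smtpd_tls_eccert_file=/etc/ssl/certs/server-ecdsa.cert
  -o smtpd_tls_eckey_file=/etc/ssl/private/server-ecdsa.key
# No AUTH on the MX port at all: nobody "submits" here, so nobody can
# guess passwords here either. Submission lives on 465 (and/or 587).
  -o smtpd_sasl_auth_enable=no
# Do not gate on WHO the client is (that is what rejected other MTAs);
# gate on WHERE the mail is going. reject_unauth_destination accepts only
# recipients in $mydestination / virtual domains / $relay_domains.
# "-o name=" sets an empty value, i.e. the Postfix default for this one.
  -o smtpd_client_restrictions=
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
```

Check the effective stanza with `postconf -Mf smtp/inet` after `postfix reload`, then talk to the port with `openssl s_client -starttls smtp -connect <host>:25`: the EHLO response must not list `AUTH`, a `RCPT TO:` for an address in `$mydestination` gets `250`, and one for a foreign domain gets `554 5.7.1 ... Relay access denied`. If you keep `permit_sasl_authenticated` in the relay list while `smtpd_sasl_auth_enable=no`, it is harmless but never matches.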
  • If you want incoming emails (relaying) on port 25 you can't combine it with strict SASL, otherwise external mail servers won't be able to submit anything. – Hardoman Dec 29 '20 at 12:07
  • @Hardoman I already understand this, but what is the solution? – 71GA Dec 29 '20 at 12:13
  • Do not require SASL authentication on port 25 if you want incoming mail to work. There is no other solution. – tater Dec 29 '20 at 12:17
  • Your request is contrary to the design of the whole SMTP auth approach, so there is no solution. – Hardoman Dec 29 '20 at 12:26
  • @tater So what you are saying is to let anyone send email using our server? Because no SASL means exactly this. – 71GA Dec 29 '20 at 12:35
  • Of course I am not saying that. The only mail accepted on port 25 should be that for a local/internal address. Mail to be relayed externally should be submitted by clients on an authenticated port such as 465/587. – tater Dec 29 '20 at 13:21
  • @tater But if I accept only email *"submission"* from local addresses, wouldn't that block all *"relay received"* emails as well? Are there separate Postfix configuration parameters for *"submission"* and *"relay receiving"*? If there are I am very interested. (According to [RFC](https://tools.ietf.org/html/rfc5321#section-2.3.2) *"relay sender"* and *"relay receiver"* are correct terms, therefore also *"relay send"* and *"relay receive"*)? – 71GA Dec 29 '20 at 13:41
  • The default Postfix configuration was already secured. There was no need or reason to undo it or to add unnecessary stuff. Go back to it. – Michael Hampton Dec 29 '20 at 15:35
  • I don't just trust default configuration. I want it explicitly configured if anyone knows how to do that. – 71GA Dec 30 '20 at 09:49

0 Answers
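Why `smtpd_client_restrictions=permit_sasl_authenticated,reject` rejects every other MTA while a destination-based relay list does not comes down to two things: each list is walked left to right and the first PERMIT/REJECT/DEFER wins, and `permit_sasl_authenticated`/`reject` never look at the recipient, whereas `reject_unauth_destination` looks at nothing else. The following toy model, added here as an illustration (it is not Postfix code and not part of the thread), re-implements just the five restrictions used in the question and walks them the way Postfix does at `RCPT TO` time. The networks, domains, addresses and sessions are constructed; the asker's own lists and a destination-gated pair are run against the same four sessions.

```python
"""Toy model of Postfix smtpd restriction-list evaluation.

Added example, not Postfix code and not from the thread. It implements
only the five restrictions used in the question and ignores everything
else Postfix does (access maps, DNS checks, helo/sender lists, the exact
smtpd_delay_reject timing). Networks, domains and sessions are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Constructed stand-ins for $mynetworks and $mydestination.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"example.com", "mail.example.com"}


@dataclass(frozen=True)
class Session:
    client_ip: str
    sasl_authenticated: bool
    recipient: str


def in_mynetworks(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def is_local_destination(recipient: str) -> bool:
    return recipient.rsplit("@", 1)[-1].lower() in MYDESTINATION


def evaluate(restrictions: str, s: Session) -> str:
    """Walk one comma-separated list left to right; the first restriction
    that yields PERMIT, REJECT or DEFER ends the list. Falling off the end
    is DUNNO, which Postfix treats like a permit for that list."""
    for item in (r.strip() for r in restrictions.split(",")):
        if not item:
            continue
        if item == "permit_mynetworks":
            if in_mynetworks(s.client_ip):
                return "PERMIT"
        elif item == "permit_sasl_authenticated":
            if s.sasl_authenticated:
                return "PERMIT"
        elif item == "reject":
            return "REJECT"
        elif item == "reject_unauth_destination":
            if not is_local_destination(s.recipient):
                return "REJECT"
        elif item == "defer_unauth_destination":
            if not is_local_destination(s.recipient):
                return "DEFER"
        else:
            raise ValueError(f"restriction not modelled: {item}")
    return "DUNNO"


def decide(client_restrictions: str, relay_restrictions: str, s: Session) -> str:
    """Postfix runs each list in turn. A PERMIT (or DUNNO) in one list does
    NOT skip the later lists; a REJECT/DEFER anywhere ends the transaction."""
    for rlist in (client_restrictions, relay_restrictions):
        verdict = evaluate(rlist, s)
        if verdict in ("REJECT", "DEFER"):
            return verdict
    return "PERMIT"


# The question's port-25 lists ...
ASKER_CLIENT = "permit_sasl_authenticated,reject"
ASKER_RELAY = "permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination"
# ... and destination-gated lists with no client-level SASL gate.
FIXED_CLIENT = ""
FIXED_RELAY = "permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination"

# Constructed sessions (RFC 5737 documentation addresses).
INBOUND_MTA = Session("203.0.113.5", False, "user@example.com")             # other MTA delivering to us
OPEN_RELAY_ATTEMPT = Session("203.0.113.5", False, "victim@remote.example")  # stranger relaying through us
AUTH_SUBMITTER = Session("198.51.100.9", True, "friend@remote.example")      # authenticated user
LAN_HOST = Session("192.0.2.10", False, "friend@remote.example")             # host inside $mynetworks


def table() -> dict:
    """Verdict for every (session, config) pair, keyed by (session name, config name)."""
    sessions = [("inbound MTA", INBOUND_MTA), ("relay attempt", OPEN_RELAY_ATTEMPT),
                ("authed user", AUTH_SUBMITTER), ("LAN host", LAN_HOST)]
    configs = [("asker", (ASKER_CLIENT, ASKER_RELAY)), ("fixed", (FIXED_CLIENT, FIXED_RELAY))]
    return {(name, cfg): decide(lists[0], lists[1], sess)
            for name, sess in sessions for cfg, lists in configs}


if __name__ == "__main__":
    for (name, cfg), verdict in table().items():
        print(f"{cfg:5}  {name:14}  {verdict}")
```

The asker's lists reject the inbound MTA, and also any unauthenticated host in `$mynetworks`, before the relay list is ever consulted, because `reject` fires as soon as `permit_sasl_authenticated` fails to match. The destination-gated lists let the inbound MTA deliver to `example.com`, still refuse the relay attempt to `remote.example`, and still allow `$mynetworks` and authenticated clients to relay; on a real MX port you would additionally turn SASL off so that the `permit_sasl_authenticated` branch can never be reached.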