server / client configuration for Authenticated Relay server
Zalezny Niezalezny
2016-07-11 08:30:57 UTC
Dear Colleagues,

I'm trying to configure an authenticated relay server (SASL) using RHEL
Postfix 2.6.6.

The system will transport e-mails only from authenticated clients.
1) Most of those clients are in the same subnet; does it make sense to
authenticate those clients with passwords? Do we need to use SASL if the host
is in the same subnet?

2) How should I understand permit_mynetworks and permit_sasl_authenticated? If
a host is mentioned in the mynetworks list, what will happen with it if we
use these settings:

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject

Will Postfix also ask for a user name and password?

I've been struggling with this topic for days and I do not know how to manage
it. I have already read Wietse's SASL documentation multiple times, but it is
still not working.
Can anyone send me a client / server (main.cf) config which is working?

Maybe somebody here will be able to support me.

Here is my client configuration main.cf:
# SASL client configuration
smtp_sasl_auth_enable = yes
smtp_tls_security_level = encrypt
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
#smtp_sasl_mechanism_filter = digest-md5
broken_sasl_auth_clients = yes

smtp_use_tls=yes
smtp_sasl_auth_enable = yes

# ####################


and here is my server configuration:

#TLS Server configuration
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/mail.domain.tld.key
smtpd_tls_cert_file = /etc/postfix/ssl/mail.domain.tld.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
tls_random_source = dev:/dev/urandom
# SASL configuration - user authentication
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
# Server-side parameters are smtpd_*; smtp_sasl_* settings apply to the SMTP client only.
smtpd_sasl_security_options = noanonymous
# The server mechanism list is taken from mech_list in smtpd.conf (see below),
# so the client-side smtp_sasl_mechanism_filter has no effect here.

smtpd_client_restrictions = permit_mynetworks, reject
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject
smtpd_recipient_restrictions = permit_sasl_authenticated, reject


My SASL configuration is located in /etc/postfix/sasl/smtpd.conf:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN


Thanks in advance for your support.


Zalezny
Wietse Venema
2016-07-11 11:15:07 UTC
Please define "is not working".

Wietse
Bill Cole
2016-07-11 15:26:49 UTC
Post by Zalezny Niezalezny
Dear Colleagues,
I'm trying to configure an authenticated relay server (SASL) using RHEL
Postfix 2.6.6.
The system will transport e-mails only from authenticated clients.
1) Most of those clients are in the same subnet; does it make sense to
authenticate those clients with passwords?
Yes. Also: do so with a submission service on port 587 and require TLS.
Post by Zalezny Niezalezny
Do we need to use SASL if the host is in the same subnet?
Authenticating by IP is weak, barely worth calling "authentication" at
all. If it is possible for a rogue device to get on that subnet or for a
legitimate machine to be subverted by a spambot, requiring a REAL
authentication mechanism (i.e. SASL) can prevent a spam run through your
server.

Some of the defaults and widely-recommended Postfix settings originate
in an era when port 587 submission was not supported widely enough to
make it the only route for submission. In the modern world, you may
never need "permit_mynetworks" anywhere or any SASL support on a port 25
smtpd service, since mail for outbound relay should be submitted via
port 587 submission with SASL authentication there.
Post by Zalezny Niezalezny
2) How should I understand permit_mynetworks and permit_sasl_authenticated?
If a host is mentioned in the mynetworks list, what will happen with it if
we use these settings:
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject
Will Postfix also ask for a user name and password?
That's not how SMTP AUTH works.

When a client connects and uses the "EHLO" command to introduce itself,
the server replies with a list of extensions to basic SMTP that it
supports, possibly including the AUTH extension with a list of SASL
mechanisms that are supported. The *client* is expected to try
authentication if it can. The server never explicitly "asks" for
authentication, it merely offers the option and MAY be configured to
reject mail without it.

So, the configuration you show will let clients in $mynetworks relay
with or without authentication and let any other client relay if they
authenticate, and reject other mail.
Post by Zalezny Niezalezny
I've been struggling with this topic for days and I do not know how to manage
it. I have already read Wietse's SASL documentation multiple times, but it is
still not working.
Can anyone send me a client / server (main.cf) config which is working?
Since I never set up submission for relaying and inbound transport in
the same service, none of my configs would make sense for what you seem
to be doing. I also don't use any antique versions of Postfix so my
configs would break with your 2.6.6.

Beyond that, you really shouldn't blindly trust that a "working" config
for a complex system like Postfix is going to be portable between sites.
I manage multiple Postfix systems, but don't use identical Postfix
configs on any 2 sites that accept mail over the network, even allowing
for the obviously local settings like the various my* parameters.
Post by Zalezny Niezalezny
Maybe somebody here will be able to support me.
Actual postconf -n output would be more useful, but I do see one
Post by Zalezny Niezalezny
smtpd_client_restrictions = permit_mynetworks, reject
That does exactly what it says.
It is not possible to recover from a REJECT in
smtpd_client_restrictions by getting a PERMIT in any later restriction
list, because you never evaluate the later restriction lists.
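The following is an added example, not code from the thread or from Postfix: a small Python model of the two points in Bill's reply, that AUTH is only offered in the EHLO reply (and, with the posted smtpd_tls_auth_only = yes, only after STARTTLS), and that smtpd walks its restriction lists in a fixed order where a REJECT in smtpd_client_restrictions ends the decision before any later permit_sasl_authenticated is seen. It goes beyond the quoted relay line by walking all five lists from Zalezny's posted config and the same config with the unconditional reject removed from the client list. Only permit_mynetworks, permit_sasl_authenticated and reject are evaluated; the HELO and sender-domain checks are assumed to pass, and the mynetworks value and client addresses are constructed samples.

```python
# Added example, not from the thread: a model of how Postfix smtpd walks its
# restriction lists, run against Zalezny's posted server config.  Only
# permit_mynetworks, permit_sasl_authenticated and reject are evaluated; the
# helo/sender checks are assumed to pass (constructed assumption), and the
# mynetworks value below is a constructed sample.
import ipaddress
from dataclasses import dataclass

MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24"]  # constructed sample value

# Postfix evaluates the lists in this order.  With the default
# smtpd_delay_reject = yes they are all evaluated when RCPT TO arrives, so an
# AUTH done earlier in the session is visible to every list.
STAGES = (
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions",
)

# Restrictions from the posted config that this model does not evaluate; they
# return DUNNO, i.e. the client is assumed to pass them.
ASSUMED_DUNNO = {"reject_unknown_helo_hostname", "reject_unknown_sender_domain"}

POSTED_CONFIG = {
    "smtpd_client_restrictions": ["permit_mynetworks", "reject"],
    "smtpd_helo_restrictions": ["reject_unknown_helo_hostname"],
    "smtpd_sender_restrictions": ["reject_unknown_sender_domain"],
    "smtpd_relay_restrictions": ["permit_mynetworks", "permit_sasl_authenticated", "reject"],
    "smtpd_recipient_restrictions": ["permit_sasl_authenticated", "reject"],
}

# Same config with the unconditional reject dropped from the client list, so a
# client outside $mynetworks reaches the lists that contain permit_sasl_authenticated.
FIXED_CONFIG = dict(POSTED_CONFIG, smtpd_client_restrictions=["permit_mynetworks"])


@dataclass
class Client:
    ip: str
    sasl_authenticated: bool = False


def in_mynetworks(ip, networks=MYNETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def evaluate_restriction(name, client):
    """Verdict of one restriction: PERMIT, REJECT or DUNNO (no opinion)."""
    if name == "permit_mynetworks":
        return "PERMIT" if in_mynetworks(client.ip) else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "PERMIT" if client.sasl_authenticated else "DUNNO"
    if name == "reject":
        return "REJECT"
    if name in ASSUMED_DUNNO:
        return "DUNNO"
    raise ValueError(f"restriction not modelled: {name}")


def decide(config, client):
    """Walk every list in order.  The first PERMIT or REJECT inside a list ends
    that list; a REJECT ends the whole decision, while a PERMIT only moves on to
    the next list.  That is why a later permit_sasl_authenticated can never undo
    an earlier reject.  Returns (verdict, list_name, restriction)."""
    for stage in STAGES:
        for name in config.get(stage, []):
            verdict = evaluate_restriction(name, client)
            if verdict == "REJECT":
                return "REJECT", stage, name
            if verdict == "PERMIT":
                break  # this list is done; continue with the next list
    return "PERMIT", None, None


def ehlo_extensions(tls_active, tls_auth_only=True, mechs=("PLAIN", "LOGIN")):
    """Extensions the server advertises in its EHLO reply.  AUTH is an offer,
    not a demand: the client decides whether to send AUTH.  With
    smtpd_tls_auth_only = yes, as posted, AUTH appears only after STARTTLS."""
    ext = [] if tls_active else ["STARTTLS"]
    if tls_active or not tls_auth_only:
        ext.append("AUTH " + " ".join(mechs))
    return ext


if __name__ == "__main__":
    print("EHLO before STARTTLS:", ehlo_extensions(tls_active=False))
    print("EHLO after STARTTLS: ", ehlo_extensions(tls_active=True))
    cases = [Client("192.168.1.10"), Client("192.168.1.10", True),
             Client("203.0.113.5"), Client("203.0.113.5", True)]
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        for c in cases:
            who = "sasl" if c.sasl_authenticated else "anon"
            print(label, c.ip, who, decide(cfg, c))
```

Running it shows an authenticated client outside $mynetworks rejected at smtpd_client_restrictions under the posted config and permitted under the fixed one, and also that the posted smtpd_recipient_restrictions rejects an unauthenticated $mynetworks client even though the relay list permitted it. One version caveat: smtpd_relay_restrictions only exists from Postfix 2.10 onwards, so on the 2.6.6 named in the question that line is ignored and the relay decision rests on smtpd_recipient_restrictions alone.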
