Score:0

Postfix Accept only pop3s and imaps accounts


Today I found out accidentally that somehow I can send emails from my Postfix mail server on plain old SMTP port 25. I'm scratching my head over why that is, even though I configured Postfix to accept only encrypted TLS connections on the outbound. What am I missing?

Here's the config part from my main.cf:

```
### Outbound SMTP connections (Postfix as sender) ###
smtp_use_tls = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
tls_random_source = dev:/dev/urandom

smtp_tls_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtp_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high

### Inbound SMTP connections ###
smtpd_use_tls = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain

### smtpd tls extra conf
# For tls header info show
smtpd_tls_received_header = yes

# More detailed tls negotiation log (was fused onto the comment line above, so it never took effect)
smtpd_tls_loglevel = 2
smtpd_tls_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high

tls_preempt_cipherlist = yes

smtputf8_enable = no
```

master.cf:

```
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=mail.mydomain.com
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
```
Comment:
Disabling port 25 completely will break delivery from other MTAs which are not configured to use transport encryption. I would advise against it.
cz.steve:
You are right, indeed. Let me rephrase it. What I want to accomplish is that the server wouldn't accept any plaintext authentication from anywhere, only use pop3s and imaps.
Nikita Kipriyanov:
The ability to send mail on port 25 is orthogonal to authentication and also orthogonal to the use of TLS. Also, Postfix has absolutely nothing to do with IMAP and POP3; it doesn't support those protocols.
cz.steve:
@NikitaKipriyanov So, for example, if I configure a remote user's Outlook mail client to use port 25 as the submission port, its authentication password can't be eavesdropped?
Nikita Kipriyanov:
You shouldn't configure MUAs to use port 25. You have a submission service on port 587 specially for those, and it has TLS enforced. Better remove any authentication support from port 25 (you really don't need it there).
cz.steve:
So, if I understood correctly, the best practice would be to not block port 25, but for internal and remote users who have credentials to authenticate on the mail server, to use SMTP over TLS on port 587? I mixed up MTA and MDA roles.
Nikita Kipriyanov:
You absolutely need port 25 to receive mail from other systems, and you really want it to support plain text connectivity, as Gerald Schneider noticed up there. But you don't need it to support authentication, because it should be dedicated to *only* reception of mail from external MTAs and they won't authenticate.
cz.steve:
So far I know that my server supports authentication on port 25 (I guess this should have been my initial statement, and NOT accepting mails on port 25, because that's the normal behaviour). After all, thank you for clarifying this. So my question is, why does my server accept auth on port 25 and how can I disable this?
Nikita Kipriyanov:
Then set `smtpd_sasl_auth_enable=no` in `main.cf`. For submission it is overridden in `master.cf`, and it is not needed anywhere else.
cz.steve:
@NikitaKipriyanov Thank you for clarifying so much about Postfix. I should really read more in depth about it, and not just read bits and howtos on forums.
Nikita Kipriyanov:
Begin with this: https://www.postfix.org/SASL_README.html#server_sasl_enable
Score:2

IMAP and POP3 have nothing to do with Postfix. Those are MDA protocols, while Postfix is an MTA and it only supports SMTP (and LMTP, think of it as a simplified version). What you seem to need instead is to set up Postfix's smtpd_*_restrictions properly.

You have a properly set up submission service (in master.cf), which enforces TLS (it has smtpd_tls_security_level=encrypt). This is for MUAs. This is the only place in the whole Postfix configuration where you may need user authentication.

Your MUAs shouldn't connect to port 25 over SMTP (if they do, you should update their configuration to use the dedicated submission port 587 instead). Other MTAs that deliver mail to you won't authenticate. So, remove any occurrence of permit_sasl_authenticated from main.cf and set smtpd_sasl_auth_enable=no in it. Then Postfix will not support any form of authentication on port 25. It will be dedicated to only receiving mail from other MTAs.

Also, usually you want to have permit_mynetworks first in smtpd_*_restrictions, because usually you want systems in mynetworks to be unrestricted in where they can send mail. Keep mynetworks as narrow as possible (probably localhost only); it is better to set up many accounts and authenticate everything.

Strictly speaking, plaintext authentication is orthogonal to TLS support; there are zero-knowledge-proof authentication schemes (e.g. CHAP, DIGEST, SRP) which don't transmit the password over the wire, either in plain text or in encrypted form. They provide resilient authentication even when there is no transport encryption. This is configured outside of Postfix, in the SASL configuration. I don't have any experience with the Dovecot SASL library. You don't need it very much, because your submission configuration enforces TLS.
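A way to verify the outcome of the changes recommended above and in the comments (smtpd_sasl_auth_enable=no in main.cf, AUTH only on the TLS-enforced submission service): the added example below is not part of the answer or of Postfix itself. It sends EHLO to ports 25 and 587, repeats EHLO after STARTTLS where offered, and reports whether AUTH is advertised at each step; the host name comes from the command line, and the sample EHLO responses are constructed for offline checking.

```python
"""Check which Postfix services advertise SASL AUTH (added example, not from the thread)."""
import smtplib
import ssl
import sys

# Constructed EHLO responses, modelled on a Postfix server after the recommended changes:
# port 25 never offers AUTH; submission offers it only once the session is encrypted.
SAMPLE_PORT25 = "mail.example.test\nPIPELINING\nSIZE 10240000\nSTARTTLS\nENHANCEDSTATUSCODES\n8BITMIME"
SAMPLE_PORT587_PRE_TLS = "mail.example.test\nPIPELINING\nSTARTTLS\n8BITMIME"
SAMPLE_PORT587_POST_TLS = "mail.example.test\nPIPELINING\nAUTH PLAIN LOGIN\n8BITMIME"


def auth_mechanisms(ehlo_response):
    """Return the SASL mechanisms listed in an EHLO response (empty list if AUTH is absent)."""
    for line in ehlo_response.splitlines()[1:]:      # first line is the server's hostname
        keyword, _, rest = line.strip().partition(" ")
        if keyword.upper() == "AUTH":
            return rest.split()
    return []


def classify(port, pre_tls, post_tls):
    """Judge one service: the MTA port must never offer AUTH; submission only after STARTTLS."""
    if port == 25:
        return "ok" if not pre_tls and not post_tls else "AUTH exposed on MTA port"
    if pre_tls:
        return "AUTH offered before STARTTLS (credentials could travel in clear)"
    return "ok" if post_tls else "no AUTH after STARTTLS (clients cannot log in)"


def probe(host, port):
    """Live check against a real server: EHLO, then STARTTLS if offered, then EHLO again."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        pre = auth_mechanisms(s.ehlo_resp.decode(errors="replace"))
        post = []
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            s.ehlo()                                  # features must be re-read after TLS
            post = auth_mechanisms(s.ehlo_resp.decode(errors="replace"))
    return pre, post


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumed: your mail host
    for port in (25, 587):
        pre, post = probe(host, port)
        print(f"port {port}: before TLS {pre or 'no AUTH'}, after TLS {post or 'no AUTH'} -> "
              f"{classify(port, pre, post)}")
```

Run it from outside mynetworks as well, since restrictions and AUTH announcements can differ for trusted clients.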
