Hello,
I have been going through various docs on the net about sasl authentication in postfix. In the system that I have set up at a client's place, mails are going fine but there is a small issue that needs to be corrected. The setup is a group of machines on LAN running Outlook Express mail clients and a Linux box running postfix pushing all mails to the main ISP's smtp server. Since It is a relay server, I have used the parameter relayhost = [smtp_of_ISP]:25 in the main.cf file. The sasl auth is using smtp_auth_enable and not smtpd_auth_enable and the user names/passwords are listed in the /etc/postfix/sasl_password file. The only *smtpd* related entry is smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, reject.
Mails are going as required and only to those in the recipient_access list as required. Now if an employee has left and his/her entries are removed from the postfix box as well as the ISP server mail accounts, the Outlook Express mailer can still send mails as that non-existent user. What I found through more reading of docs is that my OE accounts can send mails even without authentication as I don't have smtpd_auth_enable and the LAN is in my mynetworks parameter. Not a big problem as it is local and under control and the OE account can be deleted for that user. However, why is the ISP allowing this unknown user which postfix is relaying when I have everything set in the smtp_auth_ part of postfix? Suppose there is a flaw in my settings, shouldn't the ISP's mail server reject those mails when the username and password do not match with their list? That user has been deleted from their server.
On Sun, Jun 5, 2011 at 1:05 PM, Rony gnulinuxist@gmail.com wrote:
Mails are going as required and only to those in the recipient_access list as required. Now if an employee has left and his/her entries are removed from the postfix box as well as the ISP server mail accounts, the Outlook Express mailer can still send mails as that non-existent user. What I found through more reading of docs is that my OE accounts can send mails even without authentication as I don't have smtpd_auth_enable and the LAN is in my mynetworks parameter. Not a big problem as it is local and under control and the OE account can be deleted for that user. However, why is the ISP allowing this unknown user which postfix is relaying when I have everything set in the smtp_auth_ part of postfix? Suppose there is a flaw in my settings, shouldn't the ISP's mail server reject those mails when the username and password do not match with their list? That user has been deleted from their server.
If you add a new user to postfix and DO NOT add this user to ISP. Is it possible to send mails as this new user using OE?
Amish.
On 06/06/2011 02:52 AM, Amish Munshi wrote:
On Sun, Jun 5, 2011 at 1:05 PM, Rony gnulinuxist@gmail.com wrote:
Mails are going as required and only to those in the recipient_access list as required. Now if an employee has left and his/her entries are removed from the postfix box as well as the ISP server mail accounts, the Outlook Express mailer can still send mails as that non-existent user. What I found through more reading of docs is that my OE accounts can send mails even without authentication as I don't have smtpd_auth_enable and the LAN is in my mynetworks parameter. Not a big problem as it is local and under control and the OE account can be deleted for that user. However, why is the ISP allowing this unknown user which postfix is relaying when I have everything set in the smtp_auth_ part of postfix? Suppose there is a flaw in my settings, shouldn't the ISP's mail server reject those mails when the username and password do not match with their list? That user has been deleted from their server.
If you add a new user to postfix and DO NOT add this user to ISP. Is it possible to send mails as this new user using OE?
Even if you remove the user from postfix and the ISP, I can still send from OE as another user.
On Monday 06 Jun 2011, Rony wrote:
[snip] However, why is the ISP allowing this unknown user which postfix is relaying when I have everything set in the smtp_auth_ part of postfix? Suppose there is a flaw in my settings, shouldn't the ISP's mail server reject those mails when the username and password do not match with their list? That user has been deleted from their server.
Because the ISP is relaying based on the authentication your server provides (which could be IP or login based), and not on the auth the original client provided to your server. In other words, once the mail gets into your server, it will get relayed regardless of who sent it.
Regards,
-- Raj
On 06/06/2011 10:14 AM, Raj Mathur (राज माथुर) wrote:
On Monday 06 Jun 2011, Rony wrote:
[snip] However, why is the ISP allowing this unknown user which postfix is relaying when I have everything set in the smtp_auth_ part of postfix? Suppose there is a flaw in my settings, shouldn't the ISP's mail server reject those mails when the username and password do not match with their list? That user has been deleted from their server.
Because the ISP is relaying based on the authentication your server provides (which could be IP or login based),
I don't have any IP based auth. only username and password. The ex-user's name and password are deleted so which credentials are used for auth.? What I found from the docs is that if the sender client is in the 'mynetworks' parameter, they can send without authentication unless the smtpd_auth is enabled and user names and passwords are set using saslauthd or sasld. For relay to the remote server, postfix only needs smtp_auth and a text based list of users/passwords which I use. What puzzles me is that even if postfix relays the message to the ISP smtp, shouldn't the security of the ISP reject the message as that user does not exist? Tomorrow, anyone will set up an smtp server using postfix without knowing any passwords and send mails as a fake user via the ISP's smtp.
and not on the auth the original client provided to your server. In other words, once the mail gets into your server, it will get relayed regardless of who sent it.
On Monday 06 Jun 2011, Rony wrote:
On 06/06/2011 10:14 AM, Raj Mathur (राज माथुर) wrote:
On Monday 06 Jun 2011, Rony wrote:
[snip] However, why is the ISP allowing this unknown user which postfix is relaying when I have everything set in the smtp_auth_ part of postfix? Suppose there is a flaw in my settings, shouldn't the ISP's mail server reject those mails when the username and password do not match with their list? That user has been deleted from their server.
Because the ISP is relaying based on the authentication your server provides (which could be IP or login based),
I don't have any IP based auth. only username and password. The ex-user's name and password are deleted so which credentials are used for auth.? What I found from the docs is that if the sender client is in the 'mynetworks' parameter, they can send without authentication unless the smtpd_auth is enabled and user names and passwords are set using saslauthd or sasld. For relay to the remote server, postfix only needs smtp_auth and a text based list of users/passwords which I use. What puzzles me is that even if postfix relays the message to the ISP smtp, shouldn't the security of the ISP reject the message as that user does not exist? Tomorrow, anyone will set up an smtp server using postfix without knowing any passwords and send mails as a fake user via the ISP's smtp.
I believe you're confused between auth on your server and auth to the ISP. Auth on your server we can afford to ignore -- you've clearly said it's IP based, and that's the end of it.
On the other hand, it's highly unlikely that your server will be authenticating to the ISP as a different user for each sender. Typically mail servers use one identity to talk to other mail servers. Your ISP would be letting your server relay through it on one of the following conditions:
- Your server IP is in the list of IPs that are allowed to relay through the ISPs server.
- Your server is authenticating to the ISP's server using an auth login and password that the ISP has provided. Note: the ISP would have provided this.
- Your server is authenticating to the ISP's server using a certificate provided by the ISP (or at least one you have mutually agreed to use).
- Your server is using a different auth login and password to login to the ISP's server, depending on each mail's sender.
There are other methods possible, but these are the most likely; out of these, the likeliest is the first -- your ISP allows any IP from their network to relay through their mail server.
The last one method above (which you seem to be thinking is what is happening, based on your mails) is a pretty bizarre setup, and would require serious customisation at your end. Have you done that customisation? If not, please review the exact auth mechanism by which your ISP is allowing your server to relay mails through it.
Regards,
-- Raj
On 06/06/2011 06:47 PM, Raj Mathur (राज माथुर) wrote:
I believe you're confused between auth on your server and auth to the ISP. Auth on your server we can afford to ignore -- you've clearly said it's IP based, and that's the end of it.
On the other hand, it's highly unlikely that your server will be authenticating to the ISP as a different user for each sender. Typically mail servers use one identity to talk to other mail servers. Your ISP would be letting your server relay through it on one of the following conditions:
Thanks to all those who responded. Raj, could you tell from my main.cf settings if the smtp auth from postfix to the ISP is happening with only the first account in the sasl_password file or does it happen with each user that is listed one below the other? What you mention must be happening, there is one account getting authenticated for every mail relayed from postfix. That is why users that do not exist get their mails going through. How do I ensure that postfix sends the respective username:password for every mail according to the sender id? So if the user does not exist, there should be no auth happening.
On Mon, Jun 6, 2011 at 1:35 AM, Rony gnulinuxist@gmail.com wrote:
I have been going through various docs on the net about sasl authentication in postfix.
I hope you are referring to postfix's docs and references. Your scenario is a common setup and IIRC there are examples on postifx's site on how to do this.
In the system that I have set up at a client's place, mails are going fine but there is a small issue that needs to be corrected. The setup is a group of machines on LAN running Outlook Express mail clients and a Linux box running postfix pushing all mails to the main ISP's smtp server. Since It is a relay server, I have used the parameter relayhost = [smtp_of_ISP]:25 in the main.cf file. The sasl auth is using smtp_auth_enable and not smtpd_auth_enable and the user names/passwords are listed in the /etc/postfix/sasl_password file.
Have you also enabled relay for the "local" LAN? If yes, then this needs to be disabled.
*All* "local" users need to provide credentials to postfix for accepting emails from local clients.
This is a good place to start http://www.postfix.org/SASL_README.html if you have not read it.
Also you have not mentioned which SASL mechanism you are using. In Cyrus SASL, the sasl_authd (sp?) service needs to be active. This is what I recall from what I had done in a postfix setup looooong time ago :)
The only *smtpd* related entry is smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, reject.
Mails are going as required and only to those in the recipient_access list as required. Now if an employee has left and his/her entries are removed from the postfix box as well as the ISP server mail accounts, the Outlook Express mailer can still send mails as that non-existent user. What I found through more reading of docs is that my OE accounts can send mails even without authentication as I don't have smtpd_auth_enable and the LAN is in my mynetworks parameter. Not a big problem as it is local and under control and the OE account can be deleted for that user. However, why is the ISP allowing this unknown user which postfix is relaying when I have everything set in the smtp_auth_ part of postfix?
After deleting the user did you regenerate the hash file?
Suppose there is a flaw in my settings, shouldn't the ISP's mail server reject those mails when the username and password do not match with their list? That user has been deleted from their server.
No. You are probably authenticating your postfix server with that of our ISP SMTP, with a "particular" username/password or you have requested your ISP to allow relay from your WAN IP (static). In either case the onus is on your smtp server to allow/reject messages at the time when the local smtp client connects to the postfix smtp server in the LAN.
On 06/06/2011 12:33 PM, Arun Khan wrote:
On Mon, Jun 6, 2011 at 1:35 AM, Rony gnulinuxist@gmail.com wrote:
I have been going through various docs on the net about sasl authentication in postfix.
I hope you are referring to postfix's docs and references. Your scenario is a common setup and IIRC there are examples on postifx's site on how to do this.
The problem is that examples are one sided, ie. either they tell you how to set up postfix as a client or a server. In my case it is both as it is a server for OE and client for the ISP.
Have you also enabled relay for the "local" LAN? If yes, then this needs to be disabled.
There is only one relay entry and that is for the ISP smtp.
*All* "local" users need to provide credentials to postfix for accepting emails from local clients.
I had skipped that part as realised later.
This is a good place to start http://www.postfix.org/SASL_README.html if you have not read it.
Also you have not mentioned which SASL mechanism you are using. In Cyrus SASL, the sasl_authd (sp?) service needs to be active. This is what I recall from what I had done in a postfix setup looooong time ago :)
I think it is cyrus.
After deleting the user did you regenerate the hash file?
I do it every time a change is made.
Suppose there is a flaw in my settings, shouldn't the ISP's mail server reject those mails when the username and password do not match with their list? That user has been deleted from their server.
No. You are probably authenticating your postfix server with that of our ISP SMTP, with a "particular" username/password or you have requested your ISP to allow relay from your WAN IP (static). In either case the onus is on your smtp server to allow/reject messages at the time when the local smtp client connects to the postfix smtp server in the LAN.
I don't have static IP. Just the regular mtnl triband with dynamic ip. I will post the main.cf file.
On Mon, Jun 6, 2011 at 1:39 PM, Rony gnulinuxist@gmail.com wrote:
On 06/06/2011 12:33 PM, Arun Khan wrote:
On Mon, Jun 6, 2011 at 1:35 AM, Rony gnulinuxist@gmail.com wrote:
I have been going through various docs on the net about sasl authentication in postfix.
I hope you are referring to postfix's docs and references. Your scenario is a common setup and IIRC there are examples on postifx's site on how to do this.
The problem is that examples are one sided, ie. either they tell you how to set up postfix as a client or a server. In my case it is both as it is a server for OE and client for the ISP.
Therefore you have to apply the postfix server side configs (to your LAN clients) and the client side configs where postfix is the "client" to the ISP's smtp server.
Hello,
This is my main.cf file.
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no
# appending .domain is the MUA's job. append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h
readme_directory = no
# TLS parameters smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client.
# smtpd_milters = inet:localhost:10035 myhostname = My_Hostname mydomain = Fake_Domain.com alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = My_Hostname.Fake_Domain.com mydestination = My_Hostname, localhost.localdomain, localhost always_bcc = boss's_email_id smtp_sender_dependent_authentication = yes sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay_map # ('emailid [isp_smtp]:25' lines one below the other for all users) smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_password # ('emailid username:password' lines one below the other for all users) smtp_sasl_security_options = noanonymous relayhost = [smtp_of_isp]:25 smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, reject # ('emailid permit' lines one below the other for all recipients including customers,vendors,etc. No one outside this list can receive any mails from my server) mailbox_command = mailbox_size_limit = 51200000 recipient_delimiter = inet_interfaces = all inet_protocols = ipv4 mynetworks_style = subnet notify_classes = resource, software mynetworks = 192.168.1.0/24, 192.168.0.0/24, 127.0.0.0/8
On Mon, Jun 6, 2011 at 1:51 PM, Rony gnulinuxist@gmail.com wrote:
smtp_sender_dependent_authentication = yes sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay_map # ('emailid [isp_smtp]:25' lines one below the other for all users) smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_password # ('emailid username:password' lines one below the other for all users) smtp_sasl_security_options = noanonymous relayhost = [smtp_of_isp]:25
The above configs are for the "client" side of your postfix setup.
You also need to add the sasl configs for postfix "server" in main.cf i.e.
smtpd_sasl_auth_enable = yes
and the associated parameters.
Please read http://www.postfix.org/SASL_README.html
On 06/06/2011 01:51 PM, Rony wrote:
Hello,
This is my main.cf file.
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no
# appending .domain is the MUA's job. append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h
readme_directory = no
# TLS parameters smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client.
# smtpd_milters = inet:localhost:10035 myhostname = My_Hostname mydomain = Fake_Domain.com alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = My_Hostname.Fake_Domain.com mydestination = My_Hostname, localhost.localdomain, localhost always_bcc = boss's_email_id smtp_sender_dependent_authentication = yes sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay_map # ('emailid [isp_smtp]:25' lines one below the other for all users) smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_password # ('emailid username:password' lines one below the other for all users) smtp_sasl_security_options = noanonymous relayhost = [smtp_of_isp]:25 smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, reject # ('emailid permit' lines one below the other for all recipients including customers,vendors,etc. No one outside this list can receive any mails from my server) mailbox_command = mailbox_size_limit = 51200000 recipient_delimiter = inet_interfaces = all inet_protocols = ipv4 mynetworks_style = subnet notify_classes = resource, software mynetworks = 192.168.1.0/24, 192.168.0.0/24, 127.0.0.0/8
Any ideas, anything missing, any suggestions?
On Mon, Jun 6, 2011 at 12:33 PM, Arun Khan knura9@gmail.com wrote:
Have you also enabled relay for the "local" LAN? If yes, then this needs to be disabled.
I am not 100% sure about this.
-
Amish Munshi -
Arun Khan -
Raj Mathur (राज माथुर) -
Rony