LinuxQuestions.org
Old 03-08-2007, 03:06 PM   #1
rahmmandel
LQ Newbie
 
Registered: Jan 2007
Posts: 23

Rep: Reputation: 15
Postfix - howto use smtp auth for external client but not for localhost


Does anyone know how (or if) it is possible to instruct postfix to accept unencrypted (non-TLS) connections from localhost, while at the same time insisting on a TLS-secured connection from other computers?

I couldn't find any hint on how to do that in the postfix docs or on the web.

So here is the prob:
Sending mail via a TLS secured connection from my local mail client (thunderbird) via a postfix server on the internet works fine.
Now I also want to send mail using a webmail client (squirrelmail) on the very same server.
However I do not want to use encrypted communication when operating on the server itself (so from localhost) as that does increase server load but not security. (I consider the loopback as safe.)

So does anyone know how (or if) it is possible to instruct postfix to accept unencrypted (non-TLS) connections from localhost, while at the same time insisting on a TLS-secured connection from other computers?

Any hint is welcome. Thank you in advance
 
Old 03-09-2007, 06:53 PM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Here are two examples. The syntax/semantics is postfix-2.3.

Example 1: The only computers allowed to relay are those on the LAN which
establish an encrypted connection.

Code:
mynetworks_style = subnet

smtpd_recipient_restrictions =
  permit_inet_interfaces
  permit_auth_destination
  reject_plaintext_session
  permit_mynetworks
  reject
Example 2: Anyone who can authenticate is allowed to relay, but
authentication is only allowed through an encrypted connection.

Code:
mynetworks_style = host

smtpd_recipient_restrictions = 
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination

#no authentication without encryption
#
smtpd_tls_auth_only = yes

Last edited by Berhanie; 03-09-2007 at 06:58 PM.
 
Old 03-10-2007, 05:28 AM   #3
rahmmandel
LQ Newbie
 
Registered: Jan 2007
Posts: 23

Original Poster
Rep: Reputation: 15

Thanks so far,
but the problem I am trying to solve is how to allow UNENCRYPTED connections from LOCALHOST while AT THE SAME TIME forcing connections from authenticated external clients to use a (TLS) ENCRYPTED connection.

So right now my config (also postfix 2.3, by the way) resembles the second example and does not allow for unencrypted connections from localhost.
 
Old 03-10-2007, 10:49 AM   #4
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Seems to me the second example does everything that you want. What's the problem?

In case it wasn't clear, the following is an elaboration on Example 2:
Code:
mynetworks_style = host

# sasl
#
smtpd_sasl_auth_enable = yes

# tls
#
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /usr/local/etc/postfix/cert.pem
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_database = 
  btree:/usr/local/etc/postfix/smtpd_tls_scache

smtpd_recipient_restrictions = 
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination

Last edited by Berhanie; 03-10-2007 at 04:14 PM.
 
Old 03-11-2007, 07:30 AM   #5
rahmmandel
LQ Newbie
 
Registered: Jan 2007
Posts: 23

Original Poster
Rep: Reputation: 15

@Berhanie: Thank you again for your answer.
In fact I hope you are right and I just don't (yet) see how this could be the solution.

And here is why:
The problem stems from

Code:
smtpd_tls_auth_only = yes
I also use that. And I want to use it, to force external clients to use a TLS-encrypted connection.
HOWEVER, this is exactly the line that keeps the users on the box itself (localhost) from being able to use an UNENCRYPTED connection.

So that is what I need:

1.) external clients = force use of TLS
2.) (at the same time) localhost = do not use TLS at all

However "smtpd_tls_auth_only = yes" forces users on localhost to use TLS as well (and thus creates unnecessary load on the server by encrypting the loopback connection).

 
Old 03-11-2007, 12:37 PM   #6
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
"smtpd_tls_auth_only = yes" only tells postfix to announce AUTH after TLS has been established. It does not enforce TLS. The strategy is to enforce authentication, which we do through smtpd_recipient_restrictions. Notice that localhost is exempt from having to authenticate since mynetworks is listed first in smtpd_recipient_restrictions. But you might have some other restriction somewhere in your main.cf giving us problems. Please post the output of "postconf -n".
 
Old 03-12-2007, 11:16 AM   #7
rahmmandel
LQ Newbie
 
Registered: Jan 2007
Posts: 23

Original Poster
Rep: Reputation: 15

Ah great, so I got it wrong and a solution is in sight. Thanks a lot, Berhanie.

In fact I didn't know that position matters in smtpd_recipient_restrictions. However, I put mynetworks first but that didn't work for me.
Localhost still seems to want encrypted communication.

The output of "telnet localhost smtp"

ehlo localhost

is:

250-myserver.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


Here is my result of postconf -n (I changed the entries in <> for security reasons)

Code:
alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports = 
disable_dns_lookups = no
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = 127.0.0.1 ::1 <myIP>
inet_protocols = all
mail_spool_directory = /var/mail
mailbox_command = 
mailbox_size_limit = 0
mailbox_transport = 
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains = 
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = $myhostname, localhost.$mydomain
myhostname = <box1.example.com(my FQDN)>
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relay_domains = 
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_relay_domains
smtpd_reject_unlisted_recipient = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_CAfile = </path/to/ca-cert.pem>
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = </path/to/crt.crt>
smtpd_tls_key_file = </path/to/key.key>
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:<gid>
virtual_mailbox_base = </path/to/Maildirs>
virtual_mailbox_domains = <xxx.xxx xxx.xxx ...>
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = hash:/etc/postfix/uidmap

@Berhanie: It would be great if you could tell me if there is something wrong with my main.cf and/or how to change it to force AUTH and ENCRYPTION for external users, while allowing users on localhost to connect UNENCRYPTED (while still forcing them to AUTH).


Last edited by rahmmandel; 03-12-2007 at 11:23 AM.
 
Old 03-12-2007, 10:41 PM   #8
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Quote:
In fact I didn't know that position matters in smtpd_recipient_restrictions
There's your next assignment, then: read the documentation!

Quote:
...force AUTH and ENCRYPTION to external users, while allowing users on localhost to connect UNENCRYPTED (while still forcing them to AUTH).
That's slightly different, then. You really should have made clear that you wanted connections from localhost to authenticate.

Since you also want authentication without encryption enabled, you cannot use "smtpd_tls_auth_only = yes" anymore. Here's what your main.cf might look like for your new requirements to work:


Code:
#being strict on mynetworks isn't important for this setup, but:
mynetworks_style = host

# sasl
#
smtpd_sasl_auth_enable = yes

# tls
#
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /usr/local/etc/postfix/cert.pem
smtpd_tls_session_cache_database = 
  btree:/usr/local/etc/postfix/smtpd_tls_scache

smtpd_recipient_restrictions = 
  #allow anyone sending to us:
  permit_auth_destination
  #otherwise, allow authenticated connections from localhost
  check_client_access hash:/usr/local/etc/postfix/access_client
  #otherwise, demand both authentication and encryption:
  reject_plaintext_session
  permit_sasl_authenticated
  reject
/usr/local/etc/postfix/access_client should look like this:
Code:
# connections from 127.x.x.x must authenticate
127  permit_sasl_authenticated, reject
Note:
1. The reject isn't necessary in the access_client table, but it does tell the client that the rejection occurred because of an access table restriction.
2. smtpd_recipient_restrictions applies only to smtp connections. Local users can still submit mail through postdrop and be free from any restriction. Read the documentation to learn how to restrict that.

Finally don't forget to postmap the access_client table.

Last edited by Berhanie; 03-12-2007 at 10:56 PM.
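To make the first-match-wins rule concrete (the point behind "position matters" earlier in the thread, and behind the later question of which line forces external users onto TLS), here is an added Python model of the restriction list and access_client table above. It is not Postfix code and not from this thread; the 203.0.113.7 address and the example.net / box1.example.com domains are constructed test data.

```python
# Added model (not Postfix code) of first-match-wins evaluation of the
# smtpd_recipient_restrictions list posted above; client data is constructed.
RESTRICTIONS = [                 # the list from the post, in order
    "permit_auth_destination",
    "check_client_access",       # hash:/usr/local/etc/postfix/access_client
    "reject_plaintext_session",
    "permit_sasl_authenticated",
    "reject",
]
ACCESS_CLIENT = {"127": ["permit_sasl_authenticated", "reject"]}  # the postmapped table
AUTH_DESTINATIONS = {"box1.example.com"}  # stands in for $mydestination etc.

def evaluate(restrictions, client):
    """Return 'permit'/'reject' from the first restriction that decides, else None."""
    for name in restrictions:
        if name == "permit_auth_destination" and client["rcpt_domain"] in AUTH_DESTINATIONS:
            return "permit"
        if name == "check_client_access":
            # access(5): look up the full address, then with trailing octets stripped
            octets = client["ip"].split(".")
            for n in range(4, 0, -1):  # 127.0.0.1, 127.0.0, 127.0, 127
                sublist = ACCESS_CLIENT.get(".".join(octets[:n]))
                if sublist is not None:
                    verdict = evaluate(sublist, client)  # table value is a nested list
                    if verdict:
                        return verdict
                    break  # nested list exhausted: carry on with the outer list
        if name == "reject_plaintext_session" and not client["tls"]:
            return "reject"
        if name == "permit_sasl_authenticated" and client["sasl"]:
            return "permit"
        if name == "reject":
            return "reject"
    return None

def decide(client, restrictions=RESTRICTIONS):
    """Top-level verdict; a list exhausted without a decision means Postfix accepts."""
    return evaluate(restrictions, client) or "permit"

# constructed scenarios; all but the last try to relay to an outside domain
CLIENTS = {
    "localhost, plaintext, authenticated": dict(ip="127.0.0.1", tls=False, sasl=True, rcpt_domain="example.net"),
    "localhost, plaintext, no auth": dict(ip="127.0.0.1", tls=False, sasl=False, rcpt_domain="example.net"),
    "external, TLS, authenticated": dict(ip="203.0.113.7", tls=True, sasl=True, rcpt_domain="example.net"),
    "external, plaintext, authenticated": dict(ip="203.0.113.7", tls=False, sasl=True, rcpt_domain="example.net"),
    "external, plaintext, mail for us": dict(ip="203.0.113.7", tls=False, sasl=False, rcpt_domain="box1.example.com"),
}
if __name__ == "__main__":
    for label, client in CLIENTS.items():
        print(f"{label:36} -> {decide(client)}")
```

Passing a reordered list to decide() shows why order matters: with permit_sasl_authenticated ahead of reject_plaintext_session, an external client authenticating over plaintext is let through.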
 
Old 03-15-2007, 09:44 AM   #9
rahmmandel
LQ Newbie
 
Registered: Jan 2007
Posts: 23

Original Poster
Rep: Reputation: 15
@Berhanie: thanks a lot for your help and pls excuse that I didn't mention before that I also want the users on localhost to authenticate.

Concerning your solution: I gave it a try, changed main.cf accordingly, created access_client, postmapped it, reloaded postfix,

but it didn't work out for me.

Problem is, if I disable smtpd_tls_auth_only = yes,
my external client can authenticate via an unencrypted (non-TLS) connection.

Which part in your suggested config ensures that external users have to use TLS (and AUTH)?

If the use of TLS is not mandatory, squirrelmail 1.4.9a (authenticated users sending mail from localhost) works. But that used to work before whenever I didn't enforce the use of TLS...

I would be glad if you could answer my question above. If you have any further suggestions they are welcome.
If not I can't blame you. I have lost hope of getting this working myself.
Anyway pls. answer the bold-typed question above. Perhaps I can hunt down the prob with that information.

btw. in my log I found the following warning:
unknown smtpd restriction: "reject_plaintext_session"
I tried without it. Didn't work either.
 
Old 03-15-2007, 09:56 AM   #10
rahmmandel
LQ Newbie
 
Registered: Jan 2007
Posts: 23

Original Poster
Rep: Reputation: 15
Oh btw. to authenticate I use LOGIN (so plaintext).
IMHO it's OK to use an unencrypted/insecure plaintext mechanism within a secure/encrypted connection (TLS).
 
Old 03-15-2007, 12:32 PM   #11
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Hi, rahmmandel.

Quote:
unknown smtpd restriction: "reject_plaintext_session"
That's the restriction that forces outside users to use encrypted sessions. Are you sure you're using postfix 2.3? That might be your problem. Check the output of
Code:
postconf mail_version
Quote:
IMHO its OK to use an unencrypted/insecure plaintext mechanism within a secure/encrypted connection
Yes.
 
Old 03-15-2007, 06:04 PM   #12
rahmmandel
LQ Newbie
 
Registered: Jan 2007
Posts: 23

Original Poster
Rep: Reputation: 15
Postfix reports the version to be 2.3-20051106

However this piece of software is giving me a hell of a hard time.

In the docs (http://www.postfix.org/TLS_README.html) for example it says that "smtpd_tls_security_level = may" (Postfix 2.3 and later) is an equivalent to "smtpd_use_tls = yes" (which is obsolete but still supported).

However, if I substitute
"smtpd_use_tls = yes"
for
"smtpd_tls_security_level = may"
an external client gets the message that the server does not offer STARTTLS in its EHLO response.

Man, if that postfix thing is not starting to behave soon, I'll leave it for qmail
 
Old 03-15-2007, 08:02 PM   #13
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
I think you're using an old development (experimental and not fully functional) version of 2.3, i.e. you're not using 2.3. You should use the stable version, now postfix-2.3.8. There was a lot of work done in the way of TLS between postfix-2.2 and postfix-2.3, so it's not surprising your problems involve TLS. Apart from that, there's also a possibility you had a syntactic error in main.cf (I hope you entered the parameters exactly as I posted them, paying attention to spaces signifying continuation lines: spaces in the beginning of a line which continues a previous line).
 
Old 03-18-2007, 07:22 PM   #14
rahmmandel
LQ Newbie
 
Registered: Jan 2007
Posts: 23

Original Poster
Rep: Reputation: 15
@Berhanie: yes I did not have any typos in my config. Anyway, you are probably right, I should update and try again. Anyway that webmailing thing is a pretty low priority project, so it will have to wait a couple of days. If things don't work out I may succeed in contacting you again. It would be great if you would stay subscribed to this thread.

But in any case I would like to thank you very much for your help so far,
and of course for hanging in with me until today.
 
Old 03-18-2007, 10:45 PM   #15
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
It's been my pleasure, rahmmandel. I hope to see you around again. Good luck with your project.
(I'm subscribed: posting to a thread causes automatic subscription.)
 
  

