# [Solved] Postfix + securing up the mailserver.

## Kattsand

Got some issues with my email server atm.

I'm using a Postfix + Dovecot + Squirrelmail setup.

As SMTP server to send mail I'm using my ISP's SMTP.

The problem now for me is the free access to Postfix via Telnet; anyone can log in and start sending mails .. not outgoing though, but to accounts on the local machine.

It works perfectly to both mail to the server and from the server (Squirrelmail).

Read some articles on SASL auth and I'm very unsure on how to implement it.. I'm pretty sure that my ISP's SMTP server is some kind of open relay since I don't have to auth against it with my Postfix, so I basically only need SASL/some kind of secure auth to be applied on the telnet sessions (and probably with Squirrelmail too ?!, encrypted mail access for the users via web would be nice  :Smile:  ).

And another issue: my server is not (anymore) logging outgoing mail.. it did early when I configured the programs but not anymore; incoming mails are logged correctly.

postconf -n

```
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.5.5/html
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, www.$mydomain, ftp.$mydomain
mydomain = domain.net
myhostname = domain.net
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.5/readme
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_local_domain = $myhostname
unknown_local_recipient_reject_code = 550
```

dovecot -n

```
# 1.1.1: /etc/dovecot/dovecot.conf
base_dir: /var/run/dovecot/
log_path: /var/log/dovecot.log
info_log_path: /var/log/dovecot.info
protocols: imap
ssl_cert_file: /etc/ssl/dovecot/server.pem
ssl_key_file: /etc/ssl/dovecot/server.key
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:~/.maildir
mail_debug: yes
auth default:
  mechanisms: plain login
  passdb:
    driver: pam
    args: -session *
  userdb:
    driver: passwd
```

Any good advice is appreciated.

Last edited by Kattsand on Wed Sep 24, 2008 2:52 pm; edited 1 time in total

----------

## magic919

Do you want to receive email via Postfix?

----------

## Kattsand

I suppose so.. isn't that the case atm?

edit: just realised that mails between local accounts are sent through my ISP SMTP and then back to the local mailserver, not a desirable situation either I guess. Postfix should handle local mails at local level, sounds logical to me at least.

----------

## steveb

 *Kattsand wrote:*   

> I suppose so.. isnt that the case atm?

 Depends what IP's you have active on that system. Does the system have direct access to the internet? Is it listening on a public IP or is it sitting on a private network?

// SteveB

----------

## Kattsand

The mailserver is directly connected to the net with its own IP address.

----------

## steveb

 *Kattsand wrote:*   

> the mailserver is directly connected to the net with its own IP address.

 And domain for that connection is the one you own or something else? Assume I send you a mail to your domain, then is it your Postfix system getting the mail or is it your ISP getting the mail and you then fetch that mail from your ISP or you forward the mail from your ISP to your Postfix instance?

// SteveB

----------

## Kattsand

Yes, I own my own domain which I'm using atm for this purpose.

Postfix can get my incoming mails directly from other servers, like from hotmail, but I can't mail directly from my server to others since port 25 is blocked by the ISP; must use their SMTP server as a gateway.. works fine.

But I'm a little bit confused about the role of Postfix .. since it's a Mail Transport Agent it's handling both my incoming and outgoing mails, right?

( it still doesn't log outgoing mails, only incoming.. )

Also: the only place where my ISP smtp server is defined is in */squirrelmail/config/config.php as:

```
$smtpServerAddress      = 'smtp.bredband.net';
```

Last edited by Kattsand on Mon Sep 22, 2008 9:59 pm; edited 1 time in total

----------

## steveb

Okay. I see now. Yes. Postfix does probably both (inbound and outbound). The only limitation you have from the other "normal" Postfix setups is that you must use your ISP mail server for outbound. So your ISP mail server acts as a smart host.

As for the logging: Post your master.cf file here.

btw: Tjena, tjena.  :Smile:  (Yes! I used to work for 2 years during the week in Stockholm. Flying all Friday night back to Zürich and on Monday morning back to Stockholm)

// SteveB

----------

## Kattsand

hej hej ^^

here it comes (haven't touched it once..):

```
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
```

Skipping the rest since it's all commented stuff.

----------

## steveb

How are you transferring mails over to your ISP? Are you not having relayhost or fallback_relay? Or do you use a transport map (I don't see anything in main.cf)?

// Steve

----------

## Kattsand

Wish I could point it out  :Smile:  , the only place where I've added my ISP's SMTP server address is in 

/var/www/mydomain.net/htdocs/squirrelmail/config/config.php

Edit:

A major breakthrough I think = 

I changed SMTP server in Squirrelmail config.php to my own mailserver and then added to main.cf:

```
relayhost = $mydomain
relayhost = [smtp.bredband.net]
```

Now all local mails are delivered locally and finally logging works on both incoming/outgoing mails!  :Smile: 

The last thing to fix is some kind of clientside secure auth for users who try to telnet to my mailserver, which was the cause for creating this thread  :Smile: 

----------

## magic919

 *Kattsand wrote:*   

> The last thing to fix is some kind of client side secure auth for users who try to telnet to my mailserver, which was the cause for creating this thread 

You can't do this for _all_ clients and continue to receive any and all email from the rest of the world.  I'm sure Steve will suggest some basic checks in Postfix.

----------

## steveb

 *Kattsand wrote:*   

> ... added to main.cf:
> 
> ```
> relayhost = $mydomain
> ...
> ```

 relayhost should be just one entry. Adding two of them is wrong. So what you should do is:

```
relayhost = [smtp.bredband.net]
```

If you enclose the entry in '[' ']' then MX lookups will be turned off, which is okay for your use case.

 *Kattsand wrote:*   

> Now all local mails are delivered locally and finally logging works on both incoming/outgoing mails! 

  :Smile: 

 *Kattsand wrote:*   

> The last thing to fix is some kind of clientside secure auth for users who tries to telnet to my mailserver, which was the cause for creating this thread 

 What you probably want to do is run Postfix with SASL. Would it be a problem for you to post the DNS name of your system, so we can check if your current install is supporting SASL or other method of identification? Would it be possible for you to connect to your system on port 25 with telnet and then issue the command "ehlo localhost" and then post what Postfix responds (you can quit the telnet session by issuing "RSET" and then "QUIT")? Look for the lines starting with "250". They are the ones saying what your server supports. Especially the ones starting with "250-STARTTLS" or "250-AUTH" or "250-AUTH=".

// Steve

----------

## steveb

 *magic919 wrote:*   

> I'm sure Steve will suggest some basic checks in  Postfix.

 It's your thread magic919. You responded the first  :Smile:  Don't leave me now alone here. Your input is very much welcome (at least to me).

// Steve

----------

## belrpr

Securing postfix is easy.

mynetworks = 127.0.0.0/8 

>You can add the private network after the server if any.

Use sasl for external sending.

Sasl will do the authentication of the external user so you can be sure that it is one you trust.

----------

## magic919

 *steveb wrote:*   

> > *magic919 wrote:*
> > I'm sure Steve will suggest some basic checks in Postfix.
> 
> It's your thread magic919. You responded the first :Smile: Don't leave me now alone here. Your input is very much welcome (at least to me).
> 
> // Steve

That's very kind, Steve.  You're a gent.

Given that Postfix cannot be secured to prevent third parties sending emails to domains for which it is the final destination I'll leave that bit.

I use a many and varied approach to stemming the flow of junk.  DSPAM figures in there, of course.

From main.cf

```
smtpd_helo_required = yes
smtpd_recipient_restrictions =
        permit_mynetworks
        check_helo_access hash:/etc/postfix/helo_access
        check_recipient_access hash:/etc/postfix/spam_recipients
        reject_invalid_hostname
        reject_non_fqdn_hostname
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        reject_unauth_destination
        reject_rbl_client zen.spamhaus.org
        check_recipient_access pcre:/etc/postfix/dspam_incoming
        permit
smtpd_data_restrictions =
        reject_unauth_pipelining
        permit
disable_vrfy_command = yes
#Slowing down bad clients
#The delay time
smtpd_error_sleep_time = 10s
#they get 2 at above then it's above x no of errors
smtpd_soft_error_limit = 2
#And after this number we disconnect
smtpd_hard_error_limit = 5
```

/etc/postfix/helo_access (postmap it)

```
# 1.2.3.4 stands in for the server's own IP address
1.2.3.4               REJECT Get lost you liar
mail.example.com      REJECT Get lost - that's my name
localhost             REJECT Get lost, we're localhost
localhost.localdomain REJECT Get lost, we're localhost
```

/etc/postfix/spam_recipients (postmap it)  I stick in some addresses I have that _only_ get spam these days.

```
various@example.com    REJECT
spammy@example.com   REJECT
```

/etc/postfix/dspam_incoming - this one makes DSPAM scan for incoming email only, not outgoing as well as a content_filter would.

```
/./     FILTER dspam:unix:/var/run/dspam/dspam.sock
```

Use of the RBL is contentious, but works for me.  Other restrictions seem fairly benign for me, but YMMV.  I'm sure discussion will ensue  :Smile: 

----------

## Kattsand

hehe thanks for all the replies, all help is very welcome of course  :Smile: 

when doing postconf -n the "relayhost = $mydomain" is not visible so I guess postfix didn't include it but I've removed it now.

relayhost = smtp.bredband.net is still there ofc.

steveb: sure, my domain is pxsh.net , the server is named meow..

```
220 meow.pxsh.net ESMTP Postfix
ehlo pxsh.net
250-meow.pxsh.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
```

Will read more about SASL and try to implement it.

----------

## steveb

Cool! I see you implemented SMTP AUTH:

```
220 meow.pxsh.net ESMTP Postfix
250-meow.pxsh.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
```

Perfect. Now if you want better security, then look to get more than just plain text logins. Something like that would be perfect:

```
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
```

// Steve
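
As an added example (not part of the thread and not any poster's code), the check Steve describes, reading the `250` lines of an EHLO reply, can be scripted. The three replies are copied from the posts in this thread; the function names and finding codes are assumptions made for this example.

```python
import re

# EHLO replies copied from the thread (220 greeting and client lines omitted).
EHLO_BEFORE = """250-meow.pxsh.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

EHLO_AFTER = """250-meow.pxsh.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

EHLO_TARGET = """250-mail.mydomain.name
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

def parse_ehlo(reply):
    """Return {KEYWORD: set(params)} from a multi-line 250 EHLO reply."""
    caps = {}
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = re.match(r"250([ -])(.*)$", line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        text = m.group(2).strip()
        if text.upper().startswith("AUTH="):   # legacy spelling for old clients
            text = "AUTH " + text[5:]
        words = text.upper().split()
        if i > 0 and words:                    # line 0 is the server's hostname
            caps.setdefault(words[0], set()).update(words[1:])
        if m.group(1) == " ":                  # "250 " (space) ends the reply
            break
    return caps

def audit(reply):
    """Return (code, message) findings for one pre-TLS EHLO reply."""
    caps = parse_ehlo(reply)
    mechs = caps.get("AUTH", set())
    findings = []
    if not mechs and "STARTTLS" in caps:
        findings.append(("auth-hidden", "no AUTH before STARTTLS: repeat EHLO inside TLS"))
    elif not mechs:
        findings.append(("no-auth", "neither AUTH nor STARTTLS advertised: SASL not enabled"))
    elif "STARTTLS" not in caps and mechs & {"PLAIN", "LOGIN"}:
        findings.append(("cleartext-auth", "PLAIN/LOGIN without STARTTLS: password is only base64-encoded"))
    if "VRFY" in caps:
        findings.append(("vrfy", "VRFY advertised: disable_vrfy_command = yes turns it off"))
    return findings

if __name__ == "__main__":
    for name, reply in (("before", EHLO_BEFORE), ("after", EHLO_AFTER), ("target", EHLO_TARGET)):
        print(name, [code for code, _ in audit(reply)])
```
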

----------

## Kattsand

it doesn't work, users still have anon access:

emerged cyrus-sasl.

/postconf/main.cf:

```
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
        permit_mynetworks
        check_helo_access hash:/etc/postfix/helo_access
        #check_recipient_access hash:/etc/postfix/spam_recipients
        reject_invalid_hostname
        reject_non_fqdn_hostname
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        reject_unauth_destination
        permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
disable_vrfy_command = yes
smtpd_error_sleep_time = 10s
smtpd_soft_error_limit = 2
```

dovecot/dovecot.conf:

```
auth default:
  mechanisms: plain login
  verbose: yes
  passdb:
    driver: pam
    args: -session *
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
```

edited /etc/sasl12/smtpd.conf:

```
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
```

and started /etc/init.d/saslauthd

----------

## steveb

 *Kattsand wrote:*   

> it doesn't work, users still have anon access

 What do you mean with "anon access"? They can send mail over your server? They can relay mail over your server? Using what as the sending address?

// SteveB

----------

## Kattsand

anonymous access via telnet, or is it basically impossible to implement auth before a user can use MAIL FROM: / RCPT TO: ??

if the answer is yes then I don't need SASL or similar for my mailserver since it wouldn't solve the problem.

----------

## magic919

Mail servers all over the world allow 'anonymous access' in order to receive email.  You can stop that, but you'd quickly find you get zero email.

----------

## steveb

 *magic919 wrote:*   

> Mail servers all over the world allow 'anonymous access' in order to receive email.  You can stop that, but you'd quickly find you get zero email.

 While this is true you still can prevent users from outside to send mails over your server claiming to be one of your own users. Look for example this (from a remote system connecting to my own server claiming to be postmaster from my own domain):

```
[root@zh-lx12 ~]# telnet mail.mydomain.ch 25
Trying xx.xx.xxx.xxx...
Connected to mail.mydomain.ch (xx.xx.xxx.xxx).
Escape character is '^]'.
220 mail.mydomain.name ESMTP Postfix (2.5.5) [NO UCE, NO UBE, C=CH, L=ZH]
ehlo remote.system.tld
250-mail.mydomain.name
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<postmaster@mydomain.ch>
553 5.7.1 <postmaster@mydomain.ch>: Sender address rejected: not logged in
rset
250 2.0.0 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@zh-lx12 ~]#
```

// SteveB

----------

## Kattsand

Ok well I do understand that but I wanted protection from users who telnet to postfix manually, but if it's not fixable then there's no need for me to try to look for a solution to it.

How come Relay access is denied from telnet sessions? 

```
220 meow.pxsh.net ESMTP Postfix
MAIL FROM:<test@pxsh.net>
250 2.1.0 Ok
RCPT TO:<jmz@live.se>
554 5.7.1 <jmz@live.se>: Relay access denied
```

Relay access works when I mail from squirrelmail ... I'm not complaining because it's exactly what I want  :Smile: 

edit: 

steveb: that's a nice feature I would like to use.

----------

## elgato319

your config:

```
mynetworks_style = host
```

your local host is "trusted" by postfix. every service that connects via 127.0.0.1 is allowed to relay.

if you telnet to the smtp service then you are treated as an "outsider".

you then must either auth via sasl or use a domain in "RCPT TO" that is allowed to relay

btw: is there a reason why you are using cyrus-sasl if you have dovecot?

postfix can auth against dovecot directly.

----------

## steveb

 *Kattsand wrote:*   

> Ok well I do understand that but I wanted protection from users who telnet to postfix manually, but if it's not fixable then there's no need for me to try to look for a solution to it.
> 
> How come Relay access is denied from telnet sessions? 
> 
> 220 meow.pxsh.net ESMTP Postfix
> ...

 The reason why it is not allowed with telnet is probably because you telnet from a system to your mail server which is not in mynetworks (which is in your case 127.0.0.0/8). So going locally on the server and doing the connection with telnet will result in an allowed relay, but if I am going from my system over the internet, then I will fail because Postfix will not allow me to relay (since I am not in 127.0.0.0/8 and I am not handled in your smtpd_recipient_restrictions (which is in your case: permit_mynetworks = nope. I am not in 127.0.0.0/8, permit_sasl_authenticated = nope. I am not authenticated with SASL, ....)

// SteveB

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

----------

## Kattsand

Thanks both of you, it's very clear now.

and the last (newbie) question:

is there a way to stop/reject unauthorized mailing between the accounts via telnet and WITHOUT complicating for other mailservers to mail to it?

Found some interesting parameters for smtpd_sender_restrictions:

http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions

----------

## steveb

 *Kattsand wrote:*   

> is there a way to stop/reject unauthorized mailing between the accounts via telnet and WITHOUT complicating for other mailservers to mail to it?

 If you leave your current main.cf, then no other user without having local access to the system where Postfix is running will be able to relay mail to each other.

// Steve

----------

## magic919

The thing to bear in mind is that from the point of view of Postfix it doesn't see any difference between someone using telnet to port 25 and a mail server.  It's the same kind of connect and offers no distinction, sadly.

----------

## Kattsand

damn.., "stop/reject unauthorized mailing between the LOCAL accounts via telnet" I meant .. sorry for not making it clear.

That's what I must fix before running the postfix service 24/7.

atm anyone/I can telnet & mail from my mail to my mail, maybe not a big issue but it should be fixed.

----------

## magic919

A few points.

1. There's no such thing as between local accounts via telnet.

2.  You can't stop people telnetting in and sending to your local accounts.

3.  However, you could ensure that outsiders (off your network) cannot fake one of your local addresses as a From: address.

I suspect 3 is the one you want.  I've never bothered as such folk get caught by other restrictions in place.  Is this what you are looking to do?

----------

## Kattsand

Yepp, scenario 3 you describe is what I'm looking for..

As an example:

```
220 meow.pxsh.net ESMTP Postfix
MAIL FROM:<testmail@pxsh.net>
250 2.1.0 Ok
RCPT TO:<testmail@pxsh.net>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
free for anyone to mail here with my account, maybee not so good?!.
.
250 2.0.0 Ok: queued as B9D8476104
```

Based on you guys' experiences with mailservers.. is this something I can set aside and ignore as a potential threat/spam threat?

----------

## steveb

 *Kattsand wrote:*   

> Yepp, scenario 3 you describe is what I'm looking for..
> 
> As an example:
> 
> ...

 Have a look at smtpd_sender_login_maps.

// SteveB

----------

## Kattsand

What smtpd_sender_login_maps offered was the stuff I was after from the beginning... so after many misunderstandings etc we/I can finally call this Solved  :Smile: 

anyone can mail me, I can mail anyone from squirrelmail but users via telnet sessions can't fake a mail from/to me or pretend to be any of my accounts  :Smile:  exactly what I wanted.

Thanks for the help all  :Smile:  , I really appreciated your time spent.
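
Added example, not from the thread: the posters never show the final main.cf, so `HARDENED` below is a constructed configuration for the behaviour described (the map path `/etc/postfix/sender_login` and the use of `smtpd_sender_restrictions` are assumptions). The script parses main.cf-style text, including continuation lines and repeated assignments such as the double `relayhost` earlier in the thread, and reports which pieces behind "Sender address rejected: not logged in" are missing.

```python
import ipaddress
import re

# Relevant lines of the first `postconf -n` posted in the thread.
ORIGINAL = """\
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_local_domain = $myhostname
"""

# Constructed end state (assumption, not the poster's file). The map would hold
# lines such as "testmail@pxsh.net  testmail" (address, then SASL login name).
HARDENED = """\
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions =
        permit_mynetworks
        reject_unauthenticated_sender_login_mismatch
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
"""

MISMATCH = {"reject_sender_login_mismatch",
            "reject_unauthenticated_sender_login_mismatch"}

def parse_main_cf(text):
    """Return {parameter: value}; a later assignment replaces an earlier one."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank and comment lines are ignored
        if raw[0].isspace() and name:     # leading whitespace continues a value
            params[name] = (params[name] + " " + raw.strip()).strip()
        else:
            name, _, value = raw.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def audit(text):
    """List what is missing for rejecting forged local sender addresses."""
    p = parse_main_cf(text)
    used = set()
    for key, value in p.items():
        if re.fullmatch(r"smtpd_\w+_restrictions", key):
            used.update(re.split(r"[,\s]+", value))
    findings = []
    if p.get("smtpd_sasl_auth_enable", "no") != "yes":
        findings.append("sasl-disabled")
    if not p.get("smtpd_sender_login_maps"):
        findings.append("no-sender-login-map")
    if not used & MISMATCH:
        findings.append("mismatch-not-enforced")
    for net in re.split(r"[,\s]+", p.get("mynetworks", "")):
        try:
            bare = net.strip("[]").replace("]/", "/")   # accept [::1]/128
            if net and not ipaddress.ip_network(bare, strict=False).is_loopback:
                findings.append("trusted-network:" + net)
        except ValueError:
            pass                          # table lookups (hash:/...) not inspected
    return findings

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(label, audit(cfg))
```

Any `trusted-network:` finding names a range that `permit_mynetworks` lets relay and pick sender addresses without logging in, which is why the thread keeps `mynetworks` at loopback only.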

----------

## steveb

 *Kattsand wrote:*   

> What smtpd_sender_login_maps offered was the stuff I was after from the beginning... so after many misunderstandings etc we/I can finally call this Solved 

 Well... I posted already here about the effect of smtpd_sender_login_maps. Anyway... important is, that it works for you.

// SteveB

----------

## Kattsand

Yeah but obviously I'm not a Postfix expert and I didn't think about googling for "sender address rejected" or similar to find out about smtpd_sender_login_maps.

----------

## steveb

Hey! Easy. I am not complaining  :Smile: 

// Steve

----------

## jamapii

Ok, I posted in the other thread but it seems not so relevant after reading this...

to summarize all the relaying modes:

- FROM inside TO inside - keep open
- FROM inside TO outside - keep open, let locals send email
- FROM outside TO inside - keep open, and let spam filters do their job
- FROM outside TO outside - the user must be known and authenticated, otherwise deny relaying

Thanks for the info too, I might use it these days...

----------

