Wednesday, February 24, 2010

securing postfix - smtp auth on port 587 only

SkyHi @ Wednesday, February 24, 2010
Story:
I have postfix running on an Ubuntu system, handling the e-mail for a handful of users. Currently I tell people to send e-mail using SMTP with authentication on port 587 with TLS enabled - which is what I want.

However the server also accepts mail on port 25 with authentication and no TLS. I want to change this so port 25 is used only for my server to receive mail from elsewhere (other servers). I want my users to be able to send on port 587 with TLS etc. ONLY.

Solution:
leto:

Here is my main.cf as well. I think I can identify more specifically what you need.

Code:
myhostname = ws1.node.example.com
mydomain = node.example.com
mynetworks = 127.0.0.1/32
mydestination = ws1.node.example.com localhost
inet_interfaces = ws1.node.example.com 127.0.0.1
virtual_alias_maps = hash:/vhosts/etc/postfix/virtual_alias_maps
virtual_gid_maps = hash:/vhosts/etc/postfix/virtual_gid_maps
virtual_uid_maps = hash:/vhosts/etc/postfix/virtual_uid_maps
virtual_mailbox_domains = hash:/vhosts/etc/postfix/virtual_mailbox_domains
virtual_mailbox_maps = hash:/vhosts/etc/postfix/virtual_mailbox_maps
virtual_mailbox_base = /vhosts/maildirs
smtpd_sender_login_maps = hash:/vhosts/etc/postfix/smtpd_sender_login_maps


smtpd_helo_required = yes

smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname,
        reject_non_fqdn_sender, reject_unauth_pipelining, reject_unauth_destination,
        reject_unknown_hostname, reject_unknown_sender_domain, reject_unknown_client,
        permit_auth_destination, check_policy_service unix:postgrey/socket,
        reject_rbl_client xbl.spamhaus.org, reject
And again for completeness, the relevant part of master.cf.

Code:
submission inet n       -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_type=dovecot
        -o smtpd_sasl_path=private/auth
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_reject_unlisted_sender=yes
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
Whether you are running virtual mailboxes or local, the key here is the line 'smtpd_recipient_restrictions'. There are lots of directives like that in postfix, and lots of advice you can read about which ones to use, but for a start stick to just this one. Learn about the rest later, here: http://www.postfix.org/SMTPD_ACCESS_README.html.

You can see that in main.cf I have 'smtpd_recipient_restrictions' set with things like 'reject_*' to reject messages that fail various checks, and I have 'permit_auth_destination' which allows locally delivered mail. Everything else is rejected. This is the baseline, nothing but locally deliverable mail.

Now we move on to 'master.cf'. Once you have your 'main.cf' right, you could almost copy what I have (at your risk, obviously). But again here the key is 'smtpd_recipient_restrictions', which is set to 'permit_mynetworks' so that local senders can forward mail (you may not want this), but more importantly 'permit_sasl_authenticated', which allows authenticated users. All other email is rejected. This overrides the setting in main.cf.

All in, this means that the standard SMTP service on port 25 will use the default setting of local delivery only, and the SMTP service on the submission port 587 will override the setting to only allow authenticated senders.

I hope this helps...
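The override mechanism described above (main.cf sets the global default, a `-o name=value` line under a master.cf service replaces it for that service only) is easy to get subtly wrong: a global `smtpd_sasl_auth_enable = yes` is exactly what makes port 25 accept AUTH, which is the situation in the original question. The script below is an added example, not code from the forum post or from Postfix: it parses main.cf and master.cf text the way Postfix does (whitespace-led lines continue the previous entry), computes the effective settings per `smtpd` service, and reports whether each port offers AUTH, whether AUTH is confined to TLS, and whether the recipient restrictions actually permit authenticated users. The sample configs are constructed, modelled on the post's, and the submission stanza adds two real Postfix parameters the post does not set, `smtpd_tls_security_level=encrypt` and `smtpd_tls_auth_only=yes`, which together make the submission port TLS-only as the question asks. Function names are my own.

```python
"""Audit which Postfix smtpd services offer SASL AUTH, whether they force TLS,
and which recipient restrictions are in effect, from main.cf + master.cf text.
Example code with hypothetical helper names; both sample configs are constructed."""
import re

# Constructed main.cf modelled on the post, plus the global
# smtpd_sasl_auth_enable=yes that makes port 25 accept AUTH (the questioner's case).
MAIN_CF = """\
myhostname = ws1.node.example.com
mynetworks = 127.0.0.1/32
smtpd_helo_required = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender,
    reject_unauth_destination, permit_auth_destination, reject
"""

# Constructed master.cf: port 25 with no overrides, submission with the post's
# overrides plus two TLS parameters (added here) that confine AUTH to TLS sessions.
MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_type=dovecot
        -o smtpd_sasl_path=private/auth
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_tls_security_level=encrypt
        -o smtpd_tls_auth_only=yes
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
"""


def parse_main_cf(text):
    """Return {parameter: value}; a whitespace-led line continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def parse_master_cf(text):
    """Return [{name, type, command, overrides}] for every master.cf service entry."""
    services, cur = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tokens = raw.split()
        if raw[0] in " \t":          # continuation line: more command arguments
            if cur is not None:
                _collect_options(tokens, cur["overrides"])
            continue
        if len(tokens) < 8:          # service lines have 8 fields: name type ... command
            continue
        cur = {"name": tokens[0], "type": tokens[1], "command": tokens[7], "overrides": {}}
        _collect_options(tokens[8:], cur["overrides"])
        services.append(cur)
    return services


def _collect_options(tokens, overrides):
    """Pick "-o name=value" pairs out of a token list (a master.cf value is one token)."""
    it = iter(tokens)
    for tok in it:
        if tok == "-o":
            name, _, value = next(it, "").partition("=")
            overrides[name] = value


def audit(main_text, master_text):
    """Per inet smtpd service: effective AUTH/TLS settings plus a list of findings."""
    main = parse_main_cf(main_text)
    report = {}
    for svc in parse_master_cf(master_text):
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        eff = dict(main)
        eff.update(svc["overrides"])        # master.cf -o overrides win over main.cf
        auth = eff.get("smtpd_sasl_auth_enable", "no") == "yes"
        tls = eff.get("smtpd_tls_security_level", "")
        auth_only_tls = eff.get("smtpd_tls_auth_only", "no") == "yes"
        restr = [r for r in re.split(r"[\s,]+", eff.get("smtpd_recipient_restrictions", "")) if r]
        issues = []
        if svc["name"] == "smtp" and auth:
            issues.append("port 25 offers AUTH; keep AUTH on the submission service only")
        if auth and tls != "encrypt" and not auth_only_tls:
            issues.append("AUTH is offered before STARTTLS, so credentials may travel in cleartext")
        if auth and "permit_sasl_authenticated" not in restr:
            issues.append("AUTH is enabled but no restriction permits authenticated relaying")
        if svc["name"] == "smtp" and tls == "encrypt":
            issues.append("mandatory TLS on a public MX rejects senders without STARTTLS")
        report[svc["name"]] = {"auth": auth, "tls": tls, "restrictions": restr, "issues": issues}
    return report


if __name__ == "__main__":
    for name, r in audit(MAIN_CF, MASTER_CF).items():
        print(f"{name}: auth={r['auth']} tls={r['tls'] or 'default'} "
              f"restrictions={','.join(r['restrictions'])}")
        for issue in r["issues"]:
            print("  ! " + issue)
```

Run against the constructed configs, the `smtp` service is flagged three times (AUTH on port 25, AUTH before STARTTLS, and no `permit_sasl_authenticated` in the main.cf restrictions) while `submission` is clean; changing the global `smtpd_sasl_auth_enable` to `no` clears every port 25 finding because the submission stanza re-enables AUTH for itself with its own `-o` line. On a live box the same effective values can be read with `postconf -n` and `postconf -M`.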


REFERENCE:
http://www.howtoforge.com/forums/showthread.php?t=20116
http://dkimproxy.sourceforge.net/postfix-outbound-howto.html