Thanks for this, this is getting me on track, comments interspersed below...

On Apr 24, 2009, at 6:51 AM, Jorey Bump wrote:

> Scott Haneda wrote, at 04/24/2009 07:58 AM:
>
>> I am a little confused about main.cf and master.cf. Is there overlap in
>> some of the settings? Do some settings exist in both files, or at least
>> are interchangeable? If this is the case, under what conditions do you
>> decide to do so?
>
> From master(5) [http://www.postfix.org/master.5.html]:
>
>     -o name=value
>         Override the named main.cf configuration parameter. The parameter
>         value can refer to other parameters as $name etc., just like in
>         main.cf. See postconf(5) for syntax.
>
> As implied, it's useful when you need to override the settings in
> main.cf to get different behaviour appropriate to the service you're
> setting up in master.cf (submission, reinjection from proxy/filter,
> etc.).
I have a little affliction against man type pages, they never seem to
make a lot of sense to me :) This section does though. Just to be
clear, this is a full blown override, in that deleting the
corresponding value from main.cf would do nothing to the server, so
long as it exists in master.cf?

[snip...]

>> I am willing to disallow user connection to port 25. How do I do this?
>> In main.cf or master.cf? Right now, I believe I only have this:
>>
>> [snip... master.cf ]
>> smtp inet n - n - - smtpd
>>
>> I believe I need to add a restriction in there to stop clients from
>> connecting?
>
> There was a recent thread on this subject, worth reading:
> http://www.mail-archive.com/postfix-users@postfix.org/msg06230.html
Nice, thanks again, that was very telling. I will use that as a
reference on how to best set this up, I think I still have some
general questions below, as a result of my never having dealt with
SSL/TLS other than on ftp servers and SSL in the http space.

>> For port 587 submission, I want to offer SSL, TLS, and non encrypted to
>> cover the users who will not want to change their settings. I can not
>> seem to get this to work, it is either no encryption, or forced
>> encryption.
>>
>> [snip... master.cf ]
>> submission inet n - n - - smtpd
>>   -o smtpd_tls_security_level=encrypt
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated
>>   -o milter_macro_daemon_name=ORIGINATING
>
> Use:
>
>   -o smtpd_tls_security_level=may
>   -o smtpd_tls_auth_only=no
>
> I think it's normally a bad idea not to enforce TLS on the submission
> port, but if you're using a secure mechanism and want to prevent weaker
> ones, add:
>
>   -o smtpd_sasl_security_options=noanonymous,noplaintext
>   -o smtpd_sasl_tls_security_options=noanonymous
If you do not like a lack of TLS enforcement on the submission port,
what do you suggest for users who just do not care enough to use any
TLS? You let them work on port 25? I could go that route, but I am
really trying to find a way to do traffic isolation. If I know no
client connections are made on 25, from a troubleshooting perspective
alone, it seems to make things simpler on me.

My mailserver has a setting where I can disable auth on port 25.
Maybe I will do this pre-migration, which would allow me to force all
my users to change to port 25. The hobbly little server I am using
now does not offer any way for me to look and see what users are
connecting on 25 still. I think most are on 587 as a result of most
ISPs filtering 25.

Maybe a little tcpdump would get me those numbers.

>> * Do I even need the milter line?
>
> Good question. It may depend on whether or not you use milters. I don't,
> but I leave it in because I don't want issues later if I decide to
> deploy a milter.
Quick research seems to lead me to believe milter is for mail
filtering, hence the name. Since I plan to have a proxy sit in front
of my system, it should be safe to never use milter at all?

I may want to auto file IMAP email to a junk mail folder, but I
believe that would be done in dovecot, not postfix.

>> Port 465, I believe will be reserved exclusively for SSL? Port 587 does
>> the TLS, is that correct? Or is the SSL just wrapping around the TLS?
>>
>> [snip... master.cf ]
>> 465 inet n - n - - smtpd
>>   -o smtpd_tls_wrappermode=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o milter_macro_daemon_name=ORIGINATING
>
> This is for legacy support. I suggest you don't activate it until you're
> sure you need it. Wrapper mode is different from offering STARTTLS.
> Nearly all modern clients support STARTTLS. If someone absolutely needs
> port 465, that could be a red flag that the user needs an upgrade.
> However, some webmail programs might have poor support for STARTTLS,
> forcing you to enable smtps if you require an encrypted connection.
Glad you brought up webmail. I am going to use Roundcube, on the same
machine, worst case, on a close machine, in the same subnet. Since I
have the mynetworks setting set to allow mail, all should be ok? I do
not want to deal with AUTH for SMTP in webmail, it is going to be
local to local, I see no point in securing that part. Is that correct?

I am confused about your comments about 465. Reading it makes me
think that 465 is sort of a last resort option. I am not
understanding the difference between SSL and TLS. If I was setting up
an email client, and could use TLS versus SSL, my logic would be to use
SSL, it seems the better option, but I do not know why.

Are you saying SSL email is the lesser of the options, and I should
use TLS when I can?

So the ideal situation is using TLS on a non-25 submission port?

Do you know how this relates to Apple Mail? There is no setting in
the SMTP section to opt for SSL versus TLS? "Use SSL" is the only
checkbox there is. I take it if you do not select that, it will use
TLS if it can, but do so in an invisible way?

It probably is this setting that has led me down the road of thinking
SSL is better, as Apple Mail offers what appears to be no encryption,
or SSL, there is no implicit TLS setting.

Looking at Outlook settings:
http://www.math.uwaterloo.ca/mfcf/announcements/images/outlook2.png

It appears in the same case, SSL is going to be selected, as the
better way, I see no way to use TLS. Maybe I am not grokking any of
this, any brief explanation of this sure would help.

>> In Apple Mail, there are auth options of ntlm, md5 Challenge-Response,
>> Kerberos, and Password. In Thunderbird I noticed there are no such
>> options. Which are used in Thunderbird? What is the best to use, or is
>> it only applicable if you are choosing to not use SSL/TLS?
>
> Thunderbird has a "Use secure authentication" checkbox that supports
> multiple mechanisms (independent of SSL/TLS). Unfortunately, *it*
> decides which one to use, which I find very frustrating.
I am glad you brought up "Use secure authentication", what exactly
does this setting do? In Thunderbird, there is none, optional TLS,
and SSL, and then this "use secure auth" setting. That is a lot of
control, and totally unclear on what setting in postfix that secure
auth checkbox is going to run up against.

Apple Mail does not even have such a setting, so I assume it is one of
the encryption modes that kicks it in?

> I'm happy for mail clients to select the best mechanisms available for
> easy autoconfiguration, but it would be nice to have the ability to set
> them explicitly (for troubleshooting or security reasons).
>
> In any case, it's good practice to check this box if the server supports
> secure mechanisms, for a little extra protection beyond SSL/TLS.

What more do I need to do in postfix cf files to support this
setting? Any downsides as far as performance and load?

I have been pretty up and down the docs, this is somehow not making a
lot of sense. I think once I understand what crosses over in config
from main.cf and master.cf, it will make more sense.

>> postconf -n
>>
>> smtp_tls_cert_file = /opt/local/etc/ssl/certs/dovecot.pem
>> smtp_tls_key_file = /opt/local/etc/ssl/private/dovecot.pem
>
> If you're not using client certificate authentication (and you probably
> aren't), delete those lines.
Well now you threw me for a loop :) I am a small ISP, and I will buy an
emailserver.company.example.com SSL cert. As it is now, in email
clients, I get a box pop up asking me to approve my current self
signed one as a non known untrusted authority. I just select accept
always and move on.

So removing those certs above just removes the certificate trust
issue, but does not change any of the encryption methods I have going
on? In apache, I can not enable SSL, as far as I know, without a
cert. I was under the impression, if I want to offer SSL, I am going
to need those certs?

>> smtp_tls_security_level = may
>
> This is good.

Thanks. I am going through each config option and reading on each
one, trying to get to a default fallback for as many as possible, and
then understanding the rest that I have to have.
>> smtpd_recipient_restrictions = permit_mynetworks
>>     permit_sasl_authenticated reject_unauth_destination permit
>
> You can remove permit_sasl_authenticated from here if you don't want to
> offer authenticated submission on port 25...

In my context of using Dovecot, and not using the cyrus sasl thingy,
where I see mention of _sasl_ in a config line, that is in reference
to both SSL and TLS?

>> smtpd_sasl_auth_enable = yes
>
> ...and change this to no (or remove the line, as no is the default).

Thanks, I will have to look up this setting again.

>> smtpd_sasl_authenticated_header = yes
>> smtpd_sasl_exceptions_networks = $mynetworks
>> smtpd_sasl_local_domain = $myhostname
>> smtpd_sasl_path = private/auth
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_type = dovecot
>
> I'd probably leave these in main.cf, just to keep master.cf simple, but
> it's your choice. Also, you can probably drop
> smtpd_sasl_exceptions_networks, as it won't make sense if you disable
> SMTP AUTH on port 25 and require authentication on port 587.

Thanks so much for this. As a side note, there are not a lot of
people running postfix with dovecot on OS X Client. Postfix of course
is default in OS X Server. This is all a result of me trying to build
out a one command port installer for both, on OS X. I finally have it
mostly working, but want to get a "sane" set of config options that I
can point people to as a basis to start.
--
Scott * If you contact me off list replace talklists@ with scott@ *
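The two questions that run through this message, whether a master.cf `-o` line fully overrides main.cf for that service and whether port 25 or the submission port ends up offering plaintext AUTH without TLS, can be checked mechanically. The following is an added example, not code from the thread or from Postfix: it resolves the effective value of a parameter per service the way master(5) describes, then flags the weak combinations Jorey warns about. The main.cf and master.cf texts are constructed samples modelled on the quoted configs; only the `-o name=value` fields of master.cf are parsed, and unset parameters fall back to the Postfix defaults (empty or "no") for the four parameters checked.

```python
import re
# Constructed sample files, modelled on the configs quoted in the thread.
MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
465        inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""

def parse_main_cf(text):
    # "name = value" lines; comments and blanks skipped (no continuation lines)
    pairs = (l.partition("=") for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {n.strip(): v.strip() for n, _, v in pairs}

def parse_master_cf(text):
    # {"name/type": {param: value}}; indented "-o name=value" lines belong to the entry above
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if m and current:
                services[current][m.group(1)] = m.group(2)
            continue
        current = "{}/{}".format(*line.split()[:2])
        services[current] = {}
    return services

def audit(main_text, master_text):
    main, findings = parse_main_cf(main_text), []
    for svc, overrides in parse_master_cf(master_text).items():
        cfg = {**main, **overrides}  # -o override wins for that service; unset = Postfix default (empty/"no")
        if cfg.get("smtpd_sasl_auth_enable") != "yes":
            continue
        if svc == "smtp/inet":
            findings.append(f"{svc}: SMTP AUTH is offered on port 25")
        elif (cfg.get("smtpd_tls_security_level") != "encrypt" and cfg.get("smtpd_tls_wrappermode") != "yes"
              and "noplaintext" not in cfg.get("smtpd_sasl_security_options", "").split(",")):
            findings.append(f"{svc}: plaintext AUTH possible on an unencrypted session")
    return findings
```

Against a live box the same checks can be fed with the output of `postconf -n` and the real master.cf; the 465 wrapper-mode service passes because the whole session is encrypted before AUTH is offered.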