----- Message from Viktor Dukhovni <postfix-us...@dukhovni.org> ---------
    Date: Thu, 27 Apr 2017 15:07:02 +0000
    From: Viktor Dukhovni <postfix-us...@dukhovni.org>
Reply-To: postfix-users@postfix.org
 Subject: Re: SASL auth only on port 25
      To: postfix-users@postfix.org


On Thu, Apr 27, 2017 at 11:51:06PM +1000, Simon Wilson wrote:

1. At the moment when a bot knocks on the postfix server I see
postfix/smtpd[pid] etc. in maillog: can that message show if the knock is on
port 25 or 587?

Sufficiently new versions of the stock Postfix master.cf file have:

    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    # ...

You would use that, but I believe this requires Postfix 2.4 or
later, as in 2.3 the master.cf option overrides take place after
logging is already configured, and this setting has no effect.

2. Is my config correct for my desired outcome (below)?

extract from master.cf:

# std port for incoming port 25. No SASL auth allowed
# smtpd_sasl_auth_enable=no is default, but left here for clarity
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=no

Looks fine.


# submission port
submission inet n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

In the stock Postfix 3.3-dev master.cf (commented out) submission
entry, we have:

    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_auth_only=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Most of these are applicable to a large range of releases, likely
including what ships with your newer O/S.

smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem

An empty CAfile for the SMTP server typically works better.  After
all you're not (and typically SHOULD NOT be) requesting client certs.
Just make sure your cert file contains a complete chain, not just
the leaf certificate.

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s

Looks fine.  The last setting is unnecessary.

--
        Viktor.


----- End message from Viktor Dukhovni <postfix-us...@dukhovni.org> -----

Lots of great information in there, thanks Viktor. Shame about the logfile entry only being in 2.4 and later, but I'm really only 'fixing' this old box prior to going live on the new box and understanding what it does, so that will work fine on the new Postfix config.

Thanks all for responses.
Simon


--
Simon Wilson
M: 0400 12 11 16
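The outcome discussed in the thread (no SASL AUTH on the port 25 "smtp" service, AUTH only on "submission" with TLS enforced, and a separate syslog_name on submission so maillog shows which port a bot knocked on) can be checked mechanically. The script below is an added example, not code from the thread or from the Postfix project; it parses the stock master.cf layout (an unindented service line followed by indented `-o key=value` lines) with awk and reports each check that fails. The two embedded master.cf fragments are constructed for the example, modelled on the entries quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Postfix master.cf for the
# "SASL only on submission, never on port 25" policy. Assumes the stock
# master.cf layout: "name type private unpriv chroot wakeup maxproc command"
# lines followed by indented "-o key=value" override lines.

# Constructed sample master.cf that matches the intended policy.
GOOD_MASTER_CF='# std port for incoming port 25. No SASL auth allowed
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=no
# submission port
submission inet n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    unix  n       -       n       60      1       pickup'

# Constructed counter-example: AUTH enabled on port 25 by mistake, and
# submission accepting AUTH without requiring TLS first.
BAD_MASTER_CF='smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
submission inet n       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes'

# master_override SERVICE PARAM
# Print the value of "-o PARAM=value" under SERVICE in the master.cf read
# from standard input; print nothing if that override is absent.
master_override() {
    awk -v svc="$1" -v key="$2" '
        /^[ \t]*#/ { next }                 # skip comment lines
        NF == 0    { next }                 # skip blank lines
        /^[^ \t]/  { cur = $1; next }       # unindented line starts a service
        cur == svc && $1 == "-o" {
            eq = index($2, "=")
            if (eq > 0 && substr($2, 1, eq - 1) == key)
                print substr($2, eq + 1)
        }'
}

# audit_master_cf
# Read a master.cf on standard input and print every failed check.
# Returns 0 when the policy holds, 1 otherwise.
audit_master_cf() {
    cf=$(cat)
    rc=0

    # 1. Port 25 must not offer AUTH ("no" is the default, so unset is fine).
    v=$(printf '%s\n' "$cf" | master_override smtp smtpd_sasl_auth_enable)
    if [ "$v" = "yes" ]; then
        echo "FAIL: smtp (port 25) sets smtpd_sasl_auth_enable=yes"; rc=1
    fi

    # 2. Submission must enable AUTH ...
    v=$(printf '%s\n' "$cf" | master_override submission smtpd_sasl_auth_enable)
    if [ "$v" != "yes" ]; then
        echo "FAIL: submission does not set smtpd_sasl_auth_enable=yes"; rc=1
    fi

    # 3. ... and must require TLS, so credentials are never sent in clear.
    v=$(printf '%s\n' "$cf" | master_override submission smtpd_tls_security_level)
    if [ "$v" != "encrypt" ]; then
        echo "FAIL: submission does not set smtpd_tls_security_level=encrypt"; rc=1
    fi

    # 4. Submission should log under its own name (honoured on Postfix 2.4
    #    and later, per the thread) so knocks on 25 and 587 can be told apart.
    v=$(printf '%s\n' "$cf" | master_override submission syslog_name)
    if [ -z "$v" ]; then
        echo "WARN: submission has no syslog_name override; smtpd log lines"
        echo "      from port 25 and port 587 will look identical in maillog"
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: master.cf matches the intended SASL/TLS policy"
    fi
    return "$rc"
}

# Usage on a live system: audit_master_cf < /etc/postfix/master.cf
```

The fourth check is only a warning because, as the thread notes, the syslog_name override is ignored on Postfix 2.3 and simply leaves the two services indistinguishable in the log; the first three checks are the ones that decide whether passwords can be offered to, or accepted by, the wrong port.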
