Re: Disable sending mails via telnet
Problem solved. Using smtpd_sender_login_maps and pcre with domain checking against logged user... Thanks for the help. Regards to all... Participe en Universidad 2012, del 13 al 17 de febrero de 2012. Habana, Cuba: http://www.congresouniversidad.cu Consulte la enciclopedia colaborativa cubana. http://www.ecured.cu
Re: Disable sending mails via telnet
On 10 Jan 2012, at 16:56, Dennis Carr wrote: On Tue, 10 Jan 2012, Leslie León Sinclair wrote: Can anyone point me in the right direction, I´m stucked here and Google is not helping... If you mean the act of disabling the ability of using a telnet client to connect to port 25, you're best not doing this - or, just set any session timeouts to something short to prevent manual interaction. I hope that is simply an offhand random thought and not something you've actually done. Reducing timeouts to the point where they would seriously interfere with people doing manual SMTP will almost certainly mean failing to comply with the SMTP standard and would carry a real risk of blocking legitimate mail. While it is true that most SMTP transport happens as fast as the sender can get 2xx responses, it does not always work that way. Also: when you diverge from the standard for no compelling reason you will find sympathy with any interop problems to be in short supply. -- Bill Cole
Re: Disable sending mails via telnet
Bill Cole: On 10 Jan 2012, at 16:56, Dennis Carr wrote: If you mean the act of disabling the ability of using a telnet client to connect to port 25, you're best not doing this - or, just set any session timeouts to something short to prevent manual interaction. I hope that is simply an offhand random thought and not something you've actually done. Reducing timeouts to the point where they would seriously interfere with people doing manual SMTP will almost certainly mean failing to comply with the SMTP standard and would carry a real risk of blocking legitimate mail. While it is true that most SMTP transport happens as fast as the sender can get 2xx responses, it does not always work that way. Also: when you diverge from the standard for no compelling reason you will find sympathy with any interop problems to be in short supply. By default, Postfix plays time limit games only under overload conditions. The timeout settings are: smtpd_per_record_deadline Overload: yes Normal: no smtpd_starttls_timeout Overload: 10s Normal: 300s smtpd_timeout Overload: 10s Normal: 300s The per-record deadline feature (Postfix = 2.9) changes timeout behavior from time limit per read operation to time limit per command, meaning the entire command must be received within the deadline. Wietse
Re: Disable sending mails via telnet
I´m testing a server, so I need to unable people[users], to connect via telnet[smtp.mydomain.com:25] to the mail server. 2012/1/10 Leslie León Sinclair les...@electrica.cujae.edu.cu: Can anyone point me in the right direction, I´m stucked here and Google is not helping... define telnet here, do you mean: direct connection to port 25? or an *actual* telnet session (port 23). Ildefonso. Best regards. Participe en Universidad 2012, del 13 al 17 de febrero de 2012. Habana, Cuba: http://www.congresouniversidad.cu Consulte la enciclopedia colaborativa cubana. http://www.ecured.cu Participe en Universidad 2012, del 13 al 17 de febrero de 2012. Habana, Cuba: http://www.congresouniversidad.cu Consulte la enciclopedia colaborativa cubana. http://www.ecured.cu
Re: Disable sending mails via telnet
Telnet the protocol in port 25... On Tuesday, January 10, 2012, 16:45:25, Leslie León Sinclair wrote: Can anyone point me in the right direction, I´m stucked here and Google is not helping... TELNET the Protocol or a telnet client? Participe en Universidad 2012, del 13 al 17 de febrero de 2012. Habana, Cuba: http://www.congresouniversidad.cu Consulte la enciclopedia colaborativa cubana. http://www.ecured.cu
Re: Disable sending mails via telnet
Sorry my mistake, I´m punishing myself right now, by the way I asked here in the list, but I was tired dealing with this problem. Reading yesterday´s mail now... I feel like a barbarian... It´s not gonna happen again, or at least, I will try. Good day to all... Welcome to the postfix-users mailing list. Upon subscribing, you should have received a message explaining how to ask for help, to wit: http://www.postfix.org/DEBUG_README.html#mail Participe en Universidad 2012, del 13 al 17 de febrero de 2012. Habana, Cuba: http://www.congresouniversidad.cu Consulte la enciclopedia colaborativa cubana. http://www.ecured.cu
Re: Disable sending mails via telnet
Leslie Le?n Sinclair: I?m testing a server, so I need to unable people[users], to connect via telnet[smtp.mydomain.com:25] to the mail server. So it is OK if they connect to your server with netcat, openssl s_client, any script written in Perl, Python, PHP, Javascript, with a real email client, with a botnet zombie, and so on? Wietse
Re: Disable sending mails via telnet
[ top-posting fixed, please do not do that here ] On Wednesday 11 January 2012 07:23:46 Leslie León Sinclair wrote: On Tuesday, January 10, 2012, 16:45:25, Leslie León Sinclair wrote: Can anyone point me in the right direction, I´m stucked here and Google is not helping... TELNET the Protocol or a telnet client? Telnet the protocol in port 25... Google is not helping because apparently you do not know what you are asking, nor have you yet understood the other posts in this thread. People can use telnet(1), the application, as a simple TCP text client. That application can connect directly to a SMTP server. If the user knows how to speak SMTP, the user can send mail. Postfix does not implement a telnetd(8) server. That would be an example of telnet the protocol. There is NO difference between a person using telnet(1) to speak SMTP or using any other mail client to speak SMTP. (Again, offer void where taxed or prohibited, or if the person does not understand SMTP adequately.) TCP is TCP. What you are asking is not possible. Perhaps you should consider why you think this goal is desirable or important. It is generally far harder to manually speak SMTP to a server than it is to configure a mail client. I use Kmail or mutt(1), myself. -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: Disable sending mails via telnet
First: I apology bellow about my yesterday´s behavior. My issue: I have a postfix[Debian] server, and it´s working nice, but I need to block people to send mails via telnet[telnet mydomain.com 25], everything is working nice and shiny, error/warning logs are empty, dovecot logging normal, no error so far, but still the issue. Now: I will do a VM with the same config and will test, on other machine, to see some changes in SASL and stuff related and later I post my results with main.cf included. Until then, please do not replys to my mails, I´ll be out for a while... Best regards... Sorry my mistake, I´m punishing myself right now, by the way I asked here in the list, but I was tired dealing with this problem. Reading yesterday´s mail now... I feel like a barbarian... It´s not gonna happen again, or at least, I will try. Good day to all... Participe en Universidad 2012, del 13 al 17 de febrero de 2012. Habana, Cuba: http://www.congresouniversidad.cu Consulte la enciclopedia colaborativa cubana. http://www.ecured.cu
RE: Disable sending mails via telnet
Just an idea, feel free to correct me. Is there some way within Postfix to implement a timeout on the SMTP conversation? Obviously a user typing HELO, MAIL FROM, RCPT TO etc will be a lot slower than a conversation between two computers. Of course this could break something else, like I said, just an idea. Kind Regards, James Day (IT Engineer) Ontraq Limited Tel: 01245 265100 Fax: 01245 265700 Web: www.ontraq.com -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Leslie León Sinclair Sent: 11 January 2012 13:49 To: postfix-users@postfix.org Subject: Re: Disable sending mails via telnet First: I apology bellow about my yesterday´s behavior. My issue: I have a postfix[Debian] server, and it´s working nice, but I need to block people to send mails via telnet[telnet mydomain.com 25], everything is working nice and shiny, error/warning logs are empty, dovecot logging normal, no error so far, but still the issue. Now: I will do a VM with the same config and will test, on other machine, to see some changes in SASL and stuff related and later I post my results with main.cf included. Until then, please do not replys to my mails, I´ll be out for a while... Best regards... Sorry my mistake, I´m punishing myself right now, by the way I asked here in the list, but I was tired dealing with this problem. Reading yesterday´s mail now... I feel like a barbarian... It´s not gonna happen again, or at least, I will try. Good day to all... Participe en Universidad 2012, del 13 al 17 de febrero de 2012. Habana, Cuba: http://www.congresouniversidad.cu Consulte la enciclopedia colaborativa cubana. http://www.ecured.cu
Re: Disable sending mails via telnet
On Wednesday, January 11, 2012, 08:58:40, James Day wrote: Just an idea, feel free to correct me. Is there some way within Postfix to implement a timeout on the SMTP conversation? there are numerous mumble_timeout parameters. Obviously a user typing HELO, MAIL FROM, RCPT TO etc will be a lot slower than a conversation between two computers. Of course this could break something else, like I said, just an idea. The suggested (i.e. SHOULD) SMTP timeouts are given in minutes. No human typing the commands is going to have any difficulty. -- r...@polylogics.com The avalanche has already started, it is too Rod Dorman late for the pebbles to vote. - Ambassador Kosh
Re: Disable sending mails via telnet
On Wed, 11 Jan 2012, Rod Dorman wrote: The suggested (i.e. SHOULD) SMTP timeouts are given in minutes. No human typing the commands is going to have any difficulty. Never underestimate the power (or lack thereof) of a hunt-and-pecker unfamiliar with coputers tasked with doing this. =) -Dennis
Re: Disable sending mails via telnet
On Wed, 11 Jan 2012, Leslie León Sinclair wrote: I´m testing a server, so I need to unable people[users], to connect via telnet[smtp.mydomain.com:25] to the mail server. If you're testing it, your best bet is to either a) bring it up as long as you need to test it, and then shut it down when you don't (ONLY for the purpose of testing), or b) set configuration to only allow mail from localhost - so this way, a user on the machine the server resides on could, in theory, type 'telnet localhost 25', but this assumes that the telnet client is installed thereon Keep in mind, though, that there are people who keep the telnet client on machines that you don't have control of - and in my case, I keep it around to debug occasionally. You won't have control fo those machines, and direct telnet into a SMTP server is really not a security hole. -Dennis
Disable sending mails via telnet
Can anyone point me in the right direction, I´m stucked here and Google is not helping... Best regards. Participe en Universidad 2012, del 13 al 17 de febrero de 2012. Habana, Cuba: http://www.congresouniversidad.cu Consulte la enciclopedia colaborativa cubana. http://www.ecured.cu
Re: Disable sending mails via telnet
2012/1/10 Leslie León Sinclair les...@electrica.cujae.edu.cu: Can anyone point me in the right direction, I´m stucked here and Google is not helping... define telnet here, do you mean: direct connection to port 25? or an *actual* telnet session (port 23). Ildefonso. Best regards. Participe en Universidad 2012, del 13 al 17 de febrero de 2012. Habana, Cuba: http://www.congresouniversidad.cu Consulte la enciclopedia colaborativa cubana. http://www.ecured.cu
Re: Disable sending mails via telnet
On Tue, 10 Jan 2012, Leslie León Sinclair wrote: Can anyone point me in the right direction, I´m stucked here and Google is not helping... If you mean the act of disabling the ability of using a telnet client to connect to port 25, you're best not doing this - or, just set any session timeouts to something short to prevent manual interaction. If you mean disabling the ability to send email while logged in using telnet then your best bet is to disable telnet and use ssh instead. -Dennis
Re: Disable sending mails via telnet
On Tuesday, January 10, 2012, 16:45:25, Leslie León Sinclair wrote: Can anyone point me in the right direction, I´m stucked here and Google is not helping... TELNET the Protocol or a telnet client? -- r...@polylogics.com The avalanche has already started, it is too Rod Dorman late for the pebbles to vote. - Ambassador Kosh
Re: Disable sending mails via telnet
On 01/10/2012 10:45 PM, Leslie León Sinclair wrote: Can anyone point me in the right direction, I´m stucked here and Google is not helping... Best regards. Participe en Universidad 2012, del 13 al 17 de febrero de 2012. Habana, Cuba: http://www.congresouniversidad.cu Consulte la enciclopedia colaborativa cubana. http://www.ecured.cu Welcome to the postfix-users mailing list. Upon subscribing, you should have received a message explaining how to ask for help, to wit: http://www.postfix.org/DEBUG_README.html#mail -- J.
Re: Disable sending mails via telnet
Am 11.01.2012 00:53, schrieb Jeroen Geilman: On 01/10/2012 10:45 PM, Leslie León Sinclair wrote: Can anyone point me in the right direction, I´m stucked here and Google is not helping... Best regards. Participe en Universidad 2012, del 13 al 17 de febrero de 2012. Habana, Cuba: http://www.congresouniversidad.cu Consulte la enciclopedia colaborativa cubana. http://www.ecured.cu Welcome to the postfix-users mailing list. Upon subscribing, you should have received a message explaining how to ask for help, to wit: http://www.postfix.org/DEBUG_README.html#mail nice, but do you really think this page is matching for every question people have? signature.asc Description: OpenPGP digital signature
Re: Disable sending mails via telnet
On 01/11/2012 01:10 AM, Reindl Harald wrote: Am 11.01.2012 00:53, schrieb Jeroen Geilman: On 01/10/2012 10:45 PM, Leslie León Sinclair wrote: Can anyone point me in the right direction, I´m stucked here and Google is not helping... Best regards. Participe en Universidad 2012, del 13 al 17 de febrero de 2012. Habana, Cuba: http://www.congresouniversidad.cu Consulte la enciclopedia colaborativa cubana. http://www.ecured.cu Welcome to the postfix-users mailing list. Upon subscribing, you should have received a message explaining how to ask for help, to wit: http://www.postfix.org/DEBUG_README.html#mail nice, but do you really think this page is matching for every question people have? I did not say that. At the very least, it indicates that questions should contain as much information as you can provide. The OP did not contain a lot to go on. -- J.
Re: Disable sending mails via telnet
On Wed, 11 Jan 2012 01:10:56 +0100 Reindl Harald articulated: Upon subscribing, you should have received a message explaining how to ask for help, to wit: http://www.postfix.org/DEBUG_README.html#mail nice, but do you really think this page is matching for every question people have? It is the prescribed method to use by the author of Postfix; therefore, it would seem like a logical place to start. In any case, following the directions posted there would certainly not make solving the problem any harder, especially considering if you knew exactly what the problem was, the cause not the effect, you would not be asking the question to begin with. Just my 2¢. -- Jerry ✌ postfix-u...@seibercom.net _ TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html signature.asc Description: PGP signature
Re: Disable sending mails via telnet
Am 11.01.2012 01:26, schrieb Jeroen Geilman: On 01/11/2012 01:10 AM, Reindl Harald wrote: Am 11.01.2012 00:53, schrieb Jeroen Geilman: On 01/10/2012 10:45 PM, Leslie León Sinclair wrote: Can anyone point me in the right direction, I´m stucked here and Google is not helping... Best regards. Participe en Universidad 2012, del 13 al 17 de febrero de 2012. Habana, Cuba: http://www.congresouniversidad.cu Consulte la enciclopedia colaborativa cubana. http://www.ecured.cu Welcome to the postfix-users mailing list. Upon subscribing, you should have received a message explaining how to ask for help, to wit: http://www.postfix.org/DEBUG_README.html#mail nice, but do you really think this page is matching for every question people have? I did not say that. At the very least, it indicates that questions should contain as much information as you can provide The OP did not contain a lot to go on for disable sending mails via telnet you will not find anything on the DEBUG-README and finally the OP has proved enough information to say: * he do not understand how smtp works * telnet does nothing other than any client so NO you can not disable sending mails with telnet except force using TLS signature.asc Description: OpenPGP digital signature
Re: Disable sending mails via telnet
Am 11.01.2012 02:51, schrieb Jose Ildefonso Camargo Tolosa: for disable sending mails via telnet you will not find anything on the DEBUG-README and finally the OP has proved enough information to say: * he do not understand how smtp works * telnet does nothing other than any client so NO you can not disable sending mails with telnet except force using TLS TLS?... I would say: authentication (although TLS is good while using auth). Even with TLS, if you are an open relay, you are an open relay (also, forcing TLS will likely avoid you getting mails from some sites that doesn't support TLS for smtp). who speaks about an open relay? i answered how to prevent using a telnet client for smtp forcing the server only allow encrypted communication will stop telnet youserver 25 and typing a mail i did never say that this makes sense but it is the answer to the question of this thread But, here we are assuming telnet to port 25, what if he/she means remote session, that'd be another issue. so what do you do after telnet to port 25 if the server does not allow send unencypted messages - exactly: nothing problem of the OP solved that he can no longer act as MX properly is another story signature.asc Description: OpenPGP digital signature
Re: Disable sending mails via telnet
On 11/01/12 14:57, Reindl Harald wrote: problem of the OP solved that he can no longer act as MX properly is another story ...and the fact that openssh s_client gets around that block makes your answer completely useless, even though it may be technically correct. The correct answer is that you cannot block telnet access to port 25 without also blocking incoming emails from other MTAs, and so you should not try. Peter
Re: Disable sending mails via telnet
Am 11.01.2012 03:04, schrieb Peter: On 11/01/12 14:57, Reindl Harald wrote: problem of the OP solved that he can no longer act as MX properly is another story ...and the fact that openssh s_client gets around that block makes your answer completely useless, even though it may be technically correct. The correct answer is that you cannot block telnet access to port 25 without also blocking incoming emails from other MTAs, and so you should not try. and you did notice my first reply? did you? for disable sending mails via telnet you will not find anything on the DEBUG-README and finally the OP has proved enough information to say: * he do not understand how smtp works * telnet does nothing other than any client signature.asc Description: OpenPGP digital signature