relay from authenticated users only

2019-07-02 Thread Selmeci Tamás
Hello!

I run a simple OpenSMTPD mail server for my own domain on my custom
Linux machine. The mail server should dispatch mails for @486.hu
addresses locally on the machine. If the recipient is not in the 486.hu
domain, it must use my ISP's smarthost to relay.

I've successfully managed to create a simple config file to handle
these. Unfortunately, relaying is configured so badly that external
"visitors" without SMTP authentication can send mails (spam, actually)
using my OpenSMTPD instance (which happily sends out the mails using my
ISP's smarthost, which uses TLS encryption and authentication).

I'd like to change somehow the config to let authenticated users only
use my OpenSMTPD as a relay. Authentication should be based on the
machine's local user and password table (/etc/passwd).

I tried "listen on ... auth ..." but it complained about the lack of
TLS/smtps.

I also tried "accept authenticated ..." without any use (and I believe
this is not exactly meant for what I want).

Tried "reject ! authenticated ..." without any success.

Please help me to assemble a correct config file. I want all SMTP
accesses to be rejected if authentication fails against the
machine's local user/password table. It shouldn't be possible to use my
machine as a relay without successful authentication...

Thanks, regards,

-
/etc/smtpd/smtpd.conf:

table cred file:/etc/smtpd/cred

listen on eth0  port 25 hostname mail.486.hu
listen on localhost port 25 hostname mail.486.hu

# Storing mails arriving at the domain '486.hu'.
accept from any for domain 486.hu deliver to mbox

# If the recipient is out of domain '486.hu', the mail is relayed through the
# smarthost using TLS and authentication, see 'cred' file.
accept from any for ! domain 486.hu relay via \
    tls+auth://t-onl...@mail.t-online.hu auth <cred>

-
/etc/smtpd/cred (for smarthost authentication):

t-onlineusern...@t-online.hu:VERY_SECURE_PASSWORD

-- 
Selmeci Tamás
http://www.486.hu/

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: relay from authenticated users only

2019-07-02 Thread Selmeci Tamás
On Tue, 2 Jul 2019 19:53:03 +0200 Thomas Bohl wrote:

> > I tried "listen on ... auth ..." but it complained about the lack of
> > TLS/smtps.
> 
> That is because you can't use authentication without encryption. Best 
> you start looking into Let’s Encrypt. Though you could start with a 
> self-signed certificate. Like it is shown in man smtpd.conf

I thought SMTP can be used with plain text authentication too, although
it's far from secure. Maybe OpenSMTPD doesn't support this? (due to
security reasons...?)

> > accept from any for ! domain 486.hu relay via \
> >     tls+auth://t-onl...@mail.t-online.hu auth <cred>
> 
> accept from local for any relay via \
>   tls+auth://t-onl...@mail.t-online.hu auth <cred>
> 
> 
> That should stop the visitors for now.

Yeah, but I can't send mails from my domain to other than 486.hu...
-- 
Selmeci Tamás
http://www.486.hu/




Re: relay from authenticated users only

2019-07-02 Thread Selmeci Tamás
Somebody suggested that I have a look at OpenSMTPD-extras. It contains
table-passwd. I've got an idea. What if I wrote a custom module that
would be called by OpenSMTPD upon authentication, like table-passwd?
(table-passwd requires another file to store credentials in, and I
insist on using /etc/passwd only.)

The only question is that is it possible to perform this kind of
authentication in plain text? In other words, will OpenSMTPD call my
module if plain text authentication is tried by the client? (I don't
have enough capacity now to play with self-signed certificates, TLS
etc) Yes, I know, there are security concerns... But technically, is it
possible with OpenSMTPD?
-- 
Selmeci Tamás
http://www.486.hu/




Re: relay from authenticated users only

2019-07-03 Thread Selmeci Tamás
On Wed, 3 Jul 2019 10:22:48 +0200 Gilles Chehade wrote:

> i don't know what version you are using, what system you are using, if a
> package was used or if you built yourself, etc... so i'll just guess the
> configure options used to build opensmtpd were not correct if auth isn't
> using your system users out of the box.

OpenSMTPD-6.0.3p1 compiled by me, self-made embedded Linux distribution
(kernel 4.18.9) on an Itead-A20 ARM board. I believe auth
uses /etc/passwd as it should, but not for plain text attempts.

> no, OpenSMTPD will not advertise AUTH over plaintext channels.
> 
> it is not an SMTP limitation, it is a decision we made years ago and you
> will not have a work-around for this.

That's the answer to my question. So there's no easy way for me to
force plain text auth with OpenSMTPD. I'll consider setting up at least
self-signed certificates etc.

Regards,
-- 
Selmeci Tamás
http://www.486.hu/




forcing SMTP authentication

2019-08-20 Thread Selmeci Tamás
Hello!

In brief: STARTTLS is enabled, there is a self-signed certificate for
encryption (better than nothing), smarthost is used to send mails from
my domain. My problem is that it still accepts SMTP connections (over
TLS) without authentication. What I want:
- anybody can send email to my email address in my domain (now it's
working);
- relaying through my SMTP server is allowed only after successful
authentication (now anybody can relay through my server without
authentication, e.g. to send spam). Authentication should be based on
regular /etc/passwd file (local users of the computer). In order to
hide the passwords, STARTTLS should be used;

It's a rather simple configuration, but I wasn't able to set it up. If
I put 'auth' into the 'listen on' line, it needs authentication to any
access of the SMTP server, so other machines (e.g. from google.com)
can't send me mails. Using 'authenticated' in 'accept from' directives
also didn't do the trick appropriately (it wasn't able to receive any
mails at all).

Could you please help me out with this?

Thanks, regards,
---
pki mail.486.hu certificate "/etc/smtpd/mail.486.hu.crt"
pki mail.486.hu key "/etc/smtpd/mail.486.hu.key"

table cred file:/etc/smtpd/cred

listen on eth0  port 25 hostname mail.486.hu tls-require
listen on localhost port 25 hostname mail.486.hu tls-require

# Storing mails arriving at the domain '486.hu'.
accept from any for domain 486.hu deliver to mbox

# If the recipient is out of domain '486.hu', the mail is relayed through the
# smarthost using TLS and authentication, see 'cred' file.
accept from any for ! domain 486.hu relay via \
    tls+auth://t-onl...@mail.t-online.hu auth <cred>



Re: forcing SMTP authentication

2019-08-20 Thread Selmeci Tamás
On Wed, 21 Aug 2019 08:19:24 +0200 Martijn van Duren wrote:

> From smtpd.conf(5):
> 
>  auth-optional [<authtable>]
>  Support SMTPAUTH optionally: clients need not
>  authenticate, but may do so.  This allows a listen on
>  directive to both accept incoming mail from untrusted
>  senders and permit outgoing mail from authenticated users
>  (using match auth).  It can be used in situations where
>  it is not possible to listen on a separate port (usually
>  the submission port, 587) for users to authenticate.

Sounds good, but unauthenticated relaying still works with this...
-- 
Selmeci Tamás
http://www.486.hu/



Re: forcing SMTP authentication

2019-08-21 Thread Selmeci Tamás
On Wed, 21 Aug 2019 06:50:05 + Lévai, Dániel wrote:

> No it doesn't, that's the whole point...

Very strange.

Currently I'm in the office, the mail server is at home. I tried with
two mail clients (sylpheed, Evolution) with a fake account to use the
mail server without authentication to send email to my gmail address,
and it worked all the time.

Maybe something went wrong during ./configure?

The /var/log/messages logs are attached in a file.

Regards,
-- 
Selmeci Tamás
Aug 21 09:11:37 486 mail.info smtpd[13132]: 242a473f710cb686 smtp event=connected address=217.150.134.30 host=217.150.134.30
Aug 21 09:11:38 486 mail.info smtpd[13132]: 242a473f710cb686 smtp event=starttls address=217.150.134.30 host=217.150.134.30 ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
Aug 21 09:11:38 486 mail.info smtpd[13132]: 242a473f710cb686 smtp event=message address=217.150.134.30 host=217.150.134.30 msgid=4ece59a6 from= to= size=502 ndest=1 proto=ESMTP
Aug 21 09:11:38 486 mail.info smtpd[13132]: 242a4742bfc88a7f mta event=connecting address=tls://84.2.46.3:25 host=mail.t-online.hu
Aug 21 09:11:38 486 mail.info smtpd[13132]: 242a473f710cb686 smtp event=closed address=217.150.134.30 host=217.150.134.30 reason=quit
Aug 21 09:11:38 486 mail.info smtpd[13132]: 242a4742bfc88a7f mta event=connected
Aug 21 09:11:38 486 mail.info smtpd[13132]: 242a4742bfc88a7f mta event=starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
Aug 21 09:11:38 486 mail.err smtpd[13131]: warn: unable to load CA file /etc/ssl/cert.pem: No such file or directory
Aug 21 09:11:38 486 mail.info smtpd[13132]: smtp-out: Server certificate verification failed on session 242a4742bfc88a7f
Aug 21 09:11:39 486 mail.info smtpd[13132]: 242a4742bfc88a7f mta event=delivery evpid=4ece59a66756afe7 from= to= rcpt=<-> source="192.168.1.153" relay="84.2.46.3 (mail.t-online.hu)" delay=1s result="Ok" stat="250 2.0.0 Ok: queued as
Aug 21 09:11:42 486 mail.info smtpd[13132]: 242a474391a6416d smtp event=connected address=209.85.210.43 host=mail-ot1-f43.google.com
Aug 21 09:11:43 486 mail.info smtpd[13132]: 242a474391a6416d smtp event=starttls address=209.85.210.43 host=mail-ot1-f43.google.com ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
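The manual test in the message above (two mail clients, a fake account, no authentication, an external recipient) is exactly what an open-relay probe does, and it can be scripted. The following is an added example, not code from this thread or from OpenSMTPD: probe_relay runs the SMTP exchange EHLO, STARTTLS if the server offers it, MAIL FROM and RCPT TO for an address outside the local domain, never sends DATA, and returns the RCPT reply code. 250 means the server agreed to relay for an unauthenticated client; a 5xx reply means it refused. So that the block runs offline it also contains a constructed fake SMTP server bound to 127.0.0.1 that plays two roles: one accepting every recipient, like the misconfigured server in this thread, and one refusing recipients outside 486.hu. The hostnames, addresses and the "486.hu" local domain in the fake server are placeholders taken from the thread, not live hosts. Probe only servers you are responsible for.

```python
"""Open-relay probe for an SMTP server, with a constructed fake server to
run it against offline.  Added example for this thread, not OpenSMTPD code."""
import smtplib
import socketserver
import threading


def probe_relay(host, port, mail_from, rcpt_to, timeout=10):
    """Run EHLO, STARTTLS if offered, MAIL FROM and RCPT TO without AUTH and
    return the RCPT reply code.  250 means the server will relay for an
    unauthenticated client; 5xx means it refused.  No message is queued."""
    with smtplib.SMTP(host, port, local_hostname="probe.example",
                      timeout=timeout) as s:
        s.ehlo()
        if s.has_extn("starttls"):
            # smtplib's default context does not verify the certificate,
            # which is acceptable when probing your own self-signed host.
            s.starttls()
            s.ehlo()
        code, _ = s.mail(mail_from)
        if code != 250:
            return code
        code, _ = s.rcpt(rcpt_to)
        s.rset()                    # abandon the transaction before DATA
        return code


class FakeSMTP(socketserver.StreamRequestHandler):
    """Minimal constructed SMTP responder.  open_relay=True accepts every
    recipient (the misconfigured server in this thread); False accepts only
    recipients in local_domain, as a correctly restricted relay rule would."""
    open_relay = True
    local_domain = "486.hu"        # placeholder domain from the thread

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 fake.486.hu ESMTP (constructed test server)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("EHLO", "HELO"):
                self.reply("250 fake.486.hu")     # no extensions: no STARTTLS, no AUTH
            elif cmd == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif cmd == "RCPT":
                addr = arg.partition(":")[2].strip().strip("<>").lower()
                if self.open_relay or addr.endswith("@" + self.local_domain):
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply("550 5.7.1 Relaying denied")
            elif cmd in ("RSET", "NOOP"):
                self.reply("250 2.0.0 Ok")
            elif cmd == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


def start_fake_server(open_relay):
    """Start a FakeSMTP on a free loopback port; returns (server, port)."""
    handler = type("Handler", (FakeSMTP,), {"open_relay": open_relay})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def run_demo():
    """Probe both fake servers; returns the RCPT reply code per scenario."""
    cases = (("open-relay, external rcpt", True, "victim@example.org"),
             ("restricted, external rcpt", False, "victim@example.org"),
             ("restricted, local rcpt", False, "user@486.hu"))
    results = {}
    for label, open_relay, rcpt in cases:
        srv, port = start_fake_server(open_relay)
        try:
            results[label] = probe_relay("127.0.0.1", port,
                                         "probe@example.net", rcpt)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, code in run_demo().items():
        verdict = "OPEN RELAY" if code == 250 and "external" in label else "ok"
        print(f"{label}: RCPT -> {code} {verdict}")
```

Against a real host, call probe_relay("mail.example", 25, "probe@example.net", "you@some-other-domain.example") from a machine outside the server's network; the probe stops at RCPT, so nothing is delivered even when the server says 250.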


Re: forcing SMTP authentication

2019-08-21 Thread Selmeci Tamás
> That last rule is essentially "accept from any for (pretty much) any" so
> you have created an open relay.
> 
> Replace the "from any" with "from local" so the rule reads as:
> 
>    accept from local for ! domain 486.hu relay via \
>        tls+auth://t-onl...@mail.t-online.hu auth <cred>
> 
> This should be much better.

Thanks, this did the trick! :)

I thought when it comes to relaying, "auth-optional" ensures that
authentication is already done and the relaying rule is processed
according to this.

Regards,
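The two mistakes worked through in this thread are both visible in the configuration text itself: a relay rule sourced "from any" is an open relay no matter what the listener says (auth-optional only lets clients authenticate, it does not gate rules), and a "listen on" line cannot ask for AUTH without tls, tls-require or smtps, because smtpd never offers AUTH on a plaintext channel. The following is an added example, not code from this thread or from OpenSMTPD: a small Python checker for the pre-6.4 "accept" grammar used here (OpenSMTPD 6.0.3p1) that flags exactly those two mistakes. It is run over three constructed configurations modelled on the ones posted above (the July listener with "auth" and no TLS, the August open relay, and the final "from local" version); the smarthost user name is a placeholder, the "<cred>" table name is taken from the posted config, and the checker only understands the "listen on" and "accept" keywords that occur in the thread. It is not a full smtpd.conf parser; a "match" rule (6.4+ grammar) is reported as unchecked.

```python
"""Static check of an OpenSMTPD smtpd.conf in the pre-6.4 'accept' grammar.

Added example for this thread, not OpenSMTPD code.  It flags the two
mistakes discussed above: a relay rule sourced 'from any' (open relay),
and a listener asking for SMTP AUTH without TLS, which smtpd rejects
because AUTH is never offered on a plaintext channel.
"""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

TLS_WORDS = ("tls", "tls-require", "smtps", "secure")


@dataclass
class Finding:
    lineno: int       # 0 for whole-file notes
    severity: str     # CRITICAL, ERROR or NOTE
    message: str


def logical_lines(text: str) -> Iterator[Tuple[int, List[str]]]:
    """Yield (first line number, tokens) with '#' comments removed and
    trailing-backslash continuations joined, as smtpd.conf allows."""
    buf: List[str] = []
    start = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        tokens = " ".join(buf).split()
        buf = []
        if tokens:
            yield start, tokens


def check_listen(lineno: int, tok: List[str]) -> List[Finding]:
    """A listener with auth/auth-optional must also carry a TLS keyword."""
    wants_auth = "auth" in tok or "auth-optional" in tok
    if wants_auth and not any(w in tok for w in TLS_WORDS):
        return [Finding(lineno, "ERROR",
                        "listener asks for SMTP AUTH without tls/tls-require/"
                        "smtps; smtpd will not offer AUTH over plaintext")]
    return []


def check_accept(lineno: int, tok: List[str]) -> List[Finding]:
    """A relay rule whose source is 'any' and whose destination is not a
    positive domain restriction lets every remote client relay."""
    if "relay" not in tok:
        return []                       # deliver-to rules cannot relay
    source = "local"                    # 'from' omitted means 'from local'
    if "from" in tok:
        source = tok[tok.index("from") + 1]
    dest = tok[tok.index("for") + 1:] if "for" in tok else ["any"]
    restricted = bool(dest) and dest[0] in ("domain", "local")
    if source == "any" and not restricted:
        desc = " ".join(dest[:dest.index("relay")]) if "relay" in dest else " ".join(dest)
        return [Finding(lineno, "CRITICAL",
                        "open relay: 'from any' with a relay action for '%s' "
                        "lets unauthenticated clients relay anywhere" % desc)]
    return []


def lint(conf: str) -> List[Finding]:
    findings: List[Finding] = []
    optional_auth = False
    for lineno, tok in logical_lines(conf):
        if tok[0] == "listen":
            findings += check_listen(lineno, tok)
            optional_auth = optional_auth or "auth-optional" in tok
        elif tok[0] == "accept":
            findings += check_accept(lineno, tok)
        elif tok[0] == "match":
            findings.append(Finding(lineno, "NOTE",
                                    "6.4+ 'match' grammar is not checked here"))
    if optional_auth and any(f.severity == "CRITICAL" for f in findings):
        findings.append(Finding(0, "NOTE",
                                "auth-optional only lets clients authenticate; it "
                                "does not make 'from any' relay rules require it"))
    return findings


# Constructed samples modelled on the configurations posted in this thread.
# The smarthost user name is a placeholder.
JULY_CONF = """\
table cred file:/etc/smtpd/cred
listen on eth0 port 25 hostname mail.486.hu auth
accept from any for domain 486.hu deliver to mbox
"""

AUGUST_CONF = r"""pki mail.486.hu certificate "/etc/smtpd/mail.486.hu.crt"
pki mail.486.hu key "/etc/smtpd/mail.486.hu.key"
table cred file:/etc/smtpd/cred

listen on eth0 port 25 hostname mail.486.hu tls-require auth-optional
listen on localhost port 25 hostname mail.486.hu tls-require

# Storing mails arriving at the domain '486.hu'.
accept from any for domain 486.hu deliver to mbox
# 'from any' on a relay rule: every remote client may use the smarthost.
accept from any for ! domain 486.hu relay via \
    tls+auth://user@mail.t-online.hu auth <cred>
"""

# The fix from the thread: restrict the relay rule's source.
FIXED_CONF = AUGUST_CONF.replace("accept from any for ! domain",
                                 "accept from local for ! domain")

if __name__ == "__main__":
    for name, conf in (("july", JULY_CONF), ("august", AUGUST_CONF), ("fixed", FIXED_CONF)):
        print(name, [(f.lineno, f.severity, f.message) for f in lint(conf)] or "clean")
```

The check is deliberately about the rule set rather than the listener, because that is where the thread's misunderstanding was: the listener's auth keywords decide whether a client may authenticate, while each accept rule decides on its own who it matches.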