Request For Port 587

2011-08-18 Thread Carlos Mennens
Today I received a ticket for altering the way my Postfix server
handles mail and I don't understand it. The ticket / request is pasted
below:

**
According to RFC 4409 client mail submission to an email server is
supposed to use port 587.
Server to server SMTP relays are to use port 25.
When I am not at the office, I can't email via my work (Postfix)
account via my iphone or my residential internet because my ISP(s)
filter port 25 to only allow traffic to and from their mail servers.
They do however allow 587 anywhere per RFC 4409.
Additionally I can't email to the IDE with my gmail account, this is
becoming a real pain in the ass when I need to send emails with
attachments.
Just to send this email I am having to relay off my own server in California.
Can we please get the proper ports opened on the mail server?

http://www.ietf.org/rfc/rfc4409.txt
**

Now my question is I just want to be sure I'm correct in assuming that
all mail servers send on port 25, correct? This user just is
requesting me to allow relay access from his phone carriers network or
home ISP which I'm not going to do since this is the reason I manage
webmail for users. Does the above request seem legit or strange? I
don't know enough about Postfix / mail port 587 to know if this is a
legit request.

Thanks for any clarification!


Re: Request For Port 587

2011-08-18 Thread Ralf Hildebrandt
* Carlos Mennens carlosw...@gmail.com:
 Today I received a ticket for altering the way my Postfix server
 handles mail and I don't understand it. The ticket / request is pasted
 below:
 
 **
 According to RFC 4409 client mail submission to an email server is
 supposed to use port 587.
 Server to server SMTP relays are to use port 25.
 When I am not at the office, I can't email via my work (Postfix)
 account via my iphone or my residential internet because my ISP(s)
 filter port 25 to only allow traffic to and from their mail servers.
 They do however allow 587 anywhere per RFC 4409.
 Additionally I can't email to the IDE with my gmail account, this is
 becoming a real pain in the ass when I need to send emails with
 attachments.
 Just to send this email I am having to relay off my own server in California.
 Can we please get the proper ports opened on the mail server?
 
 http://www.ietf.org/rfc/rfc4409.txt
 **
 
 Now my question is I just want to be sure I'm correct in assuming that
 all mail servers send on port 25, correct? This user just is
 requesting me to allow relay access from his phone carriers network or
 home ISP which I'm not going to do since this is the reason I manage
 webmail for users.

Is he able to relay via port 25 now?

 Does the above request seem legit or strange? I don't know enough about
 Postfix / mail port 587 to know if this is a legit request.

Legit request.
Like he said, he cannot reach port 25, so 587 (submission) is the
preferred option.

-- 
Ralf Hildebrandt
  IT Division | Network Department
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Request For Port 587

2011-08-18 Thread Reindl Harald
587 is AUTHENTICATED submission and should be
preferred since more and more providers are blocking
spam-bots by closing outgoing port 25 for home users

submission inet n       -       n       -       50      smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

he is NOT requesting to allow relay access, he is requesting
ANY access to your smtp-server because he can not use port 25

On 18.08.2011 14:53, Carlos Mennens wrote:
 Today I received a ticket for altering the way my Postfix server
 handles mail and I don't understand it. The ticket / request is pasted
 below:
 
 **
 According to RFC 4409 client mail submission to an email server is
 supposed to use port 587.
 Server to server SMTP relays are to use port 25.
 When I am not at the office, I can't email via my work (Postfix)
 account via my iphone or my residential internet because my ISP(s)
 filter port 25 to only allow traffic to and from their mail servers.
 They do however allow 587 anywhere per RFC 4409.
 Additionally I can't email to the IDE with my gmail account, this is
 becoming a real pain in the ass when I need to send emails with
 attachments.
 Just to send this email I am having to relay off my own server in California.
 Can we please get the proper ports opened on the mail server?
 
 http://www.ietf.org/rfc/rfc4409.txt
 **
 
 Now my question is I just want to be sure I'm correct in assuming that
 all mail servers send on port 25, correct? This user just is
 requesting me to allow relay access from his phone carriers network or
 home ISP which I'm not going to do since this is the reason I manage
 webmail for users. Does the above request seem legit or strange? I
 don't know enough about Postfix / mail port 587 to know if this is a
 legit request.
 
 Thanks for any clarification!

-- 

Best regards, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/

http://www.thelounge.net/signature.asc.what.htm





Re: Request For Port 587

2011-08-18 Thread Matt Hayes



On 8/18/2011 8:53 AM, Carlos Mennens wrote:

Today I received a ticket for altering the way my Postfix server
handles mail and I don't understand it. The ticket / request is pasted
below:

**
According to RFC 4409 client mail submission to an email server is
supposed to use port 587.
Server to server SMTP relays are to use port 25.
When I am not at the office, I can't email via my work (Postfix)
account via my iphone or my residential internet because my ISP(s)
filter port 25 to only allow traffic to and from their mail servers.
They do however allow 587 anywhere per RFC 4409.
Additionally I can't email to the IDE with my gmail account, this is
becoming a real pain in the ass when I need to send emails with
attachments.
Just to send this email I am having to relay off my own server in California.
Can we please get the proper ports opened on the mail server?

http://www.ietf.org/rfc/rfc4409.txt
**

Now my question is I just want to be sure I'm correct in assuming that
all mail servers send on port 25, correct? This user just is
requesting me to allow relay access from his phone carriers network or
home ISP which I'm not going to do since this is the reason I manage
webmail for users. Does the above request seem legit or strange? I
don't know enough about Postfix / mail port 587 to know if this is a
legit request.

Thanks for any clarification!



Carlos,

This is a direct quote from a bot running in #postfix on freenode:

Port 587 is submission, for user submission of mail, NOT suitable for
mail exchange. See the commented example in master.cf. Also see !msa,
and rfc 2476 and 4409. Also read
http://www.maawg.org/sites/maawg/files/news/MAAWG_Port25rec0511.pdf


Also have a look at:

http://www.postfix.org/SASL_README.html

-Matt


Re: Request For Port 587

2011-08-18 Thread Ralf Hildebrandt
* Carlos Mennens carlosw...@gmail.com:
 On Thu, Aug 18, 2011 at 9:02 AM, Matt Hayes domin...@slackadelic.com wrote:
  Carlos,
 
  This is a direct quote from a bot running in #postfix on freenode:
 
  Port 587 is submission, for user submission of mail, NOT suitable for
  mail exchange. See the commented example in master.cf. Also see !msa,
  and rfc 2476 and 4409. Also read
  http://www.maawg.org/sites/maawg/files/news/MAAWG_Port25rec0511.pdf
 
  Also have a look at:
 
  http://www.postfix.org/SASL_README.html
 
 Thanks! So I would need to modify my 'master.cf' to actively support
 client to server communication via port 587, correct?

Yes, and maybe the firewall




Re: Request For Port 587

2011-08-18 Thread Matt Hayes

On 8/18/2011 9:13 AM, Carlos Mennens wrote:

On Thu, Aug 18, 2011 at 9:02 AM, Matt Hayesdomin...@slackadelic.com  wrote:

Carlos,

This is a direct quote from a bot running in #postfix on freenode:

Port 587 is submission, for user submission of mail, NOT suitable for
mail exchange. See the commented example in master.cf. Also see !msa,
and rfc 2476 and 4409. Also read
http://www.maawg.org/sites/maawg/files/news/MAAWG_Port25rec0511.pdf

Also have a look at:

http://www.postfix.org/SASL_README.html


Thanks! So I would need to modify my 'master.cf' to actively support
client to server communication via port 587, correct?



Essentially yes.  The SASL readme is a good read as well as the example 
already contained within master.cf


-Matt


Re: Request For Port 587

2011-08-18 Thread Reindl Harald


On 18.08.2011 15:23, Jeroen Geilman wrote:
 On 2011-08-18 14:59, Reindl Harald wrote:
 587 is AUTHENTICATED submission
 
 Says who ?

have you ever seen submission as an open relay?
if yes - where, and why does no one shut down this machine?





Re: Request For Port 587

2011-08-18 Thread Jeroen Geilman

On 2011-08-18 15:27, Reindl Harald wrote:


On 18.08.2011 15:23, Jeroen Geilman wrote:

On 2011-08-18 14:59, Reindl Harald wrote:

587 is AUTHENTICATED submission

Says who ?

have you ever seen submission as an open relay?
if yes - where, and why does no one shut down this machine?



Submission can take place on a trusted local network.
This does not make you an open relay.

--
J.



Re: Request For Port 587

2011-08-18 Thread Thomas Berger

On Thursday, 18 August 2011, 15:23:28, Jeroen Geilman wrote:
 On 2011-08-18 14:59, Reindl Harald wrote:
 
  587 is AUTHENTICATED submission
 
 
 Says who ?
Port 587 is AUTHORIZED submission, NOT AUTHENTICATED.

A limitation to a local network is also a kind of authorization.
 

 
 Thomas Berger 
 - Certified Linux/Cisco Networking Engineer - 
 BOREUS Rechenzentrum GmbH 
 Zur Schwedenschanze 2 
 D - 18435 Stralsund 
 Germany 
 Phone:+49 (0) 38 31 - 36 76 415 
 Fax: +49 (0) 38 31 - 36 76 615 
 eMail: t...@boreus.de 
 Internet: http://www.boreus.de/ 
 -- 
 Managing Directors: André Jahns, Holger Lebrecht 
 Commercial Register: Amtsgericht Stralsund HRB 5750 
 Registered Office: Stralsund


Re: Request For Port 587

2011-08-18 Thread Jeroen Geilman

On 2011-08-18 17:39, Thomas Berger wrote:

On Thursday, 18 August 2011, 15:23:28, Jeroen Geilman wrote:

On 2011-08-18 14:59, Reindl Harald wrote:


587 is AUTHENTICATED submission


Says who ?

Port 587 is AUTHORIZED submission, NOT AUTHENTICATED.


Um, no.

RFC 4409, section 4.3 states that an MSA *must* require authentication 
on connections that are not implicitly trusted (such as a secured local 
network).


SMTP AUTH is the preferred mechanism, but the RFC does not limit 
authentication to SMTP AUTH.


This is now a Draft standard, meaning you'd better follow it (HTML has 
never progressed beyond a draft standard in the 10+ years that v4.01 is 
in use)


This requirement is updated from RFC 2476, where it was optional, but 
RFC 4409 is from April 2006 (a good 5 years ago), so let's assume people 
have read it by now.



--
J.



Re: Request For Port 587

2011-08-18 Thread John Hinton

On 8/18/2011 11:39 AM, Thomas Berger wrote:

On Thursday, 18 August 2011, 15:23:28, Jeroen Geilman wrote:

On 2011-08-18 14:59, Reindl Harald wrote:


587 is AUTHENTICATED submission


Says who ?

Port 587 is AUTHORIZED submission, NOT AUTHENTICATED.

A limitation to a local network is also a kind of authorization.

Either way, we seem to be adding confusion to the original question.

I like to 'think about' ports as highway routes. If you are connected to 
'bigprovider.com', they know you are a user because you are connected 
(sent login information), so using 'mail.bigprovider.com' on port 25 is 
open... the highway route is open inside of the town so to speak. But, 
there is a roadblock on the edge of town (bigprovider.com) and they have 
a detour set up to use highway 587 instead, so the only way out of town 
is route 587. Anyone living in town (on that providers internet 
connection) must take the detour to get outside to another town 
(mail.someotherprovider.com).


I'm slowly seeing most providers closing port 25, some even one 
area/region at a time (Verizon comes to mind). So far for my clients, 
all have 587 available and working when 25 is blocked.


If you aren't the internet service provider and if you allow more than 
only webmail access, you pretty much have to have 587 set up for use 
both in firewall settings and mailserver conf. Other ports and settings 
may also be needed for TLS connections which is becoming the default in 
most email clients these days.


A side note... some public connections, like internet cafe's do not 
allow sending any email through any port. Only webmail works in those 
locations. I suppose this is a good idea to prevent a visiting spammer 
from compromising your reputation.


If you allow email client access, such as Outlook, your customer is 
exactly right that your system is not providing a top or full level of 
service.


John Hinton








RE: Request For Port 587

2011-08-18 Thread Murray S. Kucherawy
 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Jeroen Geilman
 Sent: Thursday, August 18, 2011 9:03 AM
 To: postfix-users@postfix.org
 Subject: Re: Request For Port 587
 
 This is now a Draft standard, meaning you'd better follow it (HTML has
 never progressed beyond a draft standard in the 10+ years that v4.01 is
 in use)
 
 This requirement is updated from RFC 2476, where it was optional, but
 RFC 4409 is from April 2006 (a good 5 years ago), so let's assume people
 have read it by now.

Even better, it's now being considered by the IETF for promotion to Full 
Standard.  And there actually aren't very many of those (there are about 6300 
RFCs, but fewer than 100 full standards).


Re: Request For Port 587

2011-08-18 Thread Ansgar Wiechers
On 2011-08-18 Jeroen Geilman wrote:
 On 2011-08-18 14:59, Reindl Harald wrote:
 587 is AUTHENTICATED submission
 
 Says who ?

Chapter 4.3 of RFC 4409, unless I'm misunderstanding something.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Request For Port 587

2011-08-18 Thread mouss
On 18/08/2011 14:53, Carlos Mennens wrote:
 Today I received a ticket for altering the way my Postfix server
 handles mail and I don't understand it. The ticket / request is pasted
 below:
 
 **
 According to RFC 4409 client mail submission to an email server is
 supposed to use port 587.
 Server to server SMTP relays are to use port 25.
 When I am not at the office, I can't email via my work (Postfix)
 account via my iphone or my residential internet because my ISP(s)
 filter port 25 to only allow traffic to and from their mail servers.
 They do however allow 587 anywhere per RFC 4409.
 Additionally I can't email to the IDE with my gmail account, this is
 becoming a real pain in the ass when I need to send emails with
 attachments.
 Just to send this email I am having to relay off my own server in California.
 Can we please get the proper ports opened on the mail server?
 
 http://www.ietf.org/rfc/rfc4409.txt
 **
 
 Now my question is I just want to be sure I'm correct in assuming that
 all mail servers send on port 25, correct? This user just is
 requesting me to allow relay access from his phone carriers network or
 home ISP which I'm not going to do since this is the reason I manage
 webmail for users. Does the above request seem legit or strange? I
 don't know enough about Postfix / mail port 587 to know if this is a
 legit request.
 
 Thanks for any clarification!

user request is legitimate. in the past, port 25 was used for all smtp
traffic, be that inbound mail (MX service) or outbound mail.

to fight zombie spam, ISPs are encouraged to block traffic to and from
port 25 (the from part is less obvious: it has to do with asymmetric
routing). so real users would either use their ISP relay (not always
acceptable) or use a different port, which is what the submission port
(587) is for.

note that you need to enforce authentication on this port. and if
login/password is used, then you must establish a good policy (password
strength if possible, password change, ...). you can also use
certificates (even software certs, since zombie attackers are mostly
after passwords).
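As an added check for the thread's advice (Reindl Harald's submission entry above and the note here about enforcing authentication), the following Python script is mine, not code from the thread or from Postfix: it parses master.cf service entries with their -o overrides, treats a main.cf dictionary as the defaults those overrides replace, and reports a port 587 listener that would accept unauthenticated or unencrypted clients. The embedded master.cf snippets are constructed samples.

```python
"""Audit the Postfix 'submission' (port 587) entry in master.cf.
Added example, not code from the thread or from Postfix."""
import re

# master.cf service line: name type private unpriv chroot wakeup maxproc command [args]
SERVICE_RE = re.compile(r"^(\S+)\s+(inet|unix|fifo|pass)\s+(?:\S+\s+){5}(\S+)(.*)$")


def parse_master_cf(text):
    """Map service name -> {'command': ..., 'options': {key: value}}.
    Indented lines continue the previous service; every '-o key=value'
    pair is collected as that service's override of main.cf."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                  # continuation of previous service
            tokens = raw.split() if current else []
        else:
            m = SERVICE_RE.match(raw)
            if not m:
                continue
            current = m.group(1)
            services[current] = {"command": m.group(3), "options": {}}
            tokens = m.group(4).split()
        for i in range(len(tokens) - 1):
            if tokens[i] == "-o" and "=" in tokens[i + 1]:
                key, _, value = tokens[i + 1].partition("=")
                services[current]["options"][key] = value
    return services


def audit_submission(services, main_cf=None, name="submission"):
    """Return findings (empty list means the listener looks sane).
    main_cf holds the global defaults that a '-o' override replaces."""
    svc = services.get(name)
    if svc is None:
        return [f"no '{name}' service: port 587 is not served at all"]
    main_cf = main_cf or {}
    setting = lambda key: svc["options"].get(key, main_cf.get(key, ""))
    findings = []
    if setting("smtpd_sasl_auth_enable") != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes: clients cannot authenticate")
    restr = [r.strip() for r in setting("smtpd_client_restrictions").split(",") if r.strip()]
    if "permit_sasl_authenticated" not in restr:
        findings.append("smtpd_client_restrictions lacks permit_sasl_authenticated")
    if not restr or restr[-1] != "reject":
        findings.append("smtpd_client_restrictions does not end in reject")
    if setting("smtpd_tls_security_level") != "encrypt":
        findings.append("smtpd_tls_security_level is not encrypt: clear-text passwords")
    return findings


# Constructed samples (not from the thread): a bare listener and a hardened one.
WEAK_MASTER_CF = """\
submission inet  n  -  n  -  50  smtpd
"""
HARDENED_MASTER_CF = """\
submission inet  n  -  n  -  50  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
```

A permit_mynetworks entry before the final reject is not flagged, matching the point made earlier in the thread that a trusted local network is a legitimate form of authorization.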


Re: Remove header on reinjection

2011-08-18 Thread mouss
On 18/08/2011 01:31, Steve Fatula wrote:
 - Original Message -
 
 From: Steve Fatula compconsult...@yahoo.com
 To: Postfix Users postfix-users@postfix.org
 Cc: 
 Sent: Wednesday, August 17, 2011 6:18 PM
 Subject: Remove header on reinjection

 Sounded easy (and probably is), but, don't see it. I know I can add
 header_checks and have a rule in it to ignore a header, which is what I want
 to do. Specifically, the header that is added by reinjection after an after
 queue content filter that shows received from localhost.

 header_checks is used in the port 25 smtpd server. Normally, one has a
 no_header_checks on the reinjection smtpd server as you don't want to
 re-check the same rules, as I do not. Some of them might even cause trouble.
 So, I don't (can't) want to use the same header checks. I want to use a new
 header_checks file which just has one rule to ignore that header, but only
 on the reinjection smtpd server.

 However, this is not an option on smtpd. receive_override_options doc says
 you can disable things, but, shows no syntax for enabling things, though
 confusingly it says Enable or disable, implying it may be able to enable,
 and perhaps even set header checks?

 
 
 I guess using cleanup_service_name works and defining a second cleanup. 
 Unless there is a better way.


well, if you can find an expression that works in any case, then use
standard header_checks. for example, to remove a private header, it
doesn't matter if it appears before or after a content filter: what
matters is that it is a private header. so here, a regex/pcre is the way.


if a given header is to be treated differently before and after a
filter, then, yes, use a different cleanup.


if you use amavisd-new: you can configure it not to add a received header.
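To illustrate the point about a position-independent pcre rule, here is an added Python simulation of header_checks IGNORE matching; it is not code from the thread or from Postfix and simplifies the real cleanup(8) behaviour to unfolding each header and testing it against every rule. The rule file and the message headers are constructed samples.

```python
"""Apply Postfix-style header_checks IGNORE rules to a message's headers.
Added example, not code from the thread or from Postfix; it shows why a
position-independent pcre rule removes the reinjection Received: header
whether cleanup sees it before or after the content filter."""
import re


def parse_rules(text):
    """Parse '/pattern/flags ACTION' lines; only IGNORE is supported here."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^\s*/(.*)/([i]*)\s+(\w+)\s*$", line)
        if m and m.group(3).upper() == "IGNORE":
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            rules.append(re.compile(m.group(1), flags))
    return rules


def logical_headers(raw_headers):
    """Unfold RFC 5322 headers: continuation lines start with whitespace."""
    headers = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers


def apply_header_checks(raw_headers, rules):
    """Return the logical headers that survive: each unfolded header is
    matched against every rule and dropped on the first IGNORE hit."""
    kept = []
    for hdr in logical_headers(raw_headers):
        if any(r.search(hdr.replace("\n", " ")) for r in rules):
            continue
        kept.append(hdr)
    return kept


# Constructed sample rule: only the Received: line the reinjection adds.
RULES = r"/^Received: from localhost \(localhost \[127\.0\.0\.1\]\)/ IGNORE"

# Constructed sample headers as seen after reinjection from a content filter.
SAMPLE_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
\tby mail.example.com (Postfix) with ESMTP id AAAAAAAAAA
\tfor <user@example.com>; Thu, 18 Aug 2011 14:53:00 +0200
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.com (Postfix) with ESMTPS id BBBBBBBBBB
From: sender@example.net
Subject: test
"""
```

The external Received: header survives because the pattern is anchored on the literal localhost hop, not on the header name alone.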




Re: envelope spoofing

2011-08-18 Thread mouss
On 15/08/2011 17:29, Drizzt wrote:
 Hi,
 
 I have a setup whereby we check for spoofing. That is, anyone using an
 envelope from in our domain is blocked. In a similar fashion we stop our
 own hosts from spoofing others. 
 
 For reference: 
 - external spoofing:
 check_sender_access: mysql /etc/postfix/mysql-spoofing.cf
 - internal spoofing
 check_client_access + check_sender_access (by use of custom restriction class)
 
 This works fine, and as I see it there is no reason why anyone should
 ever use spoofing (of a domain, not their own).
 
 However, as things go in business, we have the request that:
 - We must allow internal hosts to spoof (e.g. gmail)

this is a local policy issue. you can allow users to send with their
selected MAIL FROM addresses. however, with SPF and automatic spf, it
is not guaranteed that their email will be acceptable to recipient sites.


 - We must allow other parties to spoof us (marketing e-mails send out by
   bulk hosts)


hmmm. I've seen them spoofing the From header, but rarely the MAIL
From (the envelope sender) address.

the traditional problem is with mail forwarding. but the pressure has
been too high for some years now, so this has become a non-problem
(traditional mail forwarding is dying if not already dead).

but anyway, do these restrictions really help you fight spam? if these
restrictions only block 1% of spam, which you can block otherwise, then
why keep them?

 
 In effect removing these restrictions (or introducing exceptions that
 open up complete network segments). 
 
 Input from the marketing company reads: It is common to do this. (My
 internal voice says: for spam hosts you mean).
 
 My question in short:
 Should I allow this? They can put in the header whatever they want as
   long as they leave the envelope sane.