[pfx] Re: smtp auth on port 25
On Thu, Aug 17, 2023 at 09:47:13AM +0800, Jon Smart wrote:

> >> If you have smtpd_sasl_auth_enable=yes for your services on port
> >> 587 (submission) and port 465 (smtps or submissions), then you can
> >> remove it from master.cf when all your AUTH users are not using
> >> the port 25 service.
> >
> > Nit: Wietse meant to say: "from main.cf", not "from master.cf".
>
> It outputs only this info:
>
> # postconf -P '*/inet/smtpd_sasl_auth_enable'
> postconf: warning: unmatched request: "*/inet/smtpd_sasl_auth_enable"

That's because you don't have the required explicit settings in
master.cf. You'll first need to add these.

Below my signature you'll find the commented-out stock definitions of
the "submission" (port 587) and "submissions" (port 465) services from
the "master.cf" file included with the Postfix source code. You should
find a copy on your system named "master.cf.proto":

    $ ls $(postconf -xh meta_directory)/master.cf.proto
    /usr/local/etc/postfix/master.cf.proto

Note the lines:

    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_auth_only=yes

You'll need to merge these (suitably indented with whitespace) into your
master.cf. One way to do that is (as "root", and assuming your services
are using the same port "names", and not port numbers or IP:port):

    # postconf -P \
        submission/inet/smtpd_sasl_auth_enable=yes \
        submission/inet/smtpd_tls_auth_only=yes \
        submissions/inet/smtpd_sasl_auth_enable=yes \
        submissions/inet/smtpd_tls_auth_only=yes

You can replace the "names" (optional IP + port name or number) with
whatever you actually have for submission in your master.cf file. Try
to make it as close as reasonably possible to the stock definitions, but
don't cargo-cult settings you don't understand. Any changes you apply
need to make sense for your system.

--
    Viktor.

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
# Choose one: enable submission for loopback clients only, or for any client.
#127.0.0.1:submission inet n -   n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o local_header_rewrite_clients=static:all
#  -o smtpd_reject_unlisted_recipient=no
#     Instead of specifying complex smtpd_<xxx>_restrictions here,
#     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
#     here, and specify mua_<xxx>_restrictions in main.cf (where
#     "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
#  -o smtpd_client_restrictions=
#  -o smtpd_helo_restrictions=
#  -o smtpd_sender_restrictions=
#  -o smtpd_relay_restrictions=
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
# Choose one: enable submissions for loopback clients only, or for any client.
#127.0.0.1:submissions inet n  -       n       -       -       smtpd
#submissions     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submissions
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o local_header_rewrite_clients=static:all
#  -o smtpd_reject_unlisted_recipient=no
#     Instead of specifying complex smtpd_<xxx>_restrictions here,
#     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
#     here, and specify mua_<xxx>_restrictions in main.cf (where
#     "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
#  -o smtpd_client_restrictions=
#  -o smtpd_helo_restrictions=
#  -o smtpd_sender_restrictions=
#  -o smtpd_relay_restrictions=
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
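
An offline check of the situation diagnosed above, as an added example that is not part of the thread or of Postfix: it works out which smtpd services would offer AUTH from the main.cf value plus any master.cf "-o" overrides. The sample configurations and all function names are constructed for illustration, and only the plain "-o name=value" override form is parsed.

```python
import re

# Constructed sample configs (not from the thread): "before" enables AUTH
# globally in main.cf; "after" moves it to a per-service -o override.
MAIN_BEFORE = "smtpd_sasl_auth_enable = yes\n"
MAIN_AFTER = "# smtpd_sasl_auth_enable = yes\n"
MASTER_BEFORE = """\
smtp        inet  n  -  n  -  -  smtpd
submission  inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
pickup      unix  n  -  n  60 1  pickup
"""
MASTER_AFTER = MASTER_BEFORE.replace("#  -o smtpd_sasl", "  -o smtpd_sasl")

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def main_cf_value(text, name, default):
    """Last assignment in main.cf wins; otherwise the built-in default."""
    value = default
    for line in logical_lines(text):
        key, sep, val = line.partition("=")
        if sep and key.strip() == name:
            value = val.strip()
    return value

def smtpd_auth_by_service(main_cf, master_cf):
    """Map 'service/type' to the effective smtpd_sasl_auth_enable (bool)."""
    inherited = main_cf_value(main_cf, "smtpd_sasl_auth_enable", "no")
    result = {}
    for line in logical_lines(master_cf):
        fields = line.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue  # only smtpd(8) listeners offer AUTH
        # Assumes plain "-o name=value" overrides, not the "-o { ... }" form.
        overrides = dict(re.findall(r"-o\s+(\w+)=(\S*)", line))
        value = overrides.get("smtpd_sasl_auth_enable", inherited)
        result[f"{fields[0]}/{fields[1]}"] = value == "yes"
    return result
```

Commenting out the main.cf setting without first adding the master.cf override turns AUTH off for submission as well, which is why the overrides are added first.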
[pfx] Re: smtp auth on port 25
> On Wed, Aug 16, 2023 at 08:48:25PM -0400, Wietse Venema via Postfix-users
> wrote:
>
>> What is the output from
>>
>>     postconf -P '*/inet/smtpd_sasl_auth_enable'
>>
>> That will show the smtpd_sasl_auth_enable settings in master.cf.
>>
>> If you have smtpd_sasl_auth_enable=yes for your services on port
>> 587 (submission) and port 465 (smtps or submissions), then you can
>> remove it from master.cf when all your AUTH users are not using
>> the port 25 service.
>
> Nit: Wietse meant to say: "from main.cf", not "from master.cf".

It outputs only this info:

    # postconf -P '*/inet/smtpd_sasl_auth_enable'
    postconf: warning: unmatched request: "*/inet/smtpd_sasl_auth_enable"

I am running postfix 3.6.4.
[pfx] Re: smtp auth on port 25
On Wed, Aug 16, 2023 at 08:48:25PM -0400, Wietse Venema via Postfix-users wrote:

> What is the output from
>
>     postconf -P '*/inet/smtpd_sasl_auth_enable'
>
> That will show the smtpd_sasl_auth_enable settings in master.cf.
>
> If you have smtpd_sasl_auth_enable=yes for your services on port
> 587 (submission) and port 465 (smtps or submissions), then you can
> remove it from master.cf when all your AUTH users are not using
> the port 25 service.

Nit: Wietse meant to say: "from main.cf", not "from master.cf".

--
    Viktor.
[pfx] Re: smtp auth on port 25
Jon Smart via Postfix-users:
> > Jon Smart via Postfix-users wrote on 2023-08-16 04:01:
> >
> >> How can I disable auth on port 25? I really don't want users to use
> >> port 25 for auth sender. I am using postfix version 3.6.4 on
> >> ubuntu 22.04.
> >
> > it's default disabled, no ?
> >
> > unsure give us "postconf -n | grep auth"
>
> Hello,
>
> here is my output,
>
> $ sudo postconf -n |grep smtpd_sasl_auth
> smtpd_sasl_auth_enable = yes
>
> my question is, if I disable smtpd_sasl_auth in configuration, does it
> influence the auth on ports 587 and 465? I just don't want sasl auth
> happening on port 25 (MTA port).

What is the output from

    postconf -P '*/inet/smtpd_sasl_auth_enable'

That will show the smtpd_sasl_auth_enable settings in master.cf.

If you have smtpd_sasl_auth_enable=yes for your services on port
587 (submission) and port 465 (smtps or submissions), then you can
remove it from master.cf when all your AUTH users are not using
the port 25 service.

    Wietse
[pfx] Re: smtp auth on port 25
> Jon Smart via Postfix-users wrote on 2023-08-16 04:01:
>
>> How can I disable auth on port 25? I really don't want users to use
>> port 25 for auth sender. I am using postfix version 3.6.4 on
>> ubuntu 22.04.
>
> it's default disabled, no ?
>
> unsure give us "postconf -n | grep auth"

Hello,

here is my output,

    $ sudo postconf -n |grep smtpd_sasl_auth
    smtpd_sasl_auth_enable = yes

my question is, if I disable smtpd_sasl_auth in configuration, does it
influence the auth on ports 587 and 465? I just don't want sasl auth
happening on port 25 (MTA port).

Thanks.
[pfx] Re: smtp auth on port 25
Peter via Postfix-users wrote on 2023-08-16 09:01:

>> mta to mta can use port 465 or 587 as well for intended purpose :)
>
> This is incorrect, MTAs should not and will not connect to any port
> other than port 25 for MX traffic.

you are correct if you only have ONE mta

>> so it's valid if both client and server is maintained from same admin,
>> but not if it's another maintainer, imho this is the different
>
> If you're running both servers and relaying via a non-standard port
> then it's not MX traffic, it's a form of submission or relaying but
> not MX.

relaying is not port 25 ever
[pfx] Re: smtp auth on port 25
Jon Smart via Postfix-users wrote on 2023-08-16 04:01:

> How can I disable auth on port 25? I really don't want users to use
> port 25 for auth sender. I am using postfix version 3.6.4 on
> ubuntu 22.04.

it's default disabled, no ?

unsure give us "postconf -n | grep auth"

my own is

    mx ~ # postconf -nf | grep auth
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
        reject_unauth_destination, reject_unknown_recipient_domain,
    smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
        reject_unauth_destination
    smtpd_sasl_auth_enable = no
    smtpd_sasl_authenticated_header = no
    smtpd_sasl_path = private/dovecot-auth
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,

above is in main.cf, in master.cf i have -o smtpd_sasl_auth_enable=yes,
not default

no more questions, show your postconf -n, which you should have done
before asking any questions, if you are unsure try comment lines in
main.cf so it will be default compiled in in postfix, this is maybe bad
advice to somebody, but imho not

note no space around =
[pfx] Re: smtp auth on port 25
>> On August 15, 2023 2:15:21 AM GMT+02:00, Jon Smart via Postfix-users wrote:
>>> I have disabled port 587/465 to be accessed publicly.
>>>
>>> but port 25 must be open to internet for MTA communications.
>>>
>>> My question is, can external users access port 25 for smtp auth and
>>> send mail then?
>>
>> Not if you disable auth on port 25, which you should.

On 16.08.23 10:01, Jon Smart via Postfix-users wrote:
> How can I disable auth on port 25? I really don't want users to use
> port 25 for auth sender. I am using postfix version 3.6.4 on
> ubuntu 22.04.

disable smtp_sasl_auth_enable - it's disabled by default and only enabled
on ports 465/587 in master.cf.
some admins may enable it in main.cf because of historical reasons.

simply commenting it out should help

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Remember half the people you know are below average.
[pfx] Re: smtp auth on port 25
On 15/08/23 21:08, Benny Pedersen via Postfix-users wrote:
> Peter via Postfix-users wrote on 2023-08-15 10:44:
>
>> This is a bad idea for several reasons. If you want submission use
>> ports 465 and/or 587 as they are intended. Don't try to use a service
>> that is meant for a different purpose for this.
>
> mta to mta can use port 465 or 587 as well for intended purpose :)

This is incorrect, MTAs should not and will not connect to any port
other than port 25 for MX traffic.

> so it's valid if both client and server is maintained from same admin,
> but not if it's another maintainer, imho this is the different

If you're running both servers and relaying via a non-standard port
then it's not MX traffic, it's a form of submission or relaying but
not MX.

Peter
[pfx] Re: smtp auth on port 25
> On August 15, 2023 2:15:21 AM GMT+02:00, Jon Smart via Postfix-users
> wrote:
>> Hello,
>>
>> I have disabled port 587/465 to be accessed publicly.
>>
>> but port 25 must be open to internet for MTA communications.
>>
>> My question is, can external users access port 25 for smtp auth and send
>> mail then?
>
> Not if you disable auth on port 25, which you should.

How can I disable auth on port 25? I really don't want users to use
port 25 for auth sender. I am using postfix version 3.6.4 on ubuntu 22.04.

Thanks.
[pfx] Re: smtp auth on port 25
* Benny Pedersen via Postfix-users [230815 05:10]:
> Peter via Postfix-users wrote on 2023-08-15 10:44:
>
> > This is a bad idea for several reasons. If you want submission use
> > ports 465 and/or 587 as they are intended. Don't try to use a service
> > that is meant for a different purpose for this.
>
> mta to mta can use port 465 or 587 as well for intended purpose :)

MTA to MTA on submission port is _not_ the intended purpose! It can
only be _misused_ for this purpose if the submission port is poorly
configured. Auth should be _required_ on these ports, which precludes
MTA to MTA using these ports.

> so it's valid if both client and server is maintained from same admin, but
> not if it's another maintainer, imho this is the different

You shouldn't do this.

...Marvin
[pfx] Re: smtp auth on port 25
Peter via Postfix-users wrote on 2023-08-15 10:44:

> This is a bad idea for several reasons. If you want submission use
> ports 465 and/or 587 as they are intended. Don't try to use a service
> that is meant for a different purpose for this.

mta to mta can use port 465 or 587 as well for intended purpose :)

so it's valid if both client and server is maintained from same admin,
but not if it's another maintainer, imho this is the different

if OP wants to learn more he would need to make mistakes of some sort
and ask how to solve later, when i started with postfix about 35 years
ago, it was badly configured at first, but got help from irc, and other
mailadmins solved it slowly, this was a time when i used amavisd-new
with bitdefender, f-prot, clamav, spamassassin, mailzu, now it's more
like clamav, spamassassin, amavisd-new, postfix, nothing more, today i
have enormous experience from fails and how to solve them
[pfx] Re: smtp auth on port 25
On 15/08/23 12:15, Jon Smart via Postfix-users wrote:
> I have disabled port 587/465 to be accessed publicly.

These are the submission and submissions ports, for user submission of
mail.

> but port 25 must be open to internet for MTA communications.

Port 25 is for MX to MX communication, for a submission host, or some
other type of relay to push mail to your MTA on the public internet.

> My question is, can external users access port 25 for smtp auth and
> send mail then?

This is a bad idea for several reasons. If you want submission use
ports 465 and/or 587 as they are intended. Don't try to use a service
that is meant for a different purpose for this.

Peter
[pfx] Re: smtp auth on port 25
On August 15, 2023 2:15:21 AM GMT+02:00, Jon Smart via Postfix-users wrote:
> Hello,
>
> I have disabled port 587/465 to be accessed publicly.
>
> but port 25 must be open to internet for MTA communications.
>
> My question is, can external users access port 25 for smtp auth and send
> mail then?

Not if you disable auth on port 25, which you should.

For MTA to MTA communication you don't need smtp auth enabled to receive
mails destined to your server.

Your users should use ports 465/587 with auth to send their mail.

Auth should only be enabled on the ports you intend to use for mail
submission.

--
Christian Kivalo