Re: permit_sasl_authenticated ONLY from one interface

2008-12-01 Thread Simone Felici

mouss wrote:

Simone Felici wrote:

Why? Uhm, dunno...
It seems certain mail clients have authenticated SMTP enabled by default
and if the client finds the SMTP server supports it, then it tries to send
with auth. This returns an error, due to inappropriate settings of the client.


if you know their IPs, you can use  smtpd_discard_ehlo_keyword_address_maps




Mouss,
this could be a solution... but I haven't found any example or documentation to try 
it.
Could you point me at any example?

The initial problem was:
I've an SMTP server for customers, with standard SMTP open only from a range of 
IPs.
Could I provide normal SMTP service for customers of a range of known IPs (like now) and open my server to all the world 
for SMTP service but ONLY if authenticated SMTP is used?


Is the MUA with an IP of my customers?
YES: It can send without any authentication.
NO: It can send ONLY if a user/pass is provided.

Simon

--
Simone Felici                 E-Mail: [EMAIL PROTECTED]
Divisione Tecnica             Tel:    0461 030 111
Alpikom S.p.A.                Fax:    0461 030 112
v.Fersina, 23 - 38100 Trento  URL:    http://www.alpikom.it


Re: permit_sasl_authenticated ONLY from one interface

2008-12-01 Thread Noel Jones

mouss wrote:

Simone Felici wrote:

mouss wrote:

Simone Felici wrote:

Why? Uhm, dunno...
It seems certain mail clients have authenticated SMTP enabled by default
and if the client finds the SMTP server supports it, then it tries to send
with auth. This returns an error, due to inappropriate settings of the client.
if you know their IPs, you can use 
smtpd_discard_ehlo_keyword_address_maps

Mouss,
this could be a solution... but I haven't found any example or documentation
to try it.
Could you point me at any example?


make sure to read:

http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps



smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo

== discard_ehlo
10.1.2.3    starttls, auth, silent-discard

(silent-discard prevents postfix from logging this keyword discard
action).

(discarding starttls may be too much, but OP can decide for 
himself)



I think this is even easier:
http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks

The simplest form of this is:
# main.cf
smtpd_sasl_exceptions_networks = $mynetworks



The initial problem was:
I've an SMTP server for customers, with standard SMTP open only from a
range of IPs.
Could I provide normal SMTP service for customers of a range of known IPs
(like now) and open my server to all the world for SMTP service but ONLY
if authenticated SMTP is used?

Is the MUA with an IP of my customers?
YES: It can send without any authentication.
NO: It can send ONLY if a user/pass is provided.

The behavior you describe is the standard settings:

smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
  ... other restrictions ...

You only need to make special arrangements such as mouss and I 
describe when you don't want to ever offer AUTH to local 
clients.  Offering AUTH to everyone does not present a problem 
to the vast majority of clients.


--
Noel Jones
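As an added illustration (written for this thread; it is neither Noel's code nor Postfix source), the Python below models how Postfix walks the standard restriction list Noel cites: in order, first PERMIT or REJECT wins, and a list that runs out without a decision permits. The networks, domains and sessions are constructed sample values; the table covers Simon's YES/NO question plus the inbound case that port 25 must keep accepting.

```python
"""Model of the standard Postfix restriction list:

    smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination

Illustration for this thread, not Postfix source code. All networks,
domains and sessions below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional

# Constructed stand-ins for main.cf settings.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("10.1.2.0/24")]  # $mynetworks
MYDESTINATION = {"example.com", "mail.example.com"}                  # $mydestination
RELAY_DOMAINS = {"hosted-customer.example"}                          # $relay_domains


@dataclass
class Session:
    client_ip: str
    sasl_username: Optional[str]  # set only after a successful AUTH
    recipient: str


def permit_mynetworks(s: Session) -> str:
    """PERMIT when the client address falls inside $mynetworks."""
    addr = ip_address(s.client_ip)
    return "PERMIT" if any(addr in net for net in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(s: Session) -> str:
    """PERMIT when the session completed SASL AUTH, whatever the client IP."""
    return "PERMIT" if s.sasl_username else "DUNNO"


def reject_unauth_destination(s: Session) -> str:
    """REJECT relaying: recipients outside the domains we accept mail for."""
    domain = s.recipient.rpartition("@")[2].lower()
    return "DUNNO" if domain in MYDESTINATION | RELAY_DOMAINS else "REJECT"


STANDARD: List[Callable[[Session], str]] = [
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
]


def evaluate(s: Session, restrictions=STANDARD) -> str:
    """First non-DUNNO result wins; an exhausted list permits."""
    for restriction in restrictions:
        result = restriction(s)
        if result != "DUNNO":
            return result
    return "PERMIT"


def decision_table() -> dict:
    """Simon's YES/NO question, plus the inbound case port 25 must keep."""
    cases = {
        "customer IP, no AUTH, relay outbound":
            Session("10.1.2.50", None, "someone@elsewhere.example"),
        "remote IP, AUTH ok, relay outbound":
            Session("203.0.113.7", "simon", "someone@elsewhere.example"),
        "remote IP, no AUTH, relay outbound":
            Session("203.0.113.7", None, "someone@elsewhere.example"),
        "remote IP, no AUTH, mail for our own domain":
            Session("203.0.113.7", None, "postmaster@example.com"),
    }
    return {name: evaluate(session) for name, session in cases.items()}


if __name__ == "__main__":
    for name, verdict in decision_table().items():
        print(f"{verdict:6} {name}")
```

The third row is the one that matters for Simon: an unauthenticated client outside $mynetworks reaches reject_unauth_destination before any permit, so it can deliver mail to the server's own domains but cannot relay. Nothing about which server interface it connected to enters the decision.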



Re: permit_sasl_authenticated ONLY from one interface

2008-12-01 Thread mouss
Noel Jones wrote:
 mouss wrote:
 Simone Felici wrote:
 mouss wrote:
 Simone Felici wrote:
 Why? Uhm, dunno...
 It seems certain mail clients have authenticated SMTP enabled by default
 and if the client finds the SMTP server supports it, then it tries to
 send
 with auth. This returns an error, due to inappropriate settings of the
 client.
 if you know their IPs, you can use
 smtpd_discard_ehlo_keyword_address_maps


 Mouss,
 this could be a solution... but I haven't found any example or documentation
 to try it.
 Could you point me at any example?

 make sure to read:

 http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps

 smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo

 == discard_ehlo
 10.1.2.3    starttls, auth, silent-discard

 (silent-discard prevents postfix from logging this keyword discard
 action).


 
 
 (discarding starttls may be too much, but OP can decide for himself)
 

yes. I only cited it to show that multiple keywords can be discarded.

 
 I think this is even easier:
 http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks
 
 The simplest form of this is:
 # main.cf
 smtpd_sasl_exceptions_networks = $mynetworks
 
 
 The initial problem was:
 I've an SMTP server for customers, with standard SMTP open only from a
 range of IPs.
 Could I provide normal SMTP service for customers of a range of known IPs
 (like now) and open my server to all the world for SMTP service but ONLY
 if authenticated SMTP is used?

 Is the MUA with an IP of my customers?
 YES: It can send without any authentication.
 NO: It can send ONLY if a user/pass is provided.


 
 The behavior you describe is the standard settings:
 
 smtpd_recipient_restrictions =
   permit_mynetworks
   permit_sasl_authenticated
   reject_unauth_destination
   ... other restrictions ...
 
 You only need to make special arrangements such as mouss and I describe
 when you don't want to ever offer AUTH to local clients.  Offering AUTH
 to everyone does not present a problem to the vast majority of clients.
 

It's unclear whether he actually found misbehaving MUAs or if he is just
 fearing the unknown ;-p



Re: permit_sasl_authenticated ONLY from one interface

2008-11-27 Thread Wietse Venema
Simone Felici:
 Hi to all!
 
 I've tested successfully a simple smtp server with SMTP authenticated.
 Now I would like to do the following:
 
 My server has two interfaces with IP1 and IP2.
 I would like to setup postfix to permit AUTH-SMTP only for sessions incoming 
 on IP1 and normal SMTP sessions on IP2.

Please explain why you can't use policies for the CLIENT IP address.

Wietse


Re: permit_sasl_authenticated ONLY from one interface

2008-11-27 Thread Simone Felici

Wietse Venema wrote:

Simone Felici:

Hi to all!

I've tested successfully a simple smtp server with SMTP authenticated.
Now I would like to do the following:

My server has two interfaces with IP1 and IP2.
I would like to setup postfix to permit AUTH-SMTP only for sessions incoming on 
IP1 and normal SMTP sessions on IP2.


Please explain why you can't use policies for the CLIENT IP address.

Wietse



Why? Uhm, dunno...
It seems certain mail clients have authenticated SMTP enabled by default, and if the client finds the SMTP server supports 
it, then it tries to send with auth. This returns an error, due to inappropriate settings of the client. To prevent this I would 
like to set up two IP addresses on the same server.
The first IP address should accept only clean SMTP sessions, with restrictions allowing SMTP only from specific 
client IP ranges. This is the actual situation in production and all is ok.
The second IP should accept only SASL auth SMTP sessions. If the authentication goes well, then the client can send 
without other checks and the client can have every IP he wants.
Due to company decisions, our SMTP server accepts sending messages only if the customer is connected to our network. The 
second IP on the server should introduce the possibility to send (only if authenticated) from any network.

Is it possible to set up on the same server?
I've read this (http://www.postfix.org/RESTRICTION_CLASS_README.html) and ok, but have no idea how to choose different 
policies depending on two different IPs (interfaces) of the server.


Simon


Re: permit_sasl_authenticated ONLY from one interface

2008-11-27 Thread postfix

Simone Felici wrote:
My server has two interfaces with IP1 and IP2. I would like to setup 
postfix to permit AUTH-SMTP only for sessions incoming on IP1 and 
normal SMTP sessions on IP2.

I've only find how to apply restrictions on sender (ip/domain) but
have no idea how to manage different policies depend on which smtp-IP
is using the client.


Simone Felici wrote:
The first IP address should accept only clean SMTP sessions, with 
restrictions allowing SMTP only from specific client IP ranges. This
is the actual situation in production and all is ok.
The second IP should accept only SASL auth SMTP sessions. If the 
authentication goes well, then the client can send without other checks
and the client can have every IP he wants.
Due to company decisions, our SMTP server accepts sending messages only 
if the customer is connected to our network. The second IP on the 
server should introduce the possibility to send (only if 
authenticated) from any network.

Is it possible to setup on the same server?


What you're looking for is called the submission service.  Accepted 
practice has you split MTA relay and MUA submission onto two separate 
ports, 25 for MTAs, 587 for MUAs.  Require TLS+AUTH on port 587, disable 
them[1] on port 25.


In main.cf:

smtpd_sasl_auth_enable = no

In master.cf:

submission inet n - n - - smtpd
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_tls_security_level=encrypt

Set the other sasl- and tls-related settings in main.cf.

If you want to use port 25 on IP1 instead of port 587 on all 
inet_interfaces, remove IP1 from inet_interfaces and change submission 
to IP1:smtp in the master.cf excerpt above.


Keep in mind there is a growing number of ISPs which do not permit 
outbound connections to port 25 from their user networks while port 587 
is allowed by everyone except the most idiotic of network admins.


1: You can make TLS optional if you want opportunistic encryption when 
talking to other MTAs.


Re: permit_sasl_authenticated ONLY from one interface

2008-11-27 Thread mouss
Simone Felici wrote:
 Why? Uhm, dunno...
 It seems certain mail clients have authenticated SMTP enabled by default
 and if the client finds the SMTP server supports it, then it tries to send
 with auth. This returns an error, due to inappropriate settings of the client.

if you know their IPs, you can use smtpd_discard_ehlo_keyword_address_maps

 To prevent this I would like to set up two IP addresses on the same server.
 The first IP address should accept only clean SMTP sessions, with
 restrictions allowing SMTP only from specific client IP ranges. This is
 the actual situation in production and all is ok.
 The second IP should accept only SASL auth SMTP sessions. If the
 authentication goes well, then the client can send without other checks
 and the client can have every IP he wants.
 Due to company decisions, our SMTP server accepts sending messages only if
 the customer is connected to our network. The second IP on the server
 should introduce the possibility to send (only if authenticated) from
 any network.
 Is it possible to set up on the same server?
 I've read this (http://www.postfix.org/RESTRICTION_CLASS_README.html)
 and ok, but have no idea how to choose different policies depending on
 two different IPs (interfaces) of the server.
 

instead of playing with IPs, just enable the submission service in
master.cf and get users to configure their MUA to use port 587 when they
want to authenticate.

if this isn't what you want/need, copy the submission service and do not
enable sasl for the standard smtpd.


10.1.2.3:25 inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
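Both the "postfix" reply (smtpd_sasl_auth_enable = no in main.cf, TLS+AUTH only on the submission service) and mouss's per-IP smtpd copy above come down to what each listener advertises in its EHLO reply. As an added example (written for this thread, not Postfix's or any poster's code), the Python below parses EHLO replies and checks them against that split: port 25 must not offer AUTH, port 587 must offer STARTTLS, keep AUTH hidden until TLS is up (smtpd_tls_auth_only=yes) and offer it afterwards. The four replies are constructed samples; audit_live() uses the standard smtplib module against a host you operate.

```python
"""Audit EHLO keywords against the port 25 / port 587 split discussed above.

Illustration for this thread, not Postfix or any project's code. The
EHLO replies defined at the bottom are constructed samples; audit_live()
needs network access to a server you run and is not exercised offline.
"""
import smtplib
from typing import List, Optional, Set


def parse_ehlo(reply: str) -> Set[str]:
    """Extract upper-cased ESMTP keywords from a raw multi-line 250 reply.

    The first 250 line carries the server hostname rather than a keyword
    and is skipped; "250-SIZE 10240000" yields SIZE, "250 8BITMIME" yields
    8BITMIME.
    """
    keywords: Set[str] = set()
    first = True
    for raw in reply.splitlines():
        line = raw.strip()
        if not line.startswith("250"):
            continue
        if first:
            first = False
            continue
        body = line[4:].strip()  # drop "250-" or "250 "
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def audit(port: int, plain: Set[str], after_tls: Optional[Set[str]] = None) -> List[str]:
    """Return policy findings; an empty list means the port matches the policy."""
    findings: List[str] = []
    if port == 25:
        if "AUTH" in plain:
            findings.append("port 25 advertises AUTH; main.cf needs smtpd_sasl_auth_enable = no")
    elif port == 587:
        if "STARTTLS" not in plain:
            findings.append("submission does not offer STARTTLS")
        if "AUTH" in plain:
            findings.append("AUTH offered before TLS; smtpd_tls_auth_only=yes hides it until STARTTLS")
        if after_tls is not None and "AUTH" not in after_tls:
            findings.append("AUTH missing after STARTTLS; check smtpd_sasl_auth_enable=yes on submission")
    else:
        findings.append(f"no policy defined for port {port}")
    return findings


def audit_live(host: str, port: int, timeout: float = 10.0) -> List[str]:
    """Collect keywords from a real server, before and (if offered) after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        plain = {k.upper() for k in conn.esmtp_features}
        after_tls = None
        if "STARTTLS" in plain:
            conn.starttls()
            conn.ehlo()  # keywords are re-announced inside the TLS session
            after_tls = {k.upper() for k in conn.esmtp_features}
    return audit(port, plain, after_tls)


# Constructed sample replies (not captured from any real host).
PORT25_OK = ("250-mail.example.com\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
             "250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250 8BITMIME\r\n")
PORT25_LEAKS_AUTH = PORT25_OK.replace("250 8BITMIME", "250-AUTH PLAIN LOGIN\r\n250 8BITMIME")
PORT587_PLAIN = "250-mail.example.com\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
PORT587_TLS = "250-mail.example.com\r\n250-PIPELINING\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    print("25  ok  ->", audit(25, parse_ehlo(PORT25_OK)))
    print("25  bad ->", audit(25, parse_ehlo(PORT25_LEAKS_AUTH)))
    print("587     ->", audit(587, parse_ehlo(PORT587_PLAIN), parse_ehlo(PORT587_TLS)))
```

The one thing this cannot see from outside is mouss's smtpd_discard_ehlo_keyword_address_maps entry, which changes the reply only for the listed client address; verify that one from the client in the map, or drop silent-discard temporarily and watch the log line it otherwise suppresses.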