secure cyrus smtp server open for dynamic ip

Hey Guys, perhaps the title doesn’t explain it all.

i have a cyrus/postfix mail server.
running 6 domain names.
i don’t have TLS enabled (yet… working on it)
so i enable ip addresses that are allowed to send mail.

all is well when the client sending mail has a static ip address,
this i can just add to the trusted networks.
but now i have a friend who has a dynamic ip changing any time he logs in. how can i configure the mta to allow mail from him?

of course as safe as possible, and a little user friendly because he doesn’t have much computer knowledge.

Kind regards,
Arnold Nijboer

On 19.11.2008 19:26 arnoldnijboer wrote:
> i have a cyrus/postfix mail server.
> […]
> all is well when the client sending mail has a static ip adres,
> this i can just add to the trusted networks.
> but now i have a friend who has a dynamic ip changing any time he logs
> in. how can i configure the mta to allow mail from him.

The standard solution for that is SMTP Authentication, or
SMTP AUTH for short. You set up your server to allow relaying
for authenticated clients, set a username and password for
your friend, and he configures his mail client to authenticate
with that username and password when sending mail through your
server.

I can’t tell you how to configure that on Postfix because
I’m using Sendmail myself, but it’s pretty easy there, and
everybody keeps telling me how Postfix is so much easier to
manage than Sendmail, so it should be a piece of cake. :-)


Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany

workaround.org has some tutes on setting up the whole mail server shebang, targeted at Debian but just need a bit of translation for other distros.

Here’s another reason why dovecot rocks. You can set it up so that it can handle authentication on behalf of postfix, so that the authentication is configured in one place, instead of hitching all that cyrus imap gunk to postfix.

Tilman thanks again for the reply,

just to be sure…
i can add my external ip to the trusted zone,
and let smtp auth / ldap do the authentication?

i’m just asking because i used the trusted ip networks as a
sort of firewall, just to prevent my mailserver from being used as spam sender…

i’m using tls now… so that should be secure.

and to our dear ken_yap:
authentication is handed to my ldap server, which handles every part of the configuration for email settings and authentication…

Thanks in advance…

No, the trusted IPs are the source IPs. So adding your external IP to the trusted IPs does nothing for your friend. Or any external networks you might trust. On the other hand you might end up trusting some other machines on your external subnet you shouldn’t.

SMTP AUTH is orthogonal to this. What you’re setting up is to allow relaying either if the source IP is trusted, or authentication is provided.

Yes, dovecot can do LDAP too. It’s the forwarding on behalf of postfix that makes it unnecessary to configure authentication for postfix as well.

Well thanks for the reply,

although i’m not familiar with SMTP AUTH,
is it the same as SASL ??

the image shows my MTA config for relaying,
is this correct?
the 192.168… is my local network, the others are standard suse inputs. i haven’t messed with that.
http://www.neo-hippie.net/MTA.jpg

Kind regards,
Arnold Nijboer

Well, sorry, image is not showing…
here a direct link:
http://www.neo-hippie.net/MTA.jpg

Related but not the same thing. SASL, as a reference page will tell you, is a framework for authentication and security. Cyrus has libraries to provide this. SMTP AUTH is what happens when you configure postfix to require authentication to post (if not already allowed by being in trusted_networks).

Configuring postfix to do SMTP AUTH requires a bunch of config directives in main.cf. Postfix calls external agents to do the authentication and cyrus SASL is often one. Sorry, I have no idea how it’s done in YaST, I’ve been editing main.cf (actually sysconfig/postfix) before YaST acquired (or not?) the ability to configure AUTH. Also because you will want to transmit the password not in cleartext, you will also have to configure an SSL certificate. Because it will be self-signed (unless you want to pay for one that is tied to the certification chain, similar to what happens with SSL certs for HTTPS), your friend will get a dialog, at least the first time, asking him if he wants to trust this server.

All these can be browsed in depth in the aforementioned workaround.org tutorials.

As for the trusted_networks, generally you just set it to your LAN’s subnet and leave it at that. As I said, SMTP AUTH is independent of trusted_networks. For example, this is the beginning of the recipient restrictions conditions in an openSUSE mail server:

reject_invalid_hostname,reject_non_fqdn_sender,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,check_helo_access hash:/etc/postfix/helo_checks…

As you can see, if a client is on the LAN, it’s permitted to relay (send mail outwards), otherwise it can also do so if it authenticates via SASL (a road warrior using the back office server to send mail).
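To make the ordering in that restriction list concrete, here is an added example (my own code, not from this thread or from Postfix) that models how Postfix walks an smtpd_recipient_restrictions list for one RCPT TO: rules are tried in order, the first one that answers OK or REJECT decides, and a rule with no opinion (DUNNO) passes control to the next. It shows that permit_mynetworks and permit_sasl_authenticated are independent routes to relay permission, and that reject_unauth_destination after them is what stops everyone else. Assumptions: only the five rule names kept below are modelled, the hostname checks and table lookups from the quoted list are treated as DUNNO, and the network and domain values are constructed.

```python
"""
Added example, not code from the thread or from Postfix: a small model of how
Postfix evaluates an smtpd_recipient_restrictions list, one rule at a time.
Assumptions: only the five rules named in RESTRICTIONS are modelled; the
hostname checks and lookup tables from the thread's list give no decision
(DUNNO) for the sample clients; network and domain values are constructed.
"""
import ipaddress

# The restriction list quoted in the thread, with the lookup tables dropped.
RESTRICTIONS = ("reject_invalid_hostname,reject_non_fqdn_sender,"
                "permit_mynetworks,permit_sasl_authenticated,"
                "reject_unauth_destination")

# Constructed site values: loopback plus the LAN mentioned in the thread,
# and the domains this server accepts mail for.
DEFAULT_MYNETWORKS = ("127.0.0.0/8", "192.168.1.0/24")
LOCAL_DOMAINS = frozenset({"arnoldnijboer.info"})


def parse_restrictions(text):
    """Split a comma-separated restriction list into rule names."""
    return [item.strip() for item in text.split(",") if item.strip()]


def evaluate(client_ip, sasl_authenticated, recipient,
             restrictions=RESTRICTIONS, mynetworks=DEFAULT_MYNETWORKS):
    """Return (action, deciding_rule) for one recipient.

    Rules are tried in order; the first one that answers OK or REJECT wins.
    Reaching the end of the list without a decision permits the recipient,
    which is why an unauthenticated outside client relaying to a foreign
    domain is only stopped if reject_unauth_destination is in the list.
    """
    ip = ipaddress.ip_address(client_ip)
    networks = [ipaddress.ip_network(n) for n in mynetworks]
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    for rule in parse_restrictions(restrictions):
        if rule == "permit_mynetworks" and any(ip in n for n in networks):
            return "OK", rule
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return "OK", rule
        if rule == "reject_unauth_destination" and rcpt_domain not in LOCAL_DOMAINS:
            return "REJECT", rule
        # reject_invalid_hostname / reject_non_fqdn_sender: assumed DUNNO here
    return "OK", "end-of-list"


def is_open_relay(restrictions=RESTRICTIONS, mynetworks=DEFAULT_MYNETWORKS):
    """True if an unauthenticated client from outside mynetworks can relay to
    a foreign domain, i.e. the configuration would be usable as a spam relay."""
    action, _ = evaluate("203.0.113.7", False, "someone@example.net",
                         restrictions, mynetworks)
    return action == "OK"


if __name__ == "__main__":
    cases = [
        ("192.168.1.50", False, "someone@example.net"),        # LAN host, no AUTH
        ("203.0.113.7", True, "someone@example.net"),          # friend on dynamic IP, AUTH
        ("203.0.113.7", False, "someone@example.net"),         # stranger, no AUTH
        ("203.0.113.7", False, "arnold@arnoldnijboer.info"),   # inbound mail for a local domain
    ]
    for ip, auth, rcpt in cases:
        print(ip, auth, rcpt, "->", evaluate(ip, auth, rcpt))
    # Adding the server's own public address (constructed) to mynetworks, the
    # idea floated earlier in the thread, changes nothing for the friend:
    print(evaluate("203.0.113.7", False, "someone@example.net",
                   mynetworks=DEFAULT_MYNETWORKS + ("198.51.100.10/32",)))
    print("open relay without reject_unauth_destination:",
          is_open_relay("permit_mynetworks,permit_sasl_authenticated"))
```

Run it as a script to see the four cases side by side; the last line is the check worth keeping around, since dropping reject_unauth_destination (or putting a permit rule after it) quietly turns the list into an open relay without any error in the logs.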

On 28.11.2008 17:56 arnoldnijboer wrote:
> just to be sure…
> i can add my external ip to the thrusted zone,
> and let smtp auth / ldap do the authentication?
>
> i’m just asking because i used the thrusted ip networks as a
> sort off firewall, just to prevent my mailserver from being used as
> spam sender…

As I said, I am not a Postfix expert, but I would guess
that that approach is wrong. If Postfix works similarly
to Sendmail, adding your own external IP address to the
set of addresses allowed to relay (which I guess is the
meaning of “trusted zone”) would do nothing, while adding
the dynamic address range from which your friend gets his
addresses would allow anyone from that range to send mail
through your server, without requiring authentication, so
you would be vulnerable to abuse by spammers who happen
to be clients of the same provider, for example.

What you need to do is enable relaying for SMTP
authenticated senders in addition to senders with
trusted IP addresses, so that senders with trusted
addresses can continue sending mail as they do now,
while those with a priori untrusted addresses (like the
dynamic address of your friend) can gain the necessary
trust by presenting a valid username and password via
SMTP AUTH. With Sendmail that is the default behaviour
as soon as you enable SMTP authentication. With Postfix
I don’t know, though I would expect similar behaviour.

> i’m using tls now… so that should be secure.

Are you using TLS client certificates? If not, TLS does
nothing to protect your server against unauthorized
relaying (aka being abused as spam sender). Spammers can
send via TLS, too. (Although they rarely do.)

TLS client certificates would in fact be an alternative
to SMTP AUTH as a means of authentication to securely
allow relaying from trusted clients. But it is IMHO much
more difficult to set up than SMTP AUTH. That’s why I
did not propose it. It might be a viable alternative if
you already have a PKI set up and running.

HTH
T.

Thanks both for the info.

both replies make sense, I’ll go and find some how-to manual for setting up SMTP AUTH.

Thanks again, hopefully I’ll have some spare time next Saturday to try it.

kind regards,
Arnold

Sorry for the very late response.
had been busy for a while.

i’ve tried to set up smtp auth using this site:
12. SMTP Authentication for Mail clients
(just used page 11 and 12 since i had a running postfix)

but i don’t get the same output from telnet, did everything they say about smtp-auth.
here is my telnet output:
arnoldnijboer@Skynet:~$ telnet arnoldnijboer.info 25
Trying 192.168.1.100…
Connected to Welkom op Arnolds homepage.
Escape character is ‘^]’.
220 SkynetServer.Arnoldnijboer.info ESMTP Postfix
ehlo arnoldnijboer.info
250-SkynetServer.Arnoldnijboer.info
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth FFJub2xkbmlqYm9lcgBhcm5vbGRuaWpib2VyAEphc2RaRk04
504 5.5.4 Encryption required for requested authentication mechanism

as specified in the manual i don’t get the:
250-AUTH DIGEST-MD5 CRAM-MD5 GSSAPI PLAIN LOGIN
250-AUTH=DIGEST-MD5 CRAM-MD5 GSSAPI PLAIN LOGIN

also another issue… if i send mail using direct delivery the mail sometimes doesn’t reach the recipients. in my mail log i see it tries to send but gets a timed out from the server… no errors or something, just a timed out. specifically the hotmail servers mx2.hotmail.com and mx3.hotmail.com

anyone any suggestions?

I think it is saying that the authentication in question will refuse to work with a plaintext channel. You have to set up an encrypted channel first, either by connecting to a SMTPS port in the first place or by issuing STARTTLS before authentication. Presumably this is so that the authentication cannot be snooped on. You may be able to override this precaution, but I’ve never tried it.

It means you can’t test with telnet, but I think curl will be able to.

well even if i can’t login those 2 lines should be given by postfix or not? that shows that everything is properly installed.
but as you can see i don’t have these 2 lines:
250-AUTH DIGEST-MD5 CRAM-MD5 GSSAPI PLAIN LOGIN
250-AUTH=DIGEST-MD5 CRAM-MD5 GSSAPI PLAIN LOGIN

and i don’t know where things went bad.
please point me in the right direction?!

Sorry, I don’t know why it’s missing from your banner. I haven’t run into this problem before, even with a server that I set up with auth, so I’m not equipped to diagnose it. Presumably postfix doesn’t know what auth mechanisms are available and there is some setting that enables the list of mechanisms or plugins, but I’m only guessing.

arnoldnijboer wrote:
> i’ve tryed to setup smtp auth using this site:
> ‘12. SMTP Authentication for Mail clients’ (http://tinyurl.com/dnzwm)
> (just used page 11 and 12 sins i had a running postfix)

Again, I don’t know Postfix, so take the following with a grain of salt.

> but i don’t get the same output from telnet, did everything they say
> about smtp-auth.
> here is my telnet output:
> arnoldnijboer@Skynet:~$ telnet arnoldnijboer.info 25
> Trying 192.168.1.100…
> Connected to ‘Welkom op Arnolds homepage’
> (http://www.arnoldnijboer.info).
> Escape character is ‘^]’.
> 220 SkynetServer.Arnoldnijboer.info ESMTP Postfix
> ehlo arnoldnijboer.info
> 250-SkynetServer.Arnoldnijboer.info
> 250-PIPELINING
> 250-SIZE
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> auth FFJub2xkbmlqYm9lcgBhcm5vbGRuaWpib2VyAEphc2RaRk04

That’s wrong. You need to specify the authentication method after the
verb AUTH. Btw you do realize that what you posted above can easily
be decoded into cleartext? If those eight characters after the
second \0 are your real password you should change it pronto subito.

> as specified in the manual i don’t get the:
> 250-AUTH DIGEST-MD5 CRAM-MD5 GSSAPI PLAIN LOGIN
> 250-AUTH=DIGEST-MD5 CRAM-MD5 GSSAPI PLAIN LOGIN

That would normally indicate that authentication has not been enabled,
so you probably did something wrong. Double-check the configuration
entries you made. Check the Postfix logfiles for any complaints about
errors in the configuration files. Also check if you have installed
the necessary SASL packages. Last time I looked, SuSE still (for
reasons I cannot fathom) packaged the actual authentication methods
separately from the main SASL package, so you would have to install
all of

cyrus-sasl
cyrus-sasl-crammd5
cyrus-sasl-digestmd5
cyrus-sasl-plain

in order to be actually able to authenticate with DIGEST-MD5,
CRAM-MD5 and PLAIN. Omitting the method packages would not result in
any error messages; the methods would just not be offered in the EHLO
reply. Very annoying.

> also another issue… if i send mail using direct delivery the mail
> sometimes doesn’t reach the receipts. in my mail log i see it try’s to
> send but gets a timed out from the server… no error’s or something just
> a timed out. specifically the hotmail server mx2.hotmail.com and
> mx3.hotmail.com

Yeah, some big mail providers like Hotmail seem to limit connection
rates quite heavily, but normally your mail server should automatically
retry those later. Doesn’t it?

HTH
T.
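The two points made in the last replies, that AUTH PLAIN is base64 and trivially reversible by anyone watching an unencrypted session, and that the mechanism name must follow the AUTH verb, are easy to see in code. The following is an added example (my own, not code from this thread, from Postfix or from Cyrus SASL) of the client side of SMTP AUTH PLAIN as defined in RFC 4616, together with the two checks a careful client or test script makes before sending it: that the server actually advertises PLAIN in its EHLO reply, and that STARTTLS has completed first. That second check is what the "Encryption required" reply earlier in the thread enforces on the server side; Postfix's smtpd_tls_auth_only = yes setting goes a step further and does not even advertise AUTH until after STARTTLS, which is why a plain telnet session cannot show the AUTH lines. The EHLO replies and credentials below are constructed for the example; the server name is a placeholder.

```python
"""
Added example, not code from the thread or from Postfix: the client side of
SMTP AUTH PLAIN (RFC 4616) plus the checks a careful client makes before
sending it.  All EHLO replies and credentials here are constructed.
"""
import base64

# Constructed EHLO replies.  The first has the shape of the reply posted in
# the thread (STARTTLS offered, no AUTH line); the second is what a server
# typically sends after STARTTLS once SASL is working.
EHLO_BEFORE_TLS = """250-mail.example.org
250-PIPELINING
250-SIZE
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

EHLO_AFTER_TLS = """250-mail.example.org
250-PIPELINING
250-SIZE
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-AUTH=DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def build_auth_plain(username, password, authzid=""):
    """Return the complete 'AUTH PLAIN <initial-response>' command line.
    The initial response is authzid NUL authcid NUL password, base64-encoded.
    Base64 is an encoding, not encryption: see decode_auth_plain()."""
    for field in (username, password, authzid):
        if "\0" in field:
            raise ValueError("NUL is the field separator and may not appear in a field")
    blob = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return "AUTH PLAIN " + base64.b64encode(blob).decode("ascii")


def decode_auth_plain(command):
    """Recover (authzid, authcid, password) from an AUTH PLAIN command line,
    exactly as anyone who can read an unencrypted session could."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "AUTH" or parts[1].upper() != "PLAIN":
        raise ValueError("not an AUTH PLAIN command with an initial response")
    fields = base64.b64decode(parts[2], validate=True).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError("malformed PLAIN initial response")
    return tuple(fields)


def parse_ehlo(reply):
    """Return (starttls_offered, set of advertised AUTH mechanisms).
    '250-AUTH=...' is the legacy spelling kept for old clients and carries
    the same list as '250-AUTH ...'."""
    starttls = False
    mechanisms = set()
    for line in reply.splitlines():
        line = line.strip()
        if not line.startswith("250") or len(line) < 5:
            continue
        keyword = line[4:].upper()          # skip "250-" or "250 "
        if keyword == "STARTTLS":
            starttls = True
        elif keyword.startswith(("AUTH ", "AUTH=")):
            mechanisms.update(keyword[5:].split())
    return starttls, mechanisms


def plain_auth_allowed(reply, tls_active):
    """Decide whether AUTH PLAIN may be sent now, and explain a refusal."""
    starttls, mechanisms = parse_ehlo(reply)
    if "PLAIN" not in mechanisms:
        if starttls and not tls_active:
            return False, "AUTH not advertised yet; issue STARTTLS and re-send EHLO"
        return False, "server offers no AUTH PLAIN (SASL not enabled or plugin missing)"
    if not tls_active:
        return False, "refusing to send cleartext credentials on an unencrypted session"
    return True, "ok"


if __name__ == "__main__":
    cmd = build_auth_plain("friend", "correct horse")      # constructed credentials
    print(cmd)
    print("decodes back to:", decode_auth_plain(cmd))
    print(plain_auth_allowed(EHLO_BEFORE_TLS, tls_active=False))
    print(plain_auth_allowed(EHLO_AFTER_TLS, tls_active=True))
```

parse_ehlo() is also the quickest way to check the "missing AUTH line" complaint from a script: if the mechanism set is empty after STARTTLS as well, SASL really is not enabled or the mechanism plugins are not installed, which matches the package list above.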

well thanks for the reply, some useful info.

first off, the auth digits are modified, thank god for conspiracy theory ;) i’ve had a suspicion it would be reversible so i changed some digits…

i’ll check the installed packages, if it is not standard it’s very likely that it’s not installed yet :(

and about the last point, yes it keeps trying, for over 2 days now… i’ve got a log file full!

i’ll give it a go… and get back to you… thanks so far!