ehsmeng2
04-03-2007, 11:50 AM
I managed to confuse myself greatly configuring postfix so I thought I'd write down my confusion. It might help someone else or possibly myself in the future googling. I only had problems with sending mails from my machine through the server so that's what I'll describe here.
$ telnet mail.rimuhosting.com 25
Trying 65.99.196.158...
Connected to mail.rimuhosting.com.
Escape character is '^]'.
EHLO localhost
220 rimuhosting.com ESMTP Postfix
250-rimuhosting.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.
Ok, STARTTLS means that client can ask server to start talking over an encrypted link. This is independent of encryption methods of passwords etc; it is only how mail client and postfix talks.
The AUTH line (there are two of them in case mailer program is buggy/old) says user must authenticate to send mails. This is a good thing, otherwise anyone can relay spam on the server. PLAIN and LOGIN are unencrypted. DIGEST-MD5 etc are not. Note, this is just how the mailprogram sends its credentials to postfix, it cares nothing about Sasl backend, starttls etc. If you have say CRAM-MD5 + STARTTLS you have a double protection. Normally.
Ok passwords then. Postfix has a separate module for handling passwords called cyrus-sasl. This is a middleware, designed to simplify for Postgres (et al) to validate passwords. You can have a password in /etc/password, /etc/shadow, a proper database, a .db database, etc. Authors of Postgres didn't want to write all of that by themselves hence they used cyrus-sasl. This is a different beast to configure and cares not about the means the AUTH thing receives the password. /etc/postfix/main.cf:
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
* Ethereal/Wireshark is priceless to use when debugging this.
* So are the actually useful log files /var/log/maillog
* Making Postfix barf on badly behaved mails decreases spam considerably. There are loads more options but these works nice for us (/etc/postfix/main.cf):
smtpd_sender_restrictions =
permit_sasl_authenticated,
permit_mynetworks
smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_non_fqdn_hostname,
reject_invalid_hostname,
check_helo_access pcre:/etc/postfix/helo_checks,
permit
Having this in the back of your head, "the book of postfix" is easier to penetrate.
HTH someone,
Marcus
$ telnet mail.rimuhosting.com 25
Trying 65.99.196.158...
Connected to mail.rimuhosting.com.
Escape character is '^]'.
EHLO localhost
220 rimuhosting.com ESMTP Postfix
250-rimuhosting.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.
Ok, STARTTLS means that client can ask server to start talking over an encrypted link. This is independent of encryption methods of passwords etc; it is only how mail client and postfix talks.
The AUTH line (there are two of them in case mailer program is buggy/old) says user must authenticate to send mails. This is a good thing, otherwise anyone can relay spam on the server. PLAIN and LOGIN are unencrypted. DIGEST-MD5 etc are not. Note, this is just how the mailprogram sends its credentials to postfix, it cares nothing about Sasl backend, starttls etc. If you have say CRAM-MD5 + STARTTLS you have a double protection. Normally.
Ok passwords then. Postfix has a separate module for handling passwords called cyrus-sasl. This is a middleware, designed to simplify for Postgres (et al) to validate passwords. You can have a password in /etc/password, /etc/shadow, a proper database, a .db database, etc. Authors of Postgres didn't want to write all of that by themselves hence they used cyrus-sasl. This is a different beast to configure and cares not about the means the AUTH thing receives the password. /etc/postfix/main.cf:
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
* Ethereal/Wireshark is priceless to use when debugging this.
* So are the actually useful log files /var/log/maillog
* Making Postfix barf on badly behaved mails decreases spam considerably. There are loads more options but these works nice for us (/etc/postfix/main.cf):
smtpd_sender_restrictions =
permit_sasl_authenticated,
permit_mynetworks
smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_non_fqdn_hostname,
reject_invalid_hostname,
check_helo_access pcre:/etc/postfix/helo_checks,
permit
Having this in the back of your head, "the book of postfix" is easier to penetrate.
HTH someone,
Marcus