
securing config 1

Status
Not open for further replies.

elkoko (IS-IT--Management, CA), Aug 24, 2005
Hi all,

I went through a lot of the docs on the postfix.org site and around Google, but I just can't find what I would like to do. To my mind, it's quite simple, but my search proves otherwise. Maybe I just missed something.

To start with, I have managed most of the services available as a sysadmin, but never touched mail-related services (SMTP/POP/IMAP) other than as a user.


What is important for me is:

. listen to smtp.domain.com:25
. being MX for my.domain.com
. accept only mail for my.domain.com
. accept relay for my public IP range.

. listen to smtp.domain.com:995
. TLS/SASL auth_only relay for users
. all incoming mail is relayed to smtp.domain.com:25

I have played with examples for TLS/SASL, but I would like to separate in/out to different port. Maybe my vision is wrong about this.

Can this be done in a single instance of postfix?

Is SMTP able to respond to a server name instead of an IP address? For now, both in.smtp and out.smtp are on the same server.

Thanks very much for any advice.

 
Ok, I managed to get two instances of postfix to run simultaneously. My "main" one in /etc/postfix is running on a non-default port (not the 995 I was planning, because that is reserved for pop3s). It serves me well as an outgoing SMTP server with SASL/TLS.

- copied /etc/postfix to /etc/postfix-localhost
- copied /etc/init.d/postfix to /etc/init.d/postfix-localhost
- tweaked some bits here and there

Unfortunately, I still get a small error. I have put
"alternate_config_directories = /etc/postfix-localhost"

Whenever I start "postfix" and then "postfix-localhost", I get the following error in the log file:

fatal: Cannot flush mail queue - mail system is down

but I don't get this error if I start them in the other order.

Does anyone have any advice on this?

Thanks already.
 
Just curious, but why didn't you just add another listener in master.cf?
 
Well, that is a good question. I just can't figure how "secure" I can put it... and got no response from anyone.

My first try was to take the SuSE 9.3-provided postfix and add SASL-TLS, but after 2 min of running I was already getting 5-10 unwanted connections. So I closed it down and ran it on a different port (say 2345). Being able to send out was my first priority. I kind of put up a

mydestination =
smtpd_sender_restrictions = reject_sender_login_mismatch
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

figuring this is the most restrictive setup possible.

Now, I would like to set up an SMTP server to receive mail for my domain, and allow my other servers (on my 32-address public IP block) to send... on port 25. How should I change my current config to do so? I thought a second instance would be easier.

If anyone's experience says otherwise, please help me out.
 
Your example above can easily be implemented as a listener in master.cf. Example:


# master.cf: continuation lines start with whitespace, and -o options
# take no spaces around "=" (a space would end the option value).
127.0.0.1:995 inet n - y - - smtpd
  -o mydestination=
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_sender_login_maps=hash:/etc/postfix/sender_login_maps

As to your question about receiving mail and allowing your local network to relay... I don't understand; the default config out of the box should work that way (you just have to define mydomain and mynetworks as appropriate).
 
Thanks, I have not dug deep into master.cf yet.

My relay-related question was because I had in mind to have 2 instances of postfix, not two ports on the same instance.

I'll try this out on Monday.
 
I've been tweaking the config all afternoon to no avail. :-(

What I would like to do is:

1. Allow my coworkers to send email through my SMTP server from anywhere in the world, as long as they use TLS/SASL, their From: address is in hash:/etc/postfix/sender_login_maps, and they connect to port 2345. The From: is not necessarily part of $mydomain, $mydestination, etc. I kind of am an open relay for selected spammers, but they are good spammers, since they are logged ;-)
   -> This was done OK last week.
   main.cf said:
     mydestination =
     smtpd_sender_restrictions = reject_sender_login_mismatch
     smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
   sender_login_maps said:
     weirdo@not.my.tld.com     unixuser1
     john@doe.com              unixuser1
     another.weirdo@yahoo.com  unix2

2. I also host some web servers for them (either corporate or personal) on my public-IP network. Imagine I have a 16-block. I want to allow only those servers to be able to send out emails on port 25 without TLS and SASL.
   -> This is easily done with some changes to the default settings.
   -> I know that I have some addresses that are not used yet, so to be secure, I want to limit access to some addresses. So I have my "access" map as:
   /etc/postfix/main.cf said:
     smtpd_sender_restrictions = check_client_access hash:/etc/postfix/access
   /etc/postfix/access said:
     A.B.C      REJECT
     A.B.C.D1   OK
     A.B.C.D2   OK
     127.0.0.1  OK

3. I want all email from outside that is sent to us to be accepted, and all other rejected. Of course, this should be on port 25 without SASL/TLS.
   -> My addresses are virtual (for security, they don't reflect /etc/passwd accounts), and they are aliased to some weird local accounts (like: as98fa).
   main.cf said:
     mydomain = tld.com
It might be just me, but I can get 1 working alone, OR 2-3 working together, but I just can't get all three together. For all my attempts, either:
  - I can no longer send from outside
    /var/log/mail said:
      Client host rejected: Access denied;
  - I can't send from inside my network on port 25:
    /var/log/mail said:
      Relay access denied;
  - It doesn't recognize local users
    /var/log/mail said:
      Recipient address rejected: User unknown in local recipient table;
I am pretty sure someone out there has this kind of set-up up and running without trouble. Please help me as I have been on this for a week.

I thought I was getting somewhere with two instances of postfix running, but I got the queue problem mentioned last week, and with the tip, I tried to glue both settings together without success.

Really thanks for any help.
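The single-instance layout suggested earlier in the thread (one port-25 listener driven by main.cf, one extra listener in master.cf with -o overrides) can carry all three of the requirements in the post above. The script below is an added example, not configuration from the thread or from the Postfix project: it writes the main.cf settings, the master.cf listener and the two lookup tables into a directory you name, so they can be read and checked before anything is copied into /etc/postfix. smtp.domain.com, tld.com, port 2345 and the as98fa account are the poster's placeholders; 192.0.2.10 and 192.0.2.11 stand in for A.B.C.D1 / A.B.C.D2; the TLS file paths and the john@tld.com virtual entry are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): writes the three-part Postfix setup
# discussed above into DIR so it can be reviewed, then copied to /etc/postfix.
# Placeholders: smtp.domain.com, tld.com, port 2345, the as98fa account and the
# TLS file paths come from or are assumed for the posts; 192.0.2.10/.11 stand in
# for the poster's A.B.C.D1 / A.B.C.D2.
set -eu

# write_postfix_config DIR
write_postfix_config() {
    dir=$1
    mkdir -p "$dir"

    # main.cf governs the port-25 listener: inbound for our domain only,
    # unauthenticated relay only for the listed hosts.
    cat > "$dir/main.cf" <<'EOF'
myhostname = smtp.domain.com
mydomain = tld.com
myorigin = $mydomain
inet_interfaces = all

# Goal 3: accept inbound mail only for our domain; public addresses map to
# unrelated local accounts through the virtual alias table.
mydestination = $mydomain, localhost
virtual_alias_maps = hash:/etc/postfix/virtual

# Goal 2: only these hosts may relay on port 25 without authentication.
# Listing /32s instead of the whole block keeps unused addresses out.
# Relaying is decided here, not by an OK in a sender-stage access map.
mynetworks = 127.0.0.0/8, 192.0.2.10/32, 192.0.2.11/32
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# No sender-owner check on port 25: reject_sender_login_mismatch also rejects
# unauthenticated clients whose MAIL FROM is listed in the map, which would
# bounce legitimate replies from those people. It lives on the 2345 listener.
smtpd_sender_restrictions =
smtpd_sasl_auth_enable = no
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# TLS material for the submission listener (paths are assumptions).
smtpd_tls_cert_file = /etc/postfix/smtpd.pem
smtpd_tls_key_file = /etc/postfix/smtpd.key
EOF

    # Goal 1: the submission listener, to be appended to master.cf. Continuation
    # lines start with whitespace and -o values contain no spaces.
    cat > "$dir/master.cf.submission" <<'EOF'
2345      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
EOF

    # Envelope sender -> SASL login that may use it (run postmap on this).
    cat > "$dir/sender_login_maps" <<'EOF'
weirdo@not.my.tld.com     unixuser1
john@doe.com              unixuser1
another.weirdo@yahoo.com  unix2
EOF

    # Public address -> local account (constructed sample; run postmap on this).
    cat > "$dir/virtual" <<'EOF'
john@tld.com    as98fa
EOF
}

# config_has DIR FILE PATTERN: returns 0 when FILE in DIR contains PATTERN.
config_has() {
    grep -q -- "$3" "$1/$2"
}

# Stand-alone run: write into a temporary directory and list what was produced.
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp -d)
    write_postfix_config "$out"
    ls "$out"
fi
```

After copying the files into place, build the hash tables with `postmap /etc/postfix/sender_login_maps` and `postmap /etc/postfix/virtual`, append master.cf.submission to master.cf, and run `postfix check` before `postfix reload`. Two points worth knowing when comparing this with the configuration in the post: an `OK` returned by `check_client_access` only satisfies the restriction list it appears in, while permission to relay is granted by `permit_mynetworks` in the recipient-stage list (Postfix 2.10 and later evaluate `smtpd_relay_restrictions` first, whose default already contains `permit_mynetworks` and `permit_sasl_authenticated`), which is why the servers belong in `mynetworks`; and `reject_sender_login_mismatch` checks the envelope MAIL FROM, not the header From:, so the table must list the envelope addresses the coworkers' clients use. `smtpd_tls_security_level` exists from Postfix 2.3; on the 2.2 release that shipped with SuSE 9.3 the equivalent overrides are `-o smtpd_use_tls=yes -o smtpd_enforce_tls=yes`. If the two-instance route is kept instead, each instance needs its own queue_directory and its own listening ports in addition to its own config directory.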
 