[gentoo-user] Postfix question about auth and blocklists...

[gentoo-user] Postfix question about auth and blocklists...

[Steve]

On a gentoo mailserver, I'm running Postfix 2.6.5 - and, having followed
some howto or other, quite a long time ago, I have this section at the
end of my main.cf:

--
smtpd_recipient_restrictions =
         permit_mynetworks,
         permit_sasl_authenticated,
         reject_unauth_destination,
         reject_non_fqdn_sender,
         reject_rbl_client sbl-xbl.spamhaus.org,
         reject_rbl_client list.dsbl.org,
         reject_rbl_client bl.spamcop.net,
         reject_unknown_sender_domain,
         reject_rhsbl_sender bogusmx.rfc-ignorant.org
--

While it might not be optimal, it worked extremely well for a long
time.  The block lists were a godsend as I receive(d) quite a lot of
spam which had threatened to bog down spamassassin.  For ages, I just
used my ISP's SMTP server to send, and only received on my own.

I've bought a smart phone (an HTC HD2 on Windows Mobile 6.5) and need to
use it to access my email on this server - both via mobile and Wi-Fi
connectivity.  The IMAP(s) side works OK for my inbox (after a few
dovecot tweaks)  - and, after a setting up SASL, I can now send email
from my phone via my own SMTP server, which gateways this to my ISP...
all secured by a complex password.  So far, so good - and I can send
email from home over Wi-Fi from my phone.  The problem arises
elsewhere... where I'm not connected to my local (W)LAN (i.e. where I'm
not in "permit_mynetworks") - where the phone reports:

--
The server returned the following error message:

554 5.7.1 Service unavailable; Client host 149.254.48.170 blocked using
sbl-xbl.spamhouse.org; http://www.spamhous.org/query/bl?ip=149.254.48.170
--

The block comes as no surprise as 149.254.48.170 isn't exclusively under
my control - and, likely, is a vector for lots of spam - now mobile data
services are cheap and difficult to trace.  What I didn't expect is for
my connection to be rejected even though I had the right username and
password.

So... the questions:

* How can I alter the configuration  to process email from blocked
locations if and only if the client authenticates?
* How can I verify that SMTP auth has been done (when connecting from my
LAN) - it would be a disaster if I inadvertently created an open relay. 
(I don't think I have - but better safe than sorry, etc.)

Thanks in advance for any replies...

Re: [gentoo-user] Postfix question about auth and blocklists...

[Brandon Vargo]

On Wed, 2010-05-26 at 15:40 +0100, Steve wrote:
> On a gentoo mailserver, I'm running Postfix 2.6.5 - and, having followed
> some howto or other, quite a long time ago, I have this section at the
> end of my main.cf:
> 
> --
> smtpd_recipient_restrictions =
>          permit_mynetworks,
>          permit_sasl_authenticated,
>          reject_unauth_destination,
>          reject_non_fqdn_sender,
>          reject_rbl_client sbl-xbl.spamhaus.org,
>          reject_rbl_client list.dsbl.org,
>          reject_rbl_client bl.spamcop.net,
>          reject_unknown_sender_domain,
>          reject_rhsbl_sender bogusmx.rfc-ignorant.org
> --
> 
> While it might not be optimal, it worked extremely well for a long
> time.  The block lists were a godsend as I receive(d) quite a lot of
> spam which had threatened to bog down spamassassin.  For ages, I just
> used my ISP's SMTP server to send, and only received on my own.
> 
> I've bought a smart phone (an HTC HD2 on Windows Mobile 6.5) and need to
> use it to access my email on this server - both via mobile and Wi-Fi
> connectivity.  The IMAP(s) side works OK for my inbox (after a few
> dovecot tweaks)  - and, after a setting up SASL, I can now send email
> from my phone via my own SMTP server, which gateways this to my ISP...
> all secured by a complex password.  So far, so good - and I can send
> email from home over Wi-Fi from my phone.  The problem arises
> elsewhere... where I'm not connected to my local (W)LAN (i.e. where I'm
> not in "permit_mynetworks") - where the phone reports:
> 
> --
> The server returned the following error message:
> 
> 554 5.7.1 Service unavailable; Client host 149.254.48.170 blocked using
> sbl-xbl.spamhouse.org; http://www.spamhous.org/query/bl?ip=149.254.48.170
> --
> 
> The block comes as no surprise as 149.254.48.170 isn't exclusively under
> my control - and, likely, is a vector for lots of spam - now mobile data
> services are cheap and difficult to trace.  What I didn't expect is for
> my connection to be rejected even though I had the right username and
> password.
> 
> So... the questions:
> 
> * How can I alter the configuration  to process email from blocked
> locations if and only if the client authenticates?
> * How can I verify that SMTP auth has been done (when connecting from my
> LAN) - it would be a disaster if I inadvertently created an open relay. 
> (I don't think I have - but better safe than sorry, etc.)
> 
> Thanks in advance for any replies...
> 
> 

You want to split your rules between smtpd_recipient_restrictions,
smtpd_sender_restrictions, and smtpd_client_restrictions. The first will
apply rules to the recipient address, controlling the destinations to
which the mail server will send mail. The second will apply rules to the
sender address. The third will restrict who is allowed to connect to
your mail server in the first place. By default,
smtpd_recipient_restrictions permits mynetworks and rejects unauthorized
recipients, smtp_sender_restrictions permits everything, and
smtpd_client_restrictions allows all connections. In all, the first
restriction that matches is applied.

What you want it something closer to this:

smtpd_client_restrictions = 
   permit_mynetworks, 
   permit_sasl_authenticated, 
   reject_rbl_client sbl-xbl.spamhaus.org,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client bl.spamcop.net,
   reject_rhsbl_sender bogusmx.rfc-ignorant.org

smtpd_recipient_restrictions = 
   permit_mynetworks, 
   permit_sasl_authenticated, 
   reject_unauth_destination

smtpd_sender_restrictons =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain

Note that I have not tested this exact configuration, but I have
something similar on my mail server. This configuration will allow all
mail from your local network and any authenticated client. If neither of
these conditions are met, the remote client is blocked if they are on
one of the DNS block lists, the sender address is not known, or the mail
is addressed to an unauthorized destination. If the client is on the
local network or authenticated, none of the other rules will apply. You
can of course test the rules by using one of the many mail relay testing
websites or simply connecting from outside your network with and without
using authentication.

For more information on these rules, look at the postfix documentation,
which is quite comprehensive:
      * http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
      * http://www.postfix.org/postconf.5.html#smtpd_client_restrictions
      * http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions

You might also want to take a look at smtpd_helo_restrictions and
smtpd_data_restrictions for further tuning. Also, note that spamhaus
recommends zen.spamhaus.org instead of sbl-xbl.spamhaus.org. The former
is more comprehensive while the latter is geared only toward exploits.
Do not include both, as zen includes sbl-xbl.

For more in-depth information, you probably want to ask the
postfix-users mailing list, as your issue relates to Postfix more than
Gentoo.

I hope the above helps.

Regards,

Brandon Vargo

Re: [gentoo-user] Postfix question about auth and blocklists...

[Steve]

[-- Attachment #1: Type: text/plain, Size: 3662 bytes --]

On 26/05/2010 20:32, Brandon Vargo wrote:
> I hope the above helps.
>   

Thank you very much... that was very informative.  Unfortunately, I now
discover I fibbed when I said I had SASL auth set up - I only thought I
had...  When I correctly configure thunderbird, I get the following
postfix messages in the log:

> May 27 17:06:20 ken postfix/smtpd[19973]: connect from
> ur.shic.co.uk[10.0.1.253]
> May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
> failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=5
> May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
> failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=5
> May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
> failure: no secret in database
> May 27 17:06:20 ken postfix/smtpd[19973]: warning:
> ur.shic.co.uk[10.0.1.253]: SASL CRAM-MD5 authentication failed:
> authentication failure
> May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 1
> May 27 17:06:20 ken postfix/smtpd[19973]: client flags: ffff8207
> May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 2
> May 27 17:06:20 ken postfix/smtpd[19973]: client user: myusername
> May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
> failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=5
> May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
> failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=5
> May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
> failure: no secret in database
> May 27 17:06:20 ken postfix/smtpd[19973]: warning:
> ur.shic.co.uk[10.0.1.253]: SASL NTLM authentication failed:
> authentication failure

I'm sure I'm doing something silly - because googling the first warning
just gives me this bug <http://bugs.gentoo.org/show_bug.cgi?id=299390>,
which doesn't seem to fit.  I have this installed:

> $ eix mail-mta/postfix
> [I] mail-mta/postfix
>      Available versions:  2.6.5 ~2.6.6 {cdb dovecot-sasl hardened ipv6
> ldap mbox mysql nis pam postgres sasl selinux ssl vda}
>      Installed versions:  2.6.5(09:08:29 05/27/10)(ipv6 pam sasl ssl
> -cdb -dovecot-sasl -hardened -ldap -mbox -mysql -nis -postgres
> -selinux -vda)
>      Homepage:            http://www.postfix.org/
>      Description:         A fast and secure drop-in replacement for
> sendmail.

If I alter thunderbird to not use secure authentication, I get the
following instead.

> May 27 17:14:26 ken postfix/smtpd[20115]: connect from
> ur.shic.co.uk[10.0.1.253]
> May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL authentication
> problem: unknown password verifier
> May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL authentication
> failure: Password verification failed
> May 27 17:14:26 ken postfix/smtpd[20115]: warning:
> ur.shic.co.uk[10.0.1.253]: SASL PLAIN authentication failed: no
> mechanism available
> May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL authentication
> problem: unknown password verifier
> May 27 17:14:26 ken postfix/smtpd[20115]: warning:
> ur.shic.co.uk[10.0.1.253]: SASL LOGIN authentication failed: no
> mechanism available

Which seems quite strange.

My /etc/sasl2/smtpd.conf is the default for gentoo - i.e. it contains
the single config line:

> pwcheck_method:pam

I don't care if I use PAM or something else - as long as it lets me
authenticate.  In the medium term, it would be best if neither IMAP nor
SMTP passwords had any relation to my system password (not that I allow
remote logins unsing it) - but, for the time being, I just want it to
let me authenticate and send from my phone.

By any chance can anyone give me any further clues?


[-- Attachment #2: Type: text/html, Size: 4462 bytes --]

Re: [gentoo-user] Postfix question about auth and blocklists...

[Brandon Vargo]

On Thu, 2010-05-27 at 17:24 +0100, Steve wrote:
> On 26/05/2010 20:32, Brandon Vargo wrote:
> > I hope the above helps.
> >   
> 
> Thank you very much... that was very informative.  Unfortunately, I
> now discover I fibbed when I said I had SASL auth set up - I only
> thought I had...  When I correctly configure thunderbird, I get the
> following postfix messages in the log:
> 
> > May 27 17:06:20 ken postfix/smtpd[19973]: connect from
> > ur.shic.co.uk[10.0.1.253]
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: no secret in database
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL CRAM-MD5 authentication failed:
> > authentication failure
> > May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 1
> > May 27 17:06:20 ken postfix/smtpd[19973]: client flags: ffff8207
> > May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 2
> > May 27 17:06:20 ken postfix/smtpd[19973]: client user: myusername
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: no secret in database
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL NTLM authentication failed:
> > authentication failure
> 
> I'm sure I'm doing something silly - because googling the first
> warning just gives me this bug, which doesn't seem to fit.  I have
> this installed:
> 
> > $ eix mail-mta/postfix
> > [I] mail-mta/postfix
> >      Available versions:  2.6.5 ~2.6.6 {cdb dovecot-sasl hardened
> > ipv6 ldap mbox mysql nis pam postgres sasl selinux ssl vda}
> >      Installed versions:  2.6.5(09:08:29 05/27/10)(ipv6 pam sasl ssl
> > -cdb -dovecot-sasl -hardened -ldap -mbox -mysql -nis -postgres
> > -selinux -vda)
> >      Homepage:            http://www.postfix.org/
> >      Description:         A fast and secure drop-in replacement for
> > sendmail.
> 
> If I alter thunderbird to not use secure authentication, I get the
> following instead.
> 
> > May 27 17:14:26 ken postfix/smtpd[20115]: connect from
> > ur.shic.co.uk[10.0.1.253]
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication problem: unknown password verifier
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication failure: Password verification failed
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL PLAIN authentication failed: no
> > mechanism available
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication problem: unknown password verifier
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL LOGIN authentication failed: no
> > mechanism available
> 
> Which seems quite strange.
> 
> My /etc/sasl2/smtpd.conf is the default for gentoo - i.e. it contains
> the single config line:
> 
> > pwcheck_method:pam
> 
> I don't care if I use PAM or something else - as long as it lets me
> authenticate.  In the medium term, it would be best if neither IMAP
> nor SMTP passwords had any relation to my system password (not that I
> allow remote logins unsing it) - but, for the time being, I just want
> it to let me authenticate and send from my phone.
> 
> By any chance can anyone give me any further clues?
> 

You mentioned in your first mail that you use Dovecot. The easiest way
to setup SASL for Postfix is to have Postfix authenticate against
Dovecot, assuming that you want the same usernames and passwords for
both. Recompile mail-mta/postfix with the dovecot-sasl USE flag enabled.
Then, add the following to Postfix's configuration file after
commenting/removing the other SASL lines:

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Then, in dovecot's configuration file, add the following to the "auth
default" section:

socket listen {
   client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
   }
}

Adjust the path, user, and group as appropriate. The user and group
should be set to whatever user postfix is running under. Note that
private/auth in the path corresponds to the smtpd_sasl_path setting in
Postfix. Restart Dovecot and then Postfix.

I also recommend adding the following option to main.cf if your clients
support TLS encryption, which will not allow authentication over
unencrypted connections:

smtpd_tls_auth_only = yes

See http://www.postfix.org/SASL_README.html for other SASL mechanisms,
if you do not use or do not want to use Dovecot.

Regards,

Brandon Vargo

Re: [gentoo-user] Postfix question about auth and blocklists...

[Tanstaafl]

On 2010-05-27 1:06 PM, Brandon Vargo wrote:
> You mentioned in your first mail that you use Dovecot. The easiest
> way to setup SASL for Postfix is to have Postfix authenticate
> against Dovecot,

+1, with one caveat - it doesn't work in client mode, only server mode...

> I also recommend adding the following option to main.cf if your
> clients support TLS encryption, which will not allow authentication
> over unencrypted connections:
> 
> smtpd_tls_auth_only = yes

This is deprecated...

Ror the submission port you should use:

smtpd_tls_security_level = encrypt

and for opportunistic TLS on port 25:

smtpd_tls_security_level = may

Re: [gentoo-user] Postfix question about auth and blocklists...

[Tanstaafl]

On 2010-05-26 3:32 PM, Brandon Vargo wrote:
> On Wed, 2010-05-26 at 15:40 +0100, Steve wrote:
>> On a gentoo mailserver, I'm running Postfix 2.6.5 - and, having followed
>> some howto or other, quite a long time ago, I have this section at the
>> end of my main.cf:

<snip>
>> The problem arises elsewhere... where I'm not connected to my local
>> (W)LAN (i.e. where I'm not in "permit_mynetworks") - where the
>> phone reports:

Whether or not your client is in mynetwroks is irrelevant, if you are
sasl_authenticating.

>> The server returned the following error message:
>>
>> 554 5.7.1 Service unavailable; Client host 149.254.48.170 blocked using
>> sbl-xbl.spamhouse.org; http://www.spamhous.org/query/bl?ip=149.254.48.170
>> --
>>
>> The block comes as no surprise as 149.254.48.170 isn't exclusively under
>> my control

Irrelevant...

>> So... the questions:
>>
>> * How can I alter the configuration  to process email from blocked
>> locations if and only if the client authenticates?
>> * How can I verify that SMTP auth has been done (when connecting from my
>> LAN) - it would be a disaster if I inadvertently created an open relay. 
>> (I don't think I have - but better safe than sorry, etc.)
>>
>> Thanks in advance for any replies...

> You want to split your rules between smtpd_recipient_restrictions,
> smtpd_sender_restrictions, and smtpd_client_restrictions.

Absolutely not necessary. In most cases - as long as the default (yes)
for smtpd_delay_reject hasn't been changed - it is perfectly fine to
have all restrictions under smtpd_recipient_restrictions - and in fact
it is desirable because it is easier to maintain.

The problem is that you are *not* sasl_authenticating - if you were,
then you would not have hit that restriction.

We need two things - output of postconf -n on your server, and a log
snippet of a rejected send attempt.

Also, contents of master.cf - are you using port 25, or the submission
port (587)? You should always use the submission port if you aren't now.

Charles