From: Adrian Bolzan (Adrian.Bolzanaot.com.au)
Date: Mon Mar 25 2002 - 22:58:52 CST

    Hi,

    We are setting up postfix to use SASL for authenticated SMTP.
    We used postfix version 1.1 Patchlevel 5, and used cyrus-sasl rpms
    from RedHat 7.2 (v. 1.5.24-20). All authentication methods that we want
    are shown and SASL authentication seems to work.

    I was testing our setup and found that when no authentication was
    specified in the mail client (in this case, Pegasus v4.1) the postfix server
    still relayed mail, although if the authentication option was specified but
    the wrong username or password was given then the mail was not
    relayed.

    A stripped down 'postconf -n' showing the SASL sections is below:
      
    ---------
    # smtpd_delay_reject=yes is default but specifying, anyway
    smtpd_delay_reject=yes
    smtpd_client_restrictions = permit_sasl_authenticated

    smtpd_recipient_restrictions = permit_mynetworks \
          permit_sasl_authenticated check_relay_domains

    broken_sasl_auth_clients = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_security_options = noplaintext noanonymous

    ---------

    What we want is:

    Action 1. Postfix to accept mail sent from outside to domains it hosts
    (relay_domains)

    Action 2. Allow all users on the network to send mail via the postfix
    server (mynetworks)

    Action 3. Allow mobile users, dialling in to various ISPs, to use postfix as
    their mail relay (SASL authentication), and for postfix to relay their mail
    to external (not hosted domains) and to accept mail from the users to
    domains in relay_domains.

    Action 4. Not allow postfix to be an open relay for everyone everywhere

    To this end I modified the above postfix options:
    smtpd_client_restrictions = permit_sasl_authenticated reject

    This blocked all access to postfix from everywhere except
    authenticated users, hence not performing Action 1.

    I then changed it to:
    smtpd_client_restrictions = permit_sasl_authenticated \
       permit_mynetworks reject

    This allowed mail to be sent to <user>[ip_address_in_mynetworks]. I
    could not test sending mail to a proper domain in relay_domains
    because I cannot modify the DNS zonefiles at the moment, however, I
    think that the following setting would also work:

    smtpd_client_restrictions = permit_sasl_authenticated \
       check_relay_domains reject

    I found that:
    smtpd_recipient_restrictions = permit_mynetworks \
       permit_sasl_authenticated check_relay_domains reject
    did not help much.

    My question is whether this is the right/best way to perform the four
    Actions mentioned above?

    Should I use:
    smtpd_sender_restrictions = permit_mynetworks \
        permit_sasl_authenticated check_relay_domains reject
    instead?

    Thanks for any help,

    Adrian
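
The following is an added example, not part of the original post and not Postfix code: a simplified Python model of how smtpd walks the client, sender and recipient restriction lists at RCPT TO, run against the four Actions for three of the configurations in the post. Assumptions: `hosted.example` and `elsewhere.example` are constructed domains, the function and dictionary names are hypothetical, SASL is assumed to be enabled, and `check_relay_domains` is reduced to its recipient-domain match (the real restriction also permits clients whose hostname matches `relay_domains`).

```python
# Simplified model of Postfix smtpd restriction evaluation (added example).
OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"
RELAY_DOMAINS = {"hosted.example"}  # constructed stand-in for relay_domains

def check(restriction, s):
    """Verdict of one restriction for session s."""
    if restriction == "permit_mynetworks":
        return OK if s["in_mynetworks"] else DUNNO
    if restriction == "permit_sasl_authenticated":
        return OK if s["sasl_auth"] else DUNNO
    if restriction == "check_relay_domains":
        # Simplification: only the recipient-domain match is modelled.
        return OK if s["rcpt_domain"] in RELAY_DOMAINS else REJECT
    return REJECT  # the bare "reject" restriction

def decide(config, s):
    """Walk the client, sender and recipient lists in order."""
    for name in ("client", "sender", "recipient"):
        for restriction in config.get(name, []):
            verdict = check(restriction, s)
            if verdict == REJECT:
                return REJECT  # a reject in any list is final
            if verdict == OK:
                break          # OK ends this list only; later lists still run
    return OK

# Constructed sessions, one per Action in the post.
ACTIONS = {
    1: dict(in_mynetworks=False, sasl_auth=False, rcpt_domain="hosted.example"),
    2: dict(in_mynetworks=True, sasl_auth=False, rcpt_domain="elsewhere.example"),
    3: dict(in_mynetworks=False, sasl_auth=True, rcpt_domain="elsewhere.example"),
    4: dict(in_mynetworks=False, sasl_auth=False, rcpt_domain="elsewhere.example"),
}
WANTED = {1: OK, 2: OK, 3: OK, 4: REJECT}
RCPT = ["permit_mynetworks", "permit_sasl_authenticated", "check_relay_domains"]
CONFIGS = {
    "as posted": {"client": ["permit_sasl_authenticated"], "recipient": RCPT},
    "client + reject": {"client": ["permit_sasl_authenticated", "reject"], "recipient": RCPT},
    "client + mynetworks + reject": {
        "client": ["permit_sasl_authenticated", "permit_mynetworks", "reject"], "recipient": RCPT},
}

def failed_actions(config):
    """Actions whose modelled verdict differs from what the post wants."""
    return [n for n, s in ACTIONS.items() if decide(config, s) != WANTED[n]]

if __name__ == "__main__":
    for label, cfg in CONFIGS.items():
        print(f"{label:30} fails actions: {failed_actions(cfg)}")
```

In this model a trailing `reject` in `smtpd_client_restrictions` refuses unauthenticated outside clients before the recipient list is consulted, so inbound mail for hosted domains never reaches `check_relay_domains`.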