Re: 1 Postfix on 2 Ports with different configs

From: Istvan Sebestyen (istvanchains.ch)
Date: Mon Nov 03 2003 - 05:21:37 CST


Hi all!

I just solved my problem and wanted to do a "report", so if somebody has
the same problem, he can read this posting.

The situation was the following:
A friend asked me if I could give him access to relay, because his own SMTP
server cannot establish a connection with another SMTP server from
abroad. I guess this is filtered by his ISP. So I told him that I'm
gonna give him relay, but only with TLS+SASL.

Then I wanted to configure Postfix so that the smtpd process accepts
connections on port 2025, too, since that isn't filtered by his ISP. I
thought it'd be nice if my friend were able to send mail over
port 2025 only over STARTTLS, with authentication done by SASL.

I configured Postfix to use TLS and SASL and put some options for this
into the main.cf file:

# TLS Settings
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/certs/newreq.pem
smtpd_tls_cert_file = /etc/postfix/certs/newcert.pem
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_CApath = /etc/postfix/certs
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_starttls_timeout = 300s
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes

# SASL Settings
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous

# Give access to relay; permit_sasl_authenticated is the IMPORTANT line
# (Postfix does not accept comments after a value, so the note stays up here)
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        check_recipient_access
                [...]

Since these are now the default options for smtpd and I don't want
clients to be able to authenticate over port 25, I edited my
master.cf file:

smtp inet n - n - - smtpd -o smtpd_sasl_auth_enable=no -o smtpd_use_tls=no
2025 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_auth_only=yes

I restarted Postfix and it worked. On port 25 Postfix offers me
neither STARTTLS nor AUTH:

osiris:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.chains.ch ESMTP
EHLO localhost
250-chains.ch
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-XVERP
250 8BITMIME

And on port 2025 TLS and AUTH were offered:
(I've done this with openssl, since smtpd_enforce_tls is enabled and I
 won't get offered AUTH in an unencrypted session)

osiris:~# openssl s_client -starttls smtp -connect localhost:2025
[...]
220 mail.chains.ch ESMTP
EHLO localhost
250-chains.ch
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5
250-XVERP
250 8BITMIME

(NOTE: STARTTLS isn't offered since I had already established a secure
 connection through openssl)

I hope this is useful to somebody.

Anyway. Postfix rulez! :-)

Regards
--
       (O O)
--oooO--(_)--Oooo----------------------------------------------------

Istvan Sebestyen <istvanchains.ch>
---------------------------------------------------------------------
You can't go home again, unless you set $HOME.
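The two manual checks in the post (telnet on port 25, openssl s_client on port 2025) can be scripted so the split-port policy is verified every time the config changes; the following POSIX shell checker is an added example, not code from the post. It assumes nc(1) and openssl(1) are available for the live captures, and the host name and ports passed in are placeholders chosen by the caller.

```shell
#!/bin/sh
# Added example, not from the post: verifies a split-port Postfix setup.
# Assumes nc(1) and openssl(1) for live captures; host/ports are placeholders.

# ehlo_features: print the ESMTP keywords of the LAST EHLO reply on stdin,
# one per line, upper-cased (inside STARTTLS the server answers EHLO again).
ehlo_features() {
    tr -d '\r' | awk '
        /^250[- ]/ {
            if (!in250) { split("", kw); n = 0; in250 = 1 }  # new reply block
            n++
            if (n > 1) {                          # first line is the server name
                split(substr($0, 5), w, /[ =]/)   # "AUTH=LOGIN ..." -> AUTH
                kw[toupper(w[1])] = 1
            }
            next
        }
        { in250 = 0 }
        END { for (k in kw) print k }'
}
# offers KEYWORD TRANSCRIPT: succeed when the EHLO reply advertises KEYWORD.
offers() {
    printf '%s\n' "$2" | ehlo_features |
        grep -qx "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}
# check_policy PLAIN_TRANSCRIPT TLS_TRANSCRIPT (port 25 cleartext, relay port
# inside TLS): returns the number of violations, 0 when the setup is correct.
check_policy() {
    bad=0
    offers AUTH     "$1" && { echo "FAIL: port 25 offers AUTH in cleartext"; bad=$((bad+1)); }
    offers STARTTLS "$1" && { echo "FAIL: port 25 offers STARTTLS"; bad=$((bad+1)); }
    offers AUTH     "$2" || { echo "FAIL: relay port offers no AUTH inside TLS"; bad=$((bad+1)); }
    return $bad
}
# Live captures mirroring the post's telnet and openssl sessions, e.g.
#   check_policy "$(capture_plain mail.example 25)" "$(capture_tls mail.example 2025)"
capture_plain() { printf 'EHLO probe\r\nQUIT\r\n' | nc -w 5 "$1" "$2"; }
capture_tls()   { printf 'EHLO probe\r\nQUIT\r\n' |
                  openssl s_client -quiet -starttls smtp -connect "$1:$2" 2>/dev/null; }
# Constructed transcripts (copied from the post's output) for an offline run.
PLAIN_25='220 mail.example ESMTP
250-example
250-PIPELINING
250 8BITMIME'
TLS_2025='250-example
250-AUTH LOGIN PLAIN DIGEST-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5
250 8BITMIME'
check_policy "$PLAIN_25" "$TLS_2025" && echo "OK: split-port policy holds"
```

Run it from cron or a post-deploy hook; a non-zero exit from check_policy means port 25 has started offering AUTH or STARTTLS again, or the relay port lost AUTH.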