RE: 554 Client host rejected Access denied

From: Brian Carroll (BCarrollsecurenetdesigns.com)
Date: Wed Mar 05 2008 - 02:30:24 CST


> -----Original Message-----
> From: owner-postfix-userspostfix.org [mailto:owner-postfix-
> userspostfix.org] On Behalf Of Victor Duchovni
> Sent: Tuesday, March 04, 2008 11:24 PM
> To: postfix-userspostfix.org
> Subject: Re: 554 Client host rejected Access denied
>
> On Tue, Mar 04, 2008 at 10:49:34PM -0500, Brian Carroll wrote:
>
> > smtp inet n - y - - smtpd
> > -o cleanup_service_name=pre-cleanup
> > 465 inet n - y - - smtpd
> > -o cleanup_service_name=pre-cleanup
> > smtps inet n - y - - smtpd
> > -o smtpd_tls_wrappermode=yes
> > -o smtpd_sasl_auth_enable=yes
> > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> > -o cleanup_service_name=pre-cleanup
>
> The "smtps" service is by default port 465 in most /etc/services files,
> does yours differ? This Postfix configuration should not start because
> master is unable to rebind the "smtps" port already used by the "465"
> service.

They are exactly as you fear and yet it runs like a champ. I don't
pretend to know why though...

This is what is generated in /var/log/maillog upon a restart:

Mar 5 01:30:08 mail postfix/postfix-script: stopping the Postfix mail system
Mar 5 01:30:08 mail postfix/master[25970]: terminating on signal 15
Mar 5 01:30:08 mail sendmail[26033]: alias database /etc/aliases rebuilt by root
Mar 5 01:30:08 mail sendmail[26033]: /etc/aliases: 78 aliases, longest 19 bytes, 802 bytes total
Mar 5 01:30:09 mail postfix/postfix-script: starting the Postfix mail system
Mar 5 01:30:09 mail postfix/master[26119]: daemon started -- version 2.3.3, configuration /etc/postfix

That's it...it stops...it starts...the next line is someone being
rejected for no FQDN in their helo. The whole restart takes a nominal 1
second.

>
> This said, if "smtps" is NOT port 465 on your machine, and the sender
> is connecting to the smtps port and not using SASL auth, you would
> get the log message you report.

My firewall logs show exactly that. They are connecting on 465 and
cannot auth as they are just a remote sender with mail for one of my
domains. They have no creds to auth with.

I use that port for clients too though...for example, there is a
seminary that cannot seem to connect on port 25 and so they connect on
465/SMTPS with their Outlook clients. If I just remove the restriction
will that affect them any? I would leave the 'smtpd_tls_wrappermode' and
'smtpd_sasl_auth_enable' lines as is, correct?

Also, looking at that makes me see the difference between the 'smtps'
config and the 'smtp' config in master.cf. Why does the 'smtps' seem to
need the 'smtpd_sasl_auth_enable' line and 'smtp' does not? I know you
can connect to the server on port 25 and login to relay your mail, but
it has no 'smtpd_sasl_auth_enable' statement. Is it a hard coded thing?

Also, there's nothing in my proposed solution that would make me an open
relay, is there? I don't see why it would but obviously I am not the
postfix guru here so I better ask :-)

>
> You are also using chroot jails for your smtpd(8) daemons, this is an
> advanced setting, not recommended for most users not prepared to
> troubleshoot any resulting issues (this one is not a chroot problem).

I used the script that comes with postfix to set up the chroot jail. I
did have to put the SQL-related cf files and the Dovecot auth socket in
the jail for postfix to find them but other than that it's been solid.

You da man Viktor. Thanks for the help!
[Brian Carroll]
Regards,

Brian Carroll
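An added check for the master.cf situation discussed in this thread (example code, not from the thread or from the Postfix project): it parses a master.cf fragment, resolves inet service names to ports, reports any port listed by more than one service (the "465" versus "smtps" collision Viktor points out), and notes which smtpd services accept only SASL-authenticated clients, which is why an unauthenticated remote sender hitting that port gets the 554 in the subject line. The service-name table and the sample master.cf are constructed for the example; a real audit would read the host's own /etc/services and master.cf. The script cannot judge the open-relay question, because relay control lives in main.cf (smtpd_recipient_restrictions with reject_unauth_destination in this Postfix generation), not in these per-service -o overrides.

```python
import re
from collections import defaultdict

# Constructed subset of /etc/services (assumption for the example; read the real
# file or use socket.getservbyname on the host being audited).
SERVICE_PORTS = {"smtp": 25, "smtps": 465, "submission": 587}

# Constructed master.cf fragment mirroring the thread: "465" and "smtps" are both
# inet services, so the same TCP port appears twice.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
  -o cleanup_service_name=pre-cleanup
465       inet  n       -       y       -       -       smtpd
  -o cleanup_service_name=pre-cleanup
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o cleanup_service_name=pre-cleanup
pickup    fifo  n       -       n       60      1       pickup
"""


def parse_master_cf(text):
    """Return a list of services; each is a dict with name, type, chroot, command, opts."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            # Indented line: a "-o key=value" continuation of the previous service.
            if not services:
                raise ValueError("continuation line before any service entry")
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", raw)
            if m:
                services[-1]["opts"][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        services.append({
            "name": fields[0], "type": fields[1], "chroot": fields[4],
            "command": fields[7], "opts": {},
        })
    return services


def listen_port(service):
    """Resolve an inet service's name (optionally host:name) to a TCP port, or None."""
    name = service["name"].rsplit(":", 1)[-1]
    if name.isdigit():
        return int(name)
    return SERVICE_PORTS.get(name)


def audit(services):
    """Return human-readable findings about inet smtpd services."""
    findings = []
    by_port = defaultdict(list)
    for s in services:
        if s["type"] != "inet":
            continue
        port = listen_port(s)
        if port is None:
            findings.append(f"{s['name']}: cannot resolve service name to a port")
            continue
        by_port[port].append(s["name"])
        if s["command"] != "smtpd":
            continue
        restr = s["opts"].get("smtpd_client_restrictions", "").split(",")
        if "permit_sasl_authenticated" in restr and "reject" in restr:
            findings.append(
                f"{s['name']}: accepts only SASL-authenticated clients "
                "(unauthenticated senders are rejected)")
        if s["chroot"] == "y":
            findings.append(
                f"{s['name']}: smtpd runs chrooted; map files and the SASL "
                "socket must exist inside the jail")
    for port, names in sorted(by_port.items()):
        if len(names) > 1:
            findings.append(
                f"port {port} bound by multiple services: {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_master_cf(SAMPLE_MASTER_CF)):
        print(line)
```

Run it against a copy of your own master.cf by replacing SAMPLE_MASTER_CF with the file contents; a duplicate-port finding means master(8) will try to bind the same port twice, which is what Viktor expected to stop the daemon here.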