Enhancement #2422

Apply submission whitelist to smtpd port 25

Added by Davide Principi over 7 years ago. Updated over 7 years ago.

Status:CLOSEDStart date:
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:nethserver-mail-server
Target version:v6.5-beta3
Resolution: NEEDINFO:No

Description

When prop postfix/SubmissionPolicyType is "legacy" the submission whitelist must be applied also to connections to port 25.

Some very old configurations are open relays to clients from the green network.


Related issues

Related to NethServer 6 - Feature #1436: SMTPAUTH bypass whitelist for trusted clients CLOSED 09/11/2012 09/12/2012

Associated revisions

Revision f582a754
Added by Davide Principi over 7 years ago

Enforce whitelisting on port 25 on "legacy" submission policy. Refs #2422

If the client IP address is listed in
/etc/postfix/submission_whitelist helo and recipient checks are
skipped on both submission (587, 465) and SMTP (25) ports.

This makes the "legacy" policy compatible with old setups (from
migrations).

History

#1 Updated by Davide Principi over 7 years ago

  • Description updated (diff)

#2 Updated by Davide Principi over 7 years ago

  • Description updated (diff)

#3 Updated by Davide Principi over 7 years ago

  • Description updated (diff)
  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

This fragment from custom template /etc/e-smith/templates-custom/etc/postfix/main.cf/41submission_whitelist_port25 unconditionally applies submission whitelist on port 25. It can be a starting point:

{
   #
   #  Apply submission whitelist on port 25
   #

   @smtpd_helo_restrictions = ('check_client_access hash:/etc/postfix/submission_whitelist', @smtpd_helo_restrictions);
   @smtpd_recipient_restrictions = ('check_client_access hash:/etc/postfix/submission_whitelist', @smtpd_recipient_restrictions);
   '';
}

More infos about how to configure the whitelist are on nethserver-mail-server page.

#4 Updated by Davide Principi over 7 years ago

Davide Principi wrote:

Some very old configurations are open relays to clients from the green network.

Note that amavisd scans all traffic on port 25 and "mail disclaimer" works only on submission ports.

#5 Updated by Davide Principi over 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#6 Updated by Davide Principi over 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case

  1. Install the current nethserver-mail group
  2. Install nethserver-mail-dev package
  3. Whitelist an IP address (from nethserver-mail-server docs):
       # mkdir -p /etc/e-smith/templates-custom/etc/postfix/submission_whitelist
       # echo "192.168.123.4 OK" >> /etc/e-smith/templates-custom/etc/postfix/submission_whitelist/10custom_whitelist
       # config setprop postfix SubmissionPolicyType legacy
       # signal-event nethserver-mail-common-save
    

The following command should NOT work:

   # smtptest  --from internal@domain.tld --addr 192.168.123.4 --subject test1 --to external@example.com
5.7.1 <external@example.com>: Relay access denied

Now update to modified version. The command must succeed and the message delivered to external@example.com.

#7 Updated by Davide Principi over 7 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-mail-server-1.5.0-16.0gitf582a754.ns6.noarch.rpm

#8 Updated by Giacomo Sanchietti over 7 years ago

  • Assignee set to Giacomo Sanchietti

#9 Updated by Giacomo Sanchietti over 7 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

Sending message with default policy:


[root@localhost ~]# smtptest  --from davidem@nethesis.org --subject test1 --to giacomo@nethesis.it
5.7.1 <giacomo@nethesis.it>: Relay access denied

Enabling legacy policy:

[root@localhost ~]#  echo "192.168.5.246 OK" >> /etc/e-smith/templates-custom/etc/postfix/submission_whitelist/10custom_whitelist
[root@localhost ~]# config setprop postfix SubmissionPolicyType legacy
[root@localhost ~]# signal-event nethserver-mail-server-update

[root@localhost ~]# nc -C 192.168.5.246 25
220 test.stronzolo.loc ESMTP Postfix
ehlo nethesis.it
250-test.stronzolo.loc
250-PIPELINING
250-SIZE 1000000000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: <davidepm@nethesis.org>
250 2.1.0 Ok
rcpt to: <giacomo@nethesis.it>
250 2.1.5 Ok

maillog: 

Feb  3 15:52:10 test dovecot: master: Dovecot v2.1.16 starting up (core dumps disabled)
Feb  3 15:52:21 test postfix/smtpd[21271]: connect from localhost[127.0.0.1]
Feb  3 15:52:21 test postfix/smtpd[21271]: 3716D425BE: client=localhost.localdomain[127.0.0.1]
Feb  3 15:52:21 test postfix/cleanup[21275]: 3716D425BE: message-id=<20140203145221.3716D425BE@test.stronzolo.loc>
Feb  3 15:52:21 test postfix/qmgr[21239]: 3716D425BE: from=<davidem@nethesis.org>, size=576, nrcpt=1 (queue active)
Feb  3 15:52:21 test postfix/smtpd[21271]: disconnect from localhost.localdomain[127.0.0.1]
Feb  3 15:52:22 test postfix/smtp[21276]: 3716D425BE: to=<giacomo@nethesis.it>, relay=smtp.nethesis.it[192.168.5.252]:25, delay=1.2, delays=0.06/0.01/0.04/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 49D578C070A)
Feb  3 15:52:22 test postfix/qmgr[21239]: 3716D425BE: removed

Message is delivered.

Marking as VERIFIED.

#10 Updated by Davide Principi over 7 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released in nethserver/6.5/base repository.

Also available in: Atom PDF