Enhancement #2422
Apply submission whitelist to smtpd port 25
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-mail-server | | |
| Target version: | v6.5-beta3 | | |
| Resolution: | | NEEDINFO: | No |
Description
When prop postfix/SubmissionPolicyType is "legacy" the submission whitelist must also be applied to connections to port 25.
Some very old configurations are open relays to clients from the green network.
Related issues
Associated revisions
Enforce whitelisting on port 25 on "legacy" submission policy. Refs #2422
If the client IP address is listed in /etc/postfix/submission_whitelist, helo and recipient checks are skipped on both submission (587, 465) and SMTP (25) ports.

This makes the "legacy" policy compatible with old setups (from migrations).
History
#1 Updated by Davide Principi over 7 years ago
- Description updated (diff)
#2 Updated by Davide Principi over 7 years ago
- Description updated (diff)
#3 Updated by Davide Principi over 7 years ago
- Description updated (diff)
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
This fragment from custom template /etc/e-smith/templates-custom/etc/postfix/main.cf/41submission_whitelist_port25 unconditionally applies the submission whitelist on port 25. It can be a starting point:

```perl
{
    #
    # Apply submission whitelist on port 25
    #
    @smtpd_helo_restrictions = ('check_client_access hash:/etc/postfix/submission_whitelist', @smtpd_helo_restrictions);
    @smtpd_recipient_restrictions = ('check_client_access hash:/etc/postfix/submission_whitelist', @smtpd_recipient_restrictions);
    '';
}
```

More info about how to configure the whitelist is on the nethserver-mail-server page.
#4 Updated by Davide Principi over 7 years ago
Davide Principi wrote:

> Some very old configurations are open relays to clients from the green network.

Note that amavisd scans all traffic on port 25 and "mail disclaimer" works only on submission ports.
#5 Updated by Davide Principi over 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#6 Updated by Davide Principi over 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
Test case

- Install the current nethserver-mail group
- Install nethserver-mail-dev package
- Whitelist an IP address (from nethserver-mail-server docs):

```sh
# mkdir -p /etc/e-smith/templates-custom/etc/postfix/submission_whitelist
# echo "192.168.123.4 OK" >> /etc/e-smith/templates-custom/etc/postfix/submission_whitelist/10custom_whitelist
# config setprop postfix SubmissionPolicyType legacy
# signal-event nethserver-mail-common-save
```

The following command should NOT work:

```
# smtptest --from internal@domain.tld --addr 192.168.123.4 --subject test1 --to external@example.com
5.7.1 <external@example.com>: Relay access denied
```

Now update to the modified version. The command must succeed and the message be delivered to external@example.com.
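The relay decision that the template fragment in #3 changes and that the test case above exercises, modelled in a short Python script. This is an added example, not NethServer's templates or Postfix's own code: it emulates a check_client_access lookup against a hash: access map (full IPv4 address first, then the parent networks obtained by dropping trailing octets, as access(5) describes) followed by a simplified relay check standing in for reject_unauth_destination. The whitelist contents, the local domain domain.tld, the policy names and the assumption that the whitelist is consulted on ports 587/465 only unless the policy is "legacy" are constructed for the example; helo restrictions are left out.

```python
"""Model of the 'legacy' SubmissionPolicyType effect on port 25 relay decisions.

Added example, not NethServer's templates or Postfix's own code. Assumptions:
check_client_access on a hash: map looks up the full IPv4 address, then the
parent networks obtained by dropping trailing octets (access(5)); the whitelist
is consulted on ports 587/465 always and on port 25 only under 'legacy';
a simplified reject_unauth_destination stands in for the rest of the list.
"""
import ipaddress

# Constructed sample of /etc/postfix/submission_whitelist ("key action" lines).
# The bare "10" entry is deliberately over-broad so the audit below catches it.
SUBMISSION_WHITELIST = """\
# generated from templates-custom (constructed sample)
192.168.123.4   OK
10              OK
"""

LOCAL_DOMAINS = {"domain.tld"}      # assumed local domain for the test
SUBMISSION_PORTS = {587, 465}
RELAY_DENIED = "554 5.7.1 <%s>: Relay access denied"


def parse_access_map(text):
    """Parse an access(5) table into {key: action}; comments and blanks skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip()
    return table


def lookup_client(table, client_ip):
    """Emulate a check_client_access hash: lookup for an IPv4 client.

    Postfix tries the full address, then 1.2.3, 1.2 and 1 in turn, so a
    short key silently whitelists a whole network.
    """
    octets = str(ipaddress.ip_address(client_ip)).split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return key, table[key]
    return None, None


def rcpt_decision(table, policy, port, client_ip, rcpt):
    """SMTP reply for RCPT TO under the modelled smtpd_recipient_restrictions.

    With policy 'legacy' the whitelist check is prepended on port 25 as well
    (the change tracked by this issue); an OK result short-circuits the
    later relay check, which is exactly what makes the client a relay.
    """
    if port in SUBMISSION_PORTS or policy == "legacy":
        key, action = lookup_client(table, client_ip)
        if action == "OK":
            return "250 2.1.5 Ok"
        if action is not None and action.upper().startswith("REJECT"):
            return "554 5.7.1 <%s>: Client host rejected" % key
    # reject_unauth_destination: unknown clients may only deliver locally
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "250 2.1.5 Ok"
    return RELAY_DENIED % rcpt


def audit_whitelist(table):
    """Return (key, network, hosts) for OK entries that cover more than one host."""
    findings = []
    for key, action in table.items():
        octets = key.split(".")
        if action != "OK" or not all(o.isdigit() for o in octets):
            continue
        if len(octets) < 4:
            cidr = key + ".0" * (4 - len(octets)) + "/%d" % (8 * len(octets))
            net = ipaddress.ip_network(cidr)
            findings.append((key, str(net), net.num_addresses))
    return findings


if __name__ == "__main__":
    wl = parse_access_map(SUBMISSION_WHITELIST)
    for policy, port in (("default", 25), ("legacy", 25), ("default", 587)):
        print(policy, port,
              rcpt_decision(wl, policy, port, "192.168.123.4", "external@example.com"))
    for key, net, hosts in audit_whitelist(wl):
        print("over-broad whitelist entry %r covers %s (%d addresses)" % (key, net, hosts))
```

The audit function is the check worth running before switching a migrated server to the legacy policy: a whitelist key with fewer than four octets matches a whole network, so a leftover entry such as the constructed `10 OK` turns port 25 into an open relay for every host in 10.0.0.0/8, which is the "open relay to clients from the green network" situation the issue describes.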
#7 Updated by Davide Principi over 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing: nethserver-mail-server-1.5.0-16.0gitf582a754.ns6.noarch.rpm
#8 Updated by Giacomo Sanchietti over 7 years ago
- Assignee set to Giacomo Sanchietti
#9 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 70 to 90
Sending message with default policy:

```
[root@localhost ~]# smtptest --from davidem@nethesis.org --subject test1 --to giacomo@nethesis.it
5.7.1 <giacomo@nethesis.it>: Relay access denied
```

Enabling legacy policy:

```
[root@localhost ~]# echo "192.168.5.246 OK" >> /etc/e-smith/templates-custom/etc/postfix/submission_whitelist/10custom_whitelist
[root@localhost ~]# config setprop postfix SubmissionPolicyType legacy
[root@localhost ~]# signal-event nethserver-mail-server-update
[root@localhost ~]# nc -C 192.168.5.246 25
220 test.stronzolo.loc ESMTP Postfix
ehlo nethesis.it
250-test.stronzolo.loc
250-PIPELINING
250-SIZE 1000000000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: <davidepm@nethesis.org>
250 2.1.0 Ok
rcpt to: <giacomo@nethesis.it>
250 2.1.5 Ok
```

maillog:

```
Feb 3 15:52:10 test dovecot: master: Dovecot v2.1.16 starting up (core dumps disabled)
Feb 3 15:52:21 test postfix/smtpd[21271]: connect from localhost[127.0.0.1]
Feb 3 15:52:21 test postfix/smtpd[21271]: 3716D425BE: client=localhost.localdomain[127.0.0.1]
Feb 3 15:52:21 test postfix/cleanup[21275]: 3716D425BE: message-id=<20140203145221.3716D425BE@test.stronzolo.loc>
Feb 3 15:52:21 test postfix/qmgr[21239]: 3716D425BE: from=<davidem@nethesis.org>, size=576, nrcpt=1 (queue active)
Feb 3 15:52:21 test postfix/smtpd[21271]: disconnect from localhost.localdomain[127.0.0.1]
Feb 3 15:52:22 test postfix/smtp[21276]: 3716D425BE: to=<giacomo@nethesis.it>, relay=smtp.nethesis.it[192.168.5.252]:25, delay=1.2, delays=0.06/0.01/0.04/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 49D578C070A)
Feb 3 15:52:22 test postfix/qmgr[21239]: 3716D425BE: removed
```

Message is delivered.

Marking as VERIFIED.
#10 Updated by Davide Principi over 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
Released in nethserver/6.5/base repository.