
Re: [suse-security] Postfix question



> >>Is it possible to set up Postfix in the following way,
> >>so that it would permit sending mail with
> >>unauthorized access from the internal private network,
> >>and at the same time serve as a secured password-authorized
> >>SMTP to the external public network?
> >>
> >>In other words: if I would like to send mail from the internal network,
> >>I just specify my server as the usual SMTP server without auth,
> >>and if I want to use it from outside, I configure my mail client
> >>to use it with SSL enabled and with user/password auth.
> >>
> >>Any ideas will be highly welcomed!
> >
> >
> > Create another instance of Postfix, which handles the un-authenticated
> > mail for the LAN.
> > http://advosys.ca/papers/postfix-instance.html
>
> Kanons on birds ;) it's not needed to have two instances:
> set up SASL to do the auth stuff for external users, set:
> mynetworks = 10.0.0.0/24, 127.0.0.0/8
>
> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
> reject_non_fqdn_sender,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> permit_mynetworks,
> permit_sasl_authenticated,
> check_relay_domains
>
> And you'll get what you need.
>
> (that's just an example, you need the order of permit_mynetworks
> and permit_sasl_authenticated to get what you want)
>
> Of course you have to set up SASL to do that.

Remark: This is only for you, if you don't know how to set up SSL/TLS on
Postfix.

That's not all: you have to enable SSL/TLS on Postfix (no second instance).

Don't forget to make backups of your config, if something goes wrong!!!

You have to edit main.cf and add these extra options (you can find this in
the documentation of Postfix in the example config).
Don't forget to make SSL certificates for the server (server.crt,
server.pem, server.key, tls: 1024 & 512 bit dh_1024.pem, dh_512.pem)!

<main.cf>

# SSL/TLS - stuff
# smtpd_* = the server side (mail clients and other MTAs connecting to us)
smtpd_tls_cert_file = /etc/postfix/cert/server.crt
smtpd_tls_key_file = /etc/postfix/cert/server.key
smtpd_tls_CApath = /etc/postfix/certs
smtpd_use_tls = yes
#smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
# Diffie-Hellman parameters generated with openssl (see above)
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
# smtp_* = the client side (our server delivering mail to other MTAs)
smtp_tls_cert_file = /etc/postfix/cert/server.crt
smtp_tls_key_file = /etc/postfix/cert/server.key
smtp_tls_loglevel = 0
#smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
smtp_use_tls = yes
#smtp_tls_per_site = hash:/etc/postfix/tls_per_site
# log when a remote server offers STARTTLS and we did not use it
smtp_tls_note_starttls_offer = yes
# entropy source for the TLS code (EGD socket)
tls_random_source = egd:/var/run/egd-pool
tls_daemon_random_source = egd:/var/run/egd-pool

</main.cf>

And uncheck the following options in master.cf:

<master.cf>

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
submission      inet    n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

</master.cf>

After that, do a /etc/init.d/postfix restart!

Philippe

P.S.: Postfix is powerful and has many more functions that not everybody
knows about. There are enough ACLs and unspecified options, and the
http://advosys.ca/papers/postfix-instance.html solution is not that good
an idea!
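Added example (not part of this thread, and not Postfix's own code): the whole point of the quoted restriction list is the order of the rules, so here is a small Python audit that parses a main.cf fragment the way postconf reads it (indented lines continue the previous value) and checks that permit_mynetworks and permit_sasl_authenticated come before the rule that blocks relaying for everyone else, and that mynetworks does not trust the whole Internet. The sample configuration embedded below is constructed for this example and only resembles the thread's; check_relay_domains is the name used in the thread, reject_unauth_destination is its equivalent in current Postfix releases.

```python
"""Audit the relay policy of a Postfix main.cf fragment (added example)."""
import ipaddress
import re

# Rules that stop relaying for every client not permitted earlier.
RELAY_STOP_RULES = {"reject_unauth_destination", "check_relay_domains"}

# Constructed sample resembling the configuration quoted in the thread.
SAMPLE_MAIN_CF = """\
# constructed sample, not a real server's config
mynetworks = 10.0.0.0/24, 127.0.0.0/8
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    check_relay_domains
smtpd_use_tls = yes
"""


def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues
    the previous parameter, exactly as Postfix's own config reader does."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue  # not a "name = value" line
        current = key.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix lists may be separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit_relay_policy(params):
    """Return a list of findings; an empty list means the policy looks sane."""
    findings = []
    rules = split_list(params.get("smtpd_recipient_restrictions", ""))
    stops = [i for i, rule in enumerate(rules) if rule in RELAY_STOP_RULES]
    if not stops:
        findings.append("no relay-blocking rule: the server relays for anyone")
    else:
        stop = stops[0]
        # A permit placed after the relay block is never reached for
        # outside destinations, so LAN and SASL users could not relay.
        for name in ("permit_mynetworks", "permit_sasl_authenticated"):
            if name in rules and rules.index(name) > stop:
                findings.append(f"{name} comes after the relay block, so it never applies")
        # An unconditional permit before the relay block is an open relay.
        if "permit" in rules[:stop]:
            findings.append("unconditional 'permit' before the relay block: open relay")
    for net in split_list(params.get("mynetworks", "")):
        try:
            network = ipaddress.ip_network(net, strict=False)
        except ValueError:
            continue  # hostnames and table lookups are not checked here
        if network.prefixlen == 0:
            findings.append(f"mynetworks contains {net}: every client is trusted")
    return findings


if __name__ == "__main__":
    for finding in audit_relay_policy(parse_main_cf(SAMPLE_MAIN_CF)) or ["policy OK"]:
        print(finding)
```

Run it against the output of `postconf -n` saved to a file to check a live server; the thread's ordering (both permits before check_relay_domains) produces no findings, while swapping the permits behind the relay block, or putting 0.0.0.0/0 into mynetworks, is reported.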
