From aa52f52d02c39826e2c5990901b111e5f18049c0 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Fri, 30 Nov 2018 09:49:00 -0500
Subject: [PATCH] disable SMTP AUTH on port 25 to stop it accidentally being used for submission fixes #830
---
 setup/mail-postfix.sh | 3 +++
 setup/mail-users.sh | 8 ++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index c3183ef..0c9bc97 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -73,6 +73,8 @@ tools/editconf.py /etc/postfix/main.cf \
 # Enable the 'submission' port 587 smtpd server and tweak its settings.
 #
+# * Enable authentication. It's disabled globally so that it is disabled on port 25,
+# so we need to explicitly enable it here.
 # * Do not add the OpenDMAC Authentication-Results header. That should only be added
 # on incoming mail. Omit the OpenDMARC milter by re-setting smtpd_milters to the
 # OpenDKIM milter only. See dkim.sh.
@@ -87,6 +89,7 @@ tools/editconf.py /etc/postfix/main.cf \
 # emails but we turn this off by setting nested_header_checks empty.
 tools/editconf.py /etc/postfix/master.cf -s -w \
 "submission=inet n - - - - smtpd
+ -o smtpd_sasl_auth_enable=yes
 -o syslog_name=postfix/submission
 -o smtpd_milters=inet:127.0.0.1:8891
 -o smtpd_tls_security_level=encrypt
diff --git a/setup/mail-users.sh b/setup/mail-users.sh
index ef9b811..e54485b 100755
--- a/setup/mail-users.sh
+++ b/setup/mail-users.sh
@@ -65,11 +65,15 @@ service auth {
 }
 EOF
-# And have Postfix use that service.
+# And have Postfix use that service. We *disable* it here
+# so that authentication is not permitted on port 25 (which
+# does not run DKIM on relayed mail, so outbound mail isn't
+# correct, see #830), but we enable it specifically for the
+# submission port.
 tools/editconf.py /etc/postfix/main.cf \
 smtpd_sasl_type=dovecot \
 smtpd_sasl_path=private/auth \
- smtpd_sasl_auth_enable=yes
+ smtpd_sasl_auth_enable=no
 # ### Sender Validation
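Review bot: In setup/mail-users.sh, `smtpd_sasl_auth_enable=no` in main.cf becomes the default for every smtpd listener, yet the only override in this patch is the `-o smtpd_sasl_auth_enable=yes` on the `submission` entry in setup/mail-postfix.sh. Any other smtpd service in master.cf that expects authenticated clients (none is visible in these hunks) would stop offering AUTH without any error at setup time, so the new comment should say so, e.g. `# Any other smtpd service that must accept logins needs its own -o smtpd_sasl_auth_enable=yes.` The comment also gives DKIM signing as the only reason; if port 25 uses opportunistic rather than mandatory TLS (its TLS level is not shown here), keeping AUTH off that port additionally prevents passwords from being offered over unencrypted sessions, which is worth recording as a second reason.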