My Postfix hell

slakam · 2014-05-16 20:36:33

Hello,

I've got a box that acts as the mail server for several domains. Admittedly it wasn't very secure so recently it started relaying spam coming from China. In order to stop this I'm trying to get SASL authentication working but it's being next to impossible. Here are the main problems.

- I'm unable to authenticate my legit accounts to the server.
- Even when the SASL is active it doesn't seem to be enforced. I can still see spam being relayed in the logs.

I followed this guide originally to set the server up, and then this and this for SASL.

No joy at all so far. Here's my configs:

/etc/postfix/main.cf

queue_directory = /var/spool/postfix

command_directory = /usr/bin

daemon_directory = /usr/lib/postfix

data_directory = /var/lib/postfix

mail_owner = postfix

myhostname = foo.com

inet_interfaces = [public], [lan], localhost

unknown_local_recipient_reject_code = 550

mynetworks = [vpn], [lan], localhost

alias_maps = hash:/etc/postfix/aliases

alias_database = $alias_maps

debug_peer_level = 2

debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/bin/sendmail

newaliases_path = /usr/bin/newaliases

mailq_path = /usr/bin/mailq

setgid_group = postdrop

html_directory = no

manpage_directory = /usr/share/man

sample_directory = /etc/postfix/sample

readme_directory = /usr/share/doc/postfix

inet_protocols = ipv4

virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
virtual_mailbox_base = /home/vmail
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 5000
virtual_transport = virtual
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
transport_maps = hash:/etc/postfix/transport

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/private/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_sasl_local_domain = $mydomain

broken_sasl_auth_clients = no
smtpd_tls_loglevel = 1
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100

smtpd_helo_required     = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes

unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554

/etc/postfix/master.cf

smtp      inet  n       -       n       -       -       smtpd

submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated

pickup    unix  n       -       n       60      1       pickup

cleanup   unix  n       -       -       -       0       cleanup

subcleanup unix n       -       -       -       0       cleanup
 -o header_checks=regexp:/etc/postfix/submission_header_checks

qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

/etc/dovecot/dovecot.conf

protocols = imap

listen = [lan]

dict {
}

!include conf.d/*.conf

!include_try local.conf

auth_mechanisms = plain

passdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}

service auth {
    unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
    }
}

mail_home = /home/vmail/%d/%u
mail_location = maildir:~

ssl_cert = </etc/ssl/private/server.crt
ssl_key = </etc/ssl/private/server.key

Thanks for reading. Any help will be much appreciated!

jasonwryan · 2014-05-16 22:22:21

Please edit your post and choose a title that accurately reflects your issue (the current one is useless):
https://wiki.archlinux.org/index.php/Fo … ow_to_Post

Moving to Networking...

rune0077 · 2014-05-18 19:04:28

Quick question: are you actually running saslauthd?

you need to install it (cyrus-sasl) and then run the daemon.

madeye · 2014-05-18 19:21:53

I used the guide from https://workaround.org/ispmail/wheezy to setup my server, and it's running fairly well. In the guide there are also steps howto check your server access with telnet. That helped me find problems in my setup.
There are alot of attempts to break into my server, but using spamcop and some other settings it's been safe for now.

I have quite some more restrictions in my setup. Please see the following:

# Client restrictions
smtpd_client_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_rbl_client zen.spamhaus.org
  check_client_access hash:/etc/postfix/client_access
  reject_unauth_pipelining
  reject_unknown_client_hostname
  permit

# HELO restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_non_fqdn_hostname
  reject_invalid_helo_hostname
  reject_unknown_helo_hostname
  reject_non_fqdn_helo_hostname
  permit

# Sender restrictions
smtpd_sender_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  check_sender_access hash:/etc/postfix/sender_access
  reject_non_fqdn_sender
  reject_non_fqdn_hostname
  reject_unknown_sender_domain
  reject_unauth_pipelining
  permit

# Recipient restrictions
smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_rbl_client zen.spamhaus.org
  check_recipient_access hash:/etc/postfix/recipient_access
  check_policy_service inet:127.0.0.1:10030
  reject_non_fqdn_recipient
  reject_unauth_destination
  permit

Last edited by madeye (2014-05-18 19:22:27)

Arch Linux

#1 2014-05-16 20:36:33

My Postfix hell

#2 2014-05-16 22:22:21

Re: My Postfix hell

#3 2014-05-18 19:04:28

Re: My Postfix hell

#4 2014-05-18 19:21:53

Re: My Postfix hell

Board footer