
Disable Auth in port 25 (Not MUA)

Posted: Wed Jul 26, 2017 10:25 am
by ImNotET
Good day,

I want to disable user authentication on port 25; we want to use only 465 or 587 for MUAs. I saw an example like:

smtp      inet  n       -       -       -       -       smtpd
    -o smtpd_tls_security_level=none
    -o smtpd_sasl_auth_enable=no

smtps     inet  n       -       -       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

but in the master.cf.in we have this with postscreen:

smtp      inet  n       -       n       -       1       postscreen
tlsproxy  unix  -       -       n       -       0       tlsproxy
dnsblog   unix  -       -       n       -       0       dnsblog
smtpd     pass  -       -       n       -       -       smtpd
    -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%

How can we modify this to use port 25 only for communication with other servers and not MUAs?

Thank you very much!

Best Regards

Re: Disable Auth in port 25 (Not MUA)

Posted: Thu Jul 27, 2017 8:07 am
by DualBoot
hello,

add the option

    -o smtpd_sasl_auth_enable=no

to the following line:

smtpd     pass  -       -       n       -       -       smtpd
    -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%


Regards,

Re: Disable Auth in port 25 (Not MUA)

Posted: Thu Aug 15, 2019 5:48 pm
by juan_urtiaga
Hello,

I have Zimbra 8.8.12_GA_3794.RHEL6_64_20190329045002 and, like @ImNotET, want to use port 25 only for incoming and outgoing mails.
And ports 465/587 for smtps and submission services to allow clients to authenticate and forward mails.

I tried the configuration suggested by @DualBoot but the smtpd service is still allowing clients to authenticate and send mails over port 25.

@ImNotET could you confirm that configuration worked for you ?

Regards,
Juan


===================================== /mailog after changing configuration

Aug 14 19:45:17 proxymail postfix/postscreen[3441]: CONNECT from [192.168.1.66]:55909 to [192.168.90.107]:25
Aug 14 19:45:17 proxymail postfix/postscreen[3441]: PASS OLD [192.168.1.66]:55909
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: connect from unknown[192.168.1.66]
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: Anonymous TLS connection established from unknown[192.168.1.66]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: NOQUEUE: filter: RCPT from unknown[192.168.1.66]: <juan@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<ju rtiaga@tilsor.com.uy> to=<vicky@domain.com> proto=ESMTP helo=<[192.168.1.66]>
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: warning: restriction `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: NOQUEUE: filter: RCPT from unknown[192.168.1.66]: <juan@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<ju rtiaga@tilsor.com.uy> to=<vicky@domain.com> proto=ESMTP helo=<[192.168.1.66]>
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: EAB8A80D2A: client=unknown[192.168.1.66]
Aug 14 19:45:27 proxymail postfix/cleanup[3450]: EAB8A80D2A: message-id=<47e12b39-2a30-d619-562f-a48692b50140@tilsor.com.uy>
Aug 14 19:45:27 proxymail postfix/qmgr[907]: EAB8A80D2A: from=<juan@domain.com>, size=673, nrcpt=1 (queue active)
Aug 14 19:45:28 proxymail postfix/smtpd[3442]: disconnect from unknown[192.168.1.66] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 14 19:45:28 proxymail postfix/amavisd/smtpd[3454]: connect from localhost[127.0.0.1]
Aug 14 19:45:28 proxymail postfix/amavisd/smtpd[3454]: 2116D80D47: client=localhost[127.0.0.1]
Aug 14 19:45:28 proxymail postfix/cleanup[3450]: 2116D80D47: message-id=<47e12b39-2a30-d619-562f-a48692b50140@tilsor.com.uy>
Aug 14 19:45:28 proxymail postfix/qmgr[907]: 2116D80D47: from=<juan@domain.com>, size=1281, nrcpt=1 (queue active)
Aug 14 19:45:28 proxymail postfix/smtp[3452]: EAB8A80D2A: to=<vicky@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.31, delays=0.12/0.01/0.01/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2116D80D47)
Aug 14 19:45:28 proxymail postfix/qmgr[907]: EAB8A80D2A: removed
Aug 14 19:45:28 proxymail postfix/lmtp[3455]: 2116D80D47: to=<vicky@domain.com>, relay=mail.tilsor.com.uy[192.168.90.108]:7025, delay=0.4, delays=0.03/0.03/0.1/0.25, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Aug 14 19:45:28 proxymail postfix/qmgr[907]: 2116D80D47: removed





=================================/opt/zimbra/common/conf/master.cf.in file:
#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       1       postscreen
tlsproxy  unix  -       -       n       -       0       tlsproxy
dnsblog   unix  -       -       n       -       0       dnsblog
smtpd     pass  -       -       n       -       -       smtpd
    -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
    -o smtpd_sasl_auth_enable=no
%%uncomment SERVICE:opendkim%% -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust
465       inet  n       -       n       -       -       smtpd
%%uncomment SERVICE:opendkim%% -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_wrappermode=yes
%%uncomment LOCAL:postfix_submission_smtpd_tls_key_file%% -o smtpd_tls_key_file=@@postfix_submission_smtpd_tls_key_file@@
%%uncomment LOCAL:postfix_submission_smtpd_tls_cert_file%% -o smtpd_tls_cert_file=@@postfix_submission_smtpd_tls_cert_file@@
    -o smtpd_client_restrictions=
    -o smtpd_data_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o syslog_name=postfix/smtps
    -o milter_macro_daemon_name=ORIGINATING
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust
submission inet n       -       n       -       -       smtpd
%%uncomment SERVICE:opendkim%% -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
    -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
%%uncomment LOCAL:postfix_submission_smtpd_tls_key_file%% -o smtpd_tls_key_file=@@postfix_submission_smtpd_tls_key_file@@
%%uncomment LOCAL:postfix_submission_smtpd_tls_cert_file%% -o smtpd_tls_cert_file=@@postfix_submission_smtpd_tls_cert_file@@
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_data_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o syslog_name=postfix/submission
    -o milter_macro_daemon_name=ORIGINATING
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust
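
One way to check from the mail log which smtpd service is actually processing SASL logins, using the service names set by `syslog_name` in the master.cf.in above. This is an added example, not code from any poster in this thread; it assumes the stock Postfix log wording (`sasl_method=` on `client=` lines after a successful login, `SASL <mechanism> authentication failed` warnings), and the log lines in it are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format of the log quoted above (not real traffic).
SAMPLE_LOG = """\
Aug 14 19:45:27 mta postfix/smtpd[3442]: EAB8A80D2A: client=unknown[192.0.2.66]
Aug 14 19:45:28 mta postfix/smtpd[3442]: disconnect from unknown[192.0.2.66] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 14 19:50:01 mta postfix/smtpd[3460]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Aug 14 19:50:03 mta postfix/smtpd[3460]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Aug 14 19:50:04 mta postfix/smtpd[3460]: disconnect from unknown[198.51.100.9] ehlo=1 auth=0/2 quit=1 commands=2/4
Aug 14 19:52:10 mta postfix/submission/smtpd[3470]: 3C1F280D55: client=unknown[192.0.2.66], sasl_method=PLAIN, sasl_username=user@example.com
Aug 14 19:52:11 mta postfix/submission/smtpd[3470]: disconnect from unknown[192.0.2.66] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
""".splitlines()

# "postfix/smtpd" is the port 25 service; a syslog_name override adds a path part ("postfix/submission/smtpd").
LINE = re.compile(r"postfix/(?:(?P<name>[\w-]+)/)?smtpd\[\d+\]: (?P<msg>.*)")
FAILED = re.compile(r"warning: \S+\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed")

def sasl_activity(lines):
    """Per smtpd service: sessions, mail queued after a SASL login, failed SASL logins by client IP."""
    stats = defaultdict(lambda: {"sessions": 0, "sasl_mail": 0, "failed": Counter()})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # postscreen, qmgr, cleanup and other daemons are not of interest here
        svc, msg = stats[m.group("name") or "smtpd"], m.group("msg")
        f = FAILED.match(msg)
        if f:
            svc["failed"][f.group("ip")] += 1
        elif "sasl_method=" in msg:
            svc["sasl_mail"] += 1
        elif msg.startswith("disconnect from "):
            svc["sessions"] += 1
    return stats

def sasl_live_on(service, lines):
    """True if the service's log lines show a SASL login or a SASL failure warning."""
    s = sasl_activity(lines).get(service)
    return bool(s and (s["sasl_mail"] or s["failed"]))

if __name__ == "__main__":
    for name, s in sasl_activity(SAMPLE_LOG).items():
        print(name, "sessions:", s["sessions"], "sasl_mail:", s["sasl_mail"], "failed:", dict(s["failed"]))
```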

Re: Disable Auth in port 25 (Not MUA)

Posted: Fri Aug 16, 2019 1:21 am
by L. Mark Stone
Juan,

Zimbra by default on Port 25 does no authentication, and will accept email only for domains Zimbra is hosting. Otherwise, Zimbra would be an open relay.

Zimbra by default on Ports 465/587 requires authentication, and if authentication is successful will accept email for any destination, whether hosted within Zimbra or elsewhere.

Help me to understand what you need to change and why?

All the best,
Mark

Re: Disable Auth in port 25 (Not MUA)

Posted: Fri Aug 16, 2019 3:15 pm
by juan_urtiaga
Hi Mark!

Thank you for your answer.

OK, the basic problem is we have malicious authentication attempts on port 25.
It seems like bots are trying to send mails from our true accounts; after a couple of attempts the accounts get locked in my LDAP server (outside of Zimbra).

So under these circumstances, considering that the malicious attempts are through port 25, one easy solution may be to disable authentication (I guess SASL) on port 25.
Clients should use only ports 587 and 465 to send mails; actually I think 99% already do.

Thinking about your comments, as far as I remember, since I installed Zimbra 8.0 we were able to send mails authenticated using port 25 from any network. Now we have 8.8.12 with the same behaviour.

Regards,
Juan

Re: Disable Auth in port 25 (Not MUA)

Posted: Fri Aug 16, 2019 4:42 pm
by phoenix
Search the forums (and the internet) for fail2ban and read up on how to use that.

Re: Disable Auth in port 25 (Not MUA)

Posted: Fri Aug 16, 2019 5:15 pm
by L. Mark Stone
Bill is spot on that fail2ban can do the job just fine on a single server; it's more complex in a multi-server environment, which is why I like the IP address banning capability in Zimbra's DoSFilter.

The trick to keep legitimate users happy is to have DoSFilter (or fail2ban) block IP addresses before the bad guy locks the mailbox. I wrote a blog post on this:

https://www.missioncriticalemail.com/20 ... -together/

Either way, it's generally safer to use fail2ban or DoSFilter than to go customizing Zimbra's default MTA configs. Many such customizations won't survive Zimbra upgrades nor some patches.

All the best,
Mark

Re: Disable Auth in port 25 (Not MUA)

Posted: Mon Aug 19, 2019 6:17 pm
by juan_urtiaga
Mark, Phoenix:

Thanks again for your time.

I've already deployed fail2ban on the MTA host but not all the attacks are filtered.
And yes, modifying the Postfix files is not a good practice; actually I've lost the configuration in the last update.

Finally I will try to tune fail2ban to reduce the account blocks.

Regards
Juan