trying to restrict postfix use of port
On Thu, 21 Jan 2010 13:11:58 +0000, Adam Hardy wrote:
> Camaleón on 21/01/10 12:29, wrote:
>> Didn't you say this?
>>
>> ***
>> It should listen like this (or all hell breaks loose on their server
>> farm):
>>
>> tcp 0 0 10.20.30.40:25 0.0.0.0:* LISTEN
>> ***
>>
>> So if that remains true, you do need to open port 25 "locally" and bind
>> Postfix to listen on that IP.
>>
>> But opening a port "locally" does not mean your SMTP server can be used
>> from remote, in fact it cannot unless:
>>
>> a) The router (frame relay, xdsl line...) of your ISP/hosting provider
>> is actually forwarding the requests to port 25 to your machine (by
>> using NAT or iptables).
>
> Yes I did say I wanted postfix to listen on 10.20.30.40:25 but that was
> while I was still trying to work out the basic configuration. Now that I
> am happy that I know why postfix is doing something and that it works, I
> would like to know whether I can completely close port 25.

Mmm... okay, let's paint the big picture (please, correct me if I'm wrong) :-)

- You need to be notified by e-mail (remote account) about crontab tasks.
- You do not need a remote e-mail server nor a local e-mail server. Only
  the host running crontab will be allowed to send e-mails from the MTA
  (postfix, exim, whatever...)

So you set up the crontab variable "MAILTO=user@mydomain.com" or
"MAILTO=localuser". In every case (being a local or remote user), the mail
should follow the configured path, that is, it will arrive at the MTA you
have installed in the host (say Postfix, Exim or any other facility).

Once the e-mail arrives in the MTA, it will be delivered to the e-mail
address you have defined, and you don't need to do anything.

> One person reckons port 25 has to be open for smtp to send - is that so?
> I don't think so, I thought smtp would open some high numbered port
> temporarily.

In fact, on my *desktop* computer, I've got that port open:

***
sm01@stt008:~$ netstat -an | grep 25
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
***

And I am not running any mail server here: it's just the default desktop
installation, running Exim. So, yes, the MTA is listening on that port and
I cannot find any objection (security issue) to that. No one can send an
e-mail from my Exim unless it's inside my own computer :-)

> Or does smtp pick up the emails to be sent via port 25?

I think so.

> It just bugs me from a security point of view that the whole world can
> see port 25 open when they look at that machine and some might take it
> into their heads to aim their spam canons at it.

That is quite hard to happen. Only if your own host gets cracked by someone
in the first place, but in no way can your computer be reached by
"telnetting" remotely through port 25.

Greetings,

--
Camaleón

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
trying to restrict postfix use of port
I have set up postfix to listen as below using:
inet_interfaces = 10.20.30.40

adam@ecocore:~$ netstat -an |grep -i "listen "
tcp 0 0 10.20.30.40:25 0.0.0.0:* LISTEN
***

I am not allowed to open it on 127.0.0.1 due to my vserver hosting rules.

The point is that I don't want to have port 25 open to the world, since I
don't want to receive any emails on this system, I just want to send. I
can't find a way to get postfix to shut that port. I also don't want to use
nullmailer or other smtp-relayers.

As stated above: It just bugs me from a security point of view that the
whole world can see port 25 open when they look at that machine and some
might take it into their heads to aim their spam canons at it. Admittedly
they can't do much except flood my inbox for the two users on the system,
but I don't want to give anyone the chance to try anything.

Hopefully this explains my situation unambiguously.

BTW it's postfix v2.5

Regards
Adam
trying to restrict postfix use of port
On Thu, 21 Jan 2010 14:45:25 +0000, Adam Hardy wrote:
> I have set up postfix to listen as below using:
>
> inet_interfaces = 10.20.30.40
>
> adam@ecocore:~$ netstat -an |grep -i "listen "
> tcp 0 0 10.20.30.40:25 0.0.0.0:* LISTEN
> ***
>
> I am not allowed to open it on 127.0.0.1 due to my vserver hosting
> rules.
>
> The point is that I don't want to have port 25 open to the world, since
> I don't want to receive any emails on this system, I just want to send.

Unless you have an external IP address assigned (dedicated or shared) and
your provider is redirecting incoming smtp traffic to your local address
where you have configured the MTA server, there is no way that someone can
establish a remote connection with your mail server host as it's using a
local (non routable) ip address.

Sorry but I fail to see your concern :-?

Greetings,

--
Camaleón
trying to restrict postfix use of port
Camaleón on 21/01/10 15:44, wrote:
> On Thu, 21 Jan 2010 14:45:25 +0000, Adam Hardy wrote:
>> I have set up postfix to listen as below using:
>>
>> inet_interfaces = 10.20.30.40
>>
>> adam@ecocore:~$ netstat -an |grep -i "listen "
>> tcp 0 0 10.20.30.40:25 0.0.0.0:* LISTEN
>> ***
>>
>> I am not allowed to open it on 127.0.0.1 due to my vserver hosting
>> rules.
>>
>> The point is that I don't want to have port 25 open to the world, since
>> I don't want to receive any emails on this system, I just want to send.
>
> Unless you have an external IP address assigned (dedicated or shared) and
> your provider is redirecting incoming smtp traffic to your local address
> where you have configured the MTA server, there is no way that someone
> can establish a remote connection with your mail server host as it's
> using a local (non routable) ip address.

But I do have an external IP address assigned (e.g. 10.20.30.40, although
it's different outside the confines of this mailing list discussion) and my
hosting provider does NAT the incoming SMTP traffic to it (as standard for
their firewall) and so yes it is totally routable.

I just did a little test to send messages from thunderbird on my PC here
and it connects and will deliver, if I address the mail to one of the user
accounts on the system.

All I'm saying is that I don't need this, and I'd like to find a way to
shut it down whilst leaving the outbound mail delivery intact.
trying to restrict postfix use of port
On Qui, 21 Jan 2010, Adam Hardy wrote:
> All I'm saying is that I don't need this, and I'd like to find a way to
> shut it down whilst leaving the outbound mail delivery intact.

Since you've eliminated listening on the loopback interface only or using
a simple relayer like nullmailer, how about a firewall that drops all
incoming connections to port 25?

--
No anchovies unless otherwise specified.

Eduardo M KALINOWSKI
eduardo@kalinowski.com.br
trying to restrict postfix use of port
On Thu, 21 Jan 2010 16:04:00 +0000, Adam Hardy wrote:
> Camaleón on 21/01/10 15:44, wrote:
>>> The point is that I don't want to have port 25 open to the world,
>>> since I don't want to receive any emails on this system, I just want
>>> to send.
>>
>> Unless you have an external IP address assigned (dedicated or shared)
>> and your provider is redirecting incoming smtp traffic to your local
>> address where you have configured the MTA server, there is no way that
>> someone can establish a remote connection with your mail server host as
>> it's using a local (non routable) ip address.
>
> But I do have an external IP address assigned (e.g. 10.20.30.40,
> although it's different outside the confines of this mailing list
> discussion) and my hosting provider does NAT the incoming SMTP traffic
> to it (as standard for their firewall) and so yes it is totally
> routable.

Then ask your provider to close that port because you don't need it and
it's dangerous to have such a port open.

> I just did a little test to send messages from thunderbird on my PC here
> and it connects and will deliver, if I address the mail to one of the
> user accounts on the system.

That is the standard setup for Postfix. But that does not mean your host
is acting as an "open relay". Anyway, you can also tweak that behaviour.

> All I'm saying is that I don't need this, and I'd like to find a way to
> shut it down whilst leaving the outbound mail delivery intact.

http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from

Try with one of these values:

mynetworks_style = host

or

mynetworks = 127.0.0.0/8

And remember to restart the Postfix service after editing
"/etc/postfix/main.cf" so changes are applied.

--
Camaleón
trying to restrict postfix use of port
Eduardo M KALINOWSKI on 21/01/10 16:12, wrote:
> On Qui, 21 Jan 2010, Adam Hardy wrote:
>> All I'm saying is that I don't need this, and I'd like to find a way to
>> shut it down whilst leaving the outbound mail delivery intact.
>
> Since you've eliminated listening on the loopback interface only or using
> a simple relayer like nullmailer, how about a firewall that drops all
> incoming connections to port 25?

Sure, would be nice. But it would be nicer still if I could get postfix to
disable this at the start rather than set up postfix and then set up
something else to disable half of it..... if that makes sense.
trying to restrict postfix use of port
Camaleón on 21/01/10 16:27, wrote:
>> The point is that I don't want to have port 25 open to the world, since
>> I don't want to receive any emails on this system, I just want to send.

[snipped]

> That is the standard setup for Postfix. But that does not mean your host
> is acting as an "open relay". Anyway, you can also tweak that behaviour.
>
>> All I'm saying is that I don't need this, and I'd like to find a way to
>> shut it down whilst leaving the outbound mail delivery intact.
>
> mynetworks_style = host
>
> or
>
> mynetworks = 127.0.0.0/8

I am using mynetworks_style already but it doesn't stop SMTP listening on
port 25.

I guess this is just a relatively new situation coming with the advent of
vservers that just isn't possible.

I have set smtp_client_restrictions = reject so at least postfix responds
to external SMTP requests with an aggressive sounding "Client host
rejected: access denied" message.
trying to restrict postfix use of port
On Thu, 21 Jan 2010 17:36:41 +0000, Adam Hardy wrote:
> Camaleón on 21/01/10 16:27, wrote:
>>> All I'm saying is that I don't need this, and I'd like to find a way
>>> to shut it down whilst leaving the outbound mail delivery intact.
>>
>> mynetworks_style = host
>>
>> or
>>
>> mynetworks = 127.0.0.0/8
>
> I am using mynetworks_style already but it doesn't stop SMTP listening
> on port 25.

By setting that value you are not disallowing Postfix to listen on port
25. A mail server has to listen at least on "loopback:25" so it can
receive and process e-mails internally, coming from the host itself.

By setting that value what you are preventing is that "another computer"
can send any e-mails to/through your Postfix mailserver. If any of these
values are set, they will be rejected.

> I guess this is just a relatively new situation coming with the advent
> of vservers that just isn't possible.
>
> I have set smtp_client_restrictions = reject so at least postfix
> responds to external SMTP requests with an aggressive sounding "Client
> host rejected: access denied" message.

That is another approach. You can harden Postfix as much as you want.

Greetings,

--
Camaleón
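As an added example (not code from the thread, from Postfix, or from any of its participants), a small POSIX shell audit of a main.cf fragment that tells apart the three states the last few messages circle around: a loopback-only bind, the mynetworks relay restriction Camaleón suggested, and a client restriction of "reject" that refuses every remote client while the listener itself stays up. pf_get and pf_exposure are helpers written for this example, the sample configs are constructed, and the Postfix parameter is spelled smtpd_client_restrictions.

```shell
# Added example, not Postfix code: constructed input only, nothing touches
# a live system. The parameter is spelled smtpd_client_restrictions.

# Effective value of one main.cf parameter: last assignment wins, as in
# Postfix; '#' lines are ignored; continuation lines are not handled.
pf_get() {   # usage: pf_get "$maincf_text" parameter
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# What a client on the network gets from this main.cf. Prints one word:
#   loopback-only     smtpd bound to 127.0.0.1 only: nothing to reach
#   reject-all        smtpd reachable, but refuses every client at connect
#   relay-host-only   accepts mail for local users, relays only for the host
#   relay-mynetworks  relays for whatever mynetworks covers: review it
# Mail handed to /usr/sbin/sendmail (what cron does) enters via pickup,
# not smtpd, so reject-all leaves outbound delivery intact.
pf_exposure() {
    cf=$1
    case "$(pf_get "$cf" inet_interfaces)" in
        loopback-only|localhost|127.0.0.1) echo loopback-only; return 0 ;;
    esac
    [ "$(pf_get "$cf" smtpd_client_restrictions)" = reject ] &&
        { echo reject-all; return 0; }
    nets=$(pf_get "$cf" mynetworks)          # explicit list wins over _style
    if [ -n "$nets" ]; then
        case "$nets" in
            127.0.0.0/8|127.0.0.1) echo relay-host-only ;;
            *) echo relay-mynetworks ;;
        esac
    elif [ "$(pf_get "$cf" mynetworks_style)" = host ]; then
        echo relay-host-only
    else
        echo relay-mynetworks
    fi
}

# Constructed main.cf modelled on the thread: the vserver may not bind
# 127.0.0.1, so smtpd sits on the routable address and is told to refuse.
SAMPLE_CF='# constructed for this example
inet_interfaces = 10.20.30.40
mynetworks_style = host
smtpd_client_restrictions = reject'

# Same host before that last line: remote clients can still deliver to
# the local users, which is what the Thunderbird test in the thread showed.
SAMPLE_CF_OPEN='inet_interfaces = 10.20.30.40
mynetworks_style = host'

pf_exposure "$SAMPLE_CF"        # reject-all
pf_exposure "$SAMPLE_CF_OPEN"   # relay-host-only
```

Eduardo's firewall alternative sits outside Postfix entirely: dropping new inbound connections to tcp/25 does not touch outbound deliveries, whose replies arrive as established traffic.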
trying to restrict postfix use of port
Camaleón on 21/01/10 20:04, wrote:
> A mail server has to listen at least on "loopback:25" so it can receive
> and process e-mails internally, coming from the host itself.

Aha. Now we get to the crux of the matter. Is it a feature of SMTP itself,
that it cannot send an email without port 25 because it has to receive the
email it is going to send first, even if only locally as in my case, but
nevertheless on port 25?