Univention Bugzilla – Bug 39021
AUTH on port 25 should not be allowed
Last modified: 2015-11-17 12:12:42 CET
Created attachment 7049: 60_tls.patch

Port 25 should not be a valid submission port for an authenticated user. Port 465, and better port 587, is the submission port for an authenticated user. In template main.cf.d/60_tls, "smtpd_sasl_auth_enable = yes" is hardcoded. Therefore all ports/services of postfix (also port 25) provide SASL AUTH. The postfix default is "smtpd_sasl_auth_enable = no" (see http://www.postfix.org/postconf.5.html#smtpd_sasl_auth_enable). This provides no AUTH until it is configured. With #38049 new UCRVs are implemented to set options in master.cf. The standard is: "mail/postfix/mastercf/options/smtps/smtpd_sasl_auth_enable=yes". Therefore it is not necessary to activate smtpd_sasl_auth_enable globally in main.cf. And with these settings, no AUTH is provided on port 25. Patch is attached.
The patch also activates "noplaintext". Is this tested on a UCS system? I don't think that SASL/LDAP holds the required password hashes. Nevertheless I think splitting incoming mails to different ports depending on their target (relaying vs. delivering) is a good idea but should not switch permanently before UCS 4.1. Alternatively it becomes configurable via UCR in an erratum and the current default is kept.
With commit 63369 authentication (and thus submitting) has been disabled by default on all ports. UCRVs (created in earlier bug) enable authentication by default on SMTPS (465) and Submission (587):

mail/postfix/mastercf/options/smtps/smtpd_sasl_auth_enable=yes
mail/postfix/mastercf/options/submission/smtpd_sasl_auth_enable=yes

To re-enable authentication on SMTP (port 25) using TLS, set UCR variable mail/postfix/mastercf/options/smtp/smtpd_sasl_auth_enable=yes
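The state described in this comment (Postfix default of smtpd_sasl_auth_enable=no in main.cf, per-service "-o smtpd_sasl_auth_enable=yes" overrides in master.cf for smtps and submission) can be audited from the rendered files rather than a live server. The following is an added example, not UCS's template code or the patch from the attachment: it parses a main.cf and a master.cf and reports, per inet smtpd service, whether SASL AUTH is effectively enabled. The config excerpts are constructed to show the "before" (hardcoded in main.cf) and "after" states; the UCS template names and the UCRV-to-master.cf mapping are not reproduced.

```python
import re

# Constructed excerpts, not UCS's actual templates: the "before" state with
# smtpd_sasl_auth_enable hardcoded in main.cf, and the "after" state where
# main.cf keeps the Postfix default and only submission/smtps override it.
MAIN_CF_BEFORE = "smtpd_sasl_auth_enable = yes\nsmtpd_tls_security_level = may\n"
MAIN_CF_AFTER = "smtpd_tls_security_level = may\n"
MASTER_CF_BEFORE = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
pickup     unix  n  -  n  60 1  pickup
"""
MASTER_CF_AFTER = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
pickup     unix  n  -  n  60 1  pickup
"""


def parse_main_cf(text):
    """Return {parameter: value} from main.cf (comments and blank lines skipped)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {"type", "command", "options"}} from master.cf.

    A line starting in column 0 begins a service entry (8 fields: service,
    type, private, unpriv, chroot, wakeup, maxproc, command). Indented
    '-o key=value' lines override main.cf parameters for that service only.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", raw)
            if m and current is not None:
                services[current]["options"][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        if len(fields) < 8:
            continue
        current = fields[0]
        services[current] = {"type": fields[1], "command": fields[7], "options": {}}
    return services


def effective_sasl_auth(main_cf, master_cf):
    """Map each network-facing smtpd service to whether SASL AUTH is enabled."""
    # Postfix's built-in default when main.cf does not set the parameter.
    global_value = parse_main_cf(main_cf).get("smtpd_sasl_auth_enable", "no")
    result = {}
    for name, svc in parse_master_cf(master_cf).items():
        if svc["command"] != "smtpd" or svc["type"] != "inet":
            continue
        value = svc["options"].get("smtpd_sasl_auth_enable", global_value)
        result[name] = value.lower() == "yes"
    return result


if __name__ == "__main__":
    print("before:", effective_sasl_auth(MAIN_CF_BEFORE, MASTER_CF_BEFORE))
    print("after: ", effective_sasl_auth(MAIN_CF_AFTER, MASTER_CF_AFTER))
```

Re-enabling AUTH on port 25, as the comment describes for the smtp UCRV, would show up in this audit as an additional "-o smtpd_sasl_auth_enable=yes" line under the smtp service entry; the global main.cf value stays "no".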
(In reply to Daniel Tröder from comment #2)
> To re-enable authentication on SMTP (port 25) using TLS set UCR variable
> mail/postfix/mastercf/options/smtp/smtpd_sasl_auth_enable=yes

Added ucs-test script: r65033 | Bug #39021: added 20_check_postfix_auth_per_port

OK: code change
OK: functional test
OK: added ucs-test script
REOPEN: entry in changelog-4.1-0.xml is missing
REOPEN: we should update the manual accordingly and give the admin/user some hints, which ports should be used for mail delivery
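A functional check of the same policy against a running server, in the spirit of the ucs-test script named above but written here as an added example (it is not the script 20_check_postfix_auth_per_port and is not UCS code): connect to ports 25, 465 and 587, complete EHLO the way a client on that port would (implicit TLS on 465, STARTTLS then a second EHLO on 25 and 587, since Postfix only advertises AUTH after TLS when smtpd_tls_auth_only is set), and compare the advertised capabilities with the expected policy of no AUTH on 25 and AUTH on 465/587. The EHLO replies used in the offline part are constructed samples; the host name is taken from the command line.

```python
import re
import smtplib
import ssl
import sys

# Policy from this bug: no AUTH on plain SMTP (25), AUTH on SMTPS and Submission.
EXPECTED_AUTH = {25: False, 465: True, 587: True}


def auth_advertised(ehlo_reply):
    """True if a raw multi-line EHLO reply advertises the AUTH extension.

    Accepts both the RFC 4954 form "250 AUTH PLAIN LOGIN" and Postfix's
    compatibility form "250 AUTH=PLAIN LOGIN" (broken_sasl_auth_clients=yes).
    """
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]\s*(.*)$", line.strip())
        if m and re.match(r"AUTH(=|\s|$)", m.group(1), re.IGNORECASE):
            return True
    return False


def probe_port(host, port, timeout=10.0):
    """Connect to host:port, negotiate TLS as a client on that port would,
    and report whether AUTH is offered after the final EHLO."""
    ctx = ssl.create_default_context()
    if port == 465:
        srv = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)  # implicit TLS
    else:
        srv = smtplib.SMTP(host, port, timeout=timeout)
    try:
        srv.ehlo()
        if port != 465 and srv.has_extn("starttls"):
            srv.starttls(context=ctx)
            srv.ehlo()  # capability list can change after TLS (smtpd_tls_auth_only)
        return srv.has_extn("auth")
    finally:
        srv.quit()


def check_policy(observed, expected=EXPECTED_AUTH):
    """Compare probed results with the policy; return a list of problems."""
    problems = []
    for port, want in sorted(expected.items()):
        if port not in observed:
            problems.append(f"port {port}: not probed")
        elif observed[port] != want:
            state = "advertised" if observed[port] else "not advertised"
            problems.append(f"port {port}: AUTH {state}, expected {'yes' if want else 'no'}")
    return problems


# Constructed sample replies, used to show the parser offline.
SAMPLE_REPLY_PORT25 = "250-mail.example.com\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
SAMPLE_REPLY_PORT587 = "250-mail.example.com\r\n250-8BITMIME\r\n250 AUTH PLAIN LOGIN\r\n"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    observed = {}
    for port in EXPECTED_AUTH:
        try:
            observed[port] = probe_port(host, port)
        except (OSError, smtplib.SMTPException) as exc:
            print(f"port {port}: probe failed: {exc}")
    problems = check_policy(observed)
    for problem in problems:
        print("FAIL", problem)
    sys.exit(1 if problems else 0)
```

A port that is closed or refuses the connection is reported as "not probed" rather than passing silently, so a firewall change that hides port 587 is noticed as well as an AUTH leak on port 25.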
65073: backport 20_check_postfix_auth_per_port to 4.0-3
65074+65077: 4.1 changelog entry
65087+65090: add manual entry on SMTP ports and fix ports in pictures
(In reply to Daniel Tröder from comment #4)
> 65073: backport 20_check_postfix_auth_per_port to 4.0-3
> 65074+65077: 4.1 changelog entry
> 65087+65090: add manual entry on SMTP ports and fix ports in pictures
→ OK

r65241 | Bug #39021: small changes for mail-*.xml
→ VERIFIED
UCS 4.1 has been released: https://docs.software-univention.de/release-notes-4.1-0-en.html https://docs.software-univention.de/release-notes-4.1-0-de.html If this error occurs again, please use "Clone This Bug".