SMTP/25 trusted networks without auth


(jelle) #1

[copy from googlegroups mailinglist]

I use Nethserver as a mailserver only. There are some users with Inboxes on it, but I want to use Nethserver as a SMTP server for my DMZ servers too. Now, I’ve configured a trusted network that’s my DMZ: 192.168.0.0/255.255.255.0
Then, as stated in http://docs.nethserver.org/en/latest/mail.html#special-smtp-access-policies , I ran:

# config setprop postfix AccessPolicies trustednetworks
# signal-event nethserver-mail-common-save

After this I’m able to use ANY client from private ranges to use Nethserver on port 25 without authentication! So, any client on LAN / VLANs and DMZ can now use Nethserver that way. I think I’m configuring something wrong or forgetting something, but I can’t figure it out with the documentation only.

Can anyone explain the ‘trusted networks’ section in more detail to me? What should I do to allow access for only some specific hosts (or specific network) to port 25 without authentication?


(Davide Principi) #2

The pointed out manual section states also

However, there are some devices (printers, scanners, …) that do not support SMTP authentication, encryption or port settings. They can be enabled to send messages by looking at their IP address in Postfix access table…

You’re on the right track!


(Davide Principi) #3

Hosts in trusted networks can connect to “private” services as green (LAN) networks.

See also
http://docs.nethserver.org/en/latest/base_system.html#network-services-section

I would not make DMZ completely “trusted”!


(jelle) #4

OK, thanks. So I have one interface LAN(green) where all traffic is passed to/from. My router does 1:1 NAT for the nethserver (external) IP.

If that one interface is green, how does Nethserver distinguish between a green and a red connection? (They all come in/out the same interface)

I don’t understand why I can’t enter a single IP/32 into trusted networks and whitelist it. I’m trying to understand the behaviour of trusted networks and why any client can use port 25 without auth on my server now. -> indeed I don’t want my entire DMZ trusted.

Another question. How do I reverse the command …setprop postfix trustednetworks… ?

Thanks!


(Alessio Fattorini) #5

Using this command:

# config delprop postfix AccessPolicies trustednetworks
# signal-event nethserver-mail-common-save

(Davide Principi) #6

This is a Bash issue! To set a prop value to the empty string use two single (or double) quote characters:

config setprop key name propname ''

The commands become

config setprop postfix AccessPolicies ''
signal-event nethserver-mail-common-save

(Davide Principi) #7

I’m not a networking expert.

I guess, from the client IP itself, if the original IP is not mangled by your router.

Anyway there’s no red zone if the server has one network interface only. If it has a red interface it works like a router…


(jelle) #8

Ok, I’ve set

# config delprop postfix AccessPolicies trustednetworks
# signal-event nethserver-mail-common-save

And removed all trusted networks from the Nethserver frontend, but my whole DMZ (192.168.0.0/24) may still use port 25 without authentication. How is that possible?

ps: I’ve noticed the DMZ servers use the private IP (192.168.0.xx) of Nethserver and not the external DNS IP. When using the external IP address, Nethserver gives me a "relay access denied". When using the internal DMZ IP, Nethserver accepts an unauthenticated port 25 connection.


(Davide Principi) #9

There should be no way to go from DMZ to LAN… Does anyone have an idea? @giacomo, @filippo_carletti

Did you set up some routing rule?

Could you paste here the output of config getprop postfix access?

Also the internal IP resolution suggests the server in DMZ uses the internal DNS: why not use a public DNS?


(Filippo Carletti) #10

By default, DMZ->LAN is closed and you need a port forward to open access. This is by design, but there could be a bug.


(jelle) #11

Nethserver is just a simple DMZ host with one interface in use. I use it as mailserver only. There is indeed no way to go from DMZ to LAN (must go through the pfSense firewall).

Not on Nethserver. This all (DMZ hosts mailing through Nethserver without auth) takes place on the same network 192.168.0.0/24, so there’s no router/firewall involved.

[root@nethserver ~]# config getprop postfix access
public

I’ve set public DNS now.


(Davide Principi) #12

Thank you for clarifying it again. I missed that point :blush:

I don’t know if completely deleting the AccessPolicies prop could create problems. I’d try to set it to the default empty string value and signal again the event.

In my mail server postconf -n shows:

...
mynetworks_style = host
...
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/access, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, check_recipient_access hash:/etc/postfix/internal_access, reject_unverified_recipient
...

(jelle) #13

Right, thanks.
Mine:

[root@nethserver ~]# postconf -n | grep smtpd_recipient_restrictions
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/access, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, check_recipient_access hash:/etc/postfix/internal_access, reject_unverified_recipient

Don’t know if your permit_sasl_authenticated is the culprit, but can’t imagine why.

After setting

config setprop postfix AccessPolicies ''
signal-event nethserver-mail-common-save

I am still able to send mail with any DMZ host. This unfortunately didn’t solve the problem.
I’m wondering if there’s any process that I might restart to reload the settings. Just to be sure there’s not a process hanging on its config or something? I have restarted postfix, but that didn’t help. Any other processes?
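
The two `postconf -n` outputs above show the restriction list but not `mynetworks` or `mynetworks_style`, and `permit_mynetworks` sits before `reject_unauth_destination` in both lists, so whatever `mynetworks` expands to is what decides relaying for an unauthenticated client on port 25. The following is an added example (not code from this thread or from NethServer) that walks that list the way smtpd does, left to right, for a given client IP, and shows what `mynetworks_style = subnet` versus `host` derives when `mynetworks` is not set explicitly. The `mynetworks` values in the sample are assumptions for illustration; the real values to compare against come from `postconf -h mynetworks mynetworks_style` on the server. Access-table lookups (`check_*_access`) are treated as "no match", since the tables are not on the page.

```python
import ipaddress
import re

# Constructed sample in `postconf -n` format: jelle's restriction list as posted,
# plus mynetworks / mynetworks_style values that are ASSUMED (the thread never shows them).
SAMPLE_POSTCONF = """\
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.0.0/24
mynetworks_style = subnet
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/access, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, check_recipient_access hash:/etc/postfix/internal_access, reject_unverified_recipient
"""


def parse_postconf(text):
    """Parse 'name = value' lines as printed by `postconf -n`."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def parse_mynetworks(value):
    """Turn a mynetworks list into ip_network objects.

    Postfix accepts comma/space separated entries; IPv6 entries are written in
    brackets; a bare address means a single host. Table references (hash:, cidr:)
    and '!' negation are not modelled here."""
    nets = []
    for tok in re.split(r"[,\s]+", value.strip()):
        if tok:
            tok = tok.replace("[", "").replace("]", "")
            nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def default_mynetworks(style, interface_cidr):
    """What Postfix derives when `mynetworks` is NOT set explicitly.

    interface_cidr is the server's own address with its netmask, e.g. 192.168.0.10/24.
    'subnet' trusts the whole directly attached subnet; 'host' trusts only the
    machine's own addresses. Loopback is trusted in both. 'class' is not modelled."""
    iface = ipaddress.ip_interface(interface_cidr)
    nets = [ipaddress.ip_network("127.0.0.0/8")]
    if style == "subnet":
        nets.append(iface.network)
    elif style == "host":
        nets.append(ipaddress.ip_network(str(iface.ip)))
    else:
        raise ValueError("unsupported mynetworks_style: " + style)
    return nets


def client_matches_mynetworks(client_ip, nets):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in nets if n.version == ip.version)


def relay_decision(client_ip, params, authenticated=False, recipient_local=False):
    """Walk smtpd_recipient_restrictions left to right for a remote-recipient
    (relay) attempt and return the first verdict, as smtpd would.

    Only the restrictions relevant to relaying are modelled; the implicit
    action at the end of the list is permit."""
    nets = parse_mynetworks(params.get("mynetworks", ""))
    for r in [x.strip() for x in params["smtpd_recipient_restrictions"].split(",")]:
        if r == "permit_mynetworks" and client_matches_mynetworks(client_ip, nets):
            return "OK (permit_mynetworks)"
        if r == "permit_sasl_authenticated" and authenticated:
            return "OK (permit_sasl_authenticated)"
        if r == "reject_unauth_destination" and not recipient_local:
            return "REJECT Relay access denied"
    return "OK (implicit permit at end of list)"


if __name__ == "__main__":
    p = parse_postconf(SAMPLE_POSTCONF)
    for ip in ("192.168.0.55", "203.0.113.7"):
        print(ip, "->", relay_decision(ip, p))
    for style in ("subnet", "host"):
        nets = default_mynetworks(style, "192.168.0.10/24")
        print("mynetworks_style =", style, "->", [str(n) for n in nets])
```

With the assumed `mynetworks` the DMZ host 192.168.0.55 is permitted by `permit_mynetworks` and an outside address is refused with "Relay access denied", which is the same pair of behaviours jelle reports for the internal and external IP. Note also that the list as posted in #13 has no `permit_sasl_authenticated`, so an authenticated DMZ client would be refused too under that list; the list in #12 does have it.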


(jelle) #14

Right. The above still applies unfortunately.
My scenario:

  1. Install Nethserver with mailserver packages only. Use eth0 as the only interface on the system (GREEN)

  2. Add 192.168.0.0/24 as a Trusted Network in Nethserver GUI

  3. Set:

    config setprop postfix AccessPolicies trustednetworks
    signal-event nethserver-mail-common-save

RESULT1: Every DMZ (192.168.0.0/24) host can use Nethserver mail with port 25 without auth. That result is to be expected.

Now reverse the process.

  1. Remove all Trusted Networks from Nethserver GUI

  2. Set

    config setprop postfix AccessPolicies ''
    signal-event nethserver-mail-common-save

RESULT2: All DMZ hosts can still use Nethserver on port 25 without auth. This result IS NOT to be expected as I’ve removed Trusted Networks from the equation.

I’ve used the following SSMTP config in Debian on the other DMZ hosts (/etc/ssmtp/ssmtp.conf):

root=root@nethserverdomain.com
# Internal Nethserver IP
mailhub=192.168.0.10:25
rewriteDomain=nethserverdomain.com
hostname=dmzhost.localdomain.com
FromLineOverride=YES

I really have no idea where to proceed from here. My (new) goal is to allow DMZ hosts access WITH authentication, but now there is a security hole in the mailserver which I want to solve first.