I use Nethserver as a mailserver only. There are some users with Inboxes on it, but I want to use Nethserver as a SMTP server for my DMZ servers too. Now, I’ve configured a trusted network that’s my DMZ: 192.168.0.0/255.255.255.0
Then, as stated in http://docs.nethserver.org/en/latest/mail.html#special-smtp-access-policies, I ran:
After this I’m able to use ANY client from private ranges to use Nethserver on port 25 without authentication! So, any client on LAN / VLANs and DMZ can now use Nethserver that way. I think I’m configuring something wrong or forgetting something, but I can’t figure it out with the documentation only.
Can anyone explain the ‘trusted networks’ section in more detail to me? What should I do to allow access for only some specific hosts (or specific network) to port 25 without authentication?
However, there are some devices (printers, scanners, …) that do not support SMTP authentication, encryption or port settings. They can be enabled to send messages by looking at their IP address in Postfix access table…
OK, thanks. So I have one interface LAN(green) where all traffic is passed to/from. My router does 1:1 NAT for the nethserver (external) IP.
If that one interface is green, how does Nethserver distinguish between a green and a red connection? (They all come in/out the same interface)
I don’t understand why I can’t enter a single IP/32 into trusted networks and whitelist it. I’m trying to understand the behaviour of trusted networks and why any client can use port 25 without auth on my server now. -> indeed I don’t want my entire DMZ trusted.
Another question. How do I reverse the command …setprop postfix trustednetworks… ?
And removed all trusted networks from the Nethserver frontend, but my whole DMZ (192.168.0.0/24) may still use port 25 without authentication. How is that possible?
PS: I’ve noticed the DMZ servers use the private IP (192.168.0.xx) of Nethserver and not the external DNS IP. When using the external IP address, Nethserver gives me a "relay access denied". When using the internal DMZ IP, Nethserver accepts an unauthenticated port 25 connection.
Nethserver is just a simple DMZ host with one interface in use. I use it as a mailserver only. There is indeed no way to go from DMZ to LAN (must go through the pfSense firewall).
Not on Nethserver. This all (DMZ hosts mailing through Nethserver without auth) takes place on the same network 192.168.0.0/24, so there’s no router/firewall involved.
[root@nethserver ~]# config getprop postfix access
public
Thank you for clarifying it again. I missed that point
I don’t know if completely deleting the AccessPolicies prop could create problems. I’d try to set it to the default empty string value and signal again the event.
I am still able to send mail with any DMZ host. This unfortunately didn’t solve the problem.
I’m wondering if there’s any process that I might restart to reload the settings. Just to be sure there’s not a process hanging on to its config or something? I have restarted postfix, but that didn’t help. Any other processes?
RESULT2: All DMZ hosts can still use Nethserver on port 25 without auth. This result IS NOT to be expected as I’ve removed Trusted Networks from the equation.
I’ve used the following SSMTP config in Debian on the other DMZ hosts (/etc/ssmtp/ssmtp.conf):
root=root@nethserverdomain.com
mailhub=192.168.0.10:25 #Internal Nethserver IP
rewriteDomain=nethserverdomain.com
hostname=dmzhost.localdomain.com
FromLineOverride=YES
I really have no idea where to proceed from here. My (new) goal is to allow DMZ hosts access WITH authentication, but now there is a security hole in the mailserver which I want to solve first.
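One way to audit the situation described in this thread (which source addresses Postfix lets relay without authentication, and why connecting to the internal IP behaves differently from the external one) is to read the effective Postfix settings and check client addresses against them. The script below is an added example, not NethServer's or Postfix's own code. It assumes NethServer writes its "trusted networks" into Postfix's mynetworks setting and that the relay decision is made by smtpd_relay_restrictions (or smtpd_recipient_restrictions on older Postfix); the postconf -n output it parses is a constructed sample modelled on the 192.168.0.0/24 DMZ from the thread, and on a real host you would feed it the output of `postconf -n` instead.

```python
"""Audit which SMTP client addresses Postfix would relay for without auth.

Added example (not NethServer's or Postfix's own code).  It parses
`postconf -n` style output, reads `mynetworks` and the relay restriction
list, and reports which client addresses fall inside a trusted network.
Assumption: NethServer's "trusted networks" end up in Postfix `mynetworks`;
confirm on the real host with `postconf -n mynetworks`.
"""
import ipaddress
import re

# Constructed sample of `postconf -n` output, modelled on the thread:
# the whole DMZ /24 is listed in mynetworks, so every DMZ host may relay.
SAMPLE_POSTCONF = """\
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.0.0/24
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
"""


def parse_postconf(text):
    """Turn `key = value` lines into a dict; later keys override earlier ones."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_mynetworks(value):
    """Return the networks Postfix trusts.  Postfix accepts comma- or
    space-separated entries and writes IPv6 entries in [brackets]."""
    nets = []
    for entry in re.split(r"[,\s]+", value):
        if not entry:
            continue
        entry = entry.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def relays_without_auth(settings):
    """True if permit_mynetworks is evaluated before any reject_* rule,
    i.e. a trusted client is accepted without ever reaching SASL."""
    restrictions = settings.get("smtpd_relay_restrictions") or settings.get(
        "smtpd_recipient_restrictions", ""
    )
    order = [r.strip() for r in restrictions.split(",") if r.strip()]
    if "permit_mynetworks" not in order:
        return False
    first_reject = next(
        (i for i, r in enumerate(order) if r.startswith("reject")), len(order)
    )
    return order.index("permit_mynetworks") < first_reject


def unauthenticated_relay_clients(settings, client_ips):
    """Map each client IP to the trusted network that lets it relay without
    authentication, or None if it would have to authenticate."""
    nets = parse_mynetworks(settings.get("mynetworks", ""))
    trusted_may_relay = relays_without_auth(settings)
    result = {}
    for ip in client_ips:
        addr = ipaddress.ip_address(ip)
        match = next((n for n in nets if addr in n), None)
        result[ip] = str(match) if (match and trusted_may_relay) else None
    return result


def overly_broad(settings):
    """List non-loopback IPv4 trusted networks wider than a single host,
    the misconfiguration from the thread (a /24 where a /32 was intended)."""
    return [
        n for n in parse_mynetworks(settings.get("mynetworks", ""))
        if n.version == 4 and not n.is_loopback and n.prefixlen < 32
    ]


if __name__ == "__main__":
    cfg = parse_postconf(SAMPLE_POSTCONF)
    # 192.168.0.10 is the DMZ mail host from the thread; the others are constructed.
    for ip, net in unauthenticated_relay_clients(
        cfg, ["192.168.0.10", "192.168.0.55", "10.0.0.5"]
    ).items():
        print(ip, "relays without auth via", net if net else "-- must authenticate")
    for net in overly_broad(cfg):
        print("trusted network wider than one host:", net)
```

Running it against the constructed sample shows every 192.168.0.x address matching 192.168.0.0/24 and the /24 flagged as broader than one host; replacing that entry with 192.168.0.10/32 leaves only the intended host matching. This also explains the observation in the thread that connections to the external address get "relay access denied": the decision is made on the source address Postfix sees, and a NATed connection arriving from the router's address matches no entry in mynetworks.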