# Postfix SASL TLS



## NeHe (May 14, 2014)

I am not sure if my brain is just not working or if what I'm trying to do can not be done.

Is there any way to accomplish the following:

Employees in the office:  SASL/TLS not required (but users should be able to authenticate if they wish using ports 25, 465 or 587).
Employees outside the office: SASL and TLS should be required.  They should be able to connect using the three ports mentioned above (no need to force them onto 587).
Server to server should have the option to use TLS.

I have this partially working:

SASL is working with sasldb. I had to comment out

```
smtpd_sasl_security_options = noanonymous
```
to allow users to send mail without having to authenticate with the SMTP server. (This would normally be a bad thing, but in my configuration I only allow our network to send, so relaying is not happening.)

I tried the following for outside staff: I removed permit_sasl_authenticated from smtpd_recipient_restrictions and enabled submission in master.cf. This should only permit authenticated users to send mail because of the line

```
-o smtpd_recipient_restrictions = permit_sasl_authenticated
```
reject under "submission". But what I'm noticing is that all my other checks in main.cf under smtpd_recipient_restrictions are being called first, so if a user is blacklisted it fails (usually with the message relaying not allowed)?

If I add

```
smtpd_recipient_restrictions = permit_sasl_authenticated
```
back to main.cf as long as the user authenticates the message will go.

Is there any way to accomplish the above type of setup?

This is what I have now:

main.cf

```
smtpd_sasl_auth_enable          = yes
broken_sasl_auth_clients        = yes
#smtpd_sasl_security_options     = noanonymous
smtpd_sasl_local_domain         = proxy.domain.local
smtpd_sasl_authenticated_header = yes

smtpd_tls_key_file              = /usr/local/etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file             = /usr/local/etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile                = /usr/local/etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel              = 1
smtpd_tls_received_header       = yes
smtpd_tls_security_level        = may
smtp_tls_security_level         = may
smtp_tls_note_starttls_offer    = yes

plus:  smtpd_recipient_restrictions = permit_sasl_authenticated (along with additional options - rbl, etc)
```

master.cf

```
smtp      inet  n       -       n       -       -       smtpd
smtpd     pass  -       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
```


----------



## obsigna (May 14, 2014)

NeHe said:

> ...
> Employees in the office:  SASL/TLS not required (but users should be able to authenticate if they wish using ports 25, 465 or 587).
> Employees outside the office: SASL and TLS should be required.  They should be able to connect using the three ports mentioned above (no need to force them onto 587).
> Server to server should have the option to use TLS.



Regarding SASL, you could achieve this on the server-side with the following lines in /usr/local/etc/postfix/main.cf:

```
smtpd_relay_restrictions = permit_mynetworks,
                           permit_sasl_authenticated,
                           reject_unauth_destination
```

Provided that the Postfix setting mynetworks contains said internal network, this setting would allow internal clients to connect without authentication, however they may connect using authentication. Everybody else, i.e. external clients, must authenticate, or the connection would be rejected, except for mails to mydestination.

Regarding TLS, the Postfix setting smtpd_tls_security_level = may is AFAIK the only way to be flexible for internal clients and external MTAs, and as well it provides the TLS facility for external clients. I would then enforce the use of TLS in the settings of the MUAs of the external client computers.


----------



## NeHe (May 15, 2014)

Obsigna,

I appreciate the very quick response, and I had some time to play around with the settings tonight.  I understand what the 3 lines mentioned in your post do, but I'm not sure they made any difference to my existing setup.  I already have office staff able to authenticate or not log in at all for SMTP.  I have permit_mynetworks and SASL authentication checks.

The problem I'm running into right now is that outside staff (although forced to authenticate via SASL) are not forced to use TLS.  I know you say to enforce it in their client, but what I'd love for them to do and what they will actually do (after talking with them on the phone) are two different things.  I don't want their passwords sent as plain text (I used to get around this by having them VPN in first).  I don't want them to have the option to send mail to port 25 unauthenticated.  But at the same time I don't want office staff to have to authenticate.

I want it so that if staff are out of the country or just outside the building, their mail WILL go as long as they are authenticated (SASL) and TLS is hiding their password.  So basically I want them to be able to use either port 25, 465 or 587 but only have the ability to send mail if they authenticate and everything is using TLS.  I would prefer an error if they select plain text password or don't use TLS.

But at the same time I don't want the office staff (on the same LAN) to have to do anything other than log into IMAP to get mail.  When sending mail, as long as the SMTP server is correct I want the mail to go.  But I do want the office staff to have the ability to use 465 or 587 if it makes them feel safer.

Right now outside staff can select no authentication and, even though their mail will get blocked because they are not on the LAN, it will still try to send out (indefinitely).

Hope all of this makes sense.  I feel a little overwhelmed.  I thought the process would be very straightforward, and I'm sure it would be if I disabled anon, did check for SASL auth, forced TLS and made sure all client machines were set up correctly, but I don't want the users to have to log into the SMTP server to send mail, and from what I've read forcing encrypt is not suggested.

I do have the security level set to may (and for server to server this is perfect), but allowing the users to send their password across the net where it could get sniffed isn't perfect.

Blocking anon would be great, but then every client would have to be set up to send auth...


----------



## obsigna (May 15, 2014)

NeHe (first post) said:

> Employees in the office:  SASL/TLS not required (but users should be able to authenticate if they wish using ports 25, 465 or 587).
> Employees outside the office: SASL and TLS should be required.  They should be able to connect using the three ports mentioned above (no need to force them onto 587).
> Server to server should have the option to use TLS.

NeHe (second post) said:

> ... Hope all of this makes sense. ...


Yes, to me your requirements are very clear.

NeHe (second post) said:

> ... I feel a little overwhelmed. I thought the process would be very straight forward, and I'm sure it would be if I disabled anon, ...

Yeah, with that remark you almost touched the problem. More exactly, you have a logical contradiction between your requirements 2 and 3. In the connection stage your mail server on port 25 does not see any difference between one of your external users connecting by way of his/her e-mail client and any mail server connecting and passing e-mails to your domain. Since Postfix has no way to distinguish between these cases, you need to impose a differentiation on the external clients.

You wrote "... (no need to force them onto 587) ...", however, would it be that bad if your external clients needed to connect via 587? If you could place that restriction on your external clients, then you could easily enforce TLS for them:

In file /usr/local/etc/main.cf place:

```
...
smtpd_sender_restrictions = permit_mynetworks,
                            check_sender_access hash:/usr/local/etc/postfix/external_client_rejections

smtpd_relay_restrictions  = permit_mynetworks,
                            permit_sasl_authenticated,
                            reject_unauth_destination
...
```

In file /usr/local/etc/master.cf put:

```
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_sender_restrictions=
   -o smtpd_tls_security_level=encrypt
...
```

Create the access table /usr/local/etc/postfix/external_client_rejections and postmap(1) it:

```
ext-user1@example.com    reject
ext-user2@example.com    reject
ext-user3@example.com    reject
     :         : 
ext-userN@example.com    reject
```
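To see how the two answers in this thread fit together (the smtpd_relay_restrictions list from the first answer, and the smtpd_sender_restrictions list plus the submission-service overrides and the external_client_rejections access table from the second), here is an added example that is not part of either post and not Postfix code: a small Python model of how smtpd walks those restriction lists, so the verdict for each kind of client can be checked before the change goes live. The networks, addresses, domains and access-table entries are constructed for the example; the restriction semantics (first decision wins, an exhausted list permits, "encrypt" refuses MAIL FROM until STARTTLS) follow Postfix's documented behaviour.

```python
"""Model of how Postfix walks the restriction lists used in this thread.

Added example, not Postfix code: restrictions return "OK", "REJECT" or
None (Postfix's DUNNO: no decision, try the next restriction).
"""
import ipaddress

# Constructed stand-ins for the real server's settings.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.10.0/24")]
MYDESTINATION = {"example.com"}
# Contents of hash:/usr/local/etc/postfix/external_client_rejections
# after postmap(1): every external user's sender address maps to "reject".
EXTERNAL_CLIENT_REJECTIONS = {
    "ext-user1@example.com": "reject",
    "ext-user2@example.com": "reject",
}
# Per-service settings, mirroring main.cf plus the "-o" overrides in
# master.cf: submission clears the sender restrictions and requires TLS.
SERVICES = {
    "smtp":       {"tls": "may",     "sender_restrictions_cleared": False},
    "submission": {"tls": "encrypt", "sender_restrictions_cleared": True},
}


def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return "OK" if any(ip in net for net in MYNETWORKS) else None


def permit_sasl_authenticated(s):
    return "OK" if s["sasl"] else None


def reject_unauth_destination(s):
    domain = s["recipient"].rpartition("@")[2].lower()
    return None if domain in MYDESTINATION else "REJECT"


def check_sender_access(table):
    def restriction(s):
        return "REJECT" if table.get(s["sender"].lower()) == "reject" else None
    restriction.__name__ = "check_sender_access"
    return restriction


SENDER_RESTRICTIONS = [permit_mynetworks,
                       check_sender_access(EXTERNAL_CLIENT_REJECTIONS)]
RELAY_RESTRICTIONS = [permit_mynetworks,
                      permit_sasl_authenticated,
                      reject_unauth_destination]


def evaluate(restrictions, s):
    """First restriction that returns a decision wins; an exhausted list
    means no objection (the implicit permit at the end of a list)."""
    for r in restrictions:
        decision = r(s)
        if decision is not None:
            return decision, r.__name__
    return "OK", "end-of-list"


def decide(s):
    """Return (verdict, reason) for one transaction. Keys: service,
    client_ip, tls, sasl, sender, recipient. With the default
    smtpd_delay_reject=yes the sender list runs before the relay list."""
    svc = SERVICES[s["service"]]
    # "encrypt": smtpd refuses MAIL FROM until STARTTLS succeeded, so a
    # plaintext session never reaches the restriction lists at all.
    if svc["tls"] == "encrypt" and not s["tls"]:
        return "REJECT", "must issue STARTTLS first"
    if not svc["sender_restrictions_cleared"]:
        verdict, why = evaluate(SENDER_RESTRICTIONS, s)
        if verdict == "REJECT":
            return verdict, "sender_restrictions/" + why
    verdict, why = evaluate(RELAY_RESTRICTIONS, s)
    return verdict, "relay_restrictions/" + why


def scenarios():
    """Constructed sessions covering the cases discussed in the thread."""
    ext = "ext-user1@example.com"          # an address in the access table
    remote = "friend@other.example"        # a recipient we do not host
    mk = lambda **kw: decide(kw)
    return {
        "office, port 25, no auth, no TLS":
            mk(service="smtp", client_ip="192.168.10.5", tls=False, sasl=False,
               sender=ext, recipient=remote),
        "outside, port 25, SASL over TLS":
            mk(service="smtp", client_ip="203.0.113.7", tls=True, sasl=True,
               sender=ext, recipient=remote),
        "outside, port 587, plaintext":
            mk(service="submission", client_ip="203.0.113.7", tls=False,
               sasl=False, sender=ext, recipient=remote),
        "outside, port 587, TLS but no SASL":
            mk(service="submission", client_ip="203.0.113.7", tls=True,
               sasl=False, sender=ext, recipient=remote),
        "outside, port 587, SASL over TLS":
            mk(service="submission", client_ip="203.0.113.7", tls=True,
               sasl=True, sender=ext, recipient=remote),
        "foreign MTA, port 25, mail for us":
            mk(service="smtp", client_ip="198.51.100.9", tls=False, sasl=False,
               sender="someone@other.example", recipient="user@example.com"),
        "foreign MTA, port 25, relay attempt":
            mk(service="smtp", client_ip="198.51.100.9", tls=False, sasl=False,
               sender="someone@other.example", recipient=remote),
    }


if __name__ == "__main__":
    for label, (verdict, why) in scenarios().items():
        print(f"{label:38} {verdict:6} ({why})")
```

Two things the model makes visible that the config alone does not: permit_mynetworks at the head of smtpd_sender_restrictions means an office client is never checked against the rejection table, even when it uses one of the listed addresses, so the table only bites from outside mynetworks; and a foreign MTA delivering to a mydestination domain still gets through on port 25 because reject_unauth_destination returns no decision for local recipients, which is exactly why the two external cases must be told apart by sender address rather than by connection.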


----------



## NeHe (May 15, 2014)

A very smart solution my friend, and it just might work! I will give this a test later today. You hit the nail on the head when you brought up the fact that there is no easy way to distinguish inside from outside. I'm still surprised by this. I had a net provider many years ago that had a setup very much like the one I am trying to achieve. You could quickly log in on any device and set up mail with just a username/pass for POP3/IMAP. However, if you were on a network that was not their own you had to authenticate with their SMTP server in order to send mail. I wish I knew how they accomplished this. Once again, thank you for the advice!


----------



## obsigna (May 15, 2014)

NeHe said:

> ...However if you were on a network that was not their own you had to authenticate with their SMTP server in order to send mail. I wish I knew how they accomplished this

This is for sure a setting similar to the postfix setting:

```
smtpd_relay_restrictions  = permit_mynetworks, ...
```

Naturally, mynetworks of an ISP are quite a bit broader than mynetworks of a company.


----------

