Postfix Configuration Question
Results 1 to 9 of 9

Thread: Postfix Configuration Question

  1. #1
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018

    Postfix Configuration Question

    I have a mobile phone GPRS connection and I want to securely use my home mail server to send mail.

    I can use IMAP without a problem to read mail (username & password) but it's smtp I'm worried about.

    When using the phone the IP assigned is always constant (for the purposes of this discsussion lets say its 192.168.1.2)and it seems to be the same address that everyone who uses the same phone service provider gets.

    Now I could add the address 192.168.1.2 to my $mynetworks, but this would mean that I am technically an open relay for anyone who uses the same phone service as I do.

    I can't use passworded smtp access, because my phone doesn't support it. I could make it more secure by checking the 'from' address and ensuring that it matches my.domain

    Because I often use disposable mail addresses outgoing through that server (eg Temp_12345@not.my.domain) I only want to match the from address to my.domain when the sending IP address is 192.168.1.2

    I've looked at postfix configuration till I've gone bugeyed & I can't see a way to do this.

    Does anyone know how to do this, or does anyone else have a better idea for securing the mail server, but still allowing my phone access?

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  2. #2
    Member
    Join Date
    Dec 2003
    Posts
    43
    Investigate "pop before smtp" for postfix. I am pretty sure that you can set that up to work, even if you are connecting to your mail with imap instead of pop.

    I have not done it personally, but I quite sure that postfix will do it.

  3. #3
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    Thank you for that idea.

    For those iterested - This article here :
    http://www.stahl.bau.tu-bs.de/~hilde...-smtp_en.shtml

    I intend to use this http://popbsmtp.sourceforge.net/

    It provides the level of security I am looking for, better than the idea I had.

    It will need the default time between IMAP/SMTP lowering from 1800 seconds since that is too big a time window.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  4. #4
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    Bugger - I still need some more ideas.

    My stupid phone does SMTP _before_ IMAP!!

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  5. #5
    Member
    Join Date
    Dec 2003
    Posts
    43
    LOL, sorry I have no more ideas 8(

    What if you check your mail via imap, assuming your phone has check for new mail button, and then send it, does that still not work?

    If your timeout is even as low as 30 seconds, checking mail, then sending a message should be allowed to relay?

    Am I missing something?

  6. #6
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    The phone has a 'send & receive' button & it does it in that order and also has a 'send now' after writing an email.

    I'm thinking about other solutions.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  7. #7
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    It seems this thread has been moved - My apologies if this has not been security related enough.

    Okay, for anyone interested This solution is relevant not just for the use of phones in this way, but also for remote users dialing in through ISP connections, but with fixed hardware - EG A company worker using a company laptop.

    The issue : - How can I prevent my SMTP server from becoming an open realy, while still allowing 'authorised' users from untrusted IP addresses within a known netmask (dial in to a specified isp) to send mail through my server.

    There are a number of options offering various degrees of protection.

    SMTP Authorisation by key or password - This is not available on all devices.
    POP/IMAP before SMTP - It may not be possible to configure all devices to manage their connections in that order.
    Secify that the MAIL FROM domain must match a pattern - This is easily circumvented.
    Use MAC address matching to ensure that the device sending the mail is known - This is what I have done to resolve my problem (above) It is done like this (RH9 default install, but applicable to any other users of iptables)

    firstly
    su - to gain access. Then dump the current iptables to a file
    iptables-save>/etc/sysconfig/iptables

    Then edit /etc/sysconfig/iptables to add the appropriate filtering:
    Code:
    # Allow the company users access
    # Fred's Laptop MAC Address aa:bb:cc:dd:ee:ff - Dial into OurISP
    -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT
    # Steve's Phone MAC Address 00:11:22:33:44:55
    -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
    
    # Prevent other users of OurISP from using this as an open relay - OurISP Dial UP Netmask 192.168.0.0/16
    -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 25 -j DROP
    # Prevent other users of Steve's phone service provider from any access - Gateway IP 10.0.0.10
    -A INPUT 10.0.0.1 -j DROP
    Load this configuration into iptables:
    iptables-reload</etc/sysconfig/iptables

    A PM/Email telling me where the thread had moved to would have been nice.

    Steve

    edit:

    Forgot to mention - add 10.0.0.1, 192.168.0.0/16 into mynetworks in the /etc/postfix/main.cf
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  8. #8
    Member
    Join Date
    Dec 2003
    Posts
    43
    cool solution,

    Thanks for the update.

  9. #9
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    This advice is rubbish - Ignore - See this thread fro reasons why:

    http://www.antionline.com/showthread...049#post740397



    Originally posted here by steve.milner
    It seems this thread has been moved - My apologies if this has not been security related enough.

    Okay, for anyone interested This solution is relevant not just for the use of phones in this way, but also for remote users dialing in through ISP connections, but with fixed hardware - EG A company worker using a company laptop.

    The issue : - How can I prevent my SMTP server from becoming an open realy, while still allowing 'authorised' users from untrusted IP addresses within a known netmask (dial in to a specified isp) to send mail through my server.

    There are a number of options offering various degrees of protection.

    SMTP Authorisation by key or password - This is not available on all devices.
    POP/IMAP before SMTP - It may not be possible to configure all devices to manage their connections in that order.
    Secify that the MAIL FROM domain must match a pattern - This is easily circumvented.
    Use MAC address matching to ensure that the device sending the mail is known - This is what I have done to resolve my problem (above) It is done like this (RH9 default install, but applicable to any other users of iptables)

    firstly
    su - to gain access. Then dump the current iptables to a file
    iptables-save>/etc/sysconfig/iptables

    Then edit /etc/sysconfig/iptables to add the appropriate filtering:
    Code:
    # Allow the company users access
    # Fred's Laptop MAC Address aa:bb:cc:dd:ee:ff - Dial into OurISP
    -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT
    # Steve's Phone MAC Address 00:11:22:33:44:55
    -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
    
    # Prevent other users of OurISP from using this as an open relay - OurISP Dial UP Netmask 192.168.0.0/16
    -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 25 -j DROP
    # Prevent other users of Steve's phone service provider from any access - Gateway IP 10.0.0.10
    -A INPUT 10.0.0.1 -j DROP
    Load this configuration into iptables:
    iptables-reload</etc/sysconfig/iptables

    A PM/Email telling me where the thread had moved to would have been nice.

    Steve

    edit:

    Forgot to mention - add 10.0.0.1, 192.168.0.0/16 into mynetworks in the /etc/postfix/main.cf
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •