Unix Technical Forum

Which MTA ? (Saving copy of all mails, and smtp authentication required)

This is a discussion on Which MTA ? (Saving copy of all mails, and smtp authentication required) within the Gentoo Linux Support forums, part of the Unix Operating Systems category.


#1  02-21-2008, 07:17 AM  Chris Severn
Which MTA ? (Saving copy of all mails, and smtp authentication required)

I'm still installing Gentoo alongside an existing redhat 6.2
installation, as an eventual replacement when it's working. I have so
far managed to boot from the live cd, get my ADSL modem working the hard
way (roaring penguin doesn't work), emerge the basic system, and compile
a kernel.

The machine is a squid/masquerading gateway for a lan of 25 machines, and
hosts its own mail (using sendmail) for the users, including laptop
users who need on-the-road access.

I'd like to change from sendmail to a new MTA now which is more secure,
and supports the following easily :

1. SMTP authentication. So the laptop users can still send mail through
this server. (On my redhat system I used pop-before-smtp by a dodgy
"DynamicRelay" perl script).

2. Ability to save a backup copy of every mail passed through (both sent
by my users, and received by my users). (On my redhat system I do this
via a source code patch to sendmail, coupled with a D{LogAll} directive
in sendmail.cf).

3. Ability to set up MTA to listen on the normal port 25, but also
listen on another port 1025. This is because some ISPs that the laptop
users log in on block outgoing connections to port 25. I set them up to
use 1025 to send mail. Everyone else uses standard port 25. On my
redhat system, I did that by adding a "..... /usr/sbin/sendmail -bs" in
inetd.conf on port 1025.

I'd appreciate any pointers to which MTA provides these things in the
easiest way to configure.

I've seen information on how to do SMTP auth on some MTAs, but I can't
find out how to save a copy of all mails. I imagine an input filter
would work on some MTAs, but I'm not sure.....

Thanks,

Chris
#2  02-21-2008, 07:17 AM  Wuphon's Reach
Re: Which MTA ? (Saving copy of all mails, and smtp authentication required)

In article <40a04532$0$16587$5a62ac22@freenews.iinet.net.au>, severn@iinet.net.au says...
> I'm still installing Gentoo alongside an existing redhat 6.2
> installation, as an eventual replacement when it's working. I have so
> far managed to boot from the live cd, get my ADSL modem working the hard
> way (roaring penguin doesn't work), emerge the basic system, and compile
> a kernel.
>
> The machine is a squid/masquerading gateway for a lan of 25 machines, and
> hosts its own mail (using sendmail) for the users, including laptop
> users who need on-the-road access.
>


Postfix is what we use for about 30 users.

> I'd like to change from sendmail to a new MTA now which is more secure,
> and supports the following easily :
>
> 1. SMTP authentication. So the laptop users can still send mail through
> this server. (On my redhat system I used pop-before-smtp by a dodgy
> "DynamicRelay" perl script).
>


Postfix + SASL (see chapter 12 in "Postfix, The
Definitive Guide").

However, your laptop users should be using TLS
(basically SSL encryption) at a minimum if they are
connecting to the machine from the outside. So as to
not send their userids/passwords via plain-text across
the wire. TLS is covered in chapter 13.

Alternately, you can have your laptop users use SSH to
tunnel into the network.

> 2. Ability to save a backup copy of every mail passed through (both sent
> by my users, and received by my users). (On my redhat system I do this
> via a source code patch to sendmail, coupled with a D{LogAll} directive
> in sendmail.cf).
>


http://www.postfix.org/postconf.5.html

Parameter name is: always_bcc

Make sure you're open and honest about the fact that
this system logs all inbound/outbound e-mail... I'm not
100% sure what the legal climate is regarding archiving
of mail, or whether it's merely setting up lawyer bait.

> 3. Ability to set up MTA to listen on the normal port 25, but also
> listen on another port 1025. This is because some ISPs that the laptop
> users log in on block outgoing connections to port 25. I set them up to
> use 1025 to send mail. Everyone else uses standard port 25. On my
> redhat system, I did that by adding a "..... /usr/sbin/sendmail -bs" in
> inetd.conf on port 1025.
>


I believe you change this in master.cf (not 100% sure).
The TLS port is typically something other than port 25. I
think tcp/465 is the default, some folks use 587, others
use port #s above 1024 (GeekMail used 2525, IIRC). One
message that I saw indicated that there is no fixed port
for SMTP+TLS.

Unfortunately, you're beyond what I've had a chance to
muck with in Postfix (I wasn't the one who set it up...
and I'm still learning how to maintain it).

> I'd appreciate any pointers to which MTA provides these things in the
> easiest way to configure.
>
> I've seen information on how to do SMTP auth on some MTAs, but I can't
> find out how to save a copy of all mails. I imagine an input filter
> would work on some MTAs, but I'm not sure.....
>

#3  02-21-2008, 07:17 AM  Chris Severn
Re: Which MTA ? (Saving copy of all mails, and smtp authentication required)

Wuphon's Reach wrote:
> In article <40a04532$0$16587$5a62ac22@freenews.iinet.net.au>, severn@iinet.net.au says...
>
>>I'm still installing Gentoo alongside an existing redhat 6.2
>>installation, as an eventual replacement when it's working. I have so
>>far managed to boot from the live cd, get my ADSL modem working the hard
>>way (roaring penguin doesn't work), emerge the basic system, and compile
>>a kernel.
>>
>>The machine is a squid/masquerading gateway for a lan of 25 machines, and
>>hosts its own mail (using sendmail) for the users, including laptop
>>users who need on-the-road access.

>
> Postfix is what we use for about 30 users.


I was leaning towards postfix, so that's good to hear.

>>I'd like to change from sendmail to a new MTA now which is more secure,
>>and supports the following easily :
>>
>>1. SMTP authentication. So the laptop users can still send mail through
>>this server. (On my redhat system I used pop-before-smtp by a dodgy
>>"DynamicRelay" perl script).
>>

>
> Postfix + SASL (see chapter 12 in "Postfix, The
> Definitive Guide").
>
> However, your laptop users should be using TLS
> (basically SSL encryption) at a minimum if they are
> connecting to the machine from the outside. So as to
> not send their userids/passwords via plain-text across
> the wire. TLS is covered in chapter 13.


I've presently got POP-3 encryption supported using SSL-proxy on my old
system. I had tried to also have encrypted SMTP supported, but the
clients didn't work for some reason. I would prefer to have a different
SMTP password for authorisation, and have it not be the same as the
POP-3 passwords, whether or not I get the encryption working.

> Alternately, you can have your laptop users use SSH to
> tunnel into the network.


Actually, I plan on implementing a VPN (Probably ipsec) eventually, so
that all the laptop users will be using that for mail, and file access.
The SMTP auth, and other encryptions are for use until I get that running.

>>2. Ability to save a backup copy of every mail passed through (both sent
>>by my users, and received by my users). (On my redhat system I do this
>>via a source code patch to sendmail, coupled with a D{LogAll} directive
>>in sendmail.cf).

>
> http://www.postfix.org/postconf.5.html
>
> Parameter name is: always_bcc


Excellent. Thanks for that. Just what I was after. I imagine that if I
don't want to create a real user to receive all that mail, that I can
just specify an alias which dumps to a file ?

> Make sure you're open and honest about the fact that
> this system logs all inbound/outbound e-mail... I'm not
> 100% sure what the legal climate is regarding archiving
> of mail, or whether it's merely setting up lawyer bait.


Yep, everyone already knows the mail is logged. People often come to me
to ask me to resurrect a message they sent or received but accidentally
deleted. They're only logged for 7 days anyway. I originally
implemented it as a check for viruses. People would get these reports
saying "you sent a virus". I wanted to be able to go back and check
their sent mail to confirm it didn't happen.

>>3. Ability to set up MTA to listen on the normal port 25, but also
>>listen on another port 1025. This is because some ISPs that the laptop
>>users log in on block outgoing connections to port 25. I set them up to
>>use 1025 to send mail. Everyone else uses standard port 25. On my
>>redhat system, I did that by adding a "..... /usr/sbin/sendmail -bs" in
>>inetd.conf on port 1025.
>>

>
> I believe you change this in master.cf (not 100% sure).
> The TLS port is typically something other than port 25. I
> think tcp/465 is the default, some folks use 587, others
> use port #s above 1024 (GeekMail used 2525, IIRC). One
> message that I saw indicated that there is no fixed port
> for SMTP+TLS.


OK, I'll check that out. I'm presently not using encryption on the SMTP
because I couldn't get it working. I've just added a non-encrypted port
other than port 25. But, if I can get an encrypted port working, then
that's fine.

> Unfortunately, you're beyond what I've had a chance to
> muck with in Postfix (I wasn't the one who set it up...
> and I'm still learning how to maintain it).


Thanks for your help,

Chris
#4  02-21-2008, 07:17 AM  Claes Wikstrom
Re: Which MTA ? (Saving copy of all mails, and smtp authentication required)

On 2004-05-12, Chris Severn <severn@iinet.net.au> wrote:
> Wuphon's Reach wrote:
>>>3. Ability to set up MTA to listen on the normal port 25, but also
>>>listen on another port 1025. This is because some ISPs that the laptop
>>>users log in on block outgoing connections to port 25. I set them up to
>>>use 1025 to send mail. Everyone else uses standard port 25. On my
>>>redhat system, I did that by adding a "..... /usr/sbin/sendmail -bs" in
>>>inetd.conf on port 1025.
>>>

>>
>> I believe you change this in master.cf (not 100% sure).
>> The TLS port is typically something other than port 25. I
>> think tcp/465 is the default, some folks use 587, others
>> use port #s above 1024 (GeekMail used 2525, IIRC). One
>> message that I saw indicated that there is no fixed port
>> for SMTP+TLS.



This is easier to fix with iptables at the router/fw.

Assuming the ip of your mailserver is 192.168.128.1

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 1025 \
-j DNAT --to-destination 192.168.128.1:25



/klacke


--
Claes Wikstrom -- Caps lock is nowhere and
http://www.hyber.org -- everything is under control
#5  02-21-2008, 07:18 AM  Chris Severn
Re: Which MTA ? (Saving copy of all mails, and smtp authentication required)

Claes Wikstrom wrote:
> On 2004-05-12, Chris Severn <severn@iinet.net.au> wrote:
>
>>Wuphon's Reach wrote:
>>
>>>>3. Ability to set up MTA to listen on the normal port 25, but also
>>>>listen on another port 1025. This is because some ISPs that the laptop
>>>>users log in on block outgoing connections to port 25. I set them up to
>>>>use 1025 to send mail. Everyone else uses standard port 25. On my
>>>>redhat system, I did that by adding a "..... /usr/sbin/sendmail -bs" in
>>>>inetd.conf on port 1025.
>>>>
>>>
>>>I believe you change this in master.cf (not 100% sure).
>>>The TLS port is typically something other than port 25. I
>>>think tcp/465 is the default, some folks use 587, others
>>>use port #s above 1024 (GeekMail used 2525, IIRC). One
>>>message that I saw indicated that there is no fixed port
>>>for SMTP+TLS.

>
> This is easier to fix with iptables at the router/fw.
>
> Assuming the ip of your mailserver is 192.168.128.1
>
> iptables -t nat -A PREROUTING -p tcp -m tcp --dport 1025 \
> -j DNAT --to-destination 192.168.128.1:25


You're assuming I've got a firewall independent of the mailserver ?

What if they're on the same box ?

I can't just redirect the port from 1025 to 25 locally, or postfix will
assume the connection came from localhost, and will allow it to send
whatever mail it wants without anti-spam measures.

I need postfix to have the same security on relaying when it's being
used on port 1025 as it does when it's being used on port 25.

Chris
#6  02-21-2008, 07:19 AM  Claes Wikstrom
Re: Which MTA ? (Saving copy of all mails, and smtp authentication required)

On 2004-05-14, Chris Severn <severn@iinet.net.au> wrote:
> Claes Wikstrom wrote:
>> On 2004-05-12, Chris Severn <severn@iinet.net.au> wrote:
>> This is easier to fix with iptables at the router/fw.
>>
>> Assuming the ip of your mailserver is 192.168.128.1
>>
>> iptables -t nat -A PREROUTING -p tcp -m tcp --dport 1025 \
>> -j DNAT --to-destination 192.168.128.1:25

>
> You're assuming I've got a firewall independent of the mailserver ?
>
> What if they're on the same box ?
>
> I can't just redirect the port from 1025 to 25 locally, or postfix will
> assume the connection came from localhost, and will allow it to send
> whatever mail it wants without anti-spam measures.
>



Not correct, the REDIR will not change the source IP. As a matter of fact,
when I run this scheme, I do run the REDIR on the same machine as the MTA.
The MTA will not notice anything out of the ordinary, it will be precisely
as if the sending MTA (or client) connected to port 25.

> I need postfix to have the same security on relaying when it's being
> used on port 1025 as it does when it's being used on port 25.
>



Absolutely, and using REDIR doesn't change that.


/klacke


--
Claes Wikstrom -- Caps lock is nowhere and
http://www.hyber.org -- everything is under control
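Pulling the thread's pieces together as one worked Postfix configuration: SMTP AUTH with passwords kept separate from the POP-3 accounts, STARTTLS before AUTH is offered, always_bcc feeding an alias that appends to a file (the question in post #3), and a second smtpd listener on port 1025 that inherits the same relay restrictions as port 25 (the concern in post #5), which is the in-MTA alternative to the iptables redirect in posts #4 and #6. This is an added example, not configuration from any poster; it assumes Postfix 2.3 or later (for smtpd_sasl_type and smtpd_tls_security_level), Cyrus SASL with the sasldb backend, a LAN of 192.168.128.0/24 (only the server address 192.168.128.1 appears in the thread) and placeholder certificate paths.

```conf
# /etc/postfix/main.cf (fragment)

# Relay only for the LAN (assumed 192.168.128.0/24) and for clients that
# authenticated; anyone else may only deliver to domains we host.
mynetworks = 127.0.0.0/8, 192.168.128.0/24
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# SMTP AUTH through Cyrus SASL. The sasldb backend (below) keeps these
# passwords independent of the system/POP-3 accounts.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous

# Offer STARTTLS, and do not advertise AUTH until the session is
# encrypted, so credentials never cross the wire in the clear.
# Certificate and key paths are placeholders.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/postfix/server.pem
smtpd_tls_key_file = /etc/ssl/postfix/server.key

# Copy of every message that passes through this MTA, inbound or outbound.
# "localhost" is in the default mydestination, so this stays local.
always_bcc = mailarchive@localhost

# /etc/postfix/master.cf (fragment)
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
# Second listener for users whose ISP blocks outbound port 25. With no
# -o overrides for the smtpd_* restrictions it inherits every setting
# from main.cf, so relaying is policed exactly as it is on port 25.
# The syslog_name override only tags its log lines for easier review.
1025      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/port1025

# /etc/sasl2/smtpd.conf (Cyrus SASL; the directory varies by distribution)
# Passwords come from sasldb, not from /etc/shadow or the POP-3 server.
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN

# /etc/aliases (run newaliases afterwards)
# Append archive copies to one mbox. Deliveries from a root-owned aliases
# file run as the default_privs user (nobody by default), so that user
# must be able to write the file and its directory.
mailarchive: /var/mail/archive/all.mbox
```

Accounts for the SASL side are created with `saslpasswd2 -c -u <domain> <user>` and the resulting sasldb2 must be readable by the Postfix smtpd process (mind the chroot column in master.cf, which is why it is set to `n` above). always_bcc also captures messages submitted locally on the box, and the 7-day retention mentioned in post #3 is not something Postfix does by itself; the archive mbox needs its own rotation.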
Powered by vBulletin® Version 3.6.5
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
SEO by vBSEO 3.2.0
www.UnixAdminTalk.com