Gentoo Forums
Postfix security
keet
Posted: Sat May 03, 2014 7:22 pm    Post subject: Postfix security

As a learning experience, I am trying to set up an email server. I followed the guide at http://wiki.gentoo.org/wiki/Postfix. I can send mail locally, but when I try to send messages to my GMail account, mail.log says something like this:

Code:
myhostname postfix/smtp[18284]: connect to gmail-smtp-in.l.google.com[74.125.29.27]:25: Connection timed out


I tried setting a relayhost in main.cf, but it still shows a similar message:

Code:
myhostname postfix/smtp[18148]: AAC9BC3925: to=<myemailaddress@gmail.com>, relay=none, delay=30, delays=0.02/0/30/0, dsn=4.4.1, status=deferred (connect to smtp.secureserver.net[72.167.238.201]:25: Connection timed out


A likely possibility, based on what I have read, is that my I.S.P. blocks port 25. I think that I read this in their documentation, as well. I tried telnetting into port 587 and sending a message, but I still got the same messages in mail.log.

Code:
main.cf:

myhostname = hostname.domain.com
mydomain = domain.com
soft_bounce = yes
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
mynetworks_style = host
recipient_delimiter = +
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = no
inet_protocols = ipv4
home_mailbox = .maildir/


Code:
master.cf:

smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#smtps     inet  n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache


I tried changing smtp to use port 587 using /etc/services and restarted postfix, but I got the same message, just with port 587 instead of 25. The ports are open in my firewall. At this point, I feel a bit like I'm not sure that I know what I'm doing, and would appreciate some help.


Last edited by keet on Sat May 17, 2014 8:29 pm; edited 1 time in total
keet
Posted: Wed May 07, 2014 1:15 am

I'm not sure why people are not replying, but maybe it's because of this post:

https://forums.gentoo.org/viewtopic-t-987908-start-0-postdays-0-postorder-asc-highlight-postfix.html

I am wondering whether switching to a business account would help at all. It looks like I.S.P.s around here block 25 for residential, but only rarely and on a case-by-case basis for business accounts.
keet
Posted: Sat May 17, 2014 12:49 am

Ok, I made it work, sort of. I got a V.P.S. and set up Postfix, but it's in CentOS. Oh, well, at least I have a working email server. I am a bit paranoid about security, and I want to make sure that it's all encrypted whenever possible. I've tested this using Wireshark and Tcpdump, and as far as I can tell, all transmissions are encrypted, but is there any way that I could know for sure from /var/log/maillog?

Code:
dovecot: imap-login: Login: user=<notmyusername>, method=PLAIN, rip=notmyremoteaddress, lip=notmyserveraddress, mpid=4925, TLS


I'd assume that TLS means it's encrypted using T.L.S. while logging in to check my mail, even though it's PLAIN authentication, right?

Code:
setting up TLS connection to someremotemailserver[theiripaddress]:25
Untrusted TLS connection established to srms[tipa]:25: TLSv1.2 with cipher AES128-SHA256 (128/128 bits)


This means the outgoing mail transmission looks encrypted, but my mail server doesn't trust its certificate issuer?

However, one thing that I don't see is any mention of encryption when I GET messages from another domain. On the other hand, if I run

Code:
tcpdump -A -vvv -s 0 -i eth0 > test.txt

while sending a message from my GMail account to my server and then search for any trace of text from the incoming message, I don't see it. However, I do see a STARTTLS command and what looks like certificate negotiation. Thus, it looks like it's encrypted, right? Unless I'm not using tcpdump properly or it's missing something...
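
An added example, not part of the original post and not Postfix or Dovecot code: one way to check encryption from /var/log/maillog is to pair every inbound session and outbound delivery with the TLS summary line logged by the same process ID. It assumes `smtp_tls_loglevel = 1` and `smtpd_tls_loglevel = 1` are set in main.cf (at the default level 0 Postfix logs no TLS summary, so every session would be reported as plaintext here); the sample log lines, hosts and the `audit` function name are constructed for illustration.

```python
import re

# Constructed sample in the format quoted in the post; hosts and IPs are made up.
SAMPLE_LOG = """\
May 17 00:40:01 mx postfix/smtpd[2001]: connect from mail.example.net[192.0.2.10]
May 17 00:40:01 mx postfix/smtpd[2001]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher AES128-SHA256 (128/128 bits)
May 17 00:40:02 mx postfix/smtpd[2001]: disconnect from mail.example.net[192.0.2.10]
May 17 00:41:10 mx postfix/smtpd[2002]: connect from old.example.org[198.51.100.7]
May 17 00:41:11 mx postfix/smtpd[2002]: disconnect from old.example.org[198.51.100.7]
May 17 00:42:00 mx postfix/smtp[3001]: Untrusted TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1.2 with cipher AES128-SHA256 (128/128 bits)
May 17 00:42:01 mx postfix/smtp[3001]: 1A2B3C4D5E: to=<a@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=1, dsn=2.0.0, status=sent (250 OK)
May 17 00:43:00 mx postfix/smtp[3002]: 2B3C4D5E6F: to=<b@example.org>, relay=old.example.org[198.51.100.7]:25, delay=1, dsn=2.0.0, status=sent (250 OK)
May 17 00:44:00 mx dovecot: imap-login: Login: user=<u>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.1, mpid=4925, TLS
"""

PROC = re.compile(r"postfix/(smtpd|smtp)\[(\d+)\]: (.*)")
TLS = re.compile(r"(\w+) TLS connection established (?:from|to) \S+?\](?::\d+)?: (TLSv[\d.]+) with cipher (\S+)")
SENT = re.compile(r"(\w+): to=<[^>]*>,.*? relay=(\S+?\])\S*,.*status=sent")

def audit(log_text):
    """Return (direction, peer, verdict) per inbound session, outbound delivery and login."""
    state, results = {}, []   # state: (service, pid) -> [TLS description, queue ID it covers]
    for line in log_text.splitlines():
        if "dovecot:" in line and " Login: " in line:
            rip = re.search(r"rip=([^,]+)", line)
            tls = re.search(r", TLS\b", line)       # Dovecot appends "TLS" to TLS logins
            results.append(("login", rip.group(1) if rip else "?", "TLS" if tls else "PLAINTEXT"))
            continue
        m = PROC.search(line)
        if not m:
            continue
        key, msg = m.group(1, 2), m.group(3)
        t, s = TLS.match(msg), SENT.match(msg)
        if msg.startswith("connect from "):
            state[key] = [None, None]               # new inbound session, no TLS seen yet
        elif t:
            state[key] = [" ".join(t.groups()), None]
        elif msg.startswith("disconnect from "):
            desc = state.pop(key, [None])[0]
            results.append(("inbound", msg.split()[2], desc or "PLAINTEXT"))
        elif s:
            qid, relay = s.groups()
            st = state.get(key)
            # A TLS line covers only the queue ID delivered right after it by this process.
            tls_ok = bool(st and st[0] and st[1] in (None, qid))
            state[key] = [st[0], qid] if tls_ok else [None, None]
            results.append(("outbound", relay, st[0] if tls_ok else "PLAINTEXT"))
    return results
```

A verdict that starts with `Untrusted` or `Anonymous` still describes an encrypted session; the word only records that the peer's certificate was not verified.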