Deutsch| English
  #1  
Alt 22.07.2009, 23:19
Neuer Benutzer
  
Registriert seit: 22.07.2009
Beiträge: 1
Frage Sicherer Postfix Server??
Hallo HowtoForge User,

erstmal danke für die vielen Howto's und das gute Forum, wo man sehr viel findet was einem weiterhilft.

So Postfix läuft , das ist das gute! Folgendes Setup verwende ich:
Postfix, Dovecot, ClamSMTP steht hinter einer Firewall, die IP wird über Dyndns aufgelöst.

main.cf
--------------------------------------------------------------------------
inet_interfaces = all
inet_protocols = ipv4

smtpd_banner = $myhostname ESMTP $mail_name (Debian)
biff = no

append_dot_mydomain = no
delay_warning_time = 4h

myhostname = pinguin.super.de
mydomain = super.de
mydestination = $myhostname, $mydomain
mynetworks = 127.0.0.0/8

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

virtual_maps = hash:/etc/postfix/virtual/maps
virtual_alias_domains = test.de

mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
home_mailbox = .Maildir/
recipient_delimiter = +
relayhost =

# TLS parameters

# Postfix act as Client (Part)
smtp_sasl_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Postfix act as Server (User Authentification, TLS)
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject _unauth_destination

smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
broken_sasl_auth_clients = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

tls_random_source = dev:/dev/urandom

content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings
------------------------------------------------------------------------

master.cf
------------------------------------------------------------------------
# ================================================== ========================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ================================================== ========================
smtp inet n - - - - smtpd
-o content_filter=spamassassin
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e
/usr/sbin/sendmail -oi -f ${sender} ${recipient}
#submission inet n - - - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticate d,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticate d,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ================================================== ==================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ================================================== ==================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}

# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes

127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_chec ks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,rej ect
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
------------------------------------------------------------------------

Wo liegen evtl. schwächen? Ist sichergestellt das nur authentifizierte User eMails verschicken können? Ich habe mal was ausprobiert und mit geloggt und mit Wireshark mal mit getracet:

------------------------------------------------------------------------
mit:
smtpd_use_tls = no
smtpd_tls_auth_only = no

Part of /var/log/mail.log
Jul 22 22:38:16 pinguin postfix/smtpd[4219]: > unknown[192.168.24.38]: 250-AUTH=PLAIN LOGIN
Jul 22 22:38:16 pinguin postfix/smtpd[4219]: > unknown[192.168.24.38]: 250-ENHANCEDSTATUSCODES
Jul 22 22:38:16 pinguin postfix/smtpd[4219]: > unknown[192.168.24.38]: 250-8BITMIME
Jul 22 22:38:16 pinguin postfix/smtpd[4219]: > unknown[192.168.24.38]: 250 DSN
Jul 22 22:38:16 pinguin postfix/smtpd[4219]: < unknown[192.168.24.38]: AUTH PLAIN AGFjYW5qZQBqdW5pYmFlcg==
Jul 22 22:38:16 pinguin postfix/smtpd[4219]: xsasl_cyrus_server_first: sasl_method PLAIN, init_response AGFjYW5qZQBqdW5pYmFlcg==

Kommentar: gesehen (AGFjYW5qZQBqdW5pYmFlcg==) im Wireshark!!!!!!!!

Jul 22 22:38:16 pinguin postfix/smtpd[4219]: xsasl_cyrus_server_first: decoded initial response
Jul 22 22:38:16 pinguin postfix/smtpd[4219]: > unknown[192.168.24.38]: 235 2.7.0 Authentication successful


mit:
smtpd_use_tls = yes
smtpd_tls_auth_only = yes

Part of /var/log/mail.log
Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 220 mail.pinguin.canje.zoo ESMTP Postfix (Debian)
Jul 22 22:43:57 pinguin postfix/smtpd[4274]: < unknown[192.168.24.38]: EHLO [192.168.24.38]
Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-mail.pinguin.canje.zoo
Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-PIPELINING
Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-SIZE 10240000
Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-VRFY
Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-ETRN
Jul 22 22:43:57 pinguin postfix/smtpd[4274]: match_list_match: unknown: no match
Jul 22 22:43:57 pinguin postfix/smtpd[4274]: match_list_match: 192.168.24.38: no match
Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-STARTTLS
Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-ENHANCEDSTATUSCODES
Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-8BITMIME
Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250 DSN
------------------------------------------------------------------------
Was haltet Ihr von dem Setup? Folgendes soll erreicht werden:
User können eMails verschicken (intern im Netzwerk) und sie sollen von z.B. GMX Nachrichten geschickt bekommen. Also User@gmx.de schickt User@test.de eine eMail

Ich bin mal auf eure Feedback gespannt.

Mit freundlichen Grüßen

evilgenius
Geändert von evilgenius (23.07.2009 um 07:05 Uhr).
Mit Zitat antworten
Antwort

« Vorheriges Thema | Nächstes Thema »

Themen-Optionen
Ansicht
Linear-Darstellung Linear-Darstellung

Forumregeln
Es ist Ihnen nicht erlaubt, neue Themen zu verfassen.
Es ist Ihnen nicht erlaubt, auf Beiträge zu antworten.
Es ist Ihnen nicht erlaubt, Anhänge hochzuladen.
Es ist Ihnen nicht erlaubt, Ihre Beiträge zu bearbeiten.
BB-Code ist an.
Smileys sind an.
[IMG] Code ist an.
HTML-Code ist aus.
Trackbacks are an
Pingbacks are an
Refbacks are an


Alle Zeitangaben in WEZ +2. Es ist jetzt 22:19 Uhr.

Kontakt - HowtoForge.de - Archiv - Nach oben

Powered by vBulletin® Version 3.8.1 (Deutsch)
Copyright ©2000 - 2012, Jelsoft Enterprises Ltd.
Search Engine Friendly URLs by vBSEO 3.6.0