
Thread: 14.04 SMTP Relay with authentication

  1. #1
    Join Date
    Aug 2014
    Beans
    3

    14.04 SMTP Relay with authentication

    Hello,
    I'm trying to set up a simple SMTP relay on 14.04 LTS. I've found hundreds of tutorials using postfix, dovecot, etc., and have had little success because most explain how to set up a mail server, not a simple relay.
    Here is my situation... I am setting up the SMTP Relay server in an Amazon VPC. I need the server to relay email messages from SQL and other machines that we don't want to give any external access to.
    The SMTP Relay will relay emails from these VPC servers to Amazon's SES service.

    I have it working to send emails from a server within the VPC to my relay server on port 587 using postfix (with no user authentication) and it sends it to SES.
    What I can't figure out is how to create a user that the sending servers can authenticate with.
    Any time I remove the "permit_mynetworks" value from "smtpd_relay_restrictions", I get an error message with "Relay Access Denied". I understand that my user authentication is not working correctly (or at all); I just haven't found a place that actually explains how it's done.

    Here is what I currently have in my /etc/postfix/main.cf file:

    Code:
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    append_dot_mydomain = no

    readme_directory = no

    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    smtp_tls_CAfile = /etc/postfix/cacert.pem
    smtpd_use_tls=yes
    smtp_use_tls = yes
    smtp_tls_security_level = encrypt

    smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
    #smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    myhostname = ip-10-0-25-99.ec2.internal
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = MYSITE.com
    #the 10.0.0.0/16 below is what allows the permit_mynetworks to work in the relay_restrictions
    mynetworks = 10.0.0.0/16 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all

    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous

    mydestination = ip-10-0-25-99.ec2.internal, localhost.ec2.internal, localhost
    relayhost = email-smtp.us-east-1.amazonaws.com:587
    This is what's in my /etc/postfix/master.cf (or at least what I think is relevant). This enables port 587; I commented out the "smtp inet n - - - - smtpd" entry:
    Code:
    submission inet n       -       -       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING


    This is the message in /var/log/mail.log
    Code:
    Aug 20 15:02:04 ip-10-0-25-99 postfix/smtpd[1652]: lost connection after RCPT from ip-10-0-150-99.ec2.internal[10.0.150.99]
    Aug 20 15:02:04 ip-10-0-25-99 postfix/smtpd[1652]: disconnect from ip-10-0-150-99.ec2.internal[10.0.150.99]
    Aug 20 15:02:07 ip-10-0-25-99 postfix/smtpd[1652]: connect from ip-10-0-150-99.ec2.internal[10.0.150.99]
    Aug 20 15:02:07 ip-10-0-25-99 postfix/smtpd[1652]: NOQUEUE: reject: RCPT from ip-10-0-150-99.ec2.internal[10.0.150.99]: 554 5.7.1 <USER@COMPANY.com>: Relay access denied; from=<do-not-reply@COMPANY.com> to=<USER@COMPANY.com> proto=ESMTP helo=<SENDING-SERVER>
    This is from /var/log/auth.log
    Code:
    Aug 20 19:38:22 ip-10-0-25-99 saslauthd[1186]: PAM unable to dlopen(pam_mysql.so): /lib/security/pam_mysql.so: cannot open shared object file: No such file or directory
    Aug 20 19:38:22 ip-10-0-25-99 saslauthd[1186]: PAM adding faulty module: pam_mysql.so
    Aug 20 19:38:22 ip-10-0-25-99 saslauthd[1186]: DEBUG: auth_pam: pam_authenticate failed: Module is unknown
    Aug 20 19:38:22 ip-10-0-25-99 saslauthd[1186]: do_auth         : auth failure: [user=**USER_FROM_SENDING_SERVER**] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    Any help would be appreciated. I'm guessing that it's an issue with the authorization, but I just can't find enough information to point me in the right direction. Or if there's a simpler way to accomplish this, I'm open to anything.
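The two log excerpts above already contain the diagnosis: Postfix rejects the RCPT with "554 5.7.1 Relay access denied" because the session is not SASL-authenticated, and saslauthd shows why authentication can never succeed (its PAM stack names a pam_mysql.so that is not installed). The script below is an added example, not part of the post, that parses lines of exactly that shape from /var/log/mail.log and /var/log/auth.log and correlates them into one verdict. The sample log text is constructed from the excerpts (the user name relayuser stands in for the redacted one); the regexes target Postfix's NOQUEUE reject format and saslauthd's "do_auth : auth failure" record.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input shaped like the mail.log and auth.log excerpts in the post
# (hostnames, addresses and the user name are placeholders).
MAIL_LOG = """\
Aug 20 15:02:04 ip-10-0-25-99 postfix/smtpd[1652]: lost connection after RCPT from ip-10-0-150-99.ec2.internal[10.0.150.99]
Aug 20 15:02:04 ip-10-0-25-99 postfix/smtpd[1652]: disconnect from ip-10-0-150-99.ec2.internal[10.0.150.99]
Aug 20 15:02:07 ip-10-0-25-99 postfix/smtpd[1652]: connect from ip-10-0-150-99.ec2.internal[10.0.150.99]
Aug 20 15:02:07 ip-10-0-25-99 postfix/smtpd[1652]: NOQUEUE: reject: RCPT from ip-10-0-150-99.ec2.internal[10.0.150.99]: 554 5.7.1 <USER@COMPANY.com>: Relay access denied; from=<do-not-reply@COMPANY.com> to=<USER@COMPANY.com> proto=ESMTP helo=<SENDING-SERVER>
"""

AUTH_LOG = """\
Aug 20 19:38:22 ip-10-0-25-99 saslauthd[1186]: PAM unable to dlopen(pam_mysql.so): /lib/security/pam_mysql.so: cannot open shared object file: No such file or directory
Aug 20 19:38:22 ip-10-0-25-99 saslauthd[1186]: PAM adding faulty module: pam_mysql.so
Aug 20 19:38:22 ip-10-0-25-99 saslauthd[1186]: DEBUG: auth_pam: pam_authenticate failed: Module is unknown
Aug 20 19:38:22 ip-10-0-25-99 saslauthd[1186]: do_auth         : auth failure: [user=relayuser] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""

# Postfix smtpd reject line for a recipient that the relay restrictions refused.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<to>[^>]*)>"
)
# saslauthd's per-attempt failure record (the "do_auth         :" label is space-padded).
SASL_FAIL_RE = re.compile(
    r"saslauthd\[\d+\]: do_auth\s*: auth failure: \[user=(?P<user>[^\]]*)\] "
    r"\[service=(?P<service>[^\]]*)\] \[realm=(?P<realm>[^\]]*)\] "
    r"\[mech=(?P<mech>[^\]]*)\] \[reason=(?P<reason>[^\]]*)\]"
)
# PAM could not load a module named in its stack.
PAM_DLOPEN_RE = re.compile(r"saslauthd\[\d+\]: PAM unable to dlopen\((?P<module>[^)]+)\)")


@dataclass(frozen=True)
class RelayReject:
    client_host: str
    client_ip: str
    code: str
    dsn: str
    rcpt: str
    reason: str
    sender: str


@dataclass(frozen=True)
class SaslFailure:
    user: str
    service: str
    mech: str
    reason: str


def parse_relay_rejects(mail_log: str) -> List[RelayReject]:
    """Extract every NOQUEUE reject from mail.log text."""
    out = []
    for line in mail_log.splitlines():
        m = REJECT_RE.search(line)
        if m:
            out.append(RelayReject(m["host"], m["ip"], m["code"], m["dsn"],
                                   m["rcpt"], m["reason"].strip(), m["sender"]))
    return out


def parse_sasl_failures(auth_log: str) -> List[SaslFailure]:
    """Extract saslauthd authentication failures from auth.log text."""
    out = []
    for line in auth_log.splitlines():
        m = SASL_FAIL_RE.search(line)
        if m:
            out.append(SaslFailure(m["user"], m["service"], m["mech"], m["reason"]))
    return out


def parse_pam_module_errors(auth_log: str) -> List[str]:
    """Names of PAM modules saslauthd failed to load, in first-seen order."""
    seen: List[str] = []
    for line in auth_log.splitlines():
        m = PAM_DLOPEN_RE.search(line)
        if m and m["module"] not in seen:
            seen.append(m["module"])
    return seen


def triage(mail_log: str, auth_log: str) -> Dict[str, object]:
    """Correlate relay rejects with SASL backend errors and state the likely cause."""
    rejects = parse_relay_rejects(mail_log)
    failures = parse_sasl_failures(auth_log)
    broken = parse_pam_module_errors(auth_log)
    denied = sorted({r.client_ip for r in rejects if r.reason == "Relay access denied"})
    if denied and broken and any(f.mech == "pam" for f in failures):
        verdict = ("SASL auth cannot succeed: saslauthd's PAM stack references missing "
                   "module(s) %s, so unauthenticated clients fall through to "
                   "reject_unauth_destination." % ", ".join(broken))
    elif denied and failures:
        verdict = "Relay denied after SASL failures; check the saslauthd mechanism and credentials."
    elif denied:
        verdict = "Relay denied with no SASL attempt logged; clients may not be offering AUTH."
    else:
        verdict = "No relay rejects found."
    return {
        "relay_denied_clients": denied,
        "sasl_failed_users": sorted({f.user for f in failures}),
        "broken_pam_modules": broken,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(MAIL_LOG, AUTH_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real files with `triage(open("/var/log/mail.log").read(), open("/var/log/auth.log").read())`; the point of keeping the parsers separate is that a "Relay access denied" burst with no matching saslauthd failure means the clients never attempted AUTH, which is a different fix from a broken PAM stack.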

  2. #2
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    9,033
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: 14.04 SMTP Relay with authentication

    mynetworks = 10.0.0.0/16 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    It looks like only machines in the 10.0.0.0/16 subnet can see the server. (Is that the right mask, by the way? It covers the range 10.0.0.0 to 10.0.255.255. Just thought I'd make sure you want that and not, for instance, 10/8.) Since it's a private network, I don't know why you would need authentication. If you want to make it more restrictive, limit access in the server's iptables ruleset to just those machines allowed to forward mail:
    Code:
    iptables -A INPUT -p tcp -s 10.0.1.2 -d 10.0.99.99 --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp -d 10.0.99.99 --dport 25 -j REJECT
    Now only 10.0.1.2 can send packets to port 25 on 10.0.99.99. You can, of course, use 587 or whatever port Postfix is listening on.
    Last edited by SeijiSensei; August 20th, 2014 at 09:58 PM.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users
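Both the question and this reply turn on how Postfix evaluates `smtpd_relay_restrictions` together with `mynetworks`: the list is walked in order, the first restriction that says permit or reject wins, and `reject_unauth_destination` refuses any recipient domain not in `mydestination`. The script below is an added example, not code from the thread or from Postfix, that models just that evaluation for the two restriction lists and the `mynetworks`/`mydestination` values in post #1, including the 10.0.0.0/16 range this reply asks about. It is a simplification: real Postfix also consults relay_domains and virtual domains, applies several restriction stages, and supports many more restrictions than the four modelled here.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Session:
    client_ip: str            # connecting client's address
    sasl_authenticated: bool  # did SASL AUTH succeed on this session?
    recipient: str            # RCPT TO address being evaluated


@dataclass(frozen=True)
class Decision:
    action: str        # "PERMIT" or "REJECT"
    restriction: str   # the restriction that decided, or "end-of-list"
    message: str = ""  # SMTP reply text for rejects


def parse_restrictions(value: str) -> List[str]:
    """Split a main.cf restriction list ("a, b c") into its names, in order."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def parse_mynetworks(value: str):
    """Parse a mynetworks list; Postfix writes IPv6 networks as [addr]/len."""
    return [ipaddress.ip_network(tok.replace("[", "").replace("]", ""), strict=False)
            for tok in value.split()]


def evaluate(restrictions: List[str], session: Session, mynetworks, mydestination: Set[str]) -> Decision:
    """First-match evaluation of a relay restriction list (simplified model)."""
    client = ipaddress.ip_address(session.client_ip)
    rcpt_domain = session.recipient.rpartition("@")[2].lower()
    for name in restrictions:
        if name == "permit_mynetworks":
            # 'in' is False across IP versions, so v4 clients never match v6 networks
            if any(client in net for net in mynetworks):
                return Decision("PERMIT", name)
        elif name == "permit_sasl_authenticated":
            if session.sasl_authenticated:
                return Decision("PERMIT", name)
        elif name == "reject_unauth_destination":
            # local delivery is never relaying; anything else needs an earlier permit
            if rcpt_domain not in mydestination:
                return Decision("REJECT", name,
                                f"554 5.7.1 <{session.recipient}>: Relay access denied")
        elif name == "reject":
            return Decision("REJECT", name, "554 5.7.1 Access denied")
        else:
            raise ValueError(f"restriction not modelled here: {name}")
    # Postfix permits when the list runs out without a decision
    return Decision("PERMIT", "end-of-list")


# Values taken from the main.cf in post #1.
MYNETWORKS = parse_mynetworks("10.0.0.0/16 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128")
MYDESTINATION = {"ip-10-0-25-99.ec2.internal", "localhost.ec2.internal", "localhost"}
WITH_MYNETWORKS = parse_restrictions(
    "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination")
SASL_ONLY = parse_restrictions("permit_sasl_authenticated, reject_unauth_destination")


def scenarios():
    """The cases discussed in the thread, as (label, decision) pairs."""
    vpc_unauth = Session("10.0.150.99", False, "USER@COMPANY.com")   # client from the log
    vpc_auth = Session("10.0.150.99", True, "USER@COMPANY.com")
    outside_16 = Session("10.1.2.3", False, "USER@COMPANY.com")      # in 10/8 but not 10.0/16
    local_rcpt = Session("10.0.150.99", False, "root@localhost")
    return [
        ("permit_mynetworks present, VPC client, no AUTH",
         evaluate(WITH_MYNETWORKS, vpc_unauth, MYNETWORKS, MYDESTINATION)),
        ("permit_mynetworks removed, VPC client, AUTH failed",
         evaluate(SASL_ONLY, vpc_unauth, MYNETWORKS, MYDESTINATION)),
        ("permit_mynetworks removed, VPC client, AUTH succeeded",
         evaluate(SASL_ONLY, vpc_auth, MYNETWORKS, MYDESTINATION)),
        ("permit_mynetworks present, client outside 10.0.0.0/16",
         evaluate(WITH_MYNETWORKS, outside_16, MYNETWORKS, MYDESTINATION)),
        ("permit_mynetworks removed, no AUTH, recipient in mydestination",
         evaluate(SASL_ONLY, local_rcpt, MYNETWORKS, MYDESTINATION)),
    ]


if __name__ == "__main__":
    for label, decision in scenarios():
        print(f"{label}: {decision.action} by {decision.restriction} {decision.message}")
```

The second scenario reproduces the "554 5.7.1 Relay access denied" line in the original post: with `permit_mynetworks` gone and SASL failing, nothing permits before `reject_unauth_destination` runs. The fourth shows the effect of the /16 mask raised in this reply: a 10.1.x.x client is outside `mynetworks` and is rejected even with `permit_mynetworks` in place.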

  3. #3
    Join Date
    Aug 2014
    Beans
    3

    Re: 14.04 SMTP Relay with authentication

    Yes, the subnet mask is correct. We would still like to have the additional authentication as an additional security measure, just to make sure that we limit which machines and applications can send through the relay.
    We'd rather not limit it to specific IP addresses within the private network so we don't have to make changes on the relay each time we want to allow a new machine to use it.

  4. #4
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    9,033
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: 14.04 SMTP Relay with authentication

    What threat are you protecting against in this context? Somebody else on the private network relaying mail through the server? Is that a likely possibility? Again it seems like you are making this harder than it needs to be.

  5. #5
    Join Date
    Aug 2014
    Beans
    3

    Re: 14.04 SMTP Relay with authentication

    We want to make sure we limit what applications can send mail through the relay. We only want it used for system-type messages like DB backup failures, etc. We want to make sure our customer applications only send mail through another server we have set up so those emails get logged for audits, but the customer application servers themselves still need to be able to send through this relay for server status issues. We would just like to create a single user ID/PW that we can use to authenticate sending through this relay, so when we set up a new machine that needs to send we don't have to modify the relay configs.
    Yes, probably more paranoid than we need to be, but I'd rather have more security than needed than the other way around. This way it prevents user error from accidentally sending through the wrong server.

    If this can't be done easily through Ubuntu, I guess we might have to go back to using our Windows server setup, which we already have working as needed. I would prefer not to do that, though, since Linux instances are much cheaper in Amazon and this could run with a smaller instance size.
