1

Topic: Opening up an internal mail server - Port 25 No authentication

======== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: CentOS 7 (core)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
So... I'm struggling with an issue trying to get Port 25 to work from a bunch of different servers. Here's the layout.

This is an internal server. It never connects to the world and the systems that connect to it never get out as well. It is strictly used as an internal notification server to relay alerts and to let the team communicate within the environment. Security is an issue but can be negotiated (read: The powers that be would like it secured but understand real world problems). All the users are local and there is no site DNS server I could use. All settings are by IP as SOP anyways. The server is self contained as a VM inside of a vCenter cluster if that matters.

The issue I'm having is that due to this being an alerting type system, I have several devices that do not have support for SSL and TLS. These are primarily switches and routers and other networking gear. They are also spread out on at least 3 subnets that I know of. What I would like to do is to whitelist the subnets so they do not require authentication (I am allowed to do a blank allowance if I needed to) and unfortunately, I kind of do need port 25 open and working. I've gone through several of the iRedMail documents on the subject and can't seem to get it to work. I have a system that I have access to that is on another subnet. That system can send mail when it's authenticated and using TLS over 587. Using this as my test though I can't get it to connect over port 25. I've reset the VM to a working state and have included sanitized master, main and settings.py files. I did do some things like adding networks into MYNETWORKS but assume I didn't do anything or nothing worked. Below is a rough IP scheme.

Mail server: 192.168.0.20
Test server: 192.168.7.20
Other networks: 192.168.1.X, 192.168.2.X

Hopefully someone can lend a hand.

Peacec



2

Re: Opening up an internal mail server - Port 25 No authentication

Try our tutorial:
https://docs.iredmail.org/enable.smtp.a … rt.25.html

3

Re: Opening up an internal mail server - Port 25 No authentication

ZhangHuangbin wrote:

Try our tutorial:
https://docs.iredmail.org/enable.smtp.a … rt.25.html

Well I tried that before but far be it from me to think I did everything right the first time so I ran through it again.

I went into /etc/postfix/main.cf (CentOS 7 VM) and uncommented the following line.

smtpd_sasl_auth_enable = yes
# smtpd_tls_auth_only = yes
# smtpd_sasl_security_options = noanonymous

Sent a postfix reload command and tried sending a test email over port 25 with no encryption and no authentication. Tailing my /var/log/maillog, I am getting dnsblog timeouts for b.barracudacentral.org and zen.spamhaus.org. I uncommented the next line so it looks like this.

smtpd_sasl_auth_enable = yes
# smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous


I ran the postfix reload and tested again. Same error about DNS. The thing is, as this is an internal server I never want the spam stuff to restrict anything. It's possible to get a flood of emails from a downed system and I don't want it picked up as a DDoS or get caught in a spam filter. Is there an easy way to turn that off?

4

Re: Opening up an internal mail server - Port 25 No authentication

Did you disable "postscreen" service by following the tutorial?

5

Re: Opening up an internal mail server - Port 25 No authentication

I did. I have the following commented out in /etc/postfix/main.cf

smtpd_sasl_auth_enable = yes
#smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous

I don't want STARTTLS authentication at the moment (or maybe never) so I left that commented out but it fails either way.

6

Re: Opening up an internal mail server - Port 25 No authentication

postscreen service should be disabled in /etc/postfix/master.cf. It's mentioned in our tutorial.

7

Re: Opening up an internal mail server - Port 25 No authentication

ZhangHuangbin wrote:

postscreen service should be disabled in /etc/postfix/master.cf. It's mentioned in our tutorial.

My apologies, but I haven't had a chance to get back to this. Other fires and projects are changing my priorities. I haven't checked to see if postscreen is disabled. This is a straight out of the box install of iRedMail. I assume I will be using this KBA (https://docs.iredmail.org/enable.postscreen.html) and following the disable postscreen section. I hope I can get to review it this week.
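As an added example (not from the thread or from the iRedMail project), a small Python check over constructed main.cf and master.cf fragments for what the thread ends up needing: the three alerting subnets covered by mynetworks without an over-broad range, a relay restriction that still refuses relaying for clients outside mynetworks once port 25 accepts unauthenticated senders, and the port 25 service handed to smtpd rather than postscreen. Parameter and service names are Postfix's own; the sample config text, the /16 breadth threshold and the MASTER_CF layout are assumptions.

```python
import ipaddress

# Constructed sample configs modelled on the thread's requirements (not the poster's attachments).
MAIN_CF = """\
mynetworks = 127.0.0.1 [::1] 192.168.0.20 192.168.7.0/24 192.168.1.0/24 192.168.2.0/24
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
#smtp     inet  n       -       n       -       1       postscreen
submission inet n       -       n       -       -       smtpd
"""
REQUIRED_NETS = ["192.168.7.0/24", "192.168.1.0/24", "192.168.2.0/24"]  # subnets named in the thread

def parse_main_cf(text):
    """Map 'key = value' lines of a main.cf to a dict, skipping comments and blanks."""
    params = {}
    for line in text.splitlines():
        if not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def mynetworks_problems(params):
    """Report required subnets not covered by mynetworks, and IPv4 ranges wider than /16 (assumed limit)."""
    nets = [ipaddress.ip_network(tok.strip("[]"), strict=False) for tok in params.get("mynetworks", "").split()]
    problems = [f"missing {want}" for want in map(ipaddress.ip_network, REQUIRED_NETS)
                if not any(want.subnet_of(n) for n in nets if n.version == want.version)]
    problems += [f"over-broad {n}" for n in nets if n.version == 4 and n.prefixlen < 16]
    return problems

def relay_problems(params):
    """Unauthenticated port 25 must still refuse relaying for clients outside mynetworks."""
    restr = params.get("smtpd_relay_restrictions") or params.get("smtpd_recipient_restrictions", "")
    items = set(restr.replace(",", " ").split())  # Postfix accepts comma or whitespace separators
    problems = []
    if "permit_mynetworks" not in items:
        problems.append("permit_mynetworks absent")
    if not items & {"reject_unauth_destination", "defer_unauth_destination"}:
        problems.append("no *_unauth_destination rule: open relay")
    return problems

def port25_service(master_text):
    """Daemon bound to the 'smtp' inet service in master.cf: 'smtpd' wanted, 'postscreen' means it is still on."""
    for line in master_text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0] == "smtp" and f[1] == "inet":
            return f[7]
    return None
```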