Assp and postfix and saslauthd
What I had:
- Assp proxy in front on host fw.
- Postfix on internal server called fs, assp talking to it on port 25 (listenPort:=25,smtpDestination:=10.10.1.1:25).
- Assp server serving as plain smtp from inside and as incoming mail server, using postfix port 25 for the actual delivery.
- Assp mail interface working when using plain smtp.
- Postfix server working as smtps server with saslauth from inside, and from outside with port forwarding in iptables, both using port 465, not involving assp at all.
                      ________
                    _(        )_
                   (_ Internet _)      smtp = smtps = fw
                     (________)
                  _________________
                 |    465     25   |
    HOST fw      | iptables   assp |
    10.10.0.254  |_________________|
                       |    /
                  _____|___/_______
                 |    465 25       |
    HOST fs      |     postfix     |
    10.10.1.1    |   (saslauthd)   |
                 |_________________|
                      ________
                    _(        )_     smtp=fw
                   (_ Internal _)    smtps=fs
                    (    net   )
                      (______)
What I wanted: Assp mail interface and auto whitelisting also working from smtps connections, meaning these have to go through assp.
How I did it:
- I decided to let postfix / saslauth continue to do the authentication but change to port 587, the "submission port" which seems to be what one does now.
- Postfix should pass the mail sent to this port on to assp when authenticated.
- ASSP should then reinsert it into postfix port 25 for delivery - after doing what assp does, including auto whitelisting and catching any assp mail interface mails.
                      ________
                    _(        )_
                   (_ Internet _)      smtp = smtps = fw
                     (________)
                  ___________/\____
                 |    587   /  25  |
    HOST fw      | iptables/ assp  |
                 |________/________|
                       | /  /
                  _____|/__/_______
                 |    587 25       |  smtp=fw
    HOST fs      |     postfix     |  smtps=fs
                 |   (saslauthd)   |
                 |_________________|
                      ________
                    _(        )_
                   (_ Internal _)
                    (    net   )
                      (______)
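master.cf:
# Port 25: plain SMTP; ASSP on fw delivers and reinjects here
smtp       inet  n       -       -       -       -       smtpd
# Old smtps (465) service, replaced by submission (587) below
#smtps     inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes
# Port 587: SASL auth in postfix, then hand the mail to ASSP on fw:25
submission inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_proxy_filter=[10.10.0.254]:25
  -o receive_override_options=no_unknown_recipient_checks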
Does anyone know if I ought to use the content_filter instead? smtpd_proxy_filter sounded right but I am not completely sure of the difference.
Also perhaps I should bother with getting the chrooting to work. But the smtpd_proxy_filter part does what it should and the auto whitelisting and assp-spam and assp-white addresses now work from smtps connections.
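The plan above is to hand mail to assp only "when authenticated", but smtpd_sasl_auth_enable=yes by itself only makes postfix offer AUTH; requiring it, and requiring TLS, depends on settings this master.cf entry does not carry (main.cf, which is not shown here, may set them). The Python check below is an added example, not part of the original post: it parses master.cf and reports what a SASL-enabled service leaves unenforced. The hardened variant and the function names are assumptions made for the illustration.

```python
import re

# Constructed input: the service entries from this page's master.cf.
PAGE_ENTRY = """\
smtp       inet  n  -  -  -  -  smtpd
#smtps     inet  n  -  n  -  -  smtpd -o smtpd_sasl_auth_enable=yes
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_proxy_filter=[10.10.0.254]:25
  -o receive_override_options=no_unknown_recipient_checks
"""
# Constructed variant (assumption, not from the page): same entry plus
# overrides that require STARTTLS and a successful AUTH on this port.
HARDENED_ENTRY = PAGE_ENTRY + """\
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def parse_master_cf(text):
    """Return {service: {param: value}} from each entry's -o overrides."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                               # blank line or comment
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()      # continuation line
        else:
            logical.append(line.strip())
    services = {}
    for entry in logical:
        fields = entry.split()
        if len(fields) >= 8:                       # service ... command
            services[fields[0]] = dict(
                re.findall(r"-o\s+(\w+)=(\S+)", entry))
    return services

def audit(overrides):
    """Name what a SASL-enabled service leaves unenforced in master.cf."""
    if overrides.get("smtpd_sasl_auth_enable") != "yes":
        return []
    findings = []
    restrictions = [v for k, v in overrides.items()
                    if k.endswith("_restrictions")]
    if not any("permit_sasl_authenticated" in v and v.endswith("reject")
               for v in restrictions):
        findings.append("AUTH offered but not required")
    if overrides.get("smtpd_tls_security_level") != "encrypt":
        findings.append("STARTTLS not mandatory")
    return findings

if __name__ == "__main__":
    for name, text in (("page", PAGE_ENTRY), ("hardened", HARDENED_ENTRY)):
        print(name, audit(parse_master_cf(text)["submission"]))
```

Only plain `-o name=value` overrides are parsed, and a finding means the setting is absent from master.cf, so main.cf still has to be checked before concluding the port is open.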
Sources:
- http://www.mail-archive.com/assp-user@lists.sourceforge.net/msg13339.html Here it is suggested that I keep postfix doing what it is good at - the sasl auth - and do not start involving assp in doing tls. That is my opinion, too, since my experience with assp tells me that it will be hell to upgrade it and get the perl modules running etc. every time since assp is behaving a bit beta some of the time.
- http://www.pubbs.net/201001/postfix/2151-mastercf-integrating-postfix-with-dkim-proxy.html , http://www.mail-archive.com/postfix-users@postfix.org/msg08971.html are where I got an idea how to do it: Either the content_filter or the smtpd_proxy_filter option.
- Saslauth with postfix: https://help.ubuntu.com/community/Postfix, http://www.howtoforge.com/forums/showthread.php?t=8242, http://www.postfix.org/DEBUG_README.html#no_chroot
References:
- ASSP: http://assp.sourceforge.net/
- Postfix: http://www.postfix.org/
- saslauthd: http://www.linuxcommand.org/man_pages/saslauthd8.html