running smtp and submission port

[jake]

Hi Folks,

I just want to verify I have a safe configuration. Everything is working for me good.


My sendmail.mc file:
--------------------------------
include(`/etc/mail/tls/starttls.m4')dnl
FEATURE(`no_default_msa')dnl
define(`confAUTH_OPTIONS', `y')dnl
TRUST_AUTH_MECH(`PLAIN DIGEST-MD5 CRAM-MD5')dnl
define(`confAUTH_MECHANISMS', `PLAIN DIGEST-MD5 CRAM-MD5')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')dnl #watch port 587 for my submissions outgoing from TB
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl #watch port 25 for incoming email from internet

I have STARTTLS and PLAIN password working on 587. I am confident that i am the only one who can send email on port 587.

However, port 25 I am not so sure. i only want to receive emails for local delivery to my server. (mydomain.com) I have sasl and dovecot setup to service the Thunderbird client. The MX record for my domian naturally sends traffic to port 25. I do not want to relay or send anyones SPAM from port 25 but i need to read my own incoming email from port 25. Any advice how to harden this or am i safe already?

thank you so much for the help,
--jake

[Claus Aßmann]

jake wrote:

> TRUST_AUTH_MECH(`PLAIN DIGEST-MD5 CRAM-MD5')dnl

> DAEMON_OPTIONS(`Port=smtp, Name=MTA')

> I have STARTTLS and PLAIN password working on 587.
> I am confident that i am the only one
> who can send email on port 587.

Provided your auth password doesn't get hacked.
If you only use PLAIN, you should remove the other machs.

> However, port 25 I am not so sure.

Turn off AUTH on port 25 as you don't use it. Relaying is denied
by default but a successful authentication would allow it.


--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

[Knute Johnson]

On 1/19/23 05:40, Claus Aßmann wrote:
>
> Turn off AUTH on port 25 as you don't use it. Relaying is denied
> by default but a successful authentication would allow it.
>

I know how to require AUTH but not how to deny AUTH on port 25?

Thanks,

knute...

[Claus Aßmann]

Knute Johnson wrote:

> I know how to require AUTH but not how to deny AUTH on port 25?

See the fine documentation op.*

DaemonPortOptions=options

Modifier can be a sequence (without any
delimiters) of the following characters:

a always require AUTH
..
A disable AUTH (overrides 'a' modifier)

[Knute Johnson]

On 1/19/23 12:15, Claus Aßmann wrote:
> Knute Johnson wrote:
>
>> I know how to require AUTH but not how to deny AUTH on port 25?
>
> See the fine documentation op.*
>
> DaemonPortOptions=options
>
> Modifier can be a sequence (without any
> delimiters) of the following characters:
>
> a always require AUTH
> ..
> A disable AUTH (overrides 'a' modifier)
>
>

Yes it is in the doc. I've got your book too and it is right there on
page 996. I've looked at it a lot and just didn't see it.

Works like a charm.

Thanks Claus!

[Claus Aßmann]

Knute Johnson wrote:

> Yes it is in the doc. I've got your book too and it is right there on

It's not "my" book. Brian wrote it.

> page 996. I've looked at it a lot and just didn't see it.

That's why a searchable text document is better :-)
vi op.txt
/AUTH
n ... until you find what you wanted.

[Marco]

Am 19.01.2023 schrieb Claus Aßmann:

> Knute Johnson wrote:
>
> > Yes it is in the doc. I've got your book too and it is right there
> > on
>
> It's not "my" book. Brian wrote it.

But you are also mentioned on the first page. :-)

> > page 996. I've looked at it a lot and just didn't see it.
>
> That's why a searchable text document is better :-)

The book (sendmail 4th edition) is available as a PDF for buying, but
some anonymous Russian FTP server have it too - intentionally public or
not - I don't know.