Disable sending mails via telnet

Leslie León Sinclair

Jan 10, 2012, 4:45:25 PM
Can anyone point me in the right direction, I´m stuck here and Google
is not helping...

Best regards.


Participate in Universidad 2012, February 13 to 17, 2012.
Havana, Cuba: http://www.congresouniversidad.cu
Consult the Cuban collaborative encyclopedia. http://www.ecured.cu

Jose Ildefonso Camargo Tolosa

Jan 10, 2012, 4:48:32 PM
2012/1/10 Leslie León Sinclair <les...@electrica.cujae.edu.cu>:
> Can anyone point me in the right direction, I´m stuck here and Google
> is not helping...

define "telnet" here, do you mean: direct connection to port 25? or an
*actual* telnet session (port 23).

Ildefonso.

Dennis Carr

Jan 10, 2012, 4:56:16 PM
On Tue, 10 Jan 2012, Leslie León Sinclair wrote:

> Can anyone point me in the right direction, I´m stuck here and Google
> is not helping...

If you mean the act of disabling the ability of using a telnet client to
connect to port 25, you're best not doing this - or, just set any session
timeouts to something short to prevent manual interaction.

If you mean disabling the ability to send email while logged in using
telnet then your best bet is to disable telnet and use ssh instead.

-Dennis

Rod Dorman

Jan 10, 2012, 4:58:55 PM
On Tuesday, January 10, 2012, 16:45:25, Leslie León Sinclair wrote:
> Can anyone point me in the right direction, I´m stuck here and Google
> is not helping...

TELNET the Protocol or a telnet client?

--
Rod Dorman <ro...@polylogics.com>
"The avalanche has already started, it is too late for the pebbles to vote." - Ambassador Kosh

Jeroen Geilman

Jan 10, 2012, 6:53:49 PM
On 01/10/2012 10:45 PM, Leslie León Sinclair wrote:
> Can anyone point me in the right direction, I´m stuck here and Google
> is not helping...
>
> Best regards.
>
>
> Participate in Universidad 2012, February 13 to 17, 2012.
> Havana, Cuba: http://www.congresouniversidad.cu
> Consult the Cuban collaborative encyclopedia. http://www.ecured.cu

Welcome to the postfix-users mailing list.

Upon subscribing, you should have received a message explaining how to
ask for help, to wit: http://www.postfix.org/DEBUG_README.html#mail

--
J.

Reindl Harald

Jan 10, 2012, 7:10:56 PM
nice, but do you really think this page is matching
for every question people have?




Jeroen Geilman

Jan 10, 2012, 7:26:54 PM
I did not say that.

At the very least, it indicates that questions should contain as much
information as you can provide.

The OP did not contain a lot to go on.

--
J.

Jerry

Jan 10, 2012, 7:38:06 PM
On Wed, 11 Jan 2012 01:10:56 +0100
Reindl Harald articulated:

> > Upon subscribing, you should have received a message explaining how
> > to ask for help, to wit:
> > http://www.postfix.org/DEBUG_README.html#mail
>
> nice, but do you really think this page is matching
> for every question people have?

It is the prescribed method to use by the author of Postfix; therefore,
it would seem like a logical place to start. In any case, following the
directions posted there would certainly not make solving the problem
any harder, especially considering if you knew exactly what the problem
was, the cause not the effect, you would not be asking the question to
begin with. Just my 2¢.

--
Jerry ✌
postfi...@seibercom.net
_____________________________________________________________________
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html


Reindl Harald

Jan 10, 2012, 8:21:29 PM


On 11.01.2012 01:26, Jeroen Geilman wrote:
> On 01/11/2012 01:10 AM, Reindl Harald wrote:
>>
>> On 11.01.2012 00:53, Jeroen Geilman wrote:
>>> On 01/10/2012 10:45 PM, Leslie León Sinclair wrote:
>>>> Can anyone point me in the right direction, I´m stuck here and Google
>>>> is not helping...
>>>>
>>>> Best regards.
>>>>
>>>>
>>>> Participate in Universidad 2012, February 13 to 17, 2012.
>>>> Havana, Cuba: http://www.congresouniversidad.cu
>>>> Consult the Cuban collaborative encyclopedia. http://www.ecured.cu
>>> Welcome to the postfix-users mailing list.
>>>
>>> Upon subscribing, you should have received a message explaining how to ask for help, to wit:
>>> http://www.postfix.org/DEBUG_README.html#mail
>> nice, but do you really think this page is matching
>> for every question people have?
>>
> I did not say that.
>
> At the very least, it indicates that questions should contain as
> much information as you can provide
> The OP did not contain a lot to go on

for "disable sending mails via telnet" you will not find anything on the
DEBUG-README and finally the OP has proved enough information to
say:

* he does not understand how smtp works
* telnet does nothing other than any client

so NO you can not disable sending mails with telnet except
force using TLS



Reindl Harald

Jan 10, 2012, 8:57:05 PM


On 11.01.2012 02:51, Jose Ildefonso Camargo Tolosa wrote:
>> for "disable sending mails via telnet" you will not find anything on the
>> DEBUG-README and finally the OP has proved enough information to
>> say:
>>
>> * he does not understand how smtp works
>> * telnet does nothing other than any client
>>
>> so NO you can not disable sending mails with telnet except
>> force using TLS
>
> TLS?... I would say: authentication (although TLS is good while using
> auth). Even with TLS, if you are an open relay, you are an open relay
> (also, forcing TLS will likely avoid you getting mails from some sites
> that don't support TLS for smtp).

who speaks about an open relay?
i answered how to prevent using a telnet client for smtp
forcing the server only allow encrypted communication
will stop "telnet yourserver 25" and typing a mail

i did never say that this makes sense
but it is the answer to the question of this thread

> But, here we are assuming "telnet to port 25", what if he/she means
> "remote session", that'd be another issue.

so what do you do after "telnet to port 25" if the server
does not allow send unencrypted messages -> exactly: nothing

problem of the OP solved
that he can no longer act as MX properly is another story


Peter

Jan 10, 2012, 9:04:59 PM
On 11/01/12 14:57, Reindl Harald wrote:
> problem of the OP solved
> that he can no longer act as MX properly is another story

...and the fact that openssh s_client gets around that block makes your
answer completely useless, even though it may be "technically correct".

The correct answer is that you cannot block telnet access to port 25
without also blocking incoming emails from other MTAs, and so you should
not try.


Peter

Reindl Harald

Jan 10, 2012, 9:19:44 PM
and you did notice my first reply?
did you?

Ralf Hildebrandt

Jan 11, 2012, 4:12:30 AM
* Reindl Harald <h.re...@thelounge.net>:

> so NO you can not disable sending mails with telnet except
> force using TLS

And even then one could use s_client or sslwrap/ssltunnel

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hil...@charite.de | http://www.charite.de


Leslie León Sinclair

Jan 11, 2012, 8:22:06 AM
I´m testing a server, so I need to unable people[users], to connect via
telnet[smtp.mydomain.com:25] to the mail server.


> 2012/1/10 Leslie León Sinclair <les...@electrica.cujae.edu.cu>:
> > Can anyone point me in the right direction, I´m stuck here and Google
> > is not helping...
>
> define "telnet" here, do you mean: direct connection to port 25? or an
> *actual* telnet session (port 23).
>
> Ildefonso.
>
>
> >

Leslie León Sinclair

Jan 11, 2012, 8:23:46 AM
Telnet the protocol in port 25...

> On Tuesday, January 10, 2012, 16:45:25, Leslie León Sinclair wrote:
> > Can anyone point me in the right direction, I´m stuck here and Google
> > is not helping...
>
> TELNET the Protocol or a telnet client?
>


Leslie León Sinclair

Jan 11, 2012, 8:29:44 AM
Sorry my mistake, I´m punishing myself right now, by the way I asked
here in the list, but I was tired dealing with this problem. Reading
yesterday´s mail now... I feel like a barbarian...

It´s not gonna happen again, or at least, I will try.

Good day to all...


>
> Welcome to the postfix-users mailing list.
>
> Upon subscribing, you should have received a message explaining how to
> ask for help, to wit: http://www.postfix.org/DEBUG_README.html#mail
>


Wietse Venema

Jan 11, 2012, 8:34:18 AM
Leslie León Sinclair:
> I´m testing a server, so I need to unable people[users], to connect via
> telnet[smtp.mydomain.com:25] to the mail server.

So it is OK if they connect to your server with netcat, "openssl
s_client", any script written in Perl, Python, PHP, Javascript,
with a real email client, with a botnet zombie, and so on?

Wietse

/dev/rob0

Jan 11, 2012, 8:49:20 AM
[ top-posting fixed, please do not do that here ]

On Wednesday 11 January 2012 07:23:46 Leslie León Sinclair wrote:
> > On Tuesday, January 10, 2012, 16:45:25, Leslie León Sinclair
> > wrote:
> > > Can anyone point me in the right direction, I´m stuck here
> > > and Google is not helping...
> >
> > TELNET the Protocol or a telnet client?
>
> Telnet the protocol in port 25...

Google is not helping because apparently you do not know what you are
asking, nor have you yet understood the other posts in this thread.

People can use telnet(1), the application, as a simple TCP text
client. That application can connect directly to a SMTP server. If the
user knows how to speak SMTP, the user can send mail.

Postfix does not implement a telnetd(8) server. That would be an
example of "telnet the protocol".

There is NO difference between a person using telnet(1) to speak SMTP
or using any other mail client to speak SMTP. (Again, offer void where
taxed or prohibited, or if the person does not understand SMTP
adequately.) TCP is TCP.

What you are asking is not possible. Perhaps you should consider why
you think this goal is desirable or important. It is generally far
harder to manually speak SMTP to a server than it is to configure a
mail client. I use Kmail or mutt(1), myself.
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Leslie León Sinclair

Jan 11, 2012, 8:49:00 AM
First:
I apologize below for my behavior yesterday.

My issue:
I have a postfix[Debian] server, and it´s working nice, but I need to block
people to send mails via telnet[telnet mydomain.com 25], everything is working
nice and shiny, error/warning logs are empty, dovecot logging normal, no error
so far, but still the issue.

Now:
I will do a VM with the same config and will test, on other machine, to see some
changes in SASL and stuff related and later I post my results with main.cf included.
Until then, please do not reply to my mails, I´ll be out for a while...

Best regards...


> Sorry my mistake, I´m punishing myself right now, by the way I asked
> here in the list, but I was tired dealing with this problem. Reading
> yesterday´s mail now... I feel like a barbarian...
>
> It´s not gonna happen again, or at least, I will try.
>
> Good day to all...
>



Rod Dorman

Jan 11, 2012, 11:07:29 AM
On Wednesday, January 11, 2012, 08:58:40, James Day wrote:
> Just an idea, feel free to correct me. Is there some way within
> Postfix to implement a timeout on the SMTP conversation?

there are numerous mumble_timeout parameters.

> Obviously a user typing HELO, MAIL FROM, RCPT TO etc.... will be a
> lot slower than a conversation between two computers.
>
> Of course this could break something else, like I said, just an idea.

The suggested (i.e. SHOULD) SMTP timeouts are given in minutes. No human
typing the commands is going to have any difficulty.

Dennis Carr

Jan 11, 2012, 11:39:35 AM
On Wed, 11 Jan 2012, Rod Dorman wrote:

> The suggested (i.e. SHOULD) SMTP timeouts are given in minutes. No human
> typing the commands is going to have any difficulty.


Never underestimate the power (or lack thereof) of a hunt-and-pecker
unfamiliar with computers tasked with doing this. =)

-Dennis

Dennis Carr

Jan 11, 2012, 11:43:49 AM
On Wed, 11 Jan 2012, Leslie León Sinclair wrote:

> I´m testing a server, so I need to unable people[users], to connect via
> telnet[smtp.mydomain.com:25] to the mail server.

If you're testing it, your best bet is to either a) bring it up as long as
you need to test it, and then shut it down when you don't (ONLY for the
purpose of testing), or b) set configuration to only allow mail from
localhost - so this way, a user on the machine the server resides on
could, in theory, type 'telnet localhost 25', but this assumes that the
telnet client is installed thereon.

Keep in mind, though, that there are people who keep the telnet client on
machines that you don't have control of - and in my case, I keep it around
to debug occasionally. You won't have control of those machines, and
direct telnet into a SMTP server is really not a security hole.

-Dennis

Bill Cole

Jan 12, 2012, 10:55:11 AM
On 10 Jan 2012, at 16:56, Dennis Carr wrote:

> On Tue, 10 Jan 2012, Leslie León Sinclair wrote:
>
>> Can anyone point me in the right direction, I´m stuck here and
>> Google
>> is not helping...
>
> If you mean the act of disabling the ability of using a telnet client
> to connect to port 25, you're best not doing this - or, just set any
> session timeouts to something short to prevent manual interaction.

I hope that is simply an offhand random thought and not something you've
actually done.

Reducing timeouts to the point where they would seriously interfere with
people doing manual SMTP will almost certainly mean failing to comply
with the SMTP standard and would carry a real risk of blocking
legitimate mail. While it is true that most SMTP transport happens as
fast as the sender can get 2xx responses, it does not always work that
way. Also: when you diverge from the standard for no compelling reason
you will find sympathy with any interop problems to be in short supply.

--
Bill Cole

Wietse Venema

Jan 12, 2012, 12:55:26 PM
Bill Cole:
By default, Postfix plays time limit games only under overload conditions.

The timeout settings are:

Parameter                   Overload   Normal
smtpd_per_record_deadline   yes        no
smtpd_starttls_timeout      10s        300s
smtpd_timeout               10s        300s

The per-record deadline feature (Postfix >= 2.9) changes timeout
behavior from "time limit per read operation" to "time limit per
command", meaning the entire command must be received within the
deadline.

Wietse
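
The difference between the two timeout modes in the message above, as an added example that is not part of the original post and is not Postfix code. It is a simplified model: the function names, the event format and the sample sessions are constructed for illustration.

```python
# Added example: simplified model of the two smtpd timeout modes (not Postfix code).
# Each event is (arrival_time_seconds, bytes_received); all data is constructed.

def first_timeout(events, limit, per_record_deadline):
    """Return the time the server gives up on the client, or None.

    per_record_deadline=False: limit per read operation, so the clock
    restarts whenever any bytes arrive.
    per_record_deadline=True: limit per command, so the clock restarts only
    when a complete line (ending in LF) has been received.
    """
    clock_start = 0.0  # moment the server started waiting for input
    for when, data in events:
        if when - clock_start > limit:
            return clock_start + limit
        if not per_record_deadline or data.endswith(b"\n"):
            clock_start = when
    return None


def typed(line, gap):
    """One byte every `gap` seconds, as a character-mode client would send."""
    return [(gap * (i + 1), line[i:i + 1]) for i in range(len(line))]


# A person typing one key every 2 seconds, and an MTA sending the line at once.
SLOW_TYPIST = typed(b"HELO client.example\r\n", gap=2.0)
MTA = [(0.05, b"HELO mail.example\r\n")]

if __name__ == "__main__":
    # The two columns of the table above: normal and overload settings.
    for name, limit, deadline in [("normal", 300, False), ("overload", 10, True)]:
        print(name, "typist:", first_timeout(SLOW_TYPIST, limit, deadline),
              "MTA:", first_timeout(MTA, limit, deadline))
```

With the normal settings neither client is dropped; only the overload settings cut off the slow typist, and an MTA that sends whole lines is unaffected in both cases.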

Leslie León Sinclair

Jan 23, 2012, 8:42:04 AM
Problem solved.

Using smtpd_sender_login_maps and pcre with domain checking against
logged user...

Thanks for the help.
Regards to all...
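
The check named in the last message, binding the MAIL FROM address to the SASL login through smtpd_sender_login_maps, modelled as an added example. It is not the poster's configuration (which was never posted) and not Postfix code; the domain example.org, the map pattern, the file path in the comment and the login format are assumptions.

```python
import re

# Assumed main.cf settings this model corresponds to (path is a placeholder):
#   smtpd_sender_login_maps   = pcre:/etc/postfix/sender_login.pcre
#   smtpd_sender_restrictions = reject_sender_login_mismatch
# Assumed table line: /^([^@]+)@example\.org$/   ${1}@example.org
# Lookup key is the MAIL FROM address, the result is the SASL login owning it.
# pcre tables match case-insensitively by default, hence re.I.
SENDER_LOGIN_MAP = [(re.compile(r"^([^@]+)@example\.org$", re.I), r"\1@example.org")]


def owner_of(sender):
    """Return the login that owns this sender address, or None if unlisted."""
    for pattern, template in SENDER_LOGIN_MAP:
        match = pattern.match(sender)
        if match:
            return match.expand(template).lower()
    return None


def check_sender(sender, sasl_login=None):
    """Model of reject_sender_login_mismatch as documented in postconf(5).

    Returns "REJECT", or "DUNNO" when this restriction makes no decision and
    later restrictions apply.
    """
    owner = owner_of(sender)
    if sasl_login is None:
        # Not logged in: reject only when the address has an owner in the map.
        return "REJECT" if owner is not None else "DUNNO"
    # Logged in: the login must own the MAIL FROM address.
    return "DUNNO" if owner == sasl_login.lower() else "REJECT"


if __name__ == "__main__":
    # Constructed sessions: (MAIL FROM address, SASL login or None).
    for sender, login in [
        ("alice@example.org", None),                 # any client, no AUTH
        ("alice@example.org", "alice@example.org"),  # own address
        ("bob@example.org", "alice@example.org"),    # someone else's address
        ("someone@remote.example", None),            # inbound mail from an MTA
    ]:
        print(f"{sender:26} login={login!s:20} -> {check_sender(sender, login)}")
```

The decision depends only on the sender address and the login, not on which program opened the connection, so inbound mail from other MTAs with outside sender addresses is not affected.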