Home / server / Questions / 389037
Accepted
mossymaker
Asked: 2012-05-15 14:06:59 +0800 CST

Disable SMTP AUTH on Port 25

  • 772

Due to PCI-DSS, we are required to disable plaintext authentication. We've achieved this by encapsulating communications between our mail server and clients with TLS on port 465.

The problem lies in that port 25 must remain open and unencrypted for us to receive email from the internet, but should not allow authentication.

I've tried disabling the AUTH command, but that breaks authentication on port 465, too.

Is there a mail server or proxy that will allow separate configuration for port 25 and 465, such that authentication is only available over a secure channel?

Also noteworthy: we are using MailEnable with stunnel in FIPS mode.

Update:

MailEnable supplied a patched SMTP executable that allowed me to configure via Windows' registry whether authorization is offered on each listening port. This solved my problem—hopefully, they will publish the patch as a hotfix.

smtp pci-dss tls

4 Answers

  1. Best Answer

    Yes, postfix is perfectly capable of this.

    Take a look at the Postfix HOWTO:

    http://postfix.state-of-mind.de/patrick.koetter/smtpauth/

    and particularly:

    http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html

    (those two pages are linked from the fairly extensive official Postfix docs page http://www.postfix.org/docs.html)

    For my server, the configuration in master.cf looks like:

    # ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

    And main.cf has a line like:

    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

    In this case, authentication is only turned on for the submission (587) and SMTPS (465) ports.

    • 7

  2. It seems that the Postfix’s option smtpd_tls_auth_only = yes is exactly what you search. It allows to use SMTP AUTH only when TLS is activated, which is only relevant on port 25 for your configuration.

    http://www.postfix.org/SASL_README.html#id396969
    http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

    • 3

  3. You can also do the following to only advertize tls on certain ports with exim4.

    tls_advertise_hosts = 192.168.40.5:${if eq {$interface_port}{587} {*}{}}

    So only clients connecting from 192.168.40.5 and clients connecting through port 587 would be offered tls. As long as your auth setting are setup to require tls before advertise, only clients using port 587 with TLS would be able to use auth.

    • 1

  4. Exim lets you set:

    server_advertise_condition = ${if def:tls_cipher}

    on an authentication driver, so it's only advertised/available within TLS.

    Exim is very frequently used as a frontend gateway between MS mail servers and the open Internet; LDAP integration letting you query AD for address verification, authentication, etc; decent integration into various malware detectors, etc.

    • 0