From: Dennis Carr on
I'm running postfix 2.5.5-1.1 (Debian Stable) on my desktop, which I
use to deliver mail to the internet via my server. Under optimal
circumstances, I'd just have an IP address assigned to the box that's
on the public network, but I'm on a single dynamic IP assigned by
Comcast that may or may not change at the drop of a hat.

Currently, the method of delivery to my server is by way of an ssh
tunnel to my server (deliver on localhost 2525 to get to the server),
but the problem lies herein of security - if I do this, I tend to get
rooted.

So here's the question: is there either...

1) A better way to do this, using already existing mechanisms in
Postfix, or...

2) a way to tell Postfix to turn on the ssh tunnel for the period
required to deliver mail on delivery to the daemon, and then flush the
queue, at which point the tunnel is closed?

-Dennis Carr

From: Deives Michellis on

Glancing sideways to check that nobody was watching, Dennis Carr <dennisthetiger(a)chez-vrolet.net> scribbled on Thu, 07/01/2010, 06:49h:
> Currently, the method of delivery to my server is by way of an ssh
> tunnel to my server (deliver on localhost 2525 to get to the server),
> but the problem lies herein of security - if I do this, I tend to get
> rooted.
>
> 1) A better way to do this, using already existing mechanisms in
> Postfix, or...

the proper/elegant way to handle this is thru email submission.

Set up another smtpd instance in master.cf for mail submission (port 587 is reserved for that) and allow mail only when using TLS and SASL auth.

If you need further assistance in setting up that, let me know and I will gladly help you.


Deives

---

BOFH excuse #62 - The cause of the problem is: need to wrap system in aluminum foil to fix problem
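
As an added illustration of the submission setup Deives describes (this is example configuration written for this thread, not something posted by a list member): a second smtpd instance on the submission port that refuses everything except TLS-protected, SASL-authenticated sessions, plus the matching client-side settings for the desktop. The hostname mail.example.net, the account name and the file paths are placeholders; the option names are standard Postfix parameters and all of them exist in the 2.5 release the original poster runs.

```conf
# --- master.cf on the relay server (added example, not from the thread) ---
# A dedicated smtpd on port 587. Every -o line overrides main.cf for this
# instance only, so port 25 keeps its normal MX behaviour.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# --- main.cf on the relay server ---
# The instance above needs a certificate and a SASL backend; the SASL
# backend (Cyrus or Dovecot) is configured separately and not shown here.
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.net.pem
smtpd_tls_key_file  = /etc/ssl/private/mail.example.net.key

# --- main.cf on the desktop (the dynamic-IP client) ---
# Relay everything through the submission port, authenticate with SASL,
# and require a verified TLS connection so credentials never travel in
# the clear and cannot be captured by a spoofed relay. "secure" requires
# the server certificate to match the bracketed relayhost name and to
# chain to a CA in smtp_tls_CAfile; use "encrypt" only if the server
# certificate is self-signed.
relayhost = [mail.example.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# --- /etc/postfix/sasl_passwd on the desktop (placeholder credentials) ---
# Lookup key must match relayhost exactly; run "postmap /etc/postfix/sasl_passwd"
# afterwards and keep both files mode 0600 and owned by root.
[mail.example.net]:587 dennis:REPLACE_WITH_REAL_PASSWORD
```

The security-relevant property is that the server grants relay permission only to an authenticated identity, never to a network location, so nothing depends on the client's IP address staying the same, and no trusted local listener is exposed on the desktop for malware or another local user to relay through.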

From: mouss on
Dennis Carr wrote:
> I'm running postfix 2.5.5-1.1 (Debian Stable) on my desktop, which I
> use to deliver mail to the internet via my server. Under optimal
> circumstances, I'd just have an IP address assigned to the box that's
> on the public network, but I'm on a single dynamic IP assigned by
> Comcast that may or may not change at the drop of a hat.
>
> Currently, the method of delivery to my server is by way of an ssh
> tunnel to my server (deliver on localhost 2525 to get to the server),
> but the problem lies herein of security - if I do this, I tend to get
> rooted.
>
> So here's the question: is there either...
>
> 1) A better way to do this, using already existing mechanisms in
> Postfix, or...
>
> 2) a way to tell Postfix to turn on the ssh tunnel for the period
> required to deliver mail on delivery to the daemon, and then flush the
> queue, at which point the tunnel is closed?
>


you can still use ssh with a dedicated account and with "forced" commands.

if you want to use postfix-only, then STARTTLS and either SASL or client
certificate should do. ideally on a port other than 25 (587 is the
standard submission port).
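
If the ssh tunnel is kept, mouss's suggestion of a dedicated account with a forced command limits what a compromise of the desktop can do with that key. The following is an added example written for this thread, not configuration posted by anyone in it; the account name tunnel, the host mail.example.net and the key material are placeholders.

```conf
# --- sshd_config on the relay server (added example, not from the thread) ---
# Confine the tunnel account: no shell use, no agent/X11 forwarding, and
# the only port it may forward to is the local SMTP listener.
Match User tunnel
    ForceCommand /bin/false
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:25
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no

# --- ~tunnel/.ssh/authorized_keys on the relay server ---
# Same restrictions bound to the key itself, so they hold even if the
# Match block is later edited away. A "from=" option would be the usual
# extra check, but the poster's dynamic IP rules that out.
command="/bin/false",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="127.0.0.1:25" ssh-ed25519 AAAA...PLACEHOLDER_PUBLIC_KEY tunnel@desktop

# --- ~/.ssh/config on the desktop ---
# Bind the local end of the tunnel to loopback only; anything that can
# reach 127.0.0.1:2525 is trusted as a relay client by the server's
# default mynetworks, so the listener must not be reachable from the LAN.
Host mailtunnel
    HostName mail.example.net
    User tunnel
    IdentityFile ~/.ssh/tunnel_key
    LocalForward 127.0.0.1:2525 127.0.0.1:25
    ExitOnForwardFailure yes
    ServerAliveInterval 30

# --- main.cf on the desktop ---
relayhost = [127.0.0.1]:2525
```

The tunnel is then opened with "ssh -N mailtunnel" (no remote command is requested, so the forced command never runs and only the port forward is established) and closed by terminating that process after "postqueue -f" has flushed the deferred queue, which is the on-demand behaviour the original poster's second question asks about. Note that the relay server still trusts the tunnel endpoint as if it were local, which is why the submission-port approach with per-user authentication is the stronger design.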

From: Stan Hoeppner on

On Thu, 7 Jan 2010 00:49:23 -0800, Dennis Carr
<dennisthetiger(a)chez-vrolet.net> wrote:

> 1) A better way to do this, using already existing mechanisms in
> Postfix, or...

Maybe have a look at this and tweak your server as necessary:

http://www.hardwarefreak.com/postfix-adsl-relay-config.txt

--
Stan