Postfix to ignore authentication

[suPerb0b]

Hi guys

We have a small hotspot running over an Mweb account. As we all know, Mweb is redirecting outgoing email on port 25, which is a pain in the arse.
We have a lot of complaints from people using the hotspot that they can't send mail, so much, that I've put in a little Postfix server so they can send through that, but its starting to get ridiculous and people and becoming more and more annoyed because of it.

I've read in other posts here that its apparently quite easy to have postfix ignore authentication, but for the life of me, I cannot figure it out. I want to redirect all outgoing mail on 25 to my server and just accept anything.

Here is what I have in my config (only the relevant bit):

smtpd_helo_required = yes
disable_vrfy_command = yes

smtpd_recipient_restrictions =
    warn_if_reject,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    check_helo_access hash:/etc/postfix/helo_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_client_access hash:/etc/postfix/client_checks,
    check_client_access pcre:/etc/postfix/client_checks.pcre,
    permit

What do I need to add so it will ignore/accept any authentication request ?

 

[GoofySmurf]

Hello

Please look for the following line in your main.cf and change it to no.

smtpd_sasl_auth_enable = yes

 

[GoofySmurf]

Here is some more info if required.

--------------------------------------------------------------------------------

Configuring Postfix
-------------------
The following are the new parameters in main.cf that affect SMTP
authentication in the server:

broken_sasl_auth_clients

Set this equal to yes to enable support for older clients
that expect AUTH= instead of AUTH. This will result in
Postfix giving two AUTH banners, i.e.:

250-AUTH=LOGIN PLAIN
250-AUTH LOGIN PLAIN

This is required to allow Outlook Express 4.x to
authenticate.

smtpd_sasl_auth_enable

Set this equal to yes to enable the advertisement of AUTH in
the ESMTP capabilities.

smtpd_sasl_local_domain

Set this equal to the value of the authentication realm that
the Postfix smtpd process should attempt to authenticate
sessions against. At this point, it has no effect if you are
not using sasldb. Traditionally, this is set equal to
$myhostname. There is no provision for the client to specify
the realm, and at this time, Postfix has no support for
multiple authentication domains (which could be useful for
hosting multiple virtual domains).

smtpd_sasl_security_options

If set to noplaintext, Postfix will not advertise methods
that use plaintext passwords (PLAIN and LOGIN). If set to
noanonymous, Postfix will not advertise methods that allow
anonymous authentication (ANON). If set to nodictionary,
Postfix will not advertise methods that are vulnerable to
passive (dictionary) attack. If set to noactive, Postfix
will not advertise methods that are vulnerable to active
(non-dictionary) attack.

The following is a new restriction that may be used in main.cf to
define behavior allowed to authenticated clients:

permit_sasl_authenticated

When used in smtpd_recipient_restrictions or
smtpd_client_restrictions, this grants permission to
authenticated clients. When used in smtpd_client
restrictions, smtpd_delay_reject must be set to yes. This
will disallow any non-authenticated connections.

For examples of the main.cf parameters, see the sample-auth.cf file
in your /etc/postfix directory.

For authenticated sessions, Postfix will log the username provided
by the remote host, the requested authentication method, and the
sender address. It does not log any further information (unless
the debug options in main.cf are specified and match the remote
host) and does not alter the headers of the message in any way to
indicate that AUTH was used.

 

[suPerb0b]

Thanks. I didn't have that in at all.
It looks like it works fine with my thunderbird, so lets hope it works with the clients too

 

[Tinuva]

I hope your clients won't be sending spam, or have bots on their pcs that send the spam. Your server might get blacklisted quick quick.

 

[suPerb0b]

Hehe, yup, already thought of that and installed Amavis, Clamav and Spamassassin.

 

[koffiejunkie]

To get it to work:

mynetworks = 192.168.1.0/24

Replace 192.168.1.0/24 with your local network.

BUT. This is an the wrong way to fix it. You need to either come to an agreement with Mweb to open port 25 access or get another ISP. I think it is unacceptable for a business account to have port 25 blocked.

Furthermore, there is a port specifically for submitting mail via authenticated SMTP (and nothing else): port 587 = SMTP submission. Any ISP worth their salt offers access to port 587 on their mail servers and no ISP worth your money will block it.