I want to disable authorization by any method (SOG, Thunderbird, Outlook) for pc located outside the local network. Can anyone tell me how to do this?

@"ILGVA"#p16052 Sorry, you are asking the wrong questions. The solution was already told. Activate the firewall (best in your gateway) and block all ports which are not needed from the internet. Port 25 should be open, otherwise your Mailcow will not be able to receive emails. For the SSL cert you also need 80,443 or use an external reverse-proxy to protect the 80,443 ports of your Mailcow-Server. To be able to connect to Mailcow from your clients to Mailcow is then only in your network possible. When you need to connect to Mailcow outside your network (e.g. with your smartphone) you will need an VPN tunnel. This solution is secure and you don’t need to change anything at the Mailcow configuration. Everything what you need is already documented by the Mailcow docs. The VPN tunnel you have to google how to setup an VPN-Server (e.g. wireguard)

Well Sogo is able to authenticate via multiple channels, not sure how Mailcow is handle it. In this case I would put proxy server in front of Mailcow/Sogo and filter whole access to Sogo. in case of mail clients auths are basically done by Postix - SASL and Dovecot In case of Dovecot there is allow_nets directive to limit logins just to specific IP and/or subnets, please go trough documentation here: https://doc.dovecot.org/configuration_manual/authentication/allow_nets/ and: here https://doc.dovecot.org/configuration_manual/authentication/ For Postfix you can try directive `smtpd_sasl_exceptions_networks` documentation state that it will prevent to offer AUTH, not sure if this prevent to AUTH, you will need to test it. Docs here: https://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks Any case do some research before changes anything, mail system is not trivial to configure properly and the responsibility lies with you as the provider.

I was able to close Sogo, it was really easy. But I'm using mailcow like docker-compose and I'm not sure I understand the syntax for adding these variables. Anyway, thanks. It remains to figure out how to do this. If someone understands this, I will be glad to get help :D

Basically, Mailcow expose configuration to your base folder inside data/conf but make sure to read mailcow doc to do it right. https://docs.mailcow.email/manual-guides/Postfix/u_e-postfix-extra_cf/ https://docs.mailcow.email/manual-guides/Dovecot/u_e-dovecot-extra_conf/

Yes thank you. I'm already trying to use them. Something just doesn't work out :D Testing in thunderbird. If i use in data/conf/dovecot/extra.conf passdb, I can connect from anywhere, regardless of the specified ip. If i use user:{plain} or just allow_nets with local ip of my compuster, i lost connection.

Well first disable your changes, log in by thunderbird normally, check for logs there should be record of your login. Post the log here, than post what did you change here please.

Ok,ay, when I wrote "i lost connection" it is not correct. My dovecot docker container have error. If my extra.conf loks like that: allow_nets=10.56.0.0/16,local I have this error in log: Uptime: 237131 Threads: 14 Questions: 499040 Slow queries: 5 Opens: 226 Open tables: 217 Queries per second avg: 2.104 doveconf: Fatal: Error in configuration file /etc/dovecot/extra.conf line 1: Unknown setting: allow_nets If my extra.conf loks like that: passdb { driver = static args = password=test allow_nets=local,10.56.0.0/16 } I have the same problem: Uptime: 237352 Threads: 9 Questions: 499287 Slow queries: 5 Opens: 226 Open tables: 217 Queries per second avg: 2.103 doveconf: Fatal: Error in configuration file /etc/dovecot/extra.conf line 1: Unknown setting: allow_nets Uptime: 237360 Threads: 9 Questions: 499288 Slow queries: 5 Opens: 226 Open tables: 217 Queries per second avg: 2.103 If my extra.conf empty, i can login in thunderbird. Logs: May 27 09:11:50 97681bea8fe1 dovecot: imap-login: Login: user=, method=PLAIN, rip=10.56.202.97, lip=172.22.1.250, mpid=882, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) May 27 09:11:51 97681bea8fe1 dovecot: imap(user@domen.com): Disconnected: Logged out in=9 out=530 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 May 27 09:11:51 97681bea8fe1 dovecot: imap-login: Login: user=, method=PLAIN, rip=10.56.202.97, lip=172.22.1.250, mpid=887, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) May 27 09:11:51 97681bea8fe1 dovecot: imap-login: Login: user=, method=PLAIN, rip=10.56.202.97, lip=172.22.1.250, mpid=888, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)

Okay, this seems too difficult for me. If I use in devcot extra.conf this: passdb { driver = static args = password=test allow_nets={Any_ip_adress} } I have no error "Unknown setting: allow_nets". But i can login in from any network. Dovecot logs: 2024-05-27 11:09:01,507 WARN received SIGTERM indicating exit request 2024-05-27 11:09:01,508 INFO waiting for processes, dovecot, syslog-ng to die May 27 11:09:01 97681bea8fe1 syslog-ng[111]: syslog-ng shutting down; version='4.5.0' 2024-05-27 11:09:01,617 INFO stopped: syslog-ng (exit status 0) 2024-05-27 11:09:03,622 INFO stopped: dovecot (exit status 0) 2024-05-27 11:09:03,622 WARN received SIGQUIT indicating exit request 2024-05-27 11:09:03,623 WARN stopped: processes (terminated by SIGTERM) Uptime: 245095 Threads: 17 Questions: 602896 Slow queries: 5 Opens: 260 Open tables: 248 Queries per second avg: 2.459 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 264 100 264 0 0 1281 0 --:--:-- --:--:-- --:--:-- 1287 gzip: invalid magic 2024-05-27 11:09:09,083 INFO Set uid to user 0 succeeded 2024-05-27 11:09:09,089 INFO supervisord started with pid 1 2024-05-27 11:09:10,092 INFO spawned: 'processes' with pid 109 2024-05-27 11:09:10,096 INFO spawned: 'dovecot' with pid 110 2024-05-27 11:09:10,099 INFO spawned: 'syslog-ng' with pid 111 May 27 11:09:10 97681bea8fe1 syslog-ng[111]: syslog-ng starting up; version='4.5.0' May 27 11:09:10 97681bea8fe1 dovecot: master: Dovecot v2.3.21 (47349e2482) starting up for imap, sieve, lmtp, pop3 2024-05-27 11:09:11,176 INFO success: processes entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2024-05-27 11:09:11,177 INFO success: dovecot entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2024-05-27 11:09:11,177 INFO success: syslog-ng entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) May 27 11:09:22 97681bea8fe1 dovecot: lmtp(128): Connect from 172.22.1.13 May 27 11:09:22 97681bea8fe1 dovecot: lmtp(128): Disconnect from 172.22.1.13: Logged out (state=MAIL FROM) May 27 11:09:22 97681bea8fe1 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=, rip=172.22.1.13, lip=172.22.1.250, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) May 27 11:09:22 97681bea8fe1 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=, rip=172.22.1.13, lip=172.22.1.250 May 27 11:09:22 97681bea8fe1 dovecot: managesieve-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=, rip=172.22.1.13, lip=172.22.1.250 May 27 11:09:25 97681bea8fe1 dovecot: pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=, rip=10.56.202.97, lip=172.22.1.250 May 27 11:09:25 97681bea8fe1 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=, rip=10.56.202.97, lip=172.22.1.250 May 27 11:09:25 97681bea8fe1 dovecot: pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=, rip=10.56.202.97, lip=172.22.1.250 May 27 11:09:25 97681bea8fe1 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=, rip=10.56.202.97, lip=172.22.1.250 May 27 11:09:26 97681bea8fe1 dovecot: pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=, rip=10.56.202.97, lip=172.22.1.250, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) May 27 11:09:26 97681bea8fe1 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=, rip=10.56.202.97, lip=172.22.1.250, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) May 27 11:09:43 97681bea8fe1 dovecot: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 14 secs): user=, method=PLAIN, rip=10.56.202.97, lip=172.22.1.250, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) May 27 11:09:48 97681bea8fe1 dovecot: imap-login: Login: user=, method=PLAIN, rip=10.56.202.97, lip=172.22.1.250, mpid=185, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) May 27 11:09:48 97681bea8fe1 dovecot: imap(user@domain.com): Disconnected: Logged out in=9 out=530 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 May 27 11:09:49 97681bea8fe1 dovecot: imap-login: Login: user=, method=PLAIN, rip=10.56.202.97, lip=172.22.1.250, mpid=188, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)

**smtpd_sasl_exceptions_networks** for postfix helped a little. Blocks sending messages. But I didn’t close the authorization :(

> @"ILGVA"#p15973 I want to disable authorization by any method (SOG, Thunderbird, Outlook) for pc located outside the local network. Do you have a firewall in front of mailcow? That would be the easiest way. And why exactly do you want to disable only authorization, but not the actual protocols?

@"esackbauer"#p16040 I don't have access to other hardware other than the server with mailcow. It’s faster to figure out how to do everything on the server than to gain access to the firewall. > And why exactly do you want to disable only authorization, but not the actual protocols? I thought I could do it faster and easier :D I thought it would be something like `hostlist relay_from_hosts = localhost:127.0.0.0/8:192.168.168.0/24`

block authorization outside the local network

ILGVA

Thanks everyone. Configured everything on the firewall.
I think allow_nets did not work because mailcow docker-compose used mailcow/dovecot:1.28.2. Allow_nets works with version 2.2.13

there is problem in configuration of few basic firewall like ufw/firewalld, you will need to do some extra work.

Yes, ufw for mailcow did not work without additional settings. It confused me at first.

Not sure, but why you did not explain your thoughts, why you are doing this?

After all these messages, I don’t even know anymore 😃
I wanted to see options without a firewall. Experiment

stefan21

Sorry for pushing this up again.

We are using mailcow only locally - no access from the internet allowed, except VPN. While checking the postfix-logs a lot of i.e. “ SASL LOGIN authentication failed: (reason unavailable)” are occurring. From https://www.postfix.org/postconf.5.html there is a parameter which should help to prevent this noise:

smtpd_sasl_exceptions_networks (default: empty)

What remote SMTP clients the Postfix SMTP server will not offer AUTH support to.

Some clients (Netscape 4 at least) have a bug that causes them to require a login and password whenever AUTH is offered, whether it's necessary or not. To work around this, specify, for example, $mynetworks to prevent Postfix from offering AUTH to local clients.

Specify a list of network/netmask patterns, separated by commas and/or whitespace. The mask specifies the number of bits in the network part of a host address. You can also specify "/file/name" or "type:table" patterns. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a table entry matches a lookup string (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude an address or network block from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Note: IP version 6 address information must be specified inside [] in the smtpd_sasl_exceptions_networks value, and in files specified with "/file/name". IP version 6 addresses contain the ":" character, and would otherwise be confused with a "type:table" pattern.

Example:

smtpd_sasl_exceptions_networks = $mynetworks

This feature is available in Postfix 2.1 and later.

I understand that this parameter in mailcow has to be defined in data/conf/postfix/extra.cf. If I want to exclude all networks except 10.2.3.*, for example, would this work:

smtpd_sasl_exceptions_networks = !10.2.3.0/24

Thank’s for any help/hints.

« Previous Page