
how to disable OSX server 3 SMTP authentication

Hi,


I upgraded my 10.5 server to 10.9 OSX server. The mail server is only used internally. I use a HP Multifunction printer which I often use to scan documents and the printer would mail me the scans in PDF. In 10.9 the user has to authenticate in order to send mail via the SMTP server. Unfortunately the HP printer expects an open SMTP server.


I know that underneath OSX mail server Postfix is running. Is there a way to disable SMTP authentication so I can use my multifunction printer to mail me the scanned documents again?

Posted on Dec 29, 2013 2:13 AM


Dec 29, 2013 6:21 PM in response to grijspetje

Something like the following is how you can allow local clients to bypass the restrictions.


$ postconf -c /Library/Server/Mail/Config/postfix smtpd_client_restrictions

smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit

$ postconf -c /Library/Server/Mail/Config/postfix mynetworks

mynetworks = 127.0.0.0/8, [::1]/128

$


Basically, mynetworks is allowed onto the mail server without credentials. In your case, add the printer IP address into mynetworks, and your problematic printer should be able to connect to the printer. I'd be cautious about allowing unnecessary additional unauthenticated access, as — though your network is closed — there is malware around that looks for "open" SMTP servers and then starts generating spam via those servers.


Commands to modify these two settings — you may only need the second — would be akin to the following (replacing the 10.20.30.40 shown below with the address of your printer):

$ postconf -c /Library/Server/Mail/Config/postfix -e "smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit"

postconf -c /Library/Server/Mail/Config/postfix mynetworks -e "mynetworks = 127.0.0.0/8, [::1]/128, 10.20.30.40"

$


You'll then need to reload the Postfix server (once) to pick up the new settings:


sudo postfix reload

Dec 30, 2013 4:42 AM in response to MrHoffman

MrHoffman,


Thank you very much for pointing me in the right direction. I added my network to the mynetwork parameter and still got an error on the mail server. This was what I found in the log:


NOQUEUE: reject: RCPT from hpprinter.warmoezier.home[192.168.XX.XX]: 504 5.5.2 <NPIB32ACB>: Helo command rejected: need fully-qualified hostname; from=<XXXXXXXXXX> to=<XXXXXXXXXX> proto=ESMTP helo=<NPIB32ACB>


(I removed my mail addresses from the printout.) It seems that the HP printer does not provide the FQDN in the HELO command.


Then I replaced:


smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname


with:


smtpd_helo_restrictions = reject_invalid_helo_hostname


This solved my problem.


I guess I have to replace the network with the exact printer address in the mynetworks parameter to be on the safe side concerning open relays in my private network.


I edited the main.cf directly without using the postconf command. Or should I have used postconf?


Thanks again for sharing your knowledge.


Peter.


P.s.

btw is the command in your post correct?

postconf -c /Library/Server/Mail/Config/postfix mynetworks -e "mynetworks = 127.0.0.0/8, [::1]/128, 10.20.30.40"


shouldn't it be:


postconf -c /Library/Server/Mail/Config/postfix -e "mynetworks = 127.0.0.0/8, [::1]/128, 10.20.30.40"

Dec 30, 2013 7:35 AM in response to grijspetje

The firmware in your printer is about as primitive as I've encountered for something claiming SMTP support. That's unfortunately only barely capable as an SMTP client, and probably a device that's only suitable for residential or small office use. (Larger organizations and those that are looking to keep a lid on SMTP mail activities will usually have these Postfix settings or similar settings on other mail servers enabled and locked down by default. Those organizations that are more security-conscious can be concerned about rogue firmware being loaded into these printers, too; there've been various printer exploits in recent years. But I digress.)


As with the earlier settings, you can bypass the HELO settings for specific hosts:

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname


As for your postscript, yes; that postconf for the mynetworks setting was a cut-and-paste error on my part.


Why not edit the configuration files directly? That works, certainly. I generally prefer to avoid directly editing various (particularly complex) configuration files. Mistakes can happen when the file is open for editing, and those mistakes can sometimes be more difficult to diagnose and resolve. With the command-line postconf-based approach, I can screw up just one line of the configuration file, and specifically only the line that I'm working on. Or the command line tool variously catches and prevents my error. If I have the file open in an editor session, well, we've probably all had the experience of accidentally adding or deleting a character, or adding a newline somewhere else. (e.g. that previous cut-and-paste mea culpa.)
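
An added example, not part of the thread and not Postfix code: a simplified Python model of how Postfix walks smtpd_helo_restrictions left to right, with the first matching restriction deciding, to show what each list in this thread lets through and how the width of mynetworks changes who bypasses the HELO checks. The host 10.20.30.99 and all function names are assumptions made for illustration; 10.20.30.40 is the placeholder printer address used above.

```python
import ipaddress
import re

# Constructed sample values: 10.20.30.40 is the thread's placeholder for the
# printer; 10.20.30.99 stands for any other host on the same LAN.
PRINTER = "10.20.30.40"
OTHER_HOST = "10.20.30.99"
NARROW = "127.0.0.0/8, [::1]/128, 10.20.30.40"    # printer only
BROAD = "127.0.0.0/8, [::1]/128, 10.20.30.0/24"   # whole subnet

LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def in_mynetworks(client_ip, mynetworks):
    """True if client_ip falls inside any entry of a mynetworks-style list."""
    ip = ipaddress.ip_address(client_ip)
    for entry in re.split(r"[,\s]+", mynetworks.strip()):
        # Postfix writes IPv6 entries as [::1]/128; drop the brackets to parse.
        net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""),
                                   strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def helo_is_valid(name):
    """Rough syntax check: every dot-separated label is a legal host label."""
    return all(LABEL.match(part) for part in name.rstrip(".").split("."))


def helo_is_fqdn(name):
    """A bare name such as NPIB32ACB has no dot and is not fully qualified."""
    return "." in name.rstrip(".")


def evaluate_helo(restrictions, client_ip, helo, mynetworks):
    """Walk the list in order; the first restriction that matches decides."""
    for rule in re.split(r"[,\s]+", restrictions.strip()):
        if rule == "permit_mynetworks" and in_mynetworks(client_ip, mynetworks):
            return "permit"
        if rule == "reject_invalid_helo_hostname" and not helo_is_valid(helo):
            return "reject"
        if rule == "reject_non_fqdn_helo_hostname" and not helo_is_fqdn(helo):
            return "reject"
    return "permit"  # nothing matched: the HELO stage raises no objection
```

With the narrow mynetworks list only the printer skips the FQDN check; with the subnet entry, or with reject_non_fqdn_helo_hostname removed altogether, every host on the LAN does.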

Dec 30, 2013 8:09 AM in response to MrHoffman

MrHoffman,


Thanks again for helping me out with your knowledge and kindness. I altered smtpd_helo_restrictions as you suggested and it works fine.


The printer is used in a small office and I agree that the SMTP client is quite archaic but yet I have to deal with it.


I configured the smtp server as tight as possible with your help. It saved me a lot of time!


Kind regards,


Peter
