Antonis Rizopoulos wrote:
> Hello,
> 
> I have a mail server with one virtual domain and some virtual users.
> The configuration of my server is:
> Postfix + Cyrus-SASL + Courier-IMAP + ClamAV + SpamAssassin + Amavis +
> Horde webmail
> 
> All of the above works almost perfectly. The users can send/receive
> mails, authenticate using saslauthd, connect via pop3, pop3s, imap,
> imaps to receive emails and via smtp, smtps to send emails, amavis
> content filter works fine....
> 
> I have only one question:
> 
> When I connect to my server, from different networks, to port 25 I am
> able to send emails to local users only without authenticating! It's like
> bypassing Cyrus-SASL.
> I know, of course, that I cannot block access to that port and allow
> only authenticated users to send emails, because I won't receive mails
> from web sites. But I think this is a huge security issue for my mail
> server.
> 
> I believe one fine solution to this issue would be like that:
> 
> Somehow, when the command MAIL FROM:<u...@domani.tld> is executed,
> Cyrus-SASL checks if the user is found in the database, and if so, forces
> him to execute the AUTH command; otherwise (therefore the mail is sent
> via webmail, so the user is unknown) allows the email to be sent without any
> authentication.
> 

search for reject_sender_login_mismatch and related parameters.

better yet: tell users to use port 587 (the standard submission port)
then you could reject all mail on port 25 if the sender is in your
domain. of course, make sure all hosts that need to send using this
domain use port 25 or are whitelisted.


> I'm currently using Spamhaus RBLs (smtpd_restrictions = ...) to block
> some IPs but this isn't a perfect solution as you cannot include all
> the possible domains...
> 

checking the sender won't help you much. don't spend too much time on
measures that will stop a small percentage of junk.
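As an added illustration, not part of the original thread, here is the kind of Postfix configuration the reply above points to: a sender-login map plus reject_sender_login_mismatch, so that a MAIL FROM owned by a local account is refused unless the client has SASL-authenticated as that account, and a separate submission service on port 587 that only accepts authenticated clients. The domain example.com, the map path /etc/postfix/sender_login_maps and the account names are assumptions made up for this example.

```conf
# ---- /etc/postfix/main.cf (excerpt) ----

# Map each local sender address to the SASL login name that owns it.
# Build the indexed file with: postmap /etc/postfix/sender_login_maps
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# On port 25: let trusted hosts and authenticated clients through, then
# refuse any MAIL FROM that is listed in the login map but was not sent
# by a client logged in as its owner. Unlisted senders (other domains)
# are unaffected, so ordinary inbound mail still arrives.
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_sender_login_mismatch

# ---- /etc/postfix/sender_login_maps (assumed contents) ----
# sender address           SASL login that may use it
# alice@example.com        alice
# bob@example.com          bob
# @example.com             postmaster   # catch-all: whole domain owned by one login

# ---- /etc/postfix/master.cf (submission service, port 587) ----
# service  type  private unpriv chroot wakeup maxproc command
submission inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
```

Two points worth checking after applying this: reject_sender_login_mismatch only acts on addresses that appear in smtpd_sender_login_maps, so a webmail or application host that sends as the domain from an IP outside mynetworks will be rejected unless it authenticates or is whitelisted (the reply's "make sure all hosts that need to send using this domain ... are whitelisted"). And the postfix/submission syslog_name keeps port 587 rejections separate from port 25 ones in the mail log, which makes it easy to spot unauthenticated clients trying to use a local sender address.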
