Michael Grimm via Postfix-users:
> Hi,
>
> I would like to completely cut off all mail leaving my servers
> that have not originated from a FreeBSD jail running postfix (plus
> rspamd).

The text suggests that you will be rejecting (not discarding) messages.

> These are my measures taken so far:
>
> #) Using FreeBSD's pf firewall functionality to block all traffic leaving my
> servers via ports 25, 465, and 587, respectively, that has not originated
> in a FreeBSD jail running postfix

Presumably, pf cannot prevent a non-Postfix process from sending
email directly to remote port 25, 465, and 587.

> #) Disallow relaying except for SASL authenticated users:
> smtpd_relay_restrictions =
>     permit_sasl_authenticated
>     reject_unauth_destination

If enforced globally (in main.cf without master.cf overrides
that say otherwise), that will work as expected.

It will not prevent external mail to a local account that relays
messages with ~/.forward going out again. If that is a concern,
forwarding can be restricted by creating forward files for authorized
users in a restricted directory and updating main.cf:forward_path
accordingly.

    forward_path = /etc/mail/forwarding/$user

> #) Deny local mail submission to all users:
> authorized_submit_users =

That should also work as expected.

> All my tests are showing that my goal has been achieved, *but* I
> may have overseen something I should prevent, as well. Have I?

Postfix implements a qmqpd service, but that is disabled by
default. This service can be limited only by client IP address.

Postfix implements client impersonation with XCLIENT, but that
is disabled by default.

Wietse
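
An added example, not part of the reply above and not Postfix code: a small audit of main.cf and master.cf text for the points raised in this thread (relay restrictions, master.cf overrides, local submission, forward_path, qmqpd, XCLIENT). The sample files are constructed, the function names are hypothetical, the forward_path test is a heuristic, and only the plain "-o name=value" override form is parsed.

```python
import re

WATCHED = ("smtpd_relay_restrictions", "smtpd_authorized_xclient_hosts")

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            if line[0].isspace() and out:
                out[-1] += " " + line.strip()
            else:
                out.append(line.strip())
    return out

def audit(main_cf, master_cf):
    """Return findings for the settings discussed in the thread."""
    entries = (e.partition("=") for e in logical_lines(main_cf))
    p = {k.strip(): v.strip() for k, _, v in entries}
    findings = []
    relay = p.get("smtpd_relay_restrictions", "").replace(",", " ").split()
    if relay != ["permit_sasl_authenticated", "reject_unauth_destination"]:
        findings.append("smtpd_relay_restrictions differs from the thread's setting")
    if p.get("authorized_submit_users", "static:anyone"):  # Postfix default
        findings.append("local submission is not denied")
    if "home" in p.get("forward_path", "$home/.forward"):  # heuristic
        findings.append("forward_path reads user-owned .forward files")
    if p.get("smtpd_authorized_xclient_hosts", ""):
        findings.append("XCLIENT is enabled in main.cf")
    for entry in logical_lines(master_cf):
        fields = entry.split()
        if len(fields) >= 8 and fields[7] == "qmqpd":
            findings.append("qmqpd service is enabled")
        for name in re.findall(r"-o\s+(\w+)=", entry):
            if name in WATCHED:
                findings.append(f"master.cf override of {name} on {fields[0]}")
    return findings

# Constructed sample files, not taken from the poster's servers.
MAIN_CF = """smtpd_relay_restrictions =
    permit_sasl_authenticated
    reject_unauth_destination
authorized_submit_users =
forward_path = /etc/mail/forwarding/$user
"""
MASTER_CF = """submission inet n - n - - smtpd
    -o smtpd_relay_restrictions=permit_mynetworks,reject
#628 inet n - n - - qmqpd
"""
print(audit(MAIN_CF, MASTER_CF))
```

On a live system the two inputs would be the contents of main.cf and master.cf; the sample flags only the submission override, because the main.cf settings match the thread and the qmqpd line is commented out.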