On Tue, Jul 14, 2009 at 2:28 PM, <proph...@vizion.occoxmail.com> wrote:
> Hi
>
> I am comparatively new to postfix and seem unable to get my
> configuration correct to ensure there are no open relays.
> For obvious reasons I am not posting from the network
> concerned! I set out below
> 1. Details of test with abuse.net
> 2. maillog entries for the test
> 3. network requirements for the server
> 4. entries in main.cf
>
> 1. A test with abuse.net produces the following:
>
> <<< 220 xxx.xxxxx.tld ESMTP Postfix (2.6.2)
> >>> HELO www.abuse.net
> <<< 250 xxx.xxxxx.tld
> Relay test 1
>
> >>> RSET
> <<< 250 2.0.0 Ok
> >>> MAIL FROM:<spamt...@abuse.net>
> <<< 250 2.1.0 Ok
> >>> RCPT TO:<x...@xxxx.tld>
> <<< 250 2.1.5 Ok
> >>> DATA
> <<< 354 End data with <CR><LF>.<CR><LF>
> >>> (message body)
> <<< 250 2.0.0 Ok: queued as 15F7234D421
>
> A report was received indicating an open relay
>
> 2. The Maillog entry (abbreviated) shows:
> date time postfix/smptd[xxxx] connect from verify.abuse.net
>                       [xxxx] 15F7234D421
> client=verify.abuse.net
>                 /cleanup[xxxx] 15F7234D421 message-
> id=<rlytest-nnnn...@abuse.net
>                 /qmgr[xxxx]   15F7234D421 from
> =<spamt...@abuse.net>,size =1125, ncrpt=1 (queue active)
>                 /local [xxxx] 15F7234D421
> to=<x...@mydomain.tld>, relay = local,delay=0.41,delays
> =0.41/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
>                 /qmgr [xxxx]  15F7234D421 removed
>                 /smptd [xxxx] disconnect from
> verify.abuse.net[IP]
>

this seems to show the test message being delivered to a local
mailbox. if you are testing relay using an address that the server
should accept mail for, and it accepts it, that is not an open relay.
that is a mail server accepting mail as it should. what matters is
how the server behaves when you try to deliver to a non-local
recipient. unless I am just missing something, I think you're doing
the test wrong.


> 3. The mail server is freebsd 7.2 and intended to be the
> primary mail server for a small local network for its own
> domain and supports mail for multiple virtual domains. The
> virtual domains are specified in virtual_alias_domains. The
> server also runs qpopper to provide pop3 service to the
> local network.
>
> 4. Entries from main.cf
> relay_domains = $mydestination [mydomain].tld
> smptd_recipent_restrictions = permit_mynetworks,
> reject_unauth_destinations
> ###
> ### NOTE I tried adding
> ### { smptd_client_restrictions = permit_mynetworks, reject}
> ### WHICH solved the open relay problem but hardly any mail
> got through from the internet!!!
> smptd_sender_restrictions = reject_unknown_sender_domain
> smptd_sender_restrictions = reject_non_fqdn_sender
> smptd_helo_required = yes
> smptd_helo_restrictions = reject_invalid_hostname
> smptd_helo_restrictions = reject_non_fqdn_hostname
>
> mynetworks_style = subnet
>
> If anyone could point me in the right direction I would be
> most obliged
>
> Thanks in advance
>
> David
>
> David Southwell ARPS
> Photographic Artist
> Permanent Installations and Design
>
>
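
The distinction drawn in the reply above (local delivery versus relaying to a non-local recipient) can be checked directly from the mail log. The following is an added example, not part of the original thread; the log lines, hosts, network range and domain names are constructed assumptions, and `classify_deliveries` is a hypothetical helper that assumes one recipient per message.

```python
import ipaddress
import re

# Constructed sample lines in Postfix's usual syslog layout; hosts and addresses are
# documentation values, and the first message mirrors the test described in the thread.
SAMPLE_LOG = """\
Jul 14 14:28:01 mx postfix/smtpd[811]: 15F7234D421: client=verify.abuse.net[192.0.2.10]
Jul 14 14:28:01 mx postfix/local[815]: 15F7234D421: to=<user@example.org>, relay=local, delay=0.41, delays=0.41/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Jul 14 14:31:40 mx postfix/smtpd[811]: 2A9C1B00017: client=unknown[198.51.100.7]
Jul 14 14:31:42 mx postfix/smtp[820]: 2A9C1B00017: to=<someone@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.9, delays=0.3/0/0.8/0.8, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jul 14 14:35:02 mx postfix/smtpd[811]: 3B7D2C00029: client=desk.example.org[10.0.0.15]
Jul 14 14:35:03 mx postfix/smtp[820]: 3B7D2C00029: to=<friend@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.1, delays=0.2/0/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S*\[([0-9A-Fa-f.:]+)\]")
DELIVERY_RE = re.compile(r"postfix/\w+\[\d+\]: (\w+): to=<[^>@]*@([^>]+)>,.*?relay=([^,]+),")


def classify_deliveries(log_text, mynetworks, local_domains):
    """Map queue ID -> verdict for each delivery whose SMTP client was logged."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    domains = {d.lower() for d in local_domains}
    clients, verdicts = {}, {}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:  # smtpd line: remember which client submitted this queue ID
            clients[m.group(1)] = ipaddress.ip_address(m.group(2))
            continue
        m = DELIVERY_RE.search(line)
        if not m or m.group(1) not in clients:
            continue
        qid, rcpt_domain, relay = m.groups()
        trusted = any(clients[qid] in net for net in nets)
        if rcpt_domain.lower() in domains:
            verdicts[qid] = "local-delivery"  # accepted for a hosted domain: not relaying
        elif trusted:
            verdicts[qid] = "relay-for-trusted-client"  # expected for mynetworks hosts
        else:
            verdicts[qid] = f"relay-for-untrusted-client via {relay}"  # open-relay symptom
    return verdicts


if __name__ == "__main__":
    result = classify_deliveries(SAMPLE_LOG, ["10.0.0.0/24"], ["example.org"])
    for qid, verdict in result.items():
        print(qid, verdict)
```

Only the third verdict, an outside client whose message leaves for a domain the server does not host, corresponds to what an open-relay test is meant to detect.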
