On Sun, Dec 13, 2009 at 03:13:19PM -0200, Walter Breno wrote:
> I need to force everybody, including local network users that use mail
> clients and webmail, to authenticate on smtp to send mail from my server. I
> have enabled sasl_auth modules and authentication is working fine, but when I
> set the option smtp_recipient_restrictions = permit_sasl_authenticated
---------------------^ you forgot the "d"
> reject, my server stops receiving mail from external servers like gmail and

Right, a "reject" like that is obviously unfit for a MX host.

> yahoo. I've tried the option permit_auth_destination so if the final
> destination of emails is my domain the server doesn't require
> authentication, but here I have the security problem: if a machine on my
> network is infected with a virus or one spammer inside or outside my network
> will send spam to all users on my domain because the authentication is not
> required.
> What is the correct way to do that? I need to require authentication but the
> incoming can't be rejected.

Of course you should take quick action against abuse originating from
your networks. But, there are numerous ways to do what you're asking.
There is no "reject_mynetworks" restriction, but you could make one:
do a check_client_access lookup with a REJECT action between the
permit_sasl_authenticated and reject_unauth_destination.

You could also separate external MX from internal submission by IP
address or port. For either approach you need a separate smtpd(8)
listener defined in master.cf. There's a commented example for
submission (port 587) in your master.cf already.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
