On 12/31/2014 12:49 AM, li...@rhsoft.net wrote:
> 
> Am 31.12.2014 um 05:58 schrieb Thom Miller:
>> On 12/30/2014 09:35 PM, Jonathan Hermann wrote:
>>> Ok, then it's by design. So spamassassin/amavis will have to do.
> 
> don't get me wrong but reconsider setting up a complex, publicly reachable
> mailserver without having a *basic* understanding of how email works at all
> 
> otherwise you would not wonder that gmail, hotmail and all the others
> don't need the auth credentials of each and every user to send him his
> mails from their users
> 
>>> Am 28.12.2014 um 21:50 schrieb Wietse Venema:
>>>> Jonathan Hermann:
>>>>> I can send mail from an external source (e.g. mail client on my
>>>>> notebook) to a local user (local on my mailserver) without
>>>>> authentication. I'm not sure, is this by design?
>>>> By default, *any* system can send mail to a local address. Postfix
>>>> normally requires client authentication only when a client wants
>>>> to send mail to a remote address.
>>>>
>> If you don't want to receive any mail from other mail servers to your
>> postfix, you could blacklist all ips with postscreen
>> http://www.postfix.org/postscreen.8.html and make your authenticated
>> connections to port 587 with Thunderbird or whatever clients you choose.
>>
>> Not certain if that's what you're looking for but I get the impression
>> you do not expect incoming mail to Postfix
> 
> uhm if you don't want to receive from outside then just don't open port
> 25 in the firewall or even remove the smtp line from master.cf so that
> postfix doesn't even listen on port 25 - but for no valid reason start to
> configure postscreen
> 
> or just require auth in main.cf globally
> 
> smtpd_recipient_restrictions = permit_mynetworks
>  reject_non_fqdn_recipient
>  reject_non_fqdn_sender
>  reject_unlisted_sender
>  reject_authenticated_sender_login_mismatch
>  permit_sasl_authenticated
>  reject
> 

I think your solution is much easier, but since he's using Fetchmail
which I believe uses SMTP to talk to his mail server, he'll need to
leave the smtp line in master.cf. Blocking 25 at the firewall is fine.
Requiring auth on 25 would require Fetchmail to be configured to
authenticate to forward what it brings in, which I'm sure it can do.

Postscreen only came to mind as a first thought because I was actively
making changes to it right before I read the message. Blocking at the
firewall is probably the best choice.

-Thom
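
The restriction lists discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of how Postfix walks an access restriction list, where the first restriction that decides wins. The `RELAY_ONLY` list, the `Session` fields and the sample sessions are assumptions constructed for illustration, and the address-sanity restrictions are modelled as making no decision.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    in_mynetworks: bool       # client address matches mynetworks
    sasl_authenticated: bool  # client completed SMTP AUTH
    rcpt_is_local: bool       # server is responsible for the recipient domain

def _no_decision(_s):
    # Address-sanity checks: modelled as "no decision" on the assumption
    # that every constructed sample address is well formed and listed.
    return None

# Each restriction returns "OK", "REJECT" or None (no decision, keep going).
CHECKS = {
    "permit_mynetworks": lambda s: "OK" if s.in_mynetworks else None,
    "permit_sasl_authenticated": lambda s: "OK" if s.sasl_authenticated else None,
    "reject_unauth_destination": lambda s: None if s.rcpt_is_local else "REJECT",
    "reject": lambda s: "REJECT",
    "reject_non_fqdn_recipient": _no_decision,
    "reject_non_fqdn_sender": _no_decision,
    "reject_unlisted_sender": _no_decision,
    "reject_authenticated_sender_login_mismatch": _no_decision,
}

def evaluate(restrictions, session):
    """First restriction that decides wins; an undecided list accepts."""
    for name in restrictions:
        verdict = CHECKS[name](session)
        if verdict is not None:
            return verdict
    return "OK"

# Assumed relay-control list (not from the thread) vs. the list posted above.
RELAY_ONLY = ["permit_mynetworks", "permit_sasl_authenticated",
              "reject_unauth_destination"]
POSTED = ["permit_mynetworks", "reject_non_fqdn_recipient",
          "reject_non_fqdn_sender", "reject_unlisted_sender",
          "reject_authenticated_sender_login_mismatch",
          "permit_sasl_authenticated", "reject"]

# Constructed sample sessions.
SAMPLES = {
    "outside, no auth, local rcpt": Session(False, False, True),
    "outside, no auth, remote rcpt": Session(False, False, False),
    "outside, authenticated, remote rcpt": Session(False, True, False),
    "mynetworks, no auth, local rcpt": Session(True, False, True),
}

def compare():
    """Map each sample to its (RELAY_ONLY, POSTED) verdicts."""
    return {k: (evaluate(RELAY_ONLY, s), evaluate(POSTED, s))
            for k, s in SAMPLES.items()}
```

Under the relay-only list an unauthenticated outside client can still deliver to a local recipient; under the posted list only clients in mynetworks or authenticated clients get through.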