You're right, I'm not the big mail server expert. And sometimes I pose basic questions. But I'm asking since I want functionality AND security to work. No-one likes spam. So thanks to those who provided valuable input I was able to achieve both, according to several open mail relay tests (from mailradar and others).

Thanks again :)


On 31.12.2014 at 09:33, Thom Miller wrote:

On 12/31/2014 12:49 AM, li...@rhsoft.net wrote:
On 31.12.2014 at 05:58, Thom Miller wrote:
On 12/30/2014 09:35 PM, Jonathan Hermann wrote:
Ok, then it's by design. So spamassassin/amavis will have to do.
don't get me wrong, but reconsider setting up a complex, publicly reachable
mailserver without having a *basic* understanding of how email works at all

otherwise you would not wonder that gmail, hotmail and all the others
don't need the auth credentials of each and every user to send him his
mails from their users

On 28.12.2014 at 21:50, Wietse Venema wrote:
Jonathan Hermann:
I can send mail from an external source (e.g. mail client on my
notebook) to a local user (local on my mailserver) without
authentication. I'm not sure, is this by design?
By default, *any* system can send mail to a local address. Postfix
normally requires client authentication only when a client wants
to send mail to a remote address.

If you don't want to receive any mail from other mail servers to your
postfix, you could blacklist all ips with postscreen
http://www.postfix.org/postscreen.8.html and make your authenticated
connections to port 587 with Thunderbird or whatever clients you choose.

Not certain if that's what you're looking for but I get the impression
you do not expect incoming mail to Postfix
uhm if you don't want to receive from outside then just don't open port
25 in the firewall or even remove the smtp line from master.cf so that
postfix doesn't even listen on port 25 - but don't start to configure
postscreen for no valid reason

or just require auth in main.cf globally

smtpd_recipient_restrictions = permit_mynetworks
  reject_non_fqdn_recipient
  reject_non_fqdn_sender
  reject_unlisted_sender
  reject_authenticated_sender_login_mismatch
  permit_sasl_authenticated
  reject

I think your solution is much easier, but since he's using Fetchmail
which I believe uses SMTP to talk to his mail server, he'll need to
leave the smtp line in master.cf. Blocking 25 at the firewall is fine.
Requiring auth on 25 would require Fetchmail to be configured to
authenticate to forward what it brings in, which I'm sure it can do.

Postscreen only came to mind as a first thought because I was actively
making changes to it right before I read the message. Blocking at the
firewall is probably the best choice.

-Thom
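
The difference between the stock behaviour Wietse describes and the restriction list posted in this thread, as an added example that is not part of the original messages and is not Postfix code. It is a simplified first-match model; the addresses, the OWNERS table and the STOCK list (relay control folded into one list) are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample environment; every name and address is a placeholder.
MYNETWORKS = [ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"example.org"}  # stands in for mydestination
OWNERS = {"alice@example.org": "alice", "bob@example.org": "bob"}  # address -> SASL login

def domain(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

# Each check returns "permit", "reject" or None (no decision, try the next restriction).
CHECKS = {
    "permit_mynetworks": lambda s: "permit" if any(ip_address(s["ip"]) in n for n in MYNETWORKS) else None,
    "permit_sasl_authenticated": lambda s: "permit" if s["login"] else None,
    "reject_non_fqdn_recipient": lambda s: None if "." in domain(s["rcpt"]) else "reject",
    "reject_non_fqdn_sender": lambda s: None if "." in domain(s["sender"]) else "reject",
    "reject_unlisted_sender": lambda s: "reject"
        if domain(s["sender"]) in LOCAL_DOMAINS and s["sender"] not in OWNERS else None,
    "reject_authenticated_sender_login_mismatch": lambda s: "reject"
        if s["login"] and OWNERS.get(s["sender"]) != s["login"] else None,
    "reject_unauth_destination": lambda s: None if domain(s["rcpt"]) in LOCAL_DOMAINS else "reject",
    "reject": lambda s: "reject",
}

# Stock relay policy, modelled as a single list (an assumption of this sketch).
STOCK = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
# The list posted in the thread, in the same order.
POSTED = ["permit_mynetworks", "reject_non_fqdn_recipient", "reject_non_fqdn_sender",
          "reject_unlisted_sender", "reject_authenticated_sender_login_mismatch",
          "permit_sasl_authenticated", "reject"]

def evaluate(restrictions, ip, login, sender, rcpt):
    """Return (action, deciding restriction); the first decision ends the evaluation."""
    session = {"ip": ip, "login": login, "sender": sender, "rcpt": rcpt}
    for name in restrictions:
        action = CHECKS[name](session)
        if action:
            return action, name
    return "permit", "end of list"

CASES = [  # (client ip, SASL login or None, MAIL FROM, RCPT TO), all constructed
    ("203.0.113.7", None, "carol@example.net", "alice@example.org"),   # outside -> local user
    ("203.0.113.7", None, "carol@example.net", "dave@example.com"),    # outside -> relay attempt
    ("203.0.113.7", "alice", "alice@example.org", "dave@example.com"), # authenticated submission
    ("203.0.113.7", "alice", "bob@example.org", "dave@example.com"),   # login does not own sender
    ("127.0.0.1", None, "carol@example.net", "alice@example.org"),     # client in mynetworks
]

if __name__ == "__main__":
    for case in CASES:
        print(case, evaluate(STOCK, *case), evaluate(POSTED, *case))
```

Because evaluation stops at the first decision, a client matched by permit_mynetworks never reaches the FQDN or sender checks that follow it in the posted list.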
