If you do not accept submission on port 25, you could add a sender_access map to the service on port 25

    smtpd_sender_restrictions = ... check_sender_access hash:/etc/postfix/sender_access ...

and in said file list your domains each with action "reject"

On 18.05.2016 at 12:22, Catalin Badirca wrote:
> Thank you very much for your time and sorry for the long response time.
>
> I've tried your suggestion and the issue remains. Someone could telnet into
> postfix and would be allowed to send mails from a valid address to another
> valid address in mydomain without authentication.
>
> Is there any way I can stop potential spam for mydomain ?
>
> Thank you !
>
> Sent from my iPhone
>
>> On 16 May 2016, at 20:21, /dev/rob0 <r...@gmx.co.uk> wrote:
>>
>>> On Mon, May 16, 2016 at 07:25:54PM +0300, Catalin Badirca wrote:
>>> I am breaking my head trying to solve the following thing. I have a
>>> Postfix server that accepts mail from $mydomain and delivers for
>>
>> "From $mydomain" probably has nothing to do with it.
>>
>>> standard $mydestination. I also have smtp_relay_redtriction to
>>
>> smtpd_relay_restrictions, spelling DOES count, and be especially
>> aware of the "smtp_* != smtpd_" issue.
>>
>>> allow sasl and reject other destinations than $mydomain. Standard
>>
>> s/mydomain/mydestination/ , that is.
>>
>>> until now. The thing is: if I telnet to the machine and try to send
>>> mail from a valid address to another valid address in $mydomain I
>>> can do it without being forced to authenticate. I can easily force
>>> reject instead of reject_unauth_destination and take care of this
>>> but then no emails for me.
>>>
>>> Does anyone know a solution for this please ?
>>
>> It's quite simple, actually.
>>
>> Do not accept user submission on port 25. Remove all permit_*
>> restrictions from the global configuration. Don't advertise nor
>> accept AUTH on port 25.
>>
>> Do not accept mail exchange on port 587.
>>
>> main.cf:
>> ...
>> smtpd_relay_restrictions = reject_unauth_destination
>> submission_relay_restrictions = permit_sasl_authenticated, reject
>> # smtpd_sasl_auth_enable is "no" by default, so omit that, but
>> # other smtpd_sasl_* settings can go here
>> ...
>>
>> master.cf:
>> ...
>> submission inet n - n - - smtpd
>>   -o smtpd_tls_auth_only=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_recipient_restrictions=
>>   -o smtpd_relay_restrictions=$submission_relay_restrictions
>>   -o milter_macro_daemon_name=ORIGINATING
>>   -o syslog_name=postfix/submission
>> ...
>>
>> (That example assumes that TLS is set up for smtpd.)
>>
>> Yes, someone can still "telnet" to port 25 and send mail to your
>> addresses/users. That's what mail exchange is. Nothing is magic
>> about telnet, it is just one of many ways to make a TCP connection.
>> That's the same thing a MTA client will do when delivering mail on
>> behalf of their user to one of your addresses.
>> --
>> http://rob0.nodns4.us/
>> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: