Yes.
Remove permit_sasl_authenticated and permit_mynetworks.
Then add the following rule instead, immediately BEFORE
reject_unauth_destination:
check_sender_access hash:/etc/postfix/relay_auth

Inside the file relay_auth, which must be run through postmap, you have the
following:

yourdomain.com permit_sasl_authenticated, reject

This means when an outsider tries to send from, let's say, t...@yourdomain.com
to someot...@yourdomain.com without authentication, the rule evaluated will
be:
" permit_sasl_authenticated, reject, reject_unauth_destination"
The word "reject" comes before "reject_unauth_destination", thus the mail
will be rejected despite being addressed to an allowed domain.
If you instead try to send from a non-"yourdomain.com" domain, then the
check_sender_access will be skipped, and you will be allowed to send mail to
local accounts.

This also has another advantage: authenticated accounts CANNOT send from
another domain than your domain.

You can try for yourself. Try telnetting to this server: dns2.sebbe.eu which
is my mail server.
Then try to see if you can send spoofed mail originating from some account
inside @sebbe.eu to sebast...@sebbe.eu

(I however use IP authentication, e.g. only mynetworks are allowed to relay,
instead of account authentication)
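
To make the evaluation order above concrete, here is an added example (my own
code, not from the thread and not Postfix itself): a small Python model of how
smtpd walks a restriction list, with the relay_auth table, the local domain
set and the test addresses assumed as in the thread. It compares the original
list (permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination)
with the hardened one for the cases discussed. Note that in the real access(5)
table the key and the action are separated by whitespace, not a colon.

```python
# Added example (not code from the thread): a small model of how Postfix
# walks an smtpd restriction list, used to check the relay_auth logic above.
# Addresses, scenario names and the local-domain set are constructed for the demo.

LOCAL_DOMAINS = {"yourdomain.com"}  # assumed: the domains Postfix accepts mail for

# /etc/postfix/relay_auth as an access(5) table: key, whitespace, action list.
# (Run "postmap hash:/etc/postfix/relay_auth" after editing the real file.)
RELAY_AUTH = {
    "yourdomain.com": ["permit_sasl_authenticated", "reject"],
}

# Before the change: anyone reaches a local mailbox; authenticated clients relay.
WEAK = ["permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination"]

# After the change: the sender-domain check runs before reject_unauth_destination.
HARDENED = [("check_sender_access", RELAY_AUTH), "reject_unauth_destination"]


def sender_access_lookup(table, sender):
    """Look up a sender the way check_sender_access does (simplified):
    full address first, then the domain part. Real Postfix also tries parent
    domains and the bare localpart; those are omitted here."""
    sender = sender.lower()
    if sender in table:
        return table[sender]
    domain = sender.rsplit("@", 1)[-1]
    return table.get(domain)


def _walk(restrictions, session):
    """Return "PERMIT"/"REJECT" at the first restriction that decides,
    or None if the list falls through (the next restriction takes over)."""
    for item in restrictions:
        if isinstance(item, tuple):  # check_sender_access with its table
            name, table = item
            if name != "check_sender_access":
                raise ValueError(f"unsupported lookup restriction: {name}")
            action = sender_access_lookup(table, session["sender"])
            if action is not None:
                # the table's action list is evaluated in place of the lookup
                verdict = _walk(action, session)
                if verdict is not None:
                    return verdict
        elif item == "permit_sasl_authenticated":
            if session["sasl"]:
                return "PERMIT"
        elif item == "permit_mynetworks":
            if session["mynetworks"]:
                return "PERMIT"
        elif item == "reject":
            return "REJECT"
        elif item == "reject_unauth_destination":
            rcpt_domain = session["recipient"].rsplit("@", 1)[-1].lower()
            if rcpt_domain not in LOCAL_DOMAINS:
                return "REJECT"
        else:
            raise ValueError(f"unsupported restriction: {item}")
    return None


def decide(restrictions, sender, recipient, sasl=False, mynetworks=False):
    """Evaluate one RCPT TO against a restriction list. Falling off the end
    of smtpd_recipient_restrictions is an implicit permit in Postfix."""
    session = {"sender": sender, "recipient": recipient,
               "sasl": sasl, "mynetworks": mynetworks}
    return _walk(restrictions, session) or "PERMIT"


# Constructed scenarios matching the cases discussed in the thread.
CASES = {
    "spoofed local sender, no auth": dict(sender="test@yourdomain.com",
                                          recipient="someone@yourdomain.com"),
    "local sender, authenticated":   dict(sender="test@yourdomain.com",
                                          recipient="friend@example.net", sasl=True),
    "outside sender to local user":  dict(sender="bob@example.net",
                                          recipient="someone@yourdomain.com"),
    "outside sender relaying":       dict(sender="bob@example.net",
                                          recipient="carol@example.org"),
    "authenticated, foreign sender": dict(sender="test@example.net",
                                          recipient="carol@example.org", sasl=True),
}


def compare():
    """Verdict under the weak and the hardened list for every scenario."""
    return {name: (decide(WEAK, **kw), decide(HARDENED, **kw))
            for name, kw in CASES.items()}


if __name__ == "__main__":
    for name, (weak, hard) in compare().items():
        print(f"{name:32} weak={weak:6} hardened={hard}")
```

The first scenario is the one the thread is about: the weak list permits the
spoofed mail because reject_unauth_destination only cares about the recipient
domain, while the hardened list hits the table's "reject" first. The last
scenario shows the side effect noted above: an authenticated client using a
foreign sender domain no longer relays. On Postfix 2.10 and later, remember
that smtpd_relay_restrictions is evaluated too and by default still contains
permit_sasl_authenticated and permit_mynetworks, so the same edit has to be
made there. This check also says nothing about whether the SASL login matches
the sender address; that is what reject_sender_login_mismatch with
smtpd_sender_login_maps is for.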

-----Original Message-----
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On behalf of Catalin Badirca
Sent: 18 May 2016 20:53
To: D'Arcy J.M. Cain <da...@vex.net>
Cc: postfix-users@postfix.org
Subject: Re: Telnet auth

I will try to be more specific. Create a test account that can send emails
from postfix. Telnet to the postfix machine on port 25. Now send an email
from that test account to any other valid email on your domain. You will see
that you are allowed to do so without authentication. The whole world can do
that.
I don't think you will want emails to be sent on your users' behalf inside
your domain.

Is there any way postfix can stop that ?


> On 18 May 2016, at 14:08, D'Arcy J.M. Cain <da...@vex.net> wrote:
> 
> On Wed, 18 May 2016 13:22:49 +0300
> Catalin Badirca <badi...@yahoo.com> wrote:
>> I've tried your suggestion and the issue remains. Someone could 
>> telnet into postfix and would be allowed to send mails from a valid 
>> address to another valid address in mydomain without authentication.
>> 
>> Is there any way I can stop potential spam for mydomain ?
> 
> What do you mean by "telnet into postfix"?  Are you saying that valid 
> users on your system are spamming your other users?  All you can do 
> there is monitor your own house and slap anyone who does that.  It 
> doesn't matter whether they spam their fellow users or the whole world.
> Your users are your responsibility but that's not a technical issue.
> 
> If you mean that someone can connect to your port 25 and send your 
> users spam then yes, welcome to the twenty-first century and the spam 
> problem that everyone is fighting.  That's the daily fight we all 
> have.  There are a number of spam mitigation techniques that you can 
> try.  None of them are 100% effective.  You can block known spam 
> sites, use SPF, greylisting and other tools to slow down spam at the 
> SMTP level and spamassassin, bogofilter and other filters after to 
> catch suspected spam after it is accepted.  Look at spam-fighting 
> sites for some ideas.
> 
> If you do find a way to block 100% of all spam please tell us how.
> Better yet, package it and sell it.  You will be a billionaire.
> 
> --
> D'Arcy J.M. Cain
> System Administrator, Vex.Net
> http://www.Vex.Net/ IM:da...@vex.net
> VoIP: sip:da...@vex.net

