This is what I was looking for. Thank you very very much Sebastian. I will try it right now and will post the result.
Sent from my iPhone

> On 18 May 2016, at 22:07, Sebastian Nielsen <[email protected]> wrote:
>
> Yes.
> Remove permit_sasl_authenticated and permit_mynetworks.
> Then add the following rule instead, immediately BEFORE
> reject_unauth_destination:
> check_sender_access hash:/etc/postfix/relay_auth
>
> Inside the file relay_auth, which must be postmap:ed, you have the
> following:
>
> yourdomain.com: permit_sasl_authenticated, reject
>
> This means when an outsider tries to send from let's say [email protected]
> to [email protected] without authentication, the rule evaluated will
> be:
> " permit_sasl_authenticated, reject, reject_unauth_destination"
> The word "reject" comes before "reject_unauth_destination", thus the mail
> will be rejected despite being to an allowed domain.
> If you instead try to send from a non-"yourdomain.com" domain, then the
> check_sender_access will be skipped, and you will be allowed to send mail to
> local accounts.
>
> This also has another advantage: authenticated accounts CANNOT send from
> another domain than your domain.
>
> You can try for yourself. Try telnetting to this server: dns2.sebbe.eu which
> is my mail server.
> Then try to see if you can send spoofed mail originating from some account
> inside @sebbe.eu to [email protected]
>
> (I however use IP authentication, e.g. only mynetworks are allowed to relay,
> instead of account authentication)
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On behalf of Catalin Badirca
> Sent: 18 May 2016 20:53
> To: D'Arcy J.M. Cain <[email protected]>
> Cc: [email protected]
> Subject: Re: Telnet auth
>
> I will try to be more specific. Create a test account that can send emails
> from postfix. Telnet on the postfix machine on port 25. Now send an email
> from that test account to any other valid email on your domain. You will see
> that you are allowed to do so without authentication. The whole world can do
> that.
> I don't think you will want emails to be sent on your user's behalf inside
> your domain.
>
> Is there any way postfix can stop that?
>
>
>> On 18 May 2016, at 14:08, D'Arcy J.M. Cain <[email protected]> wrote:
>>
>> On Wed, 18 May 2016 13:22:49 +0300
>> Catalin Badirca <[email protected]> wrote:
>>> I've tried your suggestion and the issue remains. Someone could
>>> telnet into postfix and would be allowed to send mails from a valid
>>> address to another valid address in mydomain without authentication.
>>>
>>> Is there any way I can stop potential spam for mydomain?
>>
>> What do you mean by "telnet into postfix"? Are you saying that valid
>> users on your system are spamming your other users? All you can do
>> there is monitor your own house and slap anyone who does that. It
>> doesn't matter whether they spam their fellow users or the whole world.
>> Your users are your responsibility but that's not a technical issue.
>>
>> If you mean that someone can connect to your port 25 and send your
>> users spam then yes, welcome to the twenty-first century and the spam
>> problem that everyone is fighting. That's the daily fight we all
>> have. There are a number of spam mitigation techniques that you can
>> try. None of them are 100% effective. You can block known spam
>> sites, use SPF, greylisting and other tools to slow down spam at the
>> SMTP level and spamassassin, bogofilter and other filters after to
>> catch suspected spam after it is accepted. Look at spam-fighting
>> sites for some ideas.
>>
>> If you do find a way to block 100% of all spam please tell us how.
>> Better yet, package it and sell it. You will be a billionaire.
>>
>> --
>> D'Arcy J.M. Cain
>> System Administrator, Vex.Net
>> http://www.Vex.Net/ IM:[email protected]
>> VoIP: sip:[email protected]
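
The rule ordering described in the quoted reply above, as an added example that is not part of the original thread and is not Postfix code: a simplified Python model of "first verdict wins" evaluation, showing which sender/recipient/authentication combinations are accepted. The addresses, LOCAL_DOMAINS and the Mail type are assumptions made for the illustration.

```python
# Simplified model of the restriction ordering described in the thread.
# Not Postfix code; all addresses and domains are constructed sample values.
from dataclasses import dataclass

LOCAL_DOMAINS = {"yourdomain.com"}  # assumption: domains delivered locally
# Model of the relay_auth lookup: sender domain -> restrictions to apply.
RELAY_AUTH = {"yourdomain.com": ["permit_sasl_authenticated", "reject"]}
RESTRICTIONS = ["check_sender_access", "reject_unauth_destination"]

@dataclass
class Mail:
    sender: str
    recipient: str
    authenticated: bool = False

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def expand(mail, rules=RESTRICTIONS):
    """Replace check_sender_access with the table result for the sender domain."""
    out = []
    for rule in rules:
        if rule == "check_sender_access":
            out.extend(RELAY_AUTH.get(domain(mail.sender), []))  # no match: skipped
        else:
            out.append(rule)
    return out

def decide(mail, rules=RESTRICTIONS):
    """Return 'permit' or 'reject'; the first rule that gives a verdict wins."""
    for rule in expand(mail, rules):
        if rule == "reject":
            return "reject"
        if rule == "permit_sasl_authenticated" and mail.authenticated:
            return "permit"
        if (rule == "reject_unauth_destination"
                and domain(mail.recipient) not in LOCAL_DOMAINS):
            return "reject"
    return "permit"  # end of list reached without a verdict

if __name__ == "__main__":
    cases = [
        Mail("alice@yourdomain.com", "bob@yourdomain.com"),        # spoofed, no auth
        Mail("alice@yourdomain.com", "bob@yourdomain.com", True),  # real user
        Mail("carol@example.org", "bob@yourdomain.com"),           # normal inbound
        Mail("carol@example.org", "dave@example.net", True),       # foreign sender relay
    ]
    for m in cases:
        print(m, "->", decide(m))
```
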
