This is what I was looking for. Thank you very very much Sebastian. I will try
it right now and will post the result.
Sent from my iPhone
> On 18 May 2016, at 22:07, Sebastian Nielsen wrote:
>
> Yes.
> Remove permit_sasl_authenticated and permit_mynetworks.
> Then add the following rule instead, immediately BEFORE
> reject_unauth_destination:
> check_sender_access hash:/etc/postfix/relay_auth
>
> Inside the file relay_auth, which must be postmap:ed, you have the
> following:
>
> yourdomain.com permit_sasl_authenticated, reject
>
> This means when an outsider tries to send from let's say t...@yourdomain.com
> to someot...@yourdomain.com without authentication, the rule evaluated will
> be:
> " permit_sasl_authenticated, reject, reject_unauth_destination"
> The word "reject" comes before "reject_unauth_destination", thus the mail
> will be rejected despite being to an allowed domain.
> If you instead try to send from a non-"yourdomain.com" domain, then the
> check_sender_access will be skipped, and you will be allowed to send mail to
> local accounts.
>
> This also has another advantage: authenticated accounts CANNOT send from
> another domain than your domain.
>
> You can try for yourself. Try telnetting to this server: dns2.sebbe.eu which
> is my mail server.
> Then try to see if you can send spoofed mail originating from some account
> inside @sebbe.eu to sebast...@sebbe.eu
>
> (I however use IP authentication, eg only mynetworks are allowed to relay,
> instead of account authentication)
>
> -Original message-
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On behalf of Catalin Badirca
> Sent: 18 May 2016 20:53
> To: D'Arcy J.M. Cain
> Cc: postfix-users@postfix.org
> Subject: Re: Telnet auth
>
> I will try to be more specific. Create a test account that can send emails
> from postfix. Telnet on the postfix machine on port 25. Now send an email
> from that test account to any other valid email on your domain. You will see
> that you are allowed to do so without authentication. The whole world can do
> that.
> I don't think you will want emails to be sent on your users' behalf inside
> your domain.
>
> Is there any way postfix can stop that?
>
>
>> On 18 May 2016, at 14:08, D'Arcy J.M. Cain wrote:
>>
>> On Wed, 18 May 2016 13:22:49 +0300
>> Catalin Badirca wrote:
>>> I've tried your suggestion and the issue remains. Someone could
>>> telnet into postfix and would be allowed to send mails from a valid
>>> address to another valid address in mydomain without authentication.
>>>
>>> Is there any way I can stop potential spam for mydomain?
>>
>> What do you mean by "telnet into postfix"? Are you saying that valid
>> users on your system are spamming your other users? All you can do
>> there is monitor your own house and slap anyone who does that. It
>> doesn't matter whether they spam their fellow users or the whole world.
>> Your users are your responsibility but that's not a technical issue.
>>
>> If you mean that someone can connect to your port 25 and send your
>> users spam then yes, welcome to the twenty-first century and the spam
>> problem that everyone is fighting. That's the daily fight we all
>> have. There are a number of spam mitigation techniques that you can
>> try. None of them are 100% effective. You can block known spam
>> sites, use SPF, greylisting and other tools to slow down spam at the
>> SMTP level and spamassassin, bogofilter and other filters after to
>> catch suspected spam after it is accepted. Look at spam-fighting
>> sites for some ideas.
>>
>> If you do find a way to block 100% of all spam please tell us how.
>> Better yet, package it and sell it. You will be a billionaire.
>>
>> --
>> D'Arcy J.M. Cain
>> System Administrator, Vex.Net
>> http://www.Vex.Net/ IM:da...@vex.net
>> VoIP: sip:da...@vex.net
>
>
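A simplified Python model of the restriction evaluation described in the quoted reply, added here as an example; it is not Postfix code and was not posted by anyone in the thread. The "before" restriction list, the mydestination and mynetworks values and all addresses are assumptions, and only the restrictions named in the thread are modelled.

```python
# Simplified model of Postfix smtpd restriction evaluation (added example,
# not Postfix code). All addresses and table contents are constructed.
LOCAL_DOMAINS = {"yourdomain.com"}   # assumed mydestination
MYNETWORKS = {"127.0.0.1"}           # assumed mynetworks
# relay_auth as an access(5) table: lookup key -> list of actions
RELAY_AUTH = {"yourdomain.com": ["permit_sasl_authenticated", "reject"]}

BEFORE = ["permit_mynetworks", "permit_sasl_authenticated",
          "reject_unauth_destination"]   # assumed original restriction list
AFTER = ["check_sender_access", "reject_unauth_destination"]


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def walk(rules, ip, sender, rcpt, authed):
    """Return the first decisive verdict, or None if every rule passes."""
    for rule in rules:
        verdict = None
        if rule == "permit_mynetworks" and ip in MYNETWORKS:
            verdict = "PERMIT"
        elif rule == "permit_sasl_authenticated" and authed:
            verdict = "PERMIT"
        elif rule == "reject":
            verdict = "REJECT"
        elif rule == "reject_unauth_destination":
            if domain(rcpt) not in LOCAL_DOMAINS:
                verdict = "REJECT"
        elif rule == "check_sender_access":
            # A table hit splices the stored actions in at this position.
            actions = RELAY_AUTH.get(domain(sender), [])
            verdict = walk(actions, ip, sender, rcpt, authed)
        if verdict:
            return verdict
    return None


def evaluate(rules, ip, sender, rcpt, authed=False):
    # Reaching the end of the list without a verdict means the mail is accepted.
    return walk(rules, ip, sender, rcpt, authed) or "PERMIT"


if __name__ == "__main__":
    outside = "203.0.113.9"   # constructed client address
    spoof = (outside, "alice@yourdomain.com", "bob@yourdomain.com")
    print("before:", evaluate(BEFORE, *spoof))
    print("after: ", evaluate(AFTER, *spoof))
```

On a real server, `postmap -q yourdomain.com hash:/etc/postfix/relay_auth` shows whether the table key actually matches after the file has been postmapped.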