Now I want to know what you mean with "potential source of spam". If you are afraid of the site getting hacked, there's nothing you can do, as with "local postfix", I assume both postfix and the website run off the same machine. Regardless of which settings you do on the postfix, an attacker can then always neutralize those settings.

If you are talking about the website getting misused by spammers to send your files to users that haven't asked for them, I would suggest this:

Add a captcha. You could use either Google's reCAPTCHA service, or another good captcha system. This prevents automated spambots from using your service.

Make sure the user is not allowed to upload files that can later be sent via email. This makes the service useless for advertising third-party things. If you have some facility that allows uploading of files and it's intended that users should later be able to mail these files, make sure that files cannot be selected for sending to email if you as an admin have not approved the file first. (This could technically be made by having a "pending" folder and an "email" folder. Newly uploaded files are put into the "pending" folder. When you as admin approve a file, you just move it from "pending" to the "email" folder. Only files present in the "email" folder can be selected for sending via email.) This prevents a spammer from uploading for example an HTML advertisement or a JPEG containing an advertisement, or a virus, and then using your service to distribute the files. Needless to say, the user shouldn't be able to in any way customize the text in the email, and only one file and one email address should be able to be specified at a time.

Only allow one email per IP and e-mail address per day. This lock should be able to be released, see later about this. So if either IP or email address matches a time-limited lock, the email is rejected. Add 2 links in the email. The first link is "I approve this email. Release the lock". The second link is "I don't approve this email. Unsubscribe or block.". When the user clicks the first link, the email address will be added to a "whitelist", and the IP-lock is removed. Any email that is in the whitelist will not cause the client to get a 24 hour IP-lock. The link is one-use only. Any emails sent to a whitelisted address should NOT have the approve link.

This is then a "confirmed opt-in", so the user can send unlimited files to himself without getting IP-locked. If the user sends email to an address he doesn't control, he has to wait 24 hours before sending a new email. Even if he first sends an email to his own address and clicks the link, the person will not gain any advantage from this, since he only unlocks his own address. The second link does not have any time limit and has an unlimited number of uses, and will remove the email address from any whitelist. If the email was NOT on the whitelist, the user in question will be permanently IP-banned, and the email is then put on a blacklist so it cannot receive email from your site anymore. (This means that if you want to go straight from whitelist to blacklist, you have to click the link 2 times; this allows the user to unsubscribe without getting banned.) By having this "double-opt-in" of each email, you basically make the service useless to a spammer since he can only send one email per day to email addresses he doesn't control, and unlimited emails to addresses he controls (but then it's not spam).

-----Original message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of Eric Abrahamsen
Sent: 20 December 2015 06:59
To: postfix-users@postfix.org
Subject: Sanitizing email sent from webapp

I have a server with postfix running my personal and work emails, alongside my company's website, which is written in Python/Django. The website has some "send an email through the webapp" functionality. Back when my work email was hosted as a Google App this was fine, I just used Google's SMTP settings. Now email runs through the local postfix, and I shut off several of the functions until I had time to learn to set it up properly. I'm hoping someone here can give some pointers so that I can avoid turning the site into a potential source of spam.

Right now the only functionality I've left running is automatic error emails, as that can only be sent to my address. Currently, the default SMTP settings in the Django site look like this:

    SERVER_EMAIL = post...@mycompany.com
    EMAIL_HOST = "localhost"
    EMAIL_HOST_USER = None
    EMAIL_HOST_PASSWORD = None
    DEFAULT_FROM_EMAIL = "My Company <post...@mycompany.com>"

I don't think the above is an especially good idea, but given the circumstances it didn't seem too risky. Here's what I hope will be all the relevant postfix settings:

    myorigin = /etc/mailname
    append_dot_mydomain = no
    smtpd_use_tls = yes
    <omitting smtpd_tls options>
    myhostname = mail.ericabrahamsen.net
    mydomain = mail.ericabrahamsen.net
    mydestination = localhost.ericabrahamsen.net, mail.ericabrahamsen.net, localhost, mail.mycompany.com, localhost.mycompany.com, <servername>
    mynetworks = 127.0.0.0/8
    smtpd_helo_required = yes
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_unknown_helo_hostname
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, reject_non_fqdn_sender
        check_policy_service inet:localhost:12340
    smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/access, reject_unknown_sender_domain, reject_sender_login_mismatch
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_sender_login_maps = $virtual_mailbox_maps
    smtpd_banner = $myhostname ESMTP

I need to add two new email functions (each of which can have their own SMTP settings):

1. Allow visitors to send an email to one of us in the company (local delivery only, email should appear to come from i...@mycompany.com)
2. Allow visitors to email themselves selected files from my server (delivery to anywhere, email should appear to come from p...@mycompany.com)

Obviously the second one is the one I'm worried about -- it could potentially turn into an open relay. Django does quite a bit of work to prevent firehose emailing, but still. I've got spamassassin running, and it does okay. But I don't know how to make 100% sure that mail sent through both of the above functions gets spam filtered. Should I be routing mail through special transports? I'm also worried that the fact I've got "permit_mynetworks" in all the smtpd_*_restrictions lists means that postscreen etc isn't going to run, and a whole lot of spam is going to get through.

Anyway, apologies for the very long message. Any advice would be very welcome!

Thanks,
Eric
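The pending/approved file folders, the per-IP and per-address 24-hour lock, the one-use "approve" link and the reusable "unsubscribe or block" link described in the reply above, as an added Python example that is not part of this thread and not code from either poster. It models the state in memory with a pluggable clock so the lock expiry can be exercised; the class name SendGate, the token formats, and the choice of tying the unsubscribe link to an HMAC over the recipient address (so it is unforgeable yet never expires, as the reply wants) are assumptions of this example, and the Django side (persisting the state, rendering the links, actually handing the message to postfix) is left out.

```python
import hashlib
import hmac
import secrets
import time

LOCK_SECONDS = 24 * 60 * 60   # "one email per IP and e-mail address per day"


class SendGate:
    """Confirmed-opt-in gate for a 'mail me this file' feature (illustrative, in-memory)."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret          # server-side key for the unsubscribe HMAC (assumed)
        self.clock = clock            # injectable so tests can move time forward
        self.pending_files = set()    # the "pending" folder: uploaded, not yet admin-approved
        self.approved_files = set()   # the "email" folder: only these may be mailed out
        self.ip_locks = {}            # ip -> unix time when its 24h lock expires
        self.addr_locks = {}          # recipient -> unix time when its 24h lock expires
        self.whitelist = set()        # recipients who clicked "approve"
        self.blacklist = set()        # recipients blocked via the second link
        self.banned_ips = set()       # IPs permanently banned via the second link
        self.approve_tokens = {}      # one-use token -> (recipient, sender ip)
        self.last_sender_ip = {}      # recipient -> ip that last mailed them (used for the ban)

    # --- admin file-approval workflow: "pending" folder -> "email" folder ---
    def upload(self, filename):
        self.pending_files.add(filename)

    def admin_approve_file(self, filename):
        self.pending_files.discard(filename)
        self.approved_files.add(filename)

    # --- sending ---
    def _locked(self, table, key):
        return table.get(key, 0) > self.clock()

    def unsubscribe_token(self, recipient):
        # Stable and reusable: derived from the address, so the link never expires.
        msg = b"unsub:" + recipient.encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def request_send(self, ip, recipient, filename):
        """One file, one recipient per request. Returns (accepted, reason, link tokens)."""
        if filename not in self.approved_files:
            return False, "file not approved by admin", {}
        if ip in self.banned_ips or recipient in self.blacklist:
            return False, "sender banned or recipient blocked", {}
        links = {"unsubscribe": self.unsubscribe_token(recipient)}
        if recipient in self.whitelist:
            # Confirmed opt-in: unlimited sends, no lock set, and no approve link in the mail.
            return True, "whitelisted", links
        if self._locked(self.ip_locks, ip) or self._locked(self.addr_locks, recipient):
            return False, "one mail per IP and per address per 24h", {}
        expiry = self.clock() + LOCK_SECONDS
        self.ip_locks[ip] = expiry
        self.addr_locks[recipient] = expiry
        self.last_sender_ip[recipient] = ip
        token = secrets.token_urlsafe(32)          # unguessable, one-use
        self.approve_tokens[token] = (recipient, ip)
        links["approve"] = token
        return True, "accepted, locks set", links

    # --- link handlers ---
    def click_approve(self, token):
        """'I approve this email. Release the lock.' Whitelists the address, frees the IP."""
        entry = self.approve_tokens.pop(token, None)   # pop makes the link one-use
        if entry is None:
            return False
        recipient, ip = entry
        self.whitelist.add(recipient)
        self.ip_locks.pop(ip, None)
        return True

    def click_unsubscribe(self, recipient, token):
        """'I don't approve this email. Unsubscribe or block.' Reusable, no time limit."""
        if not hmac.compare_digest(token, self.unsubscribe_token(recipient)):
            return "invalid"
        if recipient in self.whitelist:
            self.whitelist.discard(recipient)      # first click: just unsubscribe, no ban
            return "unsubscribed"
        self.blacklist.add(recipient)              # not whitelisted: block address, ban sender IP
        ip = self.last_sender_ip.get(recipient)
        if ip is not None:
            self.banned_ips.add(ip)
        return "blocked"
```

The two links deliberately differ in lifetime: the approve token is random and consumed on first use, because it unlocks something, while the unsubscribe token only ever reduces what the service will do and so can safely be derived from the address and stay valid forever. Note that a whitelisted recipient never sets a new IP lock, which is exactly why the whitelist must be per-address and only reachable through the recipient's own click.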