Re: is my server an open relay?
Well,

To determine whether you are an open relay, there are a couple of things you can do:

Google for open relay check
From a remote site send an email from another domain to another domain through your mail server
Check your settings against the manual

HTH

Regards,

Serge Fonville

On Thu, Aug 20, 2009 at 2:54 PM, Israel Garcia <igalva...@gmail.com> wrote:
> My scenario: I have a lot of postfix servers, and each one is used to send mail directly to the Internet, so it's difficult to monitor them.
>
> What I want? To have the postfix on all my servers send all their external mail to a smarthost server in my network. I mean, the smarthost must receive mail ONLY from my servers and relay that mail to the Internet. Remember I have a lot of different servers and domains, so I don't know how to configure this smarthost, because in some way it's becoming an open relay.
>
> My question: How can I set up a secure smarthost in my network that receives mail ONLY from my servers and relays all mail directly to the Internet? Include some configuration if possible.
>
> regards,
> Israel.
Re: is my server an open relay?
Israel Garcia wrote:
> My scenario: I have a lot of postfix servers, and each one is used to send mail directly to the Internet, so it's difficult to monitor them.
>
> What I want? To have the postfix on all my servers send all their external mail to a smarthost server in my network. I mean, the smarthost must receive mail ONLY from my servers and relay that mail to the Internet. Remember I have a lot of different servers and domains, so I don't know how to configure this smarthost, because in some way it's becoming an open relay.
>
> My question: How can I set up a secure smarthost in my network that receives mail ONLY from my servers and relays all mail directly to the Internet? Include some configuration if possible.

if you know the IP addresses of your lots of different servers and domains, just use the mynetworks directive [1]

And most important, RTFM [2]

[1] http://www.postfix.org/postconf.5.html#mynetworks
[2] http://www.postfix.org/STANDARD_CONFIGURATION_README.html

--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
Re: is my server an open relay?
Israel Garcia wrote:
> Yes, I did it, I put all my servers' IPs inside mynetworks in main.cf... BUT I noticed that a user from any server can send mail using any sender and it's a big problem, because any user can send spam from inside my network to the Internet. How can I block this user from sending mail with any sender address?
>
> regards,
> Israel.
>
> On Thu, Aug 20, 2009 at 8:07 AM, Udo Rader <list...@bestsolution.at> wrote:
>> Israel Garcia wrote:
>>> My scenario: I have a lot of postfix servers, and each one is used to send mail directly to the Internet, so it's difficult to monitor them.
>>>
>>> What I want? To have the postfix on all my servers send all their external mail to a smarthost server in my network. I mean, the smarthost must receive mail ONLY from my servers and relay that mail to the Internet. Remember I have a lot of different servers and domains, so I don't know how to configure this smarthost, because in some way it's becoming an open relay.
>>>
>>> My question: How can I set up a secure smarthost in my network that receives mail ONLY from my servers and relays all mail directly to the Internet? Include some configuration if possible.
>>
>> if you know the IP addresses of your lots of different servers and domains, just use the mynetworks directive [1]
>>
>> And most important, RTFM [2]
>>
>> [1] http://www.postfix.org/postconf.5.html#mynetworks
>> [2] http://www.postfix.org/STANDARD_CONFIGURATION_README.html

please don't top post and please don't reply off-list.

then, as suggested in http://www.postfix.org/DEBUG_README.html#mail show what postconf -n gives and post log excerpts for the described problem from the affected server.

--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
Re: is my server an open relay?
Serge,

I mean I'm an open relay to my servers, because any user from any server can send mail putting any sender... I'm looking for a way to block that...

regards,
Israel.

On Thu, Aug 20, 2009 at 8:02 AM, Serge Fonville <serge.fonvi...@gmail.com> wrote:
> Well,
>
> To determine whether you are an open relay, there are a couple of things you can do:
>
> Google for open relay check
> From a remote site send an email from another domain to another domain through your mail server
> Check your settings against the manual
>
> HTH
>
> Regards,
>
> Serge Fonville
>
> On Thu, Aug 20, 2009 at 2:54 PM, Israel Garcia <igalva...@gmail.com> wrote:
>> My scenario: I have a lot of postfix servers, and each one is used to send mail directly to the Internet, so it's difficult to monitor them.
>>
>> What I want? To have the postfix on all my servers send all their external mail to a smarthost server in my network. I mean, the smarthost must receive mail ONLY from my servers and relay that mail to the Internet. Remember I have a lot of different servers and domains, so I don't know how to configure this smarthost, because in some way it's becoming an open relay.
>>
>> My question: How can I set up a secure smarthost in my network that receives mail ONLY from my servers and relays all mail directly to the Internet? Include some configuration if possible.
>>
>> regards,
>> Israel.

--
Regards;
Israel Garcia
Re: is my server an open relay?
My bad, I misunderstood the question, skimmed the msg too fast ;-)
Sorry 'bout that

As mentioned, read the section on mynetworks

Regards,

Serge Fonville

On Thu, Aug 20, 2009 at 3:23 PM, Israel Garcia <igalva...@gmail.com> wrote:
> Serge,
>
> I mean I'm an open relay to my servers, because any user from any server can send mail putting any sender... I'm looking for a way to block that...
>
> regards,
> Israel.
>
> On Thu, Aug 20, 2009 at 8:02 AM, Serge Fonville <serge.fonvi...@gmail.com> wrote:
>> Well,
>>
>> To determine whether you are an open relay, there are a couple of things you can do:
>>
>> Google for open relay check
>> From a remote site send an email from another domain to another domain through your mail server
>> Check your settings against the manual
>>
>> HTH
>>
>> Regards,
>>
>> Serge Fonville
>>
>> On Thu, Aug 20, 2009 at 2:54 PM, Israel Garcia <igalva...@gmail.com> wrote:
>>> My scenario: I have a lot of postfix servers, and each one is used to send mail directly to the Internet, so it's difficult to monitor them.
>>>
>>> What I want? To have the postfix on all my servers send all their external mail to a smarthost server in my network. I mean, the smarthost must receive mail ONLY from my servers and relay that mail to the Internet. Remember I have a lot of different servers and domains, so I don't know how to configure this smarthost, because in some way it's becoming an open relay.
>>>
>>> My question: How can I set up a secure smarthost in my network that receives mail ONLY from my servers and relays all mail directly to the Internet? Include some configuration if possible.
>>>
>>> regards,
>>> Israel.
>
> --
> Regards;
> Israel Garcia
Re: is my server an open relay?
This is the postconf -n on my smarthost server.

server:/etc/postfix# postconf -n
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 1024000
mydestination =
myhostname = server.domain
mynetworks = 127.0.0.0/8 xx.xx.xx.xx #-- my.network.subnet
myorigin = /etc/mailname
readme_directory = no
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name
transport_maps = hash:/etc/postfix/transport

With this conf, only the IPs from mynetworks relay mail through the smarthost. BUT, I repeat, users can send mail from their servers using any sender address. How can I block this?

regards,
israel.

On Thu, Aug 20, 2009 at 8:30 AM, Serge Fonville <serge.fonvi...@gmail.com> wrote:
> My bad, I misunderstood the question, skimmed the msg too fast ;-)
> Sorry 'bout that
>
> As mentioned, read the section on mynetworks
>
> Regards,
>
> Serge Fonville
>
> On Thu, Aug 20, 2009 at 3:23 PM, Israel Garcia <igalva...@gmail.com> wrote:
>> Serge,
>>
>> I mean I'm an open relay to my servers, because any user from any server can send mail putting any sender... I'm looking for a way to block that...
>>
>> regards,
>> Israel.
>>
>> On Thu, Aug 20, 2009 at 8:02 AM, Serge Fonville <serge.fonvi...@gmail.com> wrote:
>>> Well,
>>>
>>> To determine whether you are an open relay, there are a couple of things you can do:
>>>
>>> Google for open relay check
>>> From a remote site send an email from another domain to another domain through your mail server
>>> Check your settings against the manual
>>>
>>> HTH
>>>
>>> Regards,
>>>
>>> Serge Fonville
>>>
>>> On Thu, Aug 20, 2009 at 2:54 PM, Israel Garcia <igalva...@gmail.com> wrote:
>>>> My scenario: I have a lot of postfix servers, and each one is used to send mail directly to the Internet, so it's difficult to monitor them.
>>>>
>>>> What I want? To have the postfix on all my servers send all their external mail to a smarthost server in my network. I mean, the smarthost must receive mail ONLY from my servers and relay that mail to the Internet. Remember I have a lot of different servers and domains, so I don't know how to configure this smarthost, because in some way it's becoming an open relay.
>>>>
>>>> My question: How can I set up a secure smarthost in my network that receives mail ONLY from my servers and relays all mail directly to the Internet? Include some configuration if possible.
>>>>
>>>> regards,
>>>> Israel.
>>
>> --
>> Regards;
>> Israel Garcia

--
Regards;
Israel Garcia
Re: is my server an open relay?
Israel Garcia wrote:
> This is the postconf -n on my smarthost server.
>
> server:/etc/postfix# postconf -n
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> inet_interfaces = all
> mailbox_size_limit = 1024000
> mydestination =
> myhostname = server.domain
> mynetworks = 127.0.0.0/8 xx.xx.xx.xx #-- my.network.subnet
> myorigin = /etc/mailname
> readme_directory = no
> relayhost =
> smtpd_banner = $myhostname ESMTP $mail_name
> transport_maps = hash:/etc/postfix/transport
>
> With this conf, only the IPs from mynetworks relay mail through the smarthost. BUT, I repeat, users can send mail from their servers using any sender address. How can I block this?

once more: please don't top post.

And yet once more: please post log excerpts showing the misbehaviour (a user [...] sending mail from their servers using any server address).

what do you mean by any sender address? An IP address or an email address?

And your problem is probably that you did not define who is allowed to use your server as a relay, read

http://www.postfix.org/postconf.5.html#smtpd_client_restrictions

it should be something like:

smtpd_client_restrictions = permit_mynetworks reject

--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
Re: is my server an open relay?
Israel Garcia wrote:
> This is the postconf -n on my smarthost server.
>
> server:/etc/postfix# postconf -n
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> inet_interfaces = all
> mailbox_size_limit = 1024000
> mydestination =
> myhostname = server.domain
> mynetworks = 127.0.0.0/8 xx.xx.xx.xx #-- my.network.subnet
> myorigin = /etc/mailname
> readme_directory = no
> relayhost =
> smtpd_banner = $myhostname ESMTP $mail_name
> transport_maps = hash:/etc/postfix/transport
>
> With this conf, only the IPs from mynetworks relay mail through the smarthost. BUT, I repeat, users can send mail from their servers using any sender address. How can I block this?

You can prevent relaying by unwanted systems by properly specifying mynetworks.

You can prevent access by unauthenticated users by using SASL on your smarthosts:

http://www.postfix.org/SASL_README.html

Although it's not appropriate for general use, you could prevent users from sending using bogus email addresses by using Sender Address Verification on your own servers:

http://www.postfix.org/ADDRESS_VERIFICATION_README.html

Terry
Re: is my server an open relay?
Please stop the top-posting.

On Thursday 20 August 2009 09:09:34 Israel Garcia wrote:
> This is the postconf -n on my smarthost server.
> myhostname = server.domain

Typically myhostname should be a real DNS name, resolvable from outside, and should also be the value of the PTR for the IP address.

> mynetworks = 127.0.0.0/8 xx.xx.xx.xx #-- my.network.subnet

1. Munging essential information will make it impossible for you to get real help.
2. You're going to have to limit this to hosts that you TRUST. If that's the empty set, unset it: mynetworks =.

> myorigin = /etc/mailname

Be sure to read your Debian README for Debian-specific information.

> transport_maps = hash:/etc/postfix/transport

Why?

> With this conf, only the IPs from mynetworks relay mail through the smarthost. BUT, I repeat, users can send mail from their servers using any sender address. How can I block this?

Did you know that this default behavior has always existed for mail systems? Did you know that this is a FAQ on this list, I believe already asked once this week?

Is this an actual problem, or a theoretical one? If you have actual abusers (senders using external addresses are probably not real abusers, but that's for you to decide) revoke their access to your network. Political/social problems generally do not have solutions that are technological.

The answer, repeated for you and yet again for the archives, is to require and enforce authentication, and use smtpd_sender_login_maps, listing sender addresses you allow for each SASL AUTH user.

http://www.postfix.org/SASL_README.html
http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

You then use reject_authenticated_sender_login_mismatch *before* permit_sasl_authenticated in your smtpd_recipient_restrictions.

--
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
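
An added example, not part of the thread and not Postfix code: a simplified Python model of how a restriction list is walked, showing why a mynetworks-only chain accepts any sender and why reject_authenticated_sender_login_mismatch has to come before permit_sasl_authenticated. The addresses, login names, networks and map contents are constructed, and the lookup (full address, then @domain) is a simplification of Postfix's real lookup order.

```python
import ipaddress

# Constructed smtpd_sender_login_maps source (Postfix map syntax:
# sender address, whitespace, the SASL login names that own it).
SENDER_LOGIN_MAPS = """\
# sender              owning SASL login(s)
web@shop.example      web01
alerts@ops.example    mon01, web01
@lists.example        lists01
"""
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]  # constructed (documentation range)

# Restriction lists as they would appear in main.cf.
WEAK = "permit_mynetworks, reject"  # trusts the client IP only
FIXED = "reject_authenticated_sender_login_mismatch, permit_sasl_authenticated, reject"
WRONG_ORDER = "permit_sasl_authenticated, reject_authenticated_sender_login_mismatch, reject"


def parse_login_maps(text):
    """Return {sender_key: set(login names)} from map source text."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        sender, owners = line.split(None, 1)
        table[sender.lower()] = set(owners.replace(",", " ").split())
    return table


def owners_of(table, sender):
    """Simplified lookup: the full address first, then the @domain key."""
    sender = sender.lower()
    return table.get(sender) or table.get("@" + sender.rpartition("@")[2], set())


def evaluate(restrictions, client_ip, sasl_user, mail_from, table):
    """Walk the list left to right; the first decisive restriction wins."""
    for name in restrictions.replace(",", " ").split():
        if name == "reject_authenticated_sender_login_mismatch":
            if sasl_user and sasl_user not in owners_of(table, mail_from):
                return "REJECT"
        elif name == "permit_sasl_authenticated" and sasl_user:
            return "OK"
        elif name == "permit_mynetworks":
            ip = ipaddress.ip_address(client_ip)
            if any(ip in ipaddress.ip_network(net) for net in MYNETWORKS):
                return "OK"
        elif name == "reject":
            return "REJECT"
    return "DUNNO"  # nothing matched; not reached by the lists above


if __name__ == "__main__":
    table = parse_login_maps(SENDER_LOGIN_MAPS)
    for label, chain in (("weak", WEAK), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        # Constructed session: host in mynetworks, logged in as web01, foreign sender.
        print(label, evaluate(chain, "192.0.2.10", "web01", "someone@elsewhere.example", table))
```

For the constructed session, the weak and wrong-order chains both accept the foreign sender; only the fixed chain rejects it, and it also rejects clients that have not authenticated at all.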
Re: is my server an open relay?
check your server:

http://www.mxtoolbox.com/

is your server an open relay?

You must use SMTP authentication.

2009/8/20 Israel Garcia <igalva...@gmail.com>:
> My scenario: I have a lot of postfix servers, and each one is used to send mail directly to the Internet, so it's difficult to monitor them.
>
> What I want? To have the postfix on all my servers send all their external mail to a smarthost server in my network. I mean, the smarthost must receive mail ONLY from my servers and relay that mail to the Internet. Remember I have a lot of different servers and domains, so I don't know how to configure this smarthost, because in some way it's becoming an open relay.
>
> My question: How can I set up a secure smarthost in my network that receives mail ONLY from my servers and relays all mail directly to the Internet? Include some configuration if possible.
>
> regards,
> Israel.

--
Jose Alberto Pertuz
GNU-Linux user #452473
Caracas,Venezuela
58+414+1279657
Re: is my server an open relay?
On Thu, Aug 20, 2009 at 11:32 AM, /dev/rob0 <r...@gmx.co.uk> wrote:
> Please stop the top-posting.

OK, I'm sorry.

> On Thursday 20 August 2009 09:09:34 Israel Garcia wrote:
>> This is the postconf -n on my smarthost server.
>> myhostname = server.domain

DONE!

> Typically myhostname should be a real DNS name, resolvable from outside, and should also be the value of the PTR for the IP address.
>
>> mynetworks = 127.0.0.0/8 xx.xx.xx.xx #-- my.network.subnet
>
> 1. Munging essential information will make it impossible for you to get real help.
> 2. You're going to have to limit this to hosts that you TRUST. If that's the empty set, unset it: mynetworks =.
>
>> myorigin = /etc/mailname
>
> Be sure to read your Debian README for Debian-specific information.
>
>> transport_maps = hash:/etc/postfix/transport
>
> Why?

DELETED!

>> With this conf, only the IPs from mynetworks relay mail through the smarthost. BUT, I repeat, users can send mail from their servers using any sender address. How can I block this?
>
> Did you know that this default behavior has always existed for mail systems? Did you know that this is a FAQ on this list, I believe already asked once this week?
>
> Is this an actual problem, or a theoretical one? If you have actual abusers (senders using external addresses are probably not real abusers, but that's for you to decide) revoke their access to your network. Political/social problems generally do not have solutions that are technological.

theoretical.

> The answer, repeated for you and yet again for the archives, is to require and enforce authentication, and use smtpd_sender_login_maps, listing sender addresses you allow for each SASL AUTH user.
>
> http://www.postfix.org/SASL_README.html
> http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
>
> You then use reject_authenticated_sender_login_mismatch *before* permit_sasl_authenticated in your smtpd_recipient_restrictions.
>
> --
> Offlist mail to this address is discarded unless
> /dev/rob0 or not-spam is in Subject: header

well, here's my actual postconf -n

append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mailbox_size_limit = 1024000
mydestination =
myhostname = vps198.domain.xxx
mynetworks = 127.0.0.0/8 67.XXX.XX.0/24
myorigin = /etc/mailname
readme_directory = no
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = reject_unknown_sender_domain, check_client_access hash:/etc/postfix/access, permit_mynetworks, reject
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_error_sleep_time = 60
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipients, permit_mynetworks, reject
smtpd_restriction_classes = no_spam
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/blackwhitelist
smtpd_soft_error_limit = 60
virtual_alias_maps = hash:/etc/postfix/virtual

Now that I control all mail on this server, what would you add to this configuration in order to improve the quality of my mail service?

Thanks.

--
Regards;
Israel Garcia