Hello, and thank you in advance for your time! I have been setting up a mail server for more than a week, and after reading several posts/articles and some pages of the Postfix manual, I'm a little confused about how to set up the security. The mail server is outside my LAN and it will be used to serve some domains, with maybe 10 users per domain.
This is my main.cf (restrictions):

    smtpd_data_restrictions = reject_unauth_pipelining

    smtpd_recipient_restrictions =
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        permit_mynetworks,
        permit_sasl_authenticated,
        # reject_unknown_sender_domain,
        # reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_invalid_helo_hostname,
        reject_unlisted_recipient,
        reject_unlisted_sender,
        reject_invalid_hostname,
        # reject_non_fqdn_hostname,
        # reject_unknown_client_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        permit

I commented those lines after reading in this mailing list that it was not a good idea for a mail server that will receive/send mails from the internet.

I wanted to force the users to authenticate in order to send mails, with:

    #smtpd_client_restrictions = permit_sasl_authenticated,reject

But for some reason, when I use that line and I send a mail from gmail to one of the test accounts, it is bounced with a "Client host rejected: Access denied" error. I thought it was only for those wishing to use the SMTP server for sending emails... but it is not... right?

So, what I don't understand about the restrictions is:

1. If I don't include the "smtpd_client_restrictions = permit_sasl_authenticated,reject" line, anyone can use my SMTP to send emails without authentication if it is not rejected by other rules (e.g., reject_unlisted_sender, etc.)

2. Even with the "smtpd_client_restrictions" rule, if I use that server as SMTP server, I can send an email to a local account (t...@myhostname.com) without authentication! (and outside mynetworks). Why is that possible?

Thank you!
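The two observations in the post both follow from how Postfix walks its restriction lists: every client (a remote MX delivering inbound mail included) is run through smtpd_client_restrictions, and within each list the first restriction that says OK or REJECT decides, while the rest say "no opinion" (DUNNO) and the end of the list means permit. The script below is an added example that is not part of the original post and not Postfix's own code; it is a deliberately simplified model of that evaluation (HELO, DNS and RBL checks are treated as "no opinion" because they need the network), with constructed values for mynetworks, mydestination, the local recipient table and the client sessions. It runs the posted smtpd_recipient_restrictions, with and without the commented-out smtpd_client_restrictions line, and also a hypothetical submission service (port 587) where the "authenticated clients only" rule belongs.

```python
"""Simplified model of how Postfix evaluates smtpd_*_restrictions lists.

Added example, not Postfix's own code. Each restriction returns OK (accept,
stop), REJECT (refuse, stop) or DUNNO (no opinion, keep going); an exhausted
list means permit. Site values and sessions below are constructed.
"""
from dataclasses import dataclass

# Constructed stand-ins for main.cf values (assumptions, not the poster's).
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}
MYDESTINATION = {"myhostname.com"}
LOCAL_RECIPIENTS = {"test@myhostname.com"}


@dataclass(frozen=True)
class Session:
    client_ip: str
    sasl_authenticated: bool
    sender: str
    recipient: str


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def apply_restriction(name: str, s: Session):
    """Return (result, reject_text) for one restriction of a list."""
    if name == "permit":
        return "OK", ""
    if name == "reject":
        return "REJECT", "Access denied"
    if name == "permit_mynetworks":
        return ("OK", "") if s.client_ip in MYNETWORKS else ("DUNNO", "")
    if name == "permit_sasl_authenticated":
        return ("OK", "") if s.sasl_authenticated else ("DUNNO", "")
    if name == "reject_unauth_destination":
        # Mail for our own domains is delivery, not relaying: no opinion.
        if _domain(s.recipient) in MYDESTINATION:
            return "DUNNO", ""
        return "REJECT", "Relay access denied"
    if name == "reject_unlisted_recipient":
        if (_domain(s.recipient) in MYDESTINATION
                and s.recipient.lower() not in LOCAL_RECIPIENTS):
            return "REJECT", "User unknown in local recipient table"
        return "DUNNO", ""
    if name == "reject_non_fqdn_sender":
        ok = "." in _domain(s.sender)
        return ("DUNNO", "") if ok else ("REJECT", "need fully-qualified sender")
    if name == "reject_non_fqdn_recipient":
        ok = "." in _domain(s.recipient)
        return ("DUNNO", "") if ok else ("REJECT", "need fully-qualified recipient")
    # HELO, DNS and RBL checks need the network; modelled as "no opinion".
    return "DUNNO", ""


def evaluate_list(restrictions, s: Session):
    """First OK or REJECT wins; an exhausted list is an implicit permit."""
    for name in restrictions:
        result, text = apply_restriction(name, s)
        if result != "DUNNO":
            return result, name, text
    return "OK", "(end of list)", ""


def smtpd_decision(stages, s: Session):
    """stages: ordered (stage_name, restriction_list) pairs, as smtpd runs
    them. A REJECT in any stage refuses the mail; returns (accepted, why)."""
    for stage, restrictions in stages:
        result, name, text = evaluate_list(restrictions, s)
        if result == "REJECT":
            return False, f"{stage}: {name} -> {text}"
    return True, "accepted"


# The poster's smtpd_recipient_restrictions, verbatim order.
POSTED_RECIPIENT_RESTRICTIONS = [
    "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
    "permit_mynetworks", "permit_sasl_authenticated",
    "reject_unauth_destination", "reject_invalid_helo_hostname",
    "reject_unlisted_recipient", "reject_unlisted_sender",
    "reject_invalid_hostname", "reject_rbl_client zen.spamhaus.org",
    "reject_rbl_client bl.spamcop.net", "permit",
]

AUTH_ONLY = ["permit_sasl_authenticated", "reject"]


def port25_with_client_reject():
    """Port 25 with the commented-out smtpd_client_restrictions line active."""
    return [("smtpd_client_restrictions", AUTH_ONLY),
            ("smtpd_recipient_restrictions", POSTED_RECIPIENT_RESTRICTIONS)]


def port25_as_mx():
    """Port 25 without it: inbound mail for our domains is accepted, relaying is not."""
    return [("smtpd_client_restrictions", []),
            ("smtpd_recipient_restrictions", POSTED_RECIPIENT_RESTRICTIONS)]


def port587_submission():
    """Hypothetical master.cf submission service with -o overrides: auth only."""
    return [("smtpd_client_restrictions", AUTH_ONLY),
            ("smtpd_recipient_restrictions", AUTH_ONLY)]


# Constructed sessions (documentation IP ranges, not real hosts).
INBOUND_FROM_INTERNET = Session("203.0.113.5", False, "friend@example.net", "test@myhostname.com")
INBOUND_UNKNOWN_USER = Session("203.0.113.5", False, "friend@example.net", "nobody@myhostname.com")
RELAY_ATTEMPT = Session("203.0.113.5", False, "anyone@example.net", "victim@example.org")
AUTH_USER_RELAY = Session("198.51.100.7", True, "test@myhostname.com", "someone@example.org")

if __name__ == "__main__":
    for label, stages in (("port 25 + client reject", port25_with_client_reject()),
                          ("port 25 as MX", port25_as_mx()),
                          ("port 587 submission", port587_submission())):
        for s in (INBOUND_FROM_INTERNET, RELAY_ATTEMPT, AUTH_USER_RELAY):
            print(f"{label:24} {s.recipient:22} {smtpd_decision(stages, s)}")
```

Running it shows the two effects side by side: with `permit_sasl_authenticated, reject` in smtpd_client_restrictions, the unauthenticated remote MX delivering to test@myhostname.com is refused in the client stage before the recipient list is ever consulted (the "Client host rejected: Access denied" bounce); without it, the same delivery is accepted because reject_unauth_destination only refuses mail for domains that are not in mydestination. Accepting unauthenticated mail for your own mailboxes is exactly what a public MX has to do; what authentication gates is relaying to other domains, which this configuration already refuses. A rule that turns away every unauthenticated client therefore belongs on a separate submission service (a port 587 smtpd entry in master.cf with `-o` overrides), not on port 25.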