On Wed, 10 Jul 2024 at 18:56, Serhii via Postfix-users < postfix-users@postfix.org> wrote:
> On 7/10/24 08:40, Gilgongo via Postfix-users wrote:
> > As you can see, it goes straight to the MX of the domain of the
> > recipient. The same is true if I use mail.mailutils or other clients. So I
> > was wondering how I might both allow sending but also (reliably) prevent
> > abuse. Perhaps doing both isn't really possible?
>
> You can implement firewall rules preventing access to 25/tcp for other
> users (not postfix and root):
>
> iptables -A OUTPUT -m owner --gid-owner $postfix_gid_here -p tcp -m tcp --dport 25 -j ACCEPT
> iptables -A OUTPUT -m owner --uid-owner 0 -p tcp -m tcp --dport 25 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
>
> A similar feature is possible via nftables; the syntax is as follows:
>
> nft "add rule ip filter OUTPUT skgid $postfix_gid_here tcp dport 25 counter accept"
> nft 'add rule ip filter OUTPUT skgid 0 tcp dport 25 counter accept'
> nft 'add rule ip filter OUTPUT tcp dport 25 counter reject'
>

Ah OK, thanks - I'll give that a go. Ideally I'd like to minimise the
disruption for users who want to send out with their own clients, but I
guess that would mean some kind of convoluted local open relay proxy
arrangement that's not worth constructing. I was just checking on the list
that I'd not missed some "standard method" of restricting access :-)

Jonathan
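A fuller version of the nft rules from the reply above, added here as an example and not taken from the thread: it creates the table and chain that the one-line `add rule` commands presuppose, uses the `inet` family so IPv6 MX hosts are covered as well, and logs rejects so blocked attempts show up in the kernel log. The group name `postfix`, the table name `smtp_egress` and the log prefix are assumptions; submission ports (587/465) are deliberately left alone so users' own clients can still send through an authenticating relay.

```shell
#!/bin/sh
# Added example (not from the thread): emit a complete nftables ruleset that
# limits outbound SMTP (tcp/25) to the postfix group and root, counting and
# logging everything else it rejects. Assumes a group named "postfix".

# Resolve the postfix GID from the system; fall back to $1 (e.g. on a build
# host without a postfix group). Fails loudly if neither is available.
postfix_gid() {
    gid=$(getent group postfix 2>/dev/null | cut -d: -f3)
    printf '%s\n' "${gid:-${1:?postfix gid required}}"
}

# Print a ruleset suitable for `nft -f`. $1 = postfix GID.
# Rule order matters: the two accepts must precede the catch-all reject.
smtp_egress_ruleset() {
    cat <<EOF
table inet smtp_egress {
    chain output {
        type filter hook output priority filter; policy accept;
        # Postfix's own delivery agents run under the postfix group
        meta skgid $1 tcp dport 25 counter accept
        # root, so the admin can still test delivery by hand
        meta skuid 0 tcp dport 25 counter accept
        # everyone else: count, log with a greppable prefix, then reset
        tcp dport 25 counter log prefix "smtp-egress-reject " reject with tcp reset
    }
}
EOF
}

# Usage: generate the ruleset for the local postfix group and show it.
# Load it with `nft -f <file>` and watch `nft list table inet smtp_egress`
# to see the counters move.
smtp_egress_ruleset "$(postfix_gid 108)"
```

Whatever the firewall family, the `iptables` owner match and `nft meta skgid` both key on the owning socket's group, so unprivileged shells, cron jobs and web application users are all caught by the final reject, while Postfix keeps delivering.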
_______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org