Wietse Venema via Postfix-users <[email protected]> wrote:

> Michael Grimm via Postfix-users:
>> I would like to completely cut off all mail leaving my servers
>> that have not originated from a FreeBSD jail running postfix (plus
>> rspamd).
>
> The text suggests that you will be rejecting (not discarding) messages.

You are right. Sorry, my bad.

>> These are my measures taken so far:
>>
>> #) Using FreeBSD's pf firewall functionality to block all traffic leaving my
>>    servers via ports 25, 465, and 587, respectively, that has not originated
>>    in a FreeBSD jail running postfix
>
> Presumably, pf cannot prevent a non-Postfix process from sending
> email directly to remote port 25, 465, and 587.

Yes, that's impossible (to my knowledge). Any process in that jail trying
to send spam will pass those firewall rules, sadly. But processes at the
host or in my other jails trying to send spam will become blocked.

>> #) Disallow relaying except for SASL authenticated users:
>>    smtpd_relay_restrictions =
>>        permit_sasl_authenticated
>>        reject_unauth_destination
>
> If enforced globally (in main.cf without master.cf overrides
> that say otherwise), that will work as expected.

It is enforced globally. In master.cf I do have the identical restriction:

    submission inet n       -       n       -       -       smtpd
        -o syslog_name=postfix/submission
        -o smtpd_tls_security_level=encrypt
        -o smtpd_tls_chain_files=/usr/local/etc/certs/mail/ECC.pem
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING

> It will not prevent external mail to a local account that relays
> messages with ~/.forward going out again. If that is a concern,

I am the only user with access to my servers. I have double checked,
there are no leftover ~/.forward files available, but ...

> forwarding can be restricted creating forward files for authorized
> users in a restricted directory and updating main.cf:forward_path
> accordingly.
>
> forward_path = /etc/mail/forwarding/$user ..

I have added the following to main.cf because I don't need .forward:

    # disable user-specified delivery methods
    forward_path =

But I am not sure if the following will completely prevent .forward
deliveries. Please correct me if I am mistaken.

>> #) Deny local mail submission to all users:
>>    authorized_submit_users =
>
> That should also work as expected.

Thanks for your confirmation.

>> All my tests are showing that my goal has been achieved, *but* I
>> may have overseen something I should prevent, as well. Have I?
>
> Postfix implements a qmqpd service, but that is disabled by
> default. This service can be limited only by client IP address.
>
> Postfix implements client impersonation with XCLIENT, but that
> is disabled by default.

Ok, both are disabled on my hosts.

Thanks and regards,
Michael

_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
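An added example, not part of the thread and not Postfix's own tooling: a POSIX shell audit that reads Postfix configuration text (main.cf contents or `postconf -n` output) and checks the lockdown settings the thread settles on. The parameter names are real Postfix parameters; the function names, the two constructed configurations and the expected values are my assumptions: `reject_unauth_destination` present in `smtpd_relay_restrictions`, `forward_path` and `authorized_submit_users` explicitly empty, and `smtpd_authorized_xclient_hosts` and `qmqpd_authorized_clients` (the client lists behind the two "disabled by default" features Wietse names) unset or empty.

```sh
#!/bin/sh
# Added example (not from the thread, not Postfix's own tooling): audit Postfix
# configuration text for the outbound-lockdown settings discussed above.
# Parameter names are real Postfix parameters; the expected values are
# assumptions taken from the settings the thread arrives at.

# get_param NAME CONFIG_TEXT
# Prints NAME's value with continuation lines joined and whitespace squeezed.
# Exit status 1 when NAME is not set at all, so "left at the Postfix default"
# can be told apart from "explicitly set to an empty value".
get_param() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^#/      { if (found) exit; next }                  # comment line
        /^[ \t]/  { if (found) val = val " " $0; next }      # continuation line
        found     { exit }                                   # next parameter: done
        {
            line = $0
            if (sub("^" key "[ \t]*=", "", line)) { found = 1; val = line }
        }
        END {
            gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
            print val
            exit (found ? 0 : 1)
        }'
}

# expect_empty NAME CONFIG_TEXT ABSENT_OK
# PASS when NAME is explicitly set to nothing. With ABSENT_OK=yes an unset
# NAME also passes, for parameters whose Postfix default is already empty.
expect_empty() {
    if val=$(get_param "$1" "$2"); then
        [ -z "$val" ] && { echo "PASS: $1 is empty"; return 0; }
        echo "FAIL: $1 = $val (expected empty)"; return 1
    elif [ "$3" = yes ]; then
        echo "PASS: $1 not set (default is empty)"; return 0
    fi
    echo "FAIL: $1 not set, so the Postfix default applies"; return 1
}

# audit_lockdown CONFIG_TEXT
# Runs every check, prints one PASS/FAIL line each, returns the failure count.
audit_lockdown() {
    conf=$1 fails=0
    relay=$(get_param smtpd_relay_restrictions "$conf") || relay=""
    relay=$(printf '%s' "$relay" | tr ',' ' ')               # allow comma lists
    case " $relay " in
        *" reject_unauth_destination "*)
            echo "PASS: smtpd_relay_restrictions rejects unauthorized relaying" ;;
        *)  echo "FAIL: smtpd_relay_restrictions lacks reject_unauth_destination"
            fails=$((fails + 1)) ;;
    esac
    # Thread settings: no ~/.forward delivery, no local submission by any user.
    expect_empty forward_path            "$conf" no  || fails=$((fails + 1))
    expect_empty authorized_submit_users "$conf" no  || fails=$((fails + 1))
    # Defaults Wietse mentions: XCLIENT and QMQP stay off while these are empty.
    expect_empty smtpd_authorized_xclient_hosts "$conf" yes || fails=$((fails + 1))
    expect_empty qmqpd_authorized_clients       "$conf" yes || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample: the settings Michael ended up with, in main.cf layout.
LOCKED_DOWN='smtpd_relay_restrictions =
    permit_sasl_authenticated
    reject_unauth_destination
# disable user-specified delivery methods
forward_path =
authorized_submit_users =
'

# Constructed sample: a host that still honours ~/.forward and local submission.
OPEN_HOST='smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
forward_path = $home/.forward
'

echo "== locked-down sample =="
audit_lockdown "$LOCKED_DOWN" || echo "$? check(s) failed"
echo "== open-host sample =="
audit_lockdown "$OPEN_HOST" || echo "$? check(s) failed"
```

On a real host, source the functions and run `audit_lockdown "$(postconf -n)"`. This covers main.cf only; the `-o` overrides in master.cf entries such as the submission service above are what Wietse's "without master.cf overrides that say otherwise" caveat refers to, and they are listed separately by `postconf -M`, so check those by hand.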
