Carlos Williams put forth on 12/4/2009 1:08 PM:
> I was just thinking today that if anyone knew a valid email address on
> my Postfix mail server, anyone could simply telnet to it (assuming
> they're on a trusted network / mynetworks) and send mail posed as that
> valid email address. I know this is not a huge security deal since
> it's come from a client listed in the mynetworks parameter but
> sometimes we have not so nice people we are forced to trust. Does this
> sound correct to anyone here? Normally on any mail client you need a
> username / password to send / receive email for a specific user but in
> the case of Telnet or just sending, it appears this is not required.
> Is there something I overlooked?

Disallow submission on port 25, only allow submission on 587 with auth.
This solves the "possible nefarious submission" issue, but requires
that all clients be reconfigured to use 587 with uname and passwd.  This
can be fairly easily accomplished in a corporate environment with remote
management tools.

--
Stan
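
A Postfix configuration sketch of the approach in the reply above, added here as an example and not part of the original thread: port 25 stops relaying for mynetworks, and the submission service on 587 requires a SASL login. The existing restriction list shown as "before", the sender-to-login map and its path, and the TLS requirement are assumptions about the site, and binding the envelope sender to the login goes one step beyond what the reply describes.

```conf
# /etc/postfix/main.cf  (example values; merge with the site's existing restrictions)

# Before (assumed): any client in mynetworks may relay through port 25 with no login.
#smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# After: port 25 only accepts mail addressed to domains this server handles.
smtpd_recipient_restrictions = reject_unauth_destination

# Sender address -> SASL login allowed to use it.
# Hypothetical path; build the table with "postmap /etc/postfix/sender_login".
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# /etc/postfix/master.cf

# Port 25: server-to-server delivery, left as the stock entry.
smtp       inet  n  -  n  -  -  smtpd

# Port 587: client submission, login required before anything is accepted.
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
```

With reject_sender_login_mismatch in place, an authenticated user can only use the envelope sender addresses mapped to that login. Run "postfix check" and then "postfix reload" after editing both files.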
