This post was full of misunderstandings. First, the Subject, there is
no such thing as "telnet email". telnet(1) is a commonly-available
TCP client, which can be used to make a connection to a process such
as smtpd(8).

On Fri, Dec 04, 2009 at 02:08:46PM -0500, Carlos Williams wrote:
> I was just thinking today that if anyone knew a valid email address
> on my Postfix mail server,

Sender addresses are typically not checked for sending mail. Of
course there are numerous options to do so, but these are not the
defaults, and you would have had to consult some documentation to
even know that they exist.

> anyone could simply telnet to it

This is not "simple". It requires that the telnet user knows enough
of the SMTP protocol syntax to be able to send a message. Most
people do not.

> (assuming they're on a trusted network / mynetworks) and send mail

That is precisely what $mynetworks is for.

> posed as that valid email address.

ANY address. Quite possibly not even a valid one. This is how SMTP
was designed (arguably, misdesigned.)

> I know this is not a huge
> security deal since it's come from a client listed in the
> mynetworks parameter but sometimes we have not so nice people we
> are forced to trust. Does this sound correct to anyone here?

You pull the plug on anyone in $mynetworks who does something
naughty. MYnetworks means it is under your control. Use that, and be
quick to act against any abuser.

> Normally on any mail client you need a username / password to send

*If* authentication is required, such as for a sender coming from
outside $mynetworks, who wants to relay (to send to mail addresses
which are not handled by your server.) Otherwise, no.

> / receive email for a specific user

A MUA speaks IMAP to an imapd or POP3 to a pop3d. Generally those
protocols require authentication. They're also irrelevant here on
postfix-users, since Postfix is not an IMAP or POP3 server.

> but in the case of Telnet or
> just sending, it appears this is not required.

A MUA inside $mynetworks is not required to authenticate to send. It
does the same thing you might do with telnet, except that the people
who wrote your MUA software most likely have spent more time reading
SMTP RFCs than you did, so it might be a bit better at it. It will
definitely do it faster than you could type manual commands.

> Is there something I overlooked?

Maybe just lacking the Big Picture on what email is and how it works?
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
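
Added example, not part of the original message or of Postfix: one way to spot the abuse discussed above is to join each queue ID's `client=` line to its `from=` line in the Postfix log and report clients inside $mynetworks whose envelope sender is not one they normally use. The log lines, the 192.168.1.0/24 network and the `EXPECTED` inventory are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Postfix syslog lines; hosts, queue IDs and addresses are made up.
SAMPLE_LOG = """\
Dec  4 14:01:02 mx postfix/smtpd[2101]: 4F1A2C0011: client=pc17.example.lan[192.168.1.17]
Dec  4 14:01:02 mx postfix/qmgr[900]: 4F1A2C0011: from=<alice@example.com>, size=812, nrcpt=1 (queue active)
Dec  4 14:05:40 mx postfix/smtpd[2107]: 5B22D90012: client=pc23.example.lan[192.168.1.23]
Dec  4 14:05:40 mx postfix/qmgr[900]: 5B22D90012: from=<ceo@example.com>, size=640, nrcpt=3 (queue active)
Dec  4 14:09:11 mx postfix/smtpd[2110]: 6C33E80013: client=mail.example.net[203.0.113.9]
Dec  4 14:09:11 mx postfix/qmgr[900]: 6C33E80013: from=<carol@example.net>, size=1500, nrcpt=1 (queue active)
Dec  4 14:12:30 mx postfix/smtpd[2113]: 7D44F70014: client=pc23.example.lan[192.168.1.23]
Dec  4 14:12:30 mx postfix/qmgr[900]: 7D44F70014: from=<>, size=300, nrcpt=1 (queue active)
"""

# Assumed inventory: the envelope senders each trusted client normally uses.
EXPECTED = {"192.168.1.17": {"alice@example.com"}, "192.168.1.23": {"bob@example.com"}}

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S*\[([0-9A-Fa-f.:]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")


def unexpected_senders(log_text, mynetworks, expected):
    """Return {client_ip: sorted unexpected senders} for clients inside mynetworks."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    client_of = {}                      # queue ID -> client IP
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            client_of[m.group(1)] = m.group(2)
            continue
        m = FROM_RE.search(line)
        if not m or m.group(1) not in client_of:
            continue
        ip, sender = client_of[m.group(1)], m.group(2).lower()
        addr = ipaddress.ip_address(ip)
        trusted = any(addr in net for net in nets)
        # The null sender <> is used for bounces, so it is not reported.
        if trusted and sender and sender not in expected.get(ip, set()):
            findings[ip].add(sender)
    return {ip: sorted(s) for ip, s in findings.items()}


if __name__ == "__main__":
    hits = unexpected_senders(SAMPLE_LOG, ["192.168.1.0/24"], EXPECTED)
    for ip, senders in hits.items():
        print(ip, "sent as", ", ".join(senders))
```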
