Thx for the reply

> Questions similar to yours come up fairly often, I'm not sure why
> no one's jumped in yet with a rough solution that will do what you
> want. What you've mentioned you want:
>
>> How do I ensure that my mail server can only send mails either to or
>> from mydomains?
>
> I *think* the short, correct answer is to use a policy server:
> http://www.postfix.org/SMTPD_POLICY_README.html

I will look into those then

>> When I add the following to main.cf, this should perform the check, so
>> only people I know are allowed to send through postfix and they can
>> send anywhere. This should also prevent anyone to send mail from an
>> address that isn't one of mine.
>>
>> smtpd_reject_unlisted_recipient = no
>> smtpd_reject_unlisted_sender = yes
>> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
>> smtpd_sender_restrictions =
>> Unfortunately, it does not work.
>
> When you report that something doesn't work, it's best to provide log
> entries that support what you're saying. Basically, it's most helpful
> if you:
> 1. Describe what you expected to happen
> 2. Describe what you saw actually happened.
> 3. Show the log entries so we can see what happened.

With the current configuration I'd expect some sort of 'denied' message for MAIL FROM: when it is not in mydomains.
Instead I get '250 2.1.0 Ok' when specifying a MAIL FROM that is not in mydomains.

For example:

Config:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination =
myhostname = server01.fonville-it.nl
mynetworks = 0.0.0.0
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = no
smtpd_reject_unlisted_sender = yes
smtpd_sender_restrictions =
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_mailbox_domains = mail.fonville-it.nl, fonville-it.nl
virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailbox-maps.cf
virtual_transport = zarafa

Telnet session:
220 server01.fonville-it.nl ESMTP Postfix (Ubuntu)
ehlo fonville-it.nl
250-server01.fonville-it.nl
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: <serge[DOT]fonville[AT]gmail[DOT]com>
250 2.1.0 Ok
RCPT TO: <sergefonville[AT]fonville-it[DOT]nl>
250 2.1.5 Ok
RSET
250 2.0.0 Ok
MAIL FROM: <sergefonville[AT]fonville-it[DOT]nl>
250 2.1.0 Ok
RCPT TO: <serge[DOT]fonville[AT]gmail[DOT]com>
554 5.7.1 <<serge[DOT]fonville[AT]gmail[DOT]com>: Relay access denied
QUIT
221 2.0.0 Bye

Log:
Jan 3 14:36:10 server01 postfix/smtpd[9110]: connect from localhost[127.0.0.1]
Jan 3 14:36:38 server01 postfix/smtpd[9110]: DF06F5302F: client=localhost[127.0.0.1]
Jan 3 14:37:08 server01 postfix/smtpd[9110]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <serge.fonvi...@gmail.com>: Relay access denied; from=<sergefonvi...@fonville-it.nl> to=<serge.fonvi...@gmail.com> proto=ESMTP helo=<fonville-it.nl>
Jan 3 14:37:13 server01 postfix/smtpd[9110]: disconnect from localhost[127.0.0.1]

No particular logging is present, /var/log/mail.log only shows what is also visible in the telnet session

>> mydestination =
> This is likely to be wrong. I can see you're using virtual mailboxes,
> but not having any local domains at all is odd.

I removed these in the many attempts

>> mynetworks = 0.0.0.0
> This is *definitely* very wrong! smtpd_recipient_restrictions will
> allow ANY client in mynetworks to relay mail to any destination. I
> don't know if using smtpd_reject_unlisted_sender would prevent
> anything going wrong here, but this is likely to make you an open
> relay.

I am aware of open relay, that's why it is no longer internet accessible

Thanks a lot for all the help so far

Regards,

Serge Fonville

--
http://www.sergefonville.nl

Convince Google!!
They need to support Adsense over SSL
https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528
http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923&hl=en
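
Added example, not part of the original message and not Postfix's own code: a minimal policy service for the protocol described in the SMTPD_POLICY_README linked above, which answers REJECT at RCPT TO when neither the envelope sender nor the recipient is in a local domain. MY_DOMAINS is an assumption copied from virtual_mailbox_domains in the posted config, and the function names are illustrative.

```python
import sys

# Assumption: local domains copied from virtual_mailbox_domains in the post.
MY_DOMAINS = {"fonville-it.nl", "mail.fonville-it.nl"}


def parse_request(text):
    """Parse one request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def domain_of(address):
    """Lower-cased domain part; "" for the null sender or a bare name."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def decide(attrs):
    """Return the policy action for one parsed request."""
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"  # the recipient is only known at RCPT TO
    sender_ok = domain_of(attrs.get("sender", "")) in MY_DOMAINS
    rcpt_ok = domain_of(attrs.get("recipient", "")) in MY_DOMAINS
    if sender_ok or rcpt_ok:
        return "DUNNO"  # no opinion: later restrictions still decide
    return "REJECT neither sender nor recipient is in a local domain"


def serve(stream_in, stream_out):
    """Answer each request with action=...; a blank line ends a request."""
    block = []
    for line in stream_in:
        if line.strip():
            block.append(line.strip())
            continue
        action = decide(parse_request("\n".join(block)))
        stream_out.write("action=%s\n\n" % action)
        stream_out.flush()
        block = []


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

When this is called through check_policy_service in smtpd_recipient_restrictions, a DUNNO result leaves the decision to the restrictions that follow, so reject_unauth_destination still applies. The envelope sender is unauthenticated, so this check constrains addresses and does not identify who is sending.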