On 02/16/2010 08:08 AM, Joel Rosental R. wrote:
> I'm trying to avoid that somebody can connect to the email server and
> then send any email to my users without having to authenticate first.
>

So you don't want to receive mail from the internet? There is no way possible to force all hosts to authenticate in order to send mail to your server...well there is, but you certainly won't have a spam problem, or any type of high volume problems either. ;-) Below you actually explain, much better, the problem that you _are_ trying to solve.

> Right now, when I connect to it and try to send an email to the outside
> it asks me for password (which is fine), but if I try to send an email to
> anybody inside the domain (e.g: f...@mydomain.com) it sends the email
> without any kind of authentication, so anybody could send fake emails
> and/or spam...
>

As the previous poster suggested, you'd be much better off to do this via other methods than postfix itself...RBLs are a good place to start, and then add a good content filter.

Anyway, you *can* do what you are asking for with smtpd_sender_restrictions. The one(s) you are probably looking for are reject{,_unauthenticated}_sender_login_mismatch. Read the docs to be certain ('man 5 postconf'), but be absolutely certain that this is what you want to do, as there are many pitfalls to adding this config option on 25 (of course it is perfectly acceptable on submission, at least for now).

There are tons of sites and services that send on behalf of your users, and those messages will bounce if they are sent to say j...@foo.com, on behalf of j...@foo.com. Lots of subscription sites use your own email address in the mail form to verify that your email address is real, and those will bounce. Your mobile/remote users will not be able to send to any of your other users using any other SMTP server, so you absolutely have to set up a separate postfix submission port to use in case 25 is blocked from wherever they happen to be. If someone responds to a forwarding address on another server to one of your users, the delivery will fail, and a bounce generated (which is backscatter that nobody likes). There are others, but hopefully that is enough to make you take the time to decide if it is right for your situation.

> I've read that maybe with this configuration I could achieve this:

<Snip>

No. Seeing as you already have to authenticate to relay, those must be in place now. Have you even reviewed your current configuration?

> But I also heard from somebody that no MTA can distinguish if it's a
> client that is connecting using his MUA to send an email or it's a
> server trying to deliver an email to port 25.
>

Correct.

> So I'm a little confused here.
>

Keep reading, stay the course, it'll get much easier very quickly.

-- DJ Lucas
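
Added example (not part of the message above and not Postfix code): a simplified Python model of how the two restrictions named in the reply decide on the envelope sender, run over constructed sessions that mirror the pitfalls listed there. The example.com addresses, the login names and the dict standing in for smtpd_sender_login_maps are assumptions.

```python
# Simplified model of two Postfix sender restrictions; not Postfix source code.
# All addresses, logins and sessions below are constructed sample data.
from typing import NamedTuple, Optional

# Stand-in for smtpd_sender_login_maps: envelope sender -> SASL logins that own it.
SENDER_LOGIN_MAPS = {
    "alice@example.com": {"alice"},
    "bob@example.com": {"bob"},
}

class Session(NamedTuple):
    note: str
    sasl_login: Optional[str]  # None = client did not authenticate
    mail_from: str             # envelope sender (MAIL FROM)

def reject_unauthenticated_sender_login_mismatch(s: Session) -> bool:
    """True = reject: the sender has an owner, but the client is not logged in."""
    return s.sasl_login is None and s.mail_from in SENDER_LOGIN_MAPS

def reject_sender_login_mismatch(s: Session) -> bool:
    """True = reject: unauthenticated use of an owned sender, or a logged-in
    client using a sender that its login does not own."""
    owners = SENDER_LOGIN_MAPS.get(s.mail_from)
    if s.sasl_login is None:
        return owners is not None
    return owners is None or s.sasl_login not in owners

SESSIONS = [
    Session("spoofer forging a local sender", None, "alice@example.com"),
    Session("third-party site sending on alice's behalf", None, "alice@example.com"),
    Session("bob relaying via another provider's server", None, "bob@example.com"),
    Session("ordinary inbound internet mail", None, "carol@example.net"),
    Session("alice on submission, own address", "alice", "alice@example.com"),
    Session("alice on submission, bob's address", "alice", "bob@example.com"),
]

def evaluate(restriction):
    """Return {note: 'REJECT' | 'OK'} for every sample session."""
    return {s.note: "REJECT" if restriction(s) else "OK" for s in SESSIONS}

if __name__ == "__main__":
    for fn in (reject_unauthenticated_sender_login_mismatch,
               reject_sender_login_mismatch):
        print(fn.__name__)
        for note, verdict in evaluate(fn).items():
            print(f"  {verdict:6} {note}")
```

The first three sessions are indistinguishable to the server: the forged message and the two legitimate ones all arrive unauthenticated with a locally owned sender, so the restriction rejects all three.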