I'm looking for information on restricting the sending of mail through our MX servers to authenticated users only. We currently use SASL2/MySQL to store valid user info. I'll try to include as much info as possible.
The reason I ask is that, as long as the domain is found in the recipient map, it seems to allow unauthenticated sessions to send mail; see below.

220 mxxx.mail.xxx ESMTP Postfix
HELO laydbackpc
250 mx11.mail.xxx
mail from: wal...@amhosting.com
250 Ok
rcpt to: walter.pi...@amhosting.com
501 Syntax: RCPT TO: <address>
rcpt to: walter.pi...@amhosting.com
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
tset
.
250 Ok: queued as 6A20F2C227
quit
221 Bye

smtpd.conf

log_level: 0
pwcheck_method: auxprop
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: localhost
sql_database: xxx
sql_user: xxx
sql_passwd: xxx
sql_select: SELECT userpassword FROM smtpauth WHERE username = '%...@%r'
sql_usessl: no

postconf -n

[r...@mx postfix]# postconf -n
alias_maps =
anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = /var/www/html/postfix
in_flow_delay = 0
inet_interfaces = x.x.x.x
initial_destination_concurrency = 10
local_destination_concurrency_limit = 10
local_recipient_maps =
local_transport = error:local mail delivery disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 90m
maximal_queue_lifetime = 5d
message_size_limit = 14500000
mime_header_checks = $header_checks
minimal_backoff_time = 45m
mydestination =
mydomain = mx.mail.xxx
myhostname = mx.mail.xxx
mynetworks = 127.0.0.0/16
myorigin = hostrack.net
nested_header_checks =
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_run_delay = 120s
readme_directory = /var/www/html/postfix
relay_domains = mysql:/etc/postfix/sql/relay_transport_map.conf
relay_recipient_maps = mysql:/etc/postfix/sql/relay_recipient_map.conf
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_connect_timeout = 45s
smtpd_client_connection_count_limit = 30
smtpd_client_recipient_rate_limit = 100
smtpd_data_restrictions = reject_multi_recipient_bounce permit
smtpd_error_sleep_time = 0
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_recipient_limit = 100
smtpd_recipient_overshoot_limit = 20
smtpd_recipient_restrictions = reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unknown_recipient_domain check_recipient_access hash:/etc/postfix/roleaccounts check_client_access hash:/etc/postfix/access check_client_access hash:/etc/postfix/whitelist check_client_access hash:/etc/postfix/whiners permit_sasl_authenticated reject_unauth_destination reject_non_fqdn_hostname reject_invalid_hostname check_policy_service inet:127.0.0.1:12525 check_policy_service unix:private/spf permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /usr/share/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 7200s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = mysql:/etc/postfix/sql/relay_transport_map.conf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/domains/localhost

main.cf

command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = /var/www/html/postfix
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /var/www/html/postfix
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
unknown_local_recipient_reject_code = 550
##############################################################
# start of my stuff
#
mydomain = mx.mail.xxx
myhostname = mx.mail.xxx
myorigin = hostrack.net
mynetworks = 127.0.0.0/16
mydestination =
inet_interfaces = x.x.x.x x.x.x.x 127.0.0.1
smtpd_recipient_limit = 100
smtpd_client_recipient_rate_limit = 100
smtpd_client_connection_count_limit = 30
smtpd_recipient_overshoot_limit = 20
default_destination_concurrency_limit = 10
initial_destination_concurrency = 10
local_destination_concurrency_limit = 10
plesk_destination_concurrency_limit = 5
cpanel_destination_concurrency_limit = 5
queue_run_delay = 120s
minimal_backoff_time = 45m
maximal_backoff_time = 90m
maximal_queue_lifetime = 5d
anvil_rate_time_unit = 180s
in_flow_delay = 0
bounce_size_limit = 1500
message_size_limit = 14500000
smtp_connect_timeout = 45s
helocheck_time_limit = 7200
smtpd_error_sleep_time = 0
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtpd_tls_CAfile = /usr/share/ssl/certs/ca-bundle.crt
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 7200s
tls_random_source = dev:/dev/urandom
smtpd_etrn_restrictions = reject
smtpd_recipient_restrictions = reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unknown_recipient_domain check_recipient_access hash:/etc/postfix/roleaccounts check_client_access hash:/etc/postfix/access check_client_access hash:/etc/postfix/whitelist check_client_access hash:/etc/postfix/whiners permit_sasl_authenticated reject_unauth_destination reject_non_fqdn_hostname reject_invalid_hostname check_policy_service inet:127.0.0.1:12525 check_policy_service unix:private/spf permit
helocheck_time_limit = 7200
smtpd_error_sleep_time = 0
smtpd_data_restrictions = reject_multi_recipient_bounce permit
alias_maps =
local_recipient_maps =
relay_recipient_maps = mysql:/etc/postfix/sql/relay_recipient_map.conf
virtual_alias_maps = hash:/etc/postfix/domains/localhost
transport_maps = mysql:/etc/postfix/sql/relay_transport_map.conf
relocated_maps = hash:/etc/postfix/relocated
local_transport = error:local mail delivery disabled
relay_domains = mysql:/etc/postfix/sql/relay_transport_map.conf
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = $header_checks
nested_header_checks =
body_checks = regexp:/etc/postfix/body_checks

--
Walter Pinto
System Support / Administrator
supp...@amhosting.com
www.amhosting.com
4690 Longley Lane, Suite 34
Reno, NV 89502
775.331.3319
866.425.2035