On 12/27/2011 06:45 AM, Glenn Sieb wrote:
> Dear list,
> While I have SASL set up on port 587, I recently found that foreign
> IPs can connect, pretend to be, say, me, and send mail to my users.
> SPF can catch this, but I think it's something that should/can be
> caught by Postfix, no?

Can, yes. But not by default.

> So I conclude I have fubar'd my SMTP config
> somehow.

Not necessarily. You're probably looking for smtpd_helo_restrictions,
under which you can (among other things) reject remote *hosts*
pretending to be you.

> How do I make it so this kind of transcript won't work unless you're
> authenticating using SASL on port 587?
> (connect not from my server to my server port 25)

SASL will authenticate the user, not the remote server. You won't fix
the EHLO/HELO issue with SASL. Be advised that if you plan to reject
*sender addresses* claiming to originate from your own domain, you might
break legitimate mails.
--
Bjørn
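
A configuration sketch of the smtpd_helo_restrictions approach named in the reply above, added here as an example and not taken from either poster's setup. The domain example.com, the host name mail.example.com and the map path /etc/postfix/helo_access are placeholders (assumptions) to be replaced with the server's own names.

```ini
# --- /etc/postfix/main.cf (added example; names and paths are placeholders) ---

# Require every client to send HELO/EHLO so the checks below always apply.
smtpd_helo_required = yes

# Evaluated in order. Trusted networks and SASL-authenticated clients are
# let through first; everyone else is checked against the HELO map.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname

# --- /etc/postfix/helo_access (run "postmap /etc/postfix/helo_access" after editing) ---
# Remote hosts that greet with this server's own names are rejected.
example.com         REJECT HELO name belongs to this server
mail.example.com    REJECT HELO name belongs to this server
```

This only covers the HELO/EHLO name a remote host presents. It does not check envelope sender addresses, which is the separate case the reply warns can break legitimate mail.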