Please do not top-post your replies. Thank you.
On Mon, Mar 05, 2012 at 03:23:51PM +0530, santosh malavade wrote:
> On Tue, Feb 28, 2012 at 8:27 PM, Ansgar Wiechers 
> <li...@planetcobalt.net> wrote:
> > On 2012-02-28 santosh malavade wrote:
> > > In my mail server, I have enabled sender access using the 
> > > following parameter.
> > >
> > > smtpd_recipient_restrictions = check_sender_access
> > > hash:/etc/postfix/sender_access, check_recipient_access
> > > hash:/etc/postfix/sender_access reject
> > >
> > > This was rejecting the mail with the 554 Recipient address 
> > > rejected: Access denied
> >
> > That's because you added an explicit "reject" at the end of
> > smtpd_recipient_restrictions. Remove it and the problem will
> > go away.

I see that you did not follow this advice.

> > > Now, I have enabled null sender using <> in file 
> > > /etc/postfix/sender_access, based on the information
> > > available in http://www.postfix.org/access.5.html ( refer
> > > Note: in section EMAIL ADDRESS PATTERNS )
> >
> > That is unnecessary. Postfix' default configuration is safe.
> > The default implicit "permit" in smtpd_recipient_restrictions
> > does not make your server an open relay. It just means that
> > it will accept mail for its $mydestination domains.
> >
> > > Now, my concern is my mail server should not be an OPEN RELAY.

And by ignoring the advice, you have partially created the exact 
situation you hoped to avoid.

> > > I tried checking it on http://www.checkor.com/ Although, the 
> > > results are negative, the site has the following disclaimer.
> > >
> > > * We do our best to check to see if your mailserver is an open 
> > > relay. Even if your mail server tests negative on this site,
> > > it may still not be 100% secure
> > >
> > > Pls. suggest.
> >
> > Please post the output of "postconf -n".

In this case the disclaimer is right.

> Here is my postconf output :
> 
> mailgate:~ # postconf -n
> canonical_maps = hash:/etc/postfix/canonical

What is your purpose in this?

> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/lib/postfix
> debug_peer_level = 2
> debug_peer_list = 173.225.251.221
> disable_dns_lookups = no
> header_checks = regexp:/etc/postfix/header_checks
> home_mailbox = Maildir/
> inet_interfaces = all
> mail_owner = postfix
> mail_spool_directory = /var/mail
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> masquerade_classes = envelope_sender, header_sender, header_recipient
> masquerade_exceptions = root
> message_size_limit = 8703181
> mydestination = $myhostname, localhost.$mydomain
> myhostname = mailgate.asianpaints.com
> mynetworks = 127.0.0.1/8 , 192.168.40.0/24 ,172.25.10.94/32
> newaliases_path = /usr/sbin/sendmail
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/packages/postfix/README_FILES
> recipient_canonical_maps = hash:/etc/postfix/recipient_canonical

What is your purpose in this?

> relocated_maps = hash:/etc/postfix/relocated
> sample_directory = /usr/share/doc/packages/postfix/samples
> sender_canonical_maps = hash:/etc/postfix/sender_canonical
> sendmail_path = /usr/sbin/sendmail
> setgid_group = maildrop
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = check_sender_access
> hash:/etc/postfix/sender_access, check_recipient_access
> hash:/etc/postfix/sender_access reject

What is your purpose in this?

ANY email address or domain or localpart listed in your 
"sender_access" file, whether used as sender OR recipient, is 
permitted to relay.

ALL other mail is rejected.

Probably 99% of spam is sent with forged sender addresses, meaning 
addresses not directly controlled by the spammer. If a spammer hit 
your server using YOUR addresses, or the null sender address, said 
spammer is allowed to relay.

You were already told that you are WRONG in doing this.

Change it NOW. Stop Postfix until you get this right. Consider the 
results if a spammer is reading this list: he knows how to use you 
as an open relay: null sender address or possibly variations on 
senders in domains which might be listed in that file.

You are now easily exploitable. Act IMMEDIATELY. Simply removing 
smtpd_recipient_restrictions is enough to make it safe. Define the 
goal better, or else we will not be able to help you reach it. 
Perhaps starting here would help:

http://www.postfix.org/BASIC_CONFIGURATION_README.html

> strict_rfc821_envelopes = yes
> transport_maps = hash:/etc/postfix/transport

What is your purpose in this?

> virtual_maps = hash:/etc/postfix/virtual

I'm surprised that "postconf -n" still lists this parameter, 
deprecated many years ago. (2.9 postconf would list it, but it's 
similarly surprising that a user of 2.9 would use virtual_maps.)
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
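
The evaluation order described in the message above, as an added example that is not part of the original post and is not Postfix code: a simplified Python model of first-match restriction evaluation, run against the posted restriction list and against the Postfix default (permit_mynetworks, reject_unauth_destination). The sender_access entries, the example.com and .test names, and the function names are constructed assumptions; mynetworks is taken from the posted output.

```python
import ipaddress

# Constructed sample table; the thread does not show the real sender_access file.
SENDER_ACCESS = {"<>": "OK", "example.com": "OK"}
# mynetworks as posted; strict=False accepts the host-bits form "127.0.0.1/8".
MYNETWORKS = [ipaddress.ip_network(n, strict=False)
              for n in ("127.0.0.1/8", "192.168.40.0/24", "172.25.10.94/32")]
# Placeholder for the expanded mydestination list.
LOCAL_DOMAINS = {"mailgate.example.com", "localhost.example.com"}

POSTED = [("check_sender_access", SENDER_ACCESS),
          ("check_recipient_access", SENDER_ACCESS), ("reject", None)]
DEFAULT = [("permit_mynetworks", None), ("reject_unauth_destination", None)]

def lookup(table, addr):
    """Simplified access(5) order: full address, domain, then 'user@'."""
    addr = addr.lower()
    if addr == "":
        return table.get("<>")  # the null sender is looked up under "<>"
    local, _, domain = addr.rpartition("@")
    for key in (addr, domain, local + "@"):
        if key in table:
            return table[key]
    return None

def evaluate(restrictions, client_ip, sender, rcpt):
    """The first restriction that yields a verdict wins; the implicit end is permit."""
    ip = ipaddress.ip_address(client_ip)
    for name, table in restrictions:
        if name == "check_sender_access":
            verdict = lookup(table, sender)
        elif name == "check_recipient_access":
            verdict = lookup(table, rcpt)
        elif name == "permit_mynetworks":
            verdict = "OK" if any(ip in net for net in MYNETWORKS) else None
        elif name == "reject_unauth_destination":
            local = rcpt.lower().rpartition("@")[2] in LOCAL_DOMAINS
            verdict = None if local else "REJECT"
        else:  # the literal "reject" that ends the posted list
            verdict = "REJECT"
        if verdict in ("OK", "REJECT"):
            return verdict
    return "OK"

if __name__ == "__main__":
    outside = "203.0.113.7"  # documentation address, not in mynetworks
    for label, rules in (("posted", POSTED), ("default", DEFAULT)):
        print(label, evaluate(rules, outside, "", "user@elsewhere.test"))
```

With the posted list the sender table answers before any destination check runs, so an outside client is judged only on the envelope addresses it supplies; the default list never consults those tables for the relay decision.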
