I'm not entirely sure how to formulate this question best in English, so please bear with me.
In the past 6 months I've set up several Postfix 2.7.1 servers, which use Dovecot as LDA and as SASL auth. One of them runs this domain, but they are still in testing. My highest concern is to set up an open relay by accident, so in the process I've used an online anti-spam tester several times: http://www.antispam-ufrj.pads.ufrj.br/test-relay.html

It has always (and still does) reported the servers to reject relaying. I therefore thought it was only possible to relay mail through the servers if a valid username (an active email address) and a password were given to the server (unless it's a system user logged in through ssh). That is how I would like the servers to behave.

However, trying to learn a little, I played around with telnet from my computer today, and was able to relay mail through the servers from the internet, without having to log in. It appears, though, that it's only possible to relay mail if the server holds the address in the database, which suggests that the servers are only open to some limited backscatter, since the recipient address has to be known and given to Postfix. Some testing seems to support this. Even so, I would like Postfix to deny relaying in this case also, if at all possible.

A telnet session goes like this, on either the server containing my_address or the backup MX:

    $ telnet X.X.X.X 25
    Trying X.X.X.X...
    Connected to X.X.X.X.
    Escape character is '^]'.
    220 machinename.domain.tld ESMTP Postfix
    EHLO fake-name.domain.tld
    250-machinename.domain.tld
    250-PIPELINING
    250-SIZE 10240000
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    $ MAIL FROM:s...@dont-exists.tld
    250 2.1.0 Ok
    $ RCPT TO:my_address@my_domain.tld
    250 2.1.5 Ok
    DATA
    354 End data with <CR><LF>.<CR><LF>
    Test something
    .
    250 2.0.0 Ok: queued as 3653E371BAA1
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
Then grep'ing the query ID from the log gives 5 lines:

    Dec 6 23:30:40 machinename postfix/smtpd[3184]: 3653E371BAA1: client=unknown[my wan-IP]
    Dec 6 23:30:51 machinename postfix/cleanup[3557]: 3653E371BAA1: message-id=<>
    Dec 6 23:30:51 machinename postfix/qmgr[4628]: 3653E371BAA1: from=<SRS0=nFZn=KA=dont-exists.tld=spam@my_domin.tld>, size=379, nrcpt=1 (queue active)
    Dec 6 23:30:51 machinename postfix/pipe[3577]: 3653E371BAA1: to=<my_address@my_domain.tld>, relay=dovecot, delay=56, delays=56/0/0/0, dsn=2.0.0, status=sent (delivered via dovecot service)
    Dec 6 23:30:51 machinename postfix/qmgr[4628]: 3653E371BAA1: removed

And the mail is indeed delivered.

In master.cf the submission part looks like this:

    submission inet n - - - - smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_sasl_local_domain=$myhostname
      -o smtpd_client_restrictions= permit_sasl_authenticated reject
      -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
      -o smtpd_sender_restrictions=reject_sender_login_mismatch
      -o smtpd_recipient_restrictions= reject_non_fqdn_recipient reject_unknown_recipient_domain permit_sasl_authenticated reject

And postconf -n on the server my_address gives:

    alias_maps = hash:/etc/aliases
    bounce_template_file = /etc/postfix/bounce.cf
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    delay_warning_time = 4
    disable_vrfy_command = yes
    inet_interfaces = all
    maximal_queue_lifetime = 15
    myhostname = machinename.my_domain.tld
    mynetworks = 127.0.0.0/8
    recipient_canonical_classes = envelope_recipient
    recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10002
    sender_canonical_classes = envelope_sender
    sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10001
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
    smtpd_data_restrictions = reject_unauth_pipelining reject_multi_recipient_bounce permit
    smtpd_helo_required = yes
    smtpd_recipient_restrictions = permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        warn_if_reject reject_invalid_helo_hostname
        warn_if_reject reject_non_fqdn_helo_hostname
        warn_if_reject reject_non_fqdn_sender
        warn_if_reject reject_non_fqdn_recipient
        warn_if_reject reject_unknown_sender_domain
        warn_if_reject reject_unknown_recipient_domain
        warn_if_reject reject_rbl_client truncate.gbudb.net
        check_policy_service unix:private/spfcheck
        permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_exceptions_networks = $mynetworks
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_tls_ask_ccert = yes
    smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt
    smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
    tls_random_source = dev:/dev/urandom
    transport_maps = hash:/etc/postfix/transport.cf
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /home/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
    virtual_minimum_uid = 5000
    virtual_transport = dovecot
    virtual_uid_maps = static:5000

Any pointers / help will be greatly appreciated and thanks for reading.

Cheers,
Titanus
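
A log audit that separates the case shown in the post (unauthenticated client, recipient handed to the local dovecot transport) from mail that leaves the server through a remote relay, as an added example that is not part of the original post. The sample log is constructed (the first message mirrors the posted lines with a documentation IP, the second is invented), the names `audit` and `verdict` are hypothetical, and it assumes remote SMTP deliveries are logged as `relay=host[ip]:port` while local transports log a bare name.

```python
import ipaddress
import re

# Constructed sample: message 1 mirrors the log lines in the post (documentation IP
# in place of "my wan-IP"); message 2 is invented and leaves via a remote relay.
SAMPLE_LOG = """\
Dec 6 23:30:40 machinename postfix/smtpd[3184]: 3653E371BAA1: client=unknown[203.0.113.7]
Dec 6 23:30:51 machinename postfix/qmgr[4628]: 3653E371BAA1: from=<SRS0=nFZn=KA=dont-exists.tld=spam@my_domin.tld>, size=379, nrcpt=1 (queue active)
Dec 6 23:30:51 machinename postfix/pipe[3577]: 3653E371BAA1: to=<my_address@my_domain.tld>, relay=dovecot, delay=56, delays=56/0/0/0, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 6 23:41:02 machinename postfix/smtpd[3190]: 4A11B371BAA2: client=unknown[203.0.113.7]
Dec 6 23:41:03 machinename postfix/smtp[3601]: 4A11B371BAA2: to=<someone@elsewhere.example>, relay=mx.elsewhere.example[198.51.100.25]:25, delay=1, dsn=2.0.0, status=sent (250 ok)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)")
CLIENT = re.compile(r"client=\S*?\[([0-9a-fA-F.:]+)\]")
SASL = re.compile(r"sasl_username=(\S+)")
SENT = re.compile(r"relay=([^,]+),.*status=sent")


def verdict(msg):
    """Name the outcome for one queue ID."""
    if not msg["remote"]:
        return "local delivery"
    return "relayed for trusted client" if msg["trusted"] else "UNAUTHENTICATED RELAY"


def audit(log, mynetworks=("127.0.0.0/8",)):
    """Map each queue ID to a verdict; mynetworks defaults to the posted value."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    msgs = {}
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        msg = msgs.setdefault(qid, {"trusted": False, "remote": False})
        if daemon == "smtpd":
            c = CLIENT.search(rest)
            in_net = c and any(ipaddress.ip_address(c.group(1)) in n for n in nets)
            # Trusted means: client inside mynetworks, or a SASL login was logged.
            if in_net or SASL.search(rest):
                msg["trusted"] = True
        else:
            s = SENT.search(rest)
            # Only a completed delivery to host[ip]:port counts as leaving the server.
            if s and "[" in s.group(1):
                msg["remote"] = True
    return {qid: verdict(msg) for qid, msg in msgs.items()}


if __name__ == "__main__":
    for qid, result in audit(SAMPLE_LOG).items():
        print(qid, result)
```
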