On 3/12/2013 1:57 PM, Noel Jones wrote:
> On 3/12/2013 1:35 PM, Alex wrote:
>> Hi,
>>
>>>> I have a really old system with an early version of postfix on it, but
>>>> I'm not sure the version really matters for my problem. I'm attempting
>>>> to use a pop-before-smtp hash as a way of providing authentication
>>>> prior to being able to use the server to send mail. However, it
>>>> doesn't appear to be working. I can telnet directly to port 25 from a
>>>> remote host and send mail to a local recipient on that server without
>>>> having authenticated through the pop-before-smtp system first.
>>>
>>> This is normal operation for a general-purpose mail server. Mail to
>>> local users can be received from anywhere (subject to spam
>>> controls). Only authorized users can relay to third-party
>>> destinations.
>>>
>>> This is a typical setup for an internet-facing mail server.
>>
>> It's somewhat of an internal server, despite being connected to the
>> Internet. No one was ever supposed to connect to it directly, and
>> trying to convert everyone to SMTP Auth is going to be a challenge.
>
> The config for an internal server is pretty simple, something like
>
> smtpd_recipient_restrictions =
>   check_client_access hash:/etc/postfix/allowed_clients

Just to be very clear, the allowed_clients map is a list of IP
addresses or client hostnames (not email addresses)

# allowed_clients
192.168.40.15  OK

**Note**: if the list of allowed clients will contain any mail
servers not under your control, e.g. hotmail or google, a little
different config is needed so you're not an open relay for those sites.

Better, more secure:

smtpd_recipient_restrictions =
  # next line optional
  permit_mynetworks
  check_client_access hash:/etc/postfix/pop-b-smtp
  reject_unauth_destination
  check_client_access hash:/etc/postfix/allowed_clients
  reject

  -- Noel Jones

>   check_client_access hash:/etc/postfix/pop-b-smtp
>   # next line optional
>   permit_mynetworks
>   # finally, reject anything not explicitly allowed
>   reject
>
>>
>>>> I'm working on
>>>> upgrading the server to use SMTP Auth, and only allowing port 25 from
>>>> trusted relays, but it's a long process.
>
> Don't bother until you've upgraded postfix. Getting AUTH (and TLS,
> which you'll need with AUTH) to work on ancient postfix isn't always
> easy, and you won't get much help here. And AUTH with dovecot wasn't
> supported until postfix 2.something.
>
>
>
>   -- Noel Jones
>
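
The difference between the two restriction orders in the message above, as an added example that is not part of the original post: a simplified first-match model of how a restriction list is walked, not Postfix's own code. The IP addresses, domains, table contents, shortened table names and the `decide` helper are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the thread).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"example.org"}              # stands in for mydestination
TABLES = {                                   # short names stand in for hash: maps
    "allowed_clients": {"192.168.40.15": "OK", "203.0.113.25": "OK"},
    "pop-b-smtp": {"198.51.100.7": "OK"},    # client that recently did POP
}

FIRST = ["check_client_access allowed_clients",
         "check_client_access pop-b-smtp",
         "permit_mynetworks",
         "reject"]
SECOND = ["permit_mynetworks",
          "check_client_access pop-b-smtp",
          "reject_unauth_destination",
          "check_client_access allowed_clients",
          "reject"]

def decide(restrictions, client_ip, rcpt):
    """Walk the list in order; the first OK or REJECT ends evaluation."""
    addr = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for item in restrictions:
        name, _, arg = item.partition(" ")
        if name == "permit_mynetworks":
            result = "OK" if any(addr in n for n in MYNETWORKS) else "DUNNO"
        elif name == "check_client_access":
            result = TABLES[arg].get(client_ip, "DUNNO")
        elif name == "reject_unauth_destination":
            result = "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"
        elif name == "reject":
            result = "REJECT"
        else:
            raise ValueError(f"unsupported restriction: {item}")
        if result != "DUNNO":
            return "PERMIT" if result == "OK" else "REJECT"
    return "PERMIT"  # end of list reached without a decision

if __name__ == "__main__":
    for label, cfg in (("first", FIRST), ("second", SECOND)):
        for ip in ("203.0.113.25", "198.51.100.7", "192.0.2.99"):
            for rcpt in ("user@example.org", "someone@example.net"):
                print(label, ip, rcpt, decide(cfg, ip, rcpt))
```

With the first order, any host listed in allowed_clients is permitted for every destination; with the second, such a host is permitted only for local recipients, while pop-before-smtp clients can still relay.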