On 10 May 2015, at 1:07, SH Development wrote:
> We use a separate server for our spam filtering which sends filtered
> mail to our postfix server. Lately, however, the spammers have been
> bypassing our spam server by sending mail directly to the postfix
> server.
>
> I thought I had it set up right, but I am still able to telnet in from
> an outside IP that is not in mynetworks and send a message through
> without authenticating.
>
> How can we only accept mail from both our auth users and only our spam
> server’s IP address?

It would be easier to give a precise answer if you had followed the
recommendations of http://www.postfix.org/DEBUG_README.html#mail and
included details of your existing config.
Generally, you should not be handling authenticated user submission and
inbound transport for final delivery with the same smtpd configuration,
but rather have a port 587 submission server for users with a line in
master.cf something like this:

submission inet n - n - - smtpd
  -o syslog_name=postfix/submit
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

With that in place, you can direct your users to use port 587 (the
submission standard port) with TLS encryption and authentication and not
need to write one Postfix config for two very different types of mail
(inbound for delivery and user initial submission of mail mostly headed
outbound.)
For your main.cf configuration, you may be able to clear out
smtpd_helo_restrictions and smtpd_recipient_restrictions entirely and
just set "smtpd_client_restrictions = permit_mynetworks,reject".
On the other hand, you may have more complex requirements but we can't
know that from the limited nature of your question.
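
Added example, not part of the original message and not Postfix code: a small Python audit that joins master.cf continuation lines the way Postfix does (a line starting with whitespace continues the previous one) and checks both listeners against the settings suggested in the reply. The sample files are constructed, 192.0.2.10 is a placeholder for the spam filter's address, and the function names are this example's own.

```python
import re
# Constructed sample input; 192.0.2.10 stands in for the spam filter's address.
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submit
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""
MAIN_CF = """\
mynetworks = 127.0.0.0/8 192.0.2.10/32
smtpd_client_restrictions = permit_mynetworks,reject
"""

def logical_lines(text):
    """Drop blanks and comments; leading whitespace continues the previous line."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def submission_overrides(master_text):
    """Return the -o overrides of the 'submission inet' service, or None."""
    for line in logical_lines(master_text):
        f = line.split()
        if len(f) >= 8 and f[:2] == ["submission", "inet"]:
            args = f[8:]  # everything after the command name
            return dict(v.split("=", 1) for o, v in zip(args, args[1:]) if o == "-o" and "=" in v)
    return None

def audit(master_text, main_text):
    """Return findings; an empty list means both listeners match the reply's advice."""
    sub = submission_overrides(master_text)
    if sub is None:
        return ["no submission service in master.cf"]
    want = {"smtpd_sasl_auth_enable": "yes", "smtpd_tls_security_level": "encrypt",
            "smtpd_recipient_restrictions": "permit_sasl_authenticated,reject"}
    findings = [f"submission: {k} is {sub.get(k)!r}, expected {v!r}"
                for k, v in want.items() if sub.get(k) != v]
    main = dict(re.split(r"\s*=\s*", l, maxsplit=1) for l in logical_lines(main_text))
    if re.split(r"[,\s]+", main.get("smtpd_client_restrictions", "")) != ["permit_mynetworks", "reject"]:
        findings.append("port 25: smtpd_client_restrictions is not permit_mynetworks,reject")
    return findings
```

A master.cf whose `-o` lines have lost their leading whitespace yields three submission findings, because the overrides no longer attach to the service entry.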