Here is the postconf -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 30720000
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = mydomain.com
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

> On May 10, 2015, at 12:30 PM, Bill Cole
> <postfixlists-070...@billmail.scconsult.com> wrote:
>
> On 10 May 2015, at 1:07, SH Development wrote:
>
>> We use a separate server for our spam filtering which sends filtered mail to
>> our postfix server. Lately, however, the spammers have been bypassing our
>> spam server by sending mail directly to the postfix server.
>>
>> I thought I had it set up right, but I am still able to telnet in from an
>> outside IP that is not in mynetworks and send a message through without
>> authenticating.
>>
>> How can we only accept mail from both our auth users and only our spam
>> server’s IP address?
>
> It would be easier to give a precise answer if you had followed the
> recommendations of http://www.postfix.org/DEBUG_README.html#mail and included
> details of your existing config.
>
> Generally, you should not be handling authenticated user submission and
> inbound transport for final delivery with the same smtpd configuration, but
> rather have a port 587 submission server for users with a line in master.cf
> something like this:
>
> submission inet n       -       n       -       -       smtpd
>   -o syslog_name=postfix/submit
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>
> With that in place, you can direct your users to use port 587 (the submission
> standard port) with TLS encryption and authentication and not need to write
> one Postfix config for two very different types of mail (inbound for delivery
> and user initial submission of mail mostly headed outbound.)
>
> For your main.cf configuration, you may be able to clear out
> smtpd_helo_restrictions and smtpd_recipient_restrictions entirely and just set
> "smtpd_client_restrictions = permit_mynetworks,reject"
>
> On the other hand, you may have more complex requirements but we can't know
> that from the limited nature of your question.
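
Added example, not written by either poster and not part of Postfix: a small checker that reads postconf -n output and reports whether an unauthenticated client outside mynetworks can still deliver to a hosted domain, which is the behaviour described in this thread. The function names and the simplified evaluation model are assumptions of this example.

```python
import re

# Restriction lists Postfix applies to each RCPT TO, in evaluation order.
LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
         "smtpd_sender_restrictions", "smtpd_recipient_restrictions")

# Constructed sample: the relevant lines of the postconf -n output above.
POSTED = """\
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
"""

def parse_postconf(text):
    """Turn 'name = value' lines into a dict; indented lines continue a value."""
    cfg, last = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and last:
            cfg[last] += " " + line.strip()
        elif "=" in line:
            last, value = (part.strip() for part in line.split("=", 1))
            cfg[last] = value
    return cfg

def accepts_outside_client(cfg):
    """Model an unauthenticated client outside mynetworks mailing a hosted domain.

    Simplification (assumption): only the actions named here are modelled;
    any other restriction is treated as not matching this client.
    """
    for name in LISTS:
        for action in re.split(r"[,\s]+", cfg.get(name, "").strip()):
            if action == "reject":
                return False      # unconditional reject: the client is refused
            if action == "permit":
                break             # this list is satisfied, go to the next one
            # permit_mynetworks / permit_sasl_authenticated do not match this
            # client; reject_unauth_destination does not match a hosted domain.
    return True                   # nothing rejected, so the mail is accepted

if __name__ == "__main__":
    print("outside client accepted:", accepts_outside_client(parse_postconf(POSTED)))
```

permit_mynetworks only lets the spam filter through if its address is listed in mynetworks; the posted value is 127.0.0.0/8.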