On Mon, May 16, 2016 at 07:25:54PM +0300, Catalin Badirca wrote:
> I am breaking my head trying to solve the following thing. I have a
> Postfix server that accepts mail from $mydomain and delivers for
"From $mydomain" probably has nothing to do with it.
> standard $mydestination. I also have smtp_relay_redtriction to
smtpd_relay_restrictions, spelling DOES count, and be especially
aware of the "smtp_* != smtpd_" issue.
> allow sasl and reject other destinations than $mydomain. Standard
s/mydomain/mydestination/ , that is.
> until now. The thing is: if I telnet to the machine and try to send
> mail from a valid address to another valid address in $mydomain I
> can do it without being forced to authenticate. I can easily force
> reject instead of reject_unauth_destination and take care of this
> but then no emails for me.
>
> Does anyone know a solution for this please ?
It's quite simple, actually.
Do not accept user submission on port 25. Remove all permit_*
restrictions from the global configuration. Don't advertise nor
accept AUTH on port 25.
Do not accept mail exchange on port 587.
main.cf:
...
smtpd_relay_restrictions = reject_unauth_destination
submission_relay_restrictions = permit_sasl_authenticated, reject
# smtpd_sasl_auth_enable is "no" by default, so omit that, but
# other smtpd_sasl_* settings can go here
...
master.cf:
...
submission inet n - n - - smtpd
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=$submission_relay_restrictions
  -o milter_macro_daemon_name=ORIGINATING
  -o syslog_name=postfix/submission
...
(That example assumes that TLS is set up for smtpd.)
Yes, someone can still "telnet" to port 25 and send mail to your
addresses/users. That's what mail exchange is. Nothing is magic
about telnet, it is just one of many ways to make a TCP connection.
That's the same thing an MTA client will do when delivering mail on
behalf of their user to one of your addresses.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
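The port-25 / port-587 split recommended above can be checked mechanically. The script below is an added example, not part of the thread or of Postfix itself: it parses a main.cf and a master.cf (a simplified reading of Postfix's config grammar, including `$name` expansion and indented `-o` continuation lines), then reports whether port 25 advertises AUTH or carries any permit_* relay shortcut, whether a misspelled `smtp_*` name shadows an `smtpd_*` parameter, and whether the submission service requires TLS-only SASL with `permit_sasl_authenticated, reject`. Both config pairs are constructed inline; the "bad" pair models the situation described in the question (the `smtp_relay_restrictions` typo is a constructed stand-in for the one quoted above), and the "good" pair is the configuration from the reply.

```python
"""Audit a Postfix main.cf/master.cf pair for the port-25 vs port-587 split.

Added example with constructed input. The parsing is a simplification of
Postfix's own config grammar, sufficient for the settings discussed here.
"""
import re

# smtpd_* parameters named in the thread; used to spot "smtp_" typos.
# (Assumption: a real audit would load the full list from `postconf -d`.)
SMTPD_PARAMS = {
    "smtpd_relay_restrictions", "smtpd_recipient_restrictions",
    "smtpd_sasl_auth_enable", "smtpd_tls_auth_only",
}


def parse_main_cf(text):
    """Return {name: value}; an indented line continues the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last is not None:
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {"type", "command", "overrides"}} from master.cf.

    Fields: name type private unpriv chroot wakeup maxproc command...
    Indented "-o name=value" lines are per-service overrides.
    """
    services, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if cur is not None and line.strip().startswith("-o "):
                k, _, v = line.strip()[3:].partition("=")
                services[cur]["overrides"][k.strip()] = v.strip()
            continue
        f = line.split()
        cur = f[0]
        services[cur] = {"type": f[1], "command": f[7], "overrides": {}}
    return services


def restriction_list(value, params):
    """Expand $name references from main.cf and split a restriction list."""
    value = re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), value)
    return [t for t in re.split(r"[,\s]+", value) if t]


def audit(main_text, master_text):
    """Return a list of findings; an empty list means the split is in place."""
    params = parse_main_cf(main_text)
    services = parse_master_cf(master_text)
    findings = []

    # Misspelled names are silently ignored by Postfix, so flag smtp_ vs smtpd_.
    for name in params:
        if name.startswith("smtp_") and "smtpd_" + name[5:] in SMTPD_PARAMS:
            findings.append(f"main.cf: {name} is probably a typo for smtpd_{name[5:]}")

    # Port 25 uses the global smtpd_* settings: no AUTH, no permit_* shortcuts.
    if params.get("smtpd_sasl_auth_enable", "no").lower() == "yes":
        findings.append("main.cf: smtpd_sasl_auth_enable=yes advertises AUTH on port 25")
    relay = restriction_list(params.get("smtpd_relay_restrictions", ""), params)
    if any(t.startswith("permit_") for t in relay):
        findings.append("main.cf: permit_* in smtpd_relay_restrictions applies to port 25")
    if not {"reject_unauth_destination", "defer_unauth_destination"} & set(relay):
        findings.append("main.cf: smtpd_relay_restrictions does not stop unauthorized relaying")

    # Port 587: SASL only over TLS, and relay only for authenticated clients.
    sub = services.get("submission")
    if sub is None or sub["command"] != "smtpd":
        findings.append("master.cf: no submission smtpd service")
        return findings
    ov = sub["overrides"]
    if ov.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("master.cf: submission does not enable SASL")
    if ov.get("smtpd_tls_auth_only") != "yes":
        findings.append("master.cf: submission accepts AUTH without TLS")
    sub_relay = restriction_list(ov.get("smtpd_relay_restrictions", ""), params)
    if sub_relay[:1] != ["permit_sasl_authenticated"] or sub_relay[-1:] != ["reject"]:
        findings.append("master.cf: submission relay restrictions are not "
                        "'permit_sasl_authenticated, reject'")
    return findings


# Constructed sample: the configuration recommended in the reply.
GOOD_MAIN = """
smtpd_relay_restrictions = reject_unauth_destination
submission_relay_restrictions = permit_sasl_authenticated, reject
"""
GOOD_MASTER = """
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=$submission_relay_restrictions
  -o milter_macro_daemon_name=ORIGINATING
  -o syslog_name=postfix/submission
"""
# Constructed sample modelling the question: typo, AUTH and permit_* on port 25.
BAD_MAIN = """
smtp_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""
BAD_MASTER = """
smtp       inet  n  -  n  -  -  smtpd
"""

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_MAIN, GOOD_MASTER)), ("bad", (BAD_MAIN, BAD_MASTER))):
        print(label, audit(*pair) or "OK")
```

Running it prints "OK" for the recommended pair and four findings for the constructed one. On a real host the same checks can be fed with the output of `postconf -n` and the master.cf file, which is also where the "smtp_* != smtpd_*" mistake shows up: Postfix accepts the misspelled name without complaint and simply never applies it.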