Thank you very much for your time and sorry for the long response time. I've tried your suggestion and the issue remains. Someone could telnet into postfix and would be allowed to send mails from a valid address to another valid address in mydomain without authentication.
Is there any way I can stop potential spam for mydomain? Thank you!

Sent from my iPhone

> On 16 May 2016, at 20:21, /dev/rob0 <r...@gmx.co.uk> wrote:
>
>> On Mon, May 16, 2016 at 07:25:54PM +0300, Catalin Badirca wrote:
>> I am breaking my head trying to solve the following thing. I have a
>> Postfix server that accepts mail from $mydomain and delivers for
>
> "From $mydomain" probably has nothing to do with it.
>
>> standard $mydestination. I also have smtp_relay_redtriction to
>
> smtpd_relay_restrictions, spelling DOES count, and be especially
> aware of the "smtp_* != smtpd_" issue.
>
>> allow sasl and reject other destinations than $mydomain. Standard
>
> s/mydomain/mydestination/ , that is.
>
>> until now. The thing is: if I telnet to the machine and try to send
>> mail from a valid address to another valid address in $mydomain I
>> can do it without being forced to authenticate. I can easily force
>> reject instead of reject_unauth_destination and take care of this
>> but then no emails for me.
>>
>> Does anyone know a solution for this please?
>
> It's quite simple, actually.
>
> Do not accept user submission on port 25. Remove all permit_*
> restrictions from the global configuration. Don't advertise nor
> accept AUTH on port 25.
>
> Do not accept mail exchange on port 587.
>
> main.cf:
> ...
> smtpd_relay_restrictions = reject_unauth_destination
> submission_relay_restrictions = permit_sasl_authenticated, reject
> # smtpd_sasl_auth_enable is "no" by default, so omit that, but
> # other smtpd_sasl_* settings can go here
> ...
>
> master.cf:
> ...
> submission inet n - n - - smtpd
>   -o smtpd_tls_auth_only=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_recipient_restrictions=
>   -o smtpd_relay_restrictions=$submission_relay_restrictions
>   -o milter_macro_daemon_name=ORIGINATING
>   -o syslog_name=postfix/submission
> ...
>
> (That example assumes that TLS is set up for smtpd.)
>
> Yes, someone can still "telnet" to port 25 and send mail to your
> addresses/users. That's what mail exchange is. Nothing is magic
> about telnet, it is just one of many ways to make a TCP connection.
> That's the same thing an MTA client will do when delivering mail on
> behalf of their user to one of your addresses.
> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
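The port-25 versus port-587 split that /dev/rob0 describes above is easy to get subtly wrong (a permit_* left in the global smtpd_relay_restrictions, AUTH still advertised on 25, a submission entry without the -o overrides). The following is an added example, not code posted by anyone in this thread or shipped with Postfix: a small lint that parses a main.cf/master.cf pair, resolves each inet smtpd service's effective settings (including the "-o" overrides and "$name" expansion), and reports deviations from the recommended layout. It assumes the port-25 service is the one whose name is not "submission" or "587", and the two configuration pairs embedded in it are constructed for illustration, one in the shape the original poster likely has and one in the shape rob0 recommends.

```python
"""Lint a Postfix main.cf / master.cf pair for the port-25 / port-587 split.

Added example (not from the postfix-users thread or the Postfix project).
Assumption: services named "submission" or "587" are user submission;
every other inet smtpd service is treated as port-25 mail exchange.
"""
import re

# Constructed sample: the global configuration the original poster likely has.
WEAK_MAIN_CF = """
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""
WEAK_MASTER_CF = """
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
"""

# Constructed sample in the shape rob0 recommends (TLS assumed configured).
FIXED_MAIN_CF = """
smtpd_relay_restrictions = reject_unauth_destination
submission_relay_restrictions = permit_sasl_authenticated, reject
"""
FIXED_MASTER_CF = """
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=$submission_relay_restrictions
  -o milter_macro_daemon_name=ORIGINATING
  -o syslog_name=postfix/submission
"""


def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {"type", "command", "overrides"}}; indented '-o name=value' lines are overrides."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", raw)
            if m and current is not None:
                services[current]["overrides"][m.group(1)] = m.group(2).strip()
            continue
        f = raw.split()  # service type private unpriv chroot wakeup maxproc command
        current = f[0]
        services[current] = {"type": f[1], "command": f[7] if len(f) > 7 else "", "overrides": {}}
    return services


def expand(value, params, depth=0):
    """Expand $name / ${name} references (a simplified 'postconf -x')."""
    if depth > 10:
        return value
    return re.sub(r"\$\{(\w+)\}|\$(\w+)",
                  lambda m: expand(params.get(m.group(1) or m.group(2), ""), params, depth + 1),
                  value)


def effective(service, main_params, services):
    """Global parameters with the service's -o overrides applied, then expanded."""
    merged = dict(main_params)
    merged.update(services[service]["overrides"])
    return {k: expand(v, merged) for k, v in merged.items()}


def lint(main_cf, master_cf):
    """Return a list of human-readable findings; an empty list means the split looks right."""
    findings, main_params = [], parse_main_cf(main_cf)
    services = parse_master_cf(master_cf)
    for name, svc in services.items():
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        eff = effective(name, main_params, services)
        tokens = [t for t in re.split(r"[\s,]+", eff.get("smtpd_relay_restrictions", "")) if t]
        sasl = eff.get("smtpd_sasl_auth_enable", "no")  # Postfix default is "no"
        if name in ("submission", "587"):  # user submission: TLS + AUTH, nothing else relays
            if sasl != "yes":
                findings.append(f"{name}: smtpd_sasl_auth_enable must be yes")
            if eff.get("smtpd_tls_auth_only", "no") != "yes":
                findings.append(f"{name}: smtpd_tls_auth_only should be yes")
            if "permit_sasl_authenticated" not in tokens or not tokens or tokens[-1] != "reject":
                findings.append(f"{name}: smtpd_relay_restrictions should be 'permit_sasl_authenticated, reject'")
        else:  # port 25: mail exchange only, no AUTH, no permit_* shortcuts
            if sasl == "yes":
                findings.append(f"{name}: AUTH must not be enabled or advertised on port 25")
            if any(t.startswith("permit_") for t in tokens):
                findings.append(f"{name}: remove permit_* from smtpd_relay_restrictions on port 25")
            if "reject_unauth_destination" not in tokens:
                findings.append(f"{name}: smtpd_relay_restrictions must contain reject_unauth_destination")
    return findings


if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_MAIN_CF, WEAK_MASTER_CF)), ("fixed", (FIXED_MAIN_CF, FIXED_MASTER_CF))):
        print(label, lint(*pair) or ["no findings"])
```

Note that the lint only checks the relay and AUTH split; as rob0 says, port 25 must still accept mail from anyone to addresses in $mydestination, so a clean result here does not (and should not) mean that unauthenticated MAIL FROM your own domain is refused on port 25.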