On 1/19/2017 11:49 PM, SH Development wrote:
> I have a server running Xeams for spam filtering, and another server running 
> Postfix 2.6.6.  Both servers are on the same network behind a firewall.  
> Haven’t had any problems until recently when Xeams tech support pointed out 
> that my Xeams server is showing as an open relay, but my Postfix server is 
> not.  They are telling me it’s because my Postfix server config is broken by 
> not rejecting invalid user addresses passed through from Xeams.
> 
> Sure enough, if I telnet from any machine on the same network as the Postfix 
> server, it accepts email to any user, real or not.  However, from any other 
> machine outside that network, it rejects invalid addresses as it should.  
> I have tried some variations with the mynetworks but that seems to break 
> other things.
> 
> I need to close this hole up.  I don’t think it’s been abused as of yet, but 
> it’s only a matter of time.
> 

You'll need to describe your mail flow and the problem in more detail,
including logs of the unwanted behavior.

Does postfix have a list of valid users?

I don't see where you've defined mynetworks.

Does all internet mail flow through your Xeams server?  Does postfix
see that mail as coming from the local network (rather than from the
original IP)?

>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated 
>> reject_unauth_destination reject

The final "reject" here and repeated in the other
smtpd_*_restrictions prevents postfix from accepting *any* mail not
authenticated or not from mynetworks.




  -- Noel Jones

> Attached is the postconf -n output.
> 
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> html_directory = no
> inet_interfaces = all
> inet_protocols = ipv4
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 30720000
> mydestination = $myhostname, localhost, localhost.localdomain
> mydomain = starionhost.net
> myhostname = mail.starionhost.net
> newaliases_path = /usr/bin/newaliases.postfix
> proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps 
> $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains 
> $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps 
> $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
> $virtual_mailbox_limit_maps
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
> sample_directory = /usr/share/doc/postfix-2.6.6/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated 
> reject_unauth_destination reject
> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated 
> reject_unauth_destination reject
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_tls_CAfile = /etc/pki/tls/cert.pem
> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
> smtpd_use_tls = yes
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, 
> mysql:/etc/postfix/mysql-virtual_email2email.cf
> virtual_gid_maps = static:5000
> virtual_mailbox_base = /home/vmail
> virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
> virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
> virtual_transport = dovecot
> virtual_uid_maps = static:5000
> 
> Jeff
> 
> 
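
Added example, not part of the original thread or of Postfix itself: a simplified Python model of first-match-wins evaluation of the restriction list from the posted postconf -n output, showing which entry decides for clients inside and outside mynetworks. The mynetworks subnet, client addresses and recipients are constructed placeholders (the thread never shows mynetworks), the names evaluate, POSTED and NO_FINAL_REJECT are hypothetical, and only the four restrictions in the posted list are modelled, with reject_unauth_destination reduced to a mydestination lookup.

```python
import ipaddress

# Constructed placeholder: the thread never shows the mynetworks value.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
# mydestination from the posted postconf -n, with $myhostname expanded.
# The MySQL-backed virtual domains are not modelled.
LOCAL_DOMAINS = {"mail.starionhost.net", "localhost", "localhost.localdomain"}

POSTED = ("permit_mynetworks permit_sasl_authenticated "
          "reject_unauth_destination reject")
# Same list minus the trailing "reject", for comparison only.
NO_FINAL_REJECT = POSTED.rsplit(" ", 1)[0]


def evaluate(restrictions, client_ip, sasl_authenticated, rcpt):
    """Return (verdict, deciding_restriction) for one RCPT TO.

    Restrictions are tried left to right; the first one that yields a
    permit or reject decides, and later entries are never consulted.
    """
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for name in restrictions.split():
        if name == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return "permit", name
        elif name == "permit_sasl_authenticated":
            if sasl_authenticated:
                return "permit", name
        elif name == "reject_unauth_destination":
            if domain not in LOCAL_DOMAINS:
                return "reject", name
        elif name == "reject":
            return "reject", name
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return "permit", "(end of list)"  # nothing matched: list does not object


if __name__ == "__main__":
    cases = [  # constructed sessions: (client IP, SASL authenticated, recipient)
        ("192.0.2.10", False, "nosuchuser@elsewhere.example"),
        ("198.51.100.7", False, "someone@mail.starionhost.net"),
        ("198.51.100.7", False, "nosuchuser@elsewhere.example"),
        ("198.51.100.7", True, "nosuchuser@elsewhere.example"),
    ]
    for case in cases:
        print(case, evaluate(POSTED, *case), evaluate(NO_FINAL_REJECT, *case))
```

In this model a client inside mynetworks is permitted by the first entry before the destination check is reached, while an unauthenticated outside client is rejected by the trailing "reject" even for a domain listed in mydestination.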
