Postfix, I assumed, got its valid users from the same place Dovecot is getting them, the MySQL database.
In the postconf -n I posted, it may not have shown the mynetworks as I have gone from trying different things to leaving it at default. It was probably at default when I generated it. I have tried making mynetworks localhost only, which results in client unauthorized errors when receiving mail. Any change I’ve made to mynetworks has resulted in incoming mail being rejected. I’m sure I’m missing something here.

All incoming mail from the outside world flows through Xeams. All outgoing mail from our users goes through Dovecot and Postfix.

On the repeated “reject”, are you saying that this is unnecessary? My understanding in setting it that way was that directives are matched from the beginning of the line and by having a final “reject” it would catch any anomalies that might make it through the first tests.

Not an expert by any means, just following some advice I probably received at one time.

Jeff

> On Jan 20, 2017, at 9:05 AM, Noel Jones <njo...@megan.vbhcs.org> wrote:
>
> On 1/19/2017 11:49 PM, SH Development wrote:
>> I have a server running Xeams for spam filtering, and another server running
>> Postfix 2.6.6. Both servers are on the same network behind a firewall.
>> Haven’t had any problems until recently when Xeams tech support pointed out
>> that my Xeams server is showing as an open relay, but my Postfix server is
>> not. They are telling me it’s because my Postfix server config is broken by
>> not rejecting invalid user addresses passed through from Xeams.
>>
>> Sure enough, if I telnet from any machine on the same network as the Postfix
>> server, it accepts email to any user, real or not. However, from any other
>> machine outside that network, it rejects invalid addresses as it should.
>> I have tried some variations with the mynetworks but that seems to break
>> other things.
>>
>> I need to close this hole up. I don’t think it’s been abused as of yet, but
>> it’s only a matter of time.
>>
>
> You'll need to describe your mail flow and the problem in more detail,
> including logs of the unwanted behavior.
>
> Does postfix have a list of valid users?
>
> I don't see where you've defined mynetworks.
>
> Does all internet mail flow through your Xeams server? Does postfix
> see that mail as coming from the local network (rather than from the
> original IP)?
>
>>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
>>> reject_unauth_destination reject
>
> The final "reject" here and repeated in the other
> smtpd_*_restrictions prevents postfix from accepting *any* mail not
> authenticated or not from mynetworks.
>
> -- Noel Jones
>
>> Attached is the postconf -n output.
>>
>> alias_database = hash:/etc/aliases
>> alias_maps = hash:/etc/aliases
>> broken_sasl_auth_clients = yes
>> command_directory = /usr/sbin
>> config_directory = /etc/postfix
>> daemon_directory = /usr/libexec/postfix
>> data_directory = /var/lib/postfix
>> debug_peer_level = 2
>> html_directory = no
>> inet_interfaces = all
>> inet_protocols = ipv4
>> mail_owner = postfix
>> mailq_path = /usr/bin/mailq.postfix
>> manpage_directory = /usr/share/man
>> message_size_limit = 30720000
>> mydestination = $myhostname, localhost, localhost.localdomain
>> mydomain = starionhost.net
>> myhostname = mail.starionhost.net
>> newaliases_path = /usr/bin/newaliases.postfix
>> proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
>> $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
>> $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
>> $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
>> $virtual_mailbox_limit_maps
>> queue_directory = /var/spool/postfix
>> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
>> sample_directory = /usr/share/doc/postfix-2.6.6/samples
>> sendmail_path = /usr/sbin/sendmail.postfix
>> setgid_group = postdrop
>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
>> reject_unauth_destination reject
>> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
>> reject_unauth_destination reject
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_authenticated_header = yes
>> smtpd_sasl_path = private/auth
>> smtpd_sasl_type = dovecot
>> smtpd_tls_CAfile = /etc/pki/tls/cert.pem
>> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
>> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
>> smtpd_use_tls = yes
>> unknown_local_recipient_reject_code = 550
>> virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
>> mysql:/etc/postfix/mysql-virtual_email2email.cf
>> virtual_gid_maps = static:5000
>> virtual_mailbox_base = /home/vmail
>> virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
>> virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
>> virtual_transport = dovecot
>> virtual_uid_maps = static:5000
>>
>> Jeff
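A simplified model of how a single smtpd restriction list is walked, added here as an illustration (it is not part of the thread and not Postfix's own code). It shows why the trailing "reject" turns away the Xeams relay as soon as that host is no longer covered by mynetworks. The IP addresses and example.com are constructed, and recipient validation is not modelled.

```python
import ipaddress

# Restriction list from the posted postconf -n (identical in both smtpd_*_restrictions).
POSTED = ["permit_mynetworks", "permit_sasl_authenticated",
          "reject_unauth_destination", "reject"]
HOSTED = {"example.com"}          # constructed stand-in for virtual_mailbox_domains
SUBNET = ["192.168.1.0/24"]       # constructed: LAN shared by Xeams and Postfix
LOOPBACK = ["127.0.0.0/8"]        # the "localhost only" mynetworks attempt

def evaluate(restrictions, client_ip, mynetworks, sasl_auth, rcpt_domain):
    """Walk one list left to right; the first result other than DUNNO decides."""
    ip = ipaddress.ip_address(client_ip)
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(net) for net in mynetworks):
                return ("PERMIT", name)
        elif name == "permit_sasl_authenticated":
            if sasl_auth:
                return ("PERMIT", name)
        elif name == "reject_unauth_destination":
            if rcpt_domain not in HOSTED:   # simplified: not a domain hosted here
                return ("REJECT", name)
        elif name == "reject":
            return ("REJECT", name)         # unconditional: nothing gets past it
        else:
            raise ValueError("restriction not modelled: " + name)
    return ("DUNNO", None)                  # list exhausted, no decision made here

def scenarios():
    xeams, outside = "192.168.1.20", "203.0.113.5"   # constructed addresses
    return {
        "xeams, subnet in mynetworks":
            evaluate(POSTED, xeams, SUBNET, False, "example.com"),
        "xeams, localhost-only mynetworks":
            evaluate(POSTED, xeams, LOOPBACK, False, "example.com"),
        "outside user with SASL":
            evaluate(POSTED, outside, LOOPBACK, True, "example.org"),
        "xeams, localhost-only, no final reject":
            evaluate(POSTED[:-1], xeams, LOOPBACK, False, "example.com"),
    }

if __name__ == "__main__":
    for label, (action, decided_by) in scenarios().items():
        print(f"{label:42} {action:7} {decided_by}")
```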