Wietse Venema wrote
> Wietse Venema:
>> Postfix User:
>> > smtpd_relay_restrictions = permit_mynetworks,
>> >     permit_sasl_authenticated,
>> >     reject_unauth_destination
>>
>> This will be an open relay if all your SMTP mail is logged with the
>> same client IP address, i.e. your SMTP mail comes from some box
>> that is in mynetworks, and Postfix never sees the original SMTP
>> client IP address.
>
> Meh, that wasn't the problem.

Can you please be more specific about this problem? Do you think this will be an open relay because I removed the check_sender_access restriction?

I tested this config, and it seems like it is an open relay for authenticated users. Here is the result:

Authenticated sender
  From             To               Action
  local address    any              OK
  remote address   remote address   OK (this should be REJECT if the authenticated user is not the same as the From address)
  remote address   local address    OK

Not authenticated sender
  From             To               Action
  remote address   local address    OK
  remote address   remote address   REJECT

To fix the open relay problem for authenticated sender addresses, I added the check_sender_access parameter, but now it is not possible to send emails from remote to local addresses. I get:

  554 5.7.1 <remote address>: Sender address rejected: Access denied.

This makes sense, because the remote sender is not

  permit_mynetworks         : in mynetworks
  permit_sasl_authenticated : authenticated
  reject_unauth_destination : rejected, but not permitted either
  check_sender_access       : in allowed senders lookup table

postconf -n | grep smtpd_relay_restrictions
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_sender_access mysql:/etc/postfix/sqlconf/sender_access.cf

sender_access.cf
query = SELECT if(count(*) = 0, "REJECT", "OK") FROM users u WHERE u.username='%u' AND u.domain='%d' AND u.active='1';

To fix the 554 problem, I added the permit_auth_destination restriction, and now it is possible to receive emails from remote senders.

The open relay problem for authenticated users from remote to remote address is still there, because check_sender_access is after permit_sasl_authenticated.

postconf -n | grep smtpd_relay_restrictions
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit_auth_destination, check_sender_access /etc/postfix/sqlconf/sender_access.cf

Authenticated sender
  From             To               Action
  local address    any              OK
  remote address   remote address   OK (this should be REJECT if the authenticated user is not the same as the From address)
  remote address   local address    OK

Not authenticated sender
  From             To               Action
  any              local address    OK
  remote address   remote address   REJECT

-- 
View this message in context: http://postfix.1071664.n5.nabble.com/Prevent-Backscatter-tp88359p88390.html
Sent from the Postfix Users mailing list archive at Nabble.com.
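
Added example, not part of the original post: a simplified Python model of first-match-wins restriction evaluation, run against the second and third smtpd_relay_restrictions lists from the message, showing which restriction decides each test case. The domain example.com, the mailbox alice@example.com, the remote addresses and all helper names are constructed assumptions.

```python
# Simplified model of Postfix first-match-wins restriction evaluation.
# Assumed sample data (constructed): one local domain, one active mailbox.
LOCAL_DOMAINS = {"example.com"}
ACTIVE_USERS = {"alice@example.com"}

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def permit_mynetworks(s):
    return "OK" if s["in_mynetworks"] else "DUNNO"

def permit_sasl_authenticated(s):
    return "OK" if s["sasl_user"] else "DUNNO"

def reject_unauth_destination(s):
    return "DUNNO" if domain(s["rcpt"]) in LOCAL_DOMAINS else "REJECT"

def permit_auth_destination(s):
    return "OK" if domain(s["rcpt"]) in LOCAL_DOMAINS else "DUNNO"

def check_sender_access(s):
    # Mirrors the posted SQL: every sender gets a verdict, never DUNNO.
    return "OK" if s["sender"].lower() in ACTIVE_USERS else "REJECT"

def evaluate(restrictions, session):
    """Return (verdict, deciding restriction); the first non-DUNNO result wins."""
    for r in restrictions:
        verdict = r(session)
        if verdict != "DUNNO":
            return verdict, r.__name__
    return "OK", "end of list"

SECOND = [permit_mynetworks, permit_sasl_authenticated,
          reject_unauth_destination, check_sender_access]
THIRD = [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
         permit_auth_destination, check_sender_access]

def session(sender, rcpt, sasl_user=None, in_mynetworks=False):
    return {"sender": sender, "rcpt": rcpt, "sasl_user": sasl_user,
            "in_mynetworks": in_mynetworks}

if __name__ == "__main__":
    cases = {
        "auth, remote From -> remote": session("x@remote.test", "y@other.test", "alice@example.com"),
        "unauth, remote From -> local": session("x@remote.test", "alice@example.com"),
        "unauth, remote From -> remote": session("x@remote.test", "y@other.test"),
    }
    for name, s in cases.items():
        print(f"{name:32} second={evaluate(SECOND, s)} third={evaluate(THIRD, s)}")
```

In both lists the authenticated session is decided by permit_sasl_authenticated, so the sender lookup is never consulted for it.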