> On Jul 25, 2018, at 11:24 AM, Software Information
> <softwareinfor...@gmail.com> wrote:
>
> Hi. Thanks for replying. Let's say my internal domain is test.com. I can
> telnet to the server and send an email as u...@example.com out to anyone on
> the internet. They have a problem with that. So I thought maybe I could fix
> this by configuring the server to only accept outgoing mail from
> us...@test.com. Not sure if that is best or there is a better way.
That's not what an "open relay" is. What you have is, arguably, a lack
of "egress filtering", where you're not checking that messages leaving
your network claim to originate from your network.

Whether such "egress filtering" is the right thing to do depends on what
use-cases you support for email.

1. Do you have any externally reachable email lists that expand
   to a recipient list that includes external addresses? Say a
   list for a board of directors, that includes outside directors?

2. Do any of your users automatically and legitimately forward some
   of their incoming mail to an external mailbox?

3. Do any of your users "resend" messages, retaining the original
   message structure, adding only Resent-{From,Date,Message-Id}
   headers?

In cases 1 and 2, you'd expect to see some legitimate outbound email
that has an external "From:" address and an external envelope sender
address. In case 3, you'd expect to see some legitimate outbound
email that has an external "From:" (header) address.

It is not too difficult to configure Postfix to restrict outbound
email to internal envelope sender addresses, which will work,
provided you don't have cases 1, 2 or similar.

It is considerably more difficult to restrict external email
delivery based on the message "From:" header. What should
happen with a multi-recipient message with some internal
and some external recipients when it is discovered that
the "From:" header is not internal? You'd need a complex
content filter or milter to implement policies in this
space.
The auditors were following a checklist; their job is done
once they've raised every potential issue. Now you need to
decide which issues require changes, and which issues are
acceptable features of your environment.
If you do decide to filter outbound email by envelope sender,
you can add:

main.cf:
    indexed = ${default_database_type}:${config_directory}/
    smtpd_sender_restrictions =
        check_sender_access ${indexed}relay-senders,
        reject_unauth_destination

relay-senders:
    example.com permit_mynetworks, permit_sasl_authenticated
    example.net permit_mynetworks, permit_sasl_authenticated
--
Viktor.
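To see how the smtpd_sender_restrictions list in the reply above decides each RCPT TO, here is an added Python model of that evaluation. It is not part of the original post and not Postfix code; it simplifies the real thing (only the sender restriction list is modelled, access-table lookup is "full address, then domain, then parent domains" as with the default parent_domain_matches_subdomains setting, and a final DUNNO means "no decision here, later restriction lists decide"). The networks, domains, addresses and relay-senders entries are constructed for the example. Note the second scenario: auto-forwarded mail with an external envelope sender (case 2 in the reply) is exactly what this policy rejects.

```python
# Added example: simplified model of Postfix smtpd_sender_restrictions with
# check_sender_access + reject_unauth_destination. Not the project's own code.
import ipaddress
from dataclasses import dataclass

# Constructed site parameters (assumptions, not from the original post)
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
MYDESTINATION = {"example.com", "mail.example.com"}   # delivered locally
RELAY_DOMAINS = set()                                   # we relay for nobody else

# Constructed relay-senders access table: key -> restriction list applied on hit
RELAY_SENDERS = {
    "example.com": ["permit_mynetworks", "permit_sasl_authenticated"],
    "example.net": ["permit_mynetworks", "permit_sasl_authenticated"],
}


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    envelope_sender: str   # MAIL FROM address
    recipient: str         # RCPT TO address; restrictions run once per recipient


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def in_mynetworks(ip):
    a = ipaddress.ip_address(ip)
    return any(a in net for net in MYNETWORKS)


def permit_mynetworks(s):
    return "PERMIT" if in_mynetworks(s.client_ip) else "DUNNO"


def permit_sasl_authenticated(s):
    return "PERMIT" if s.sasl_authenticated else "DUNNO"


def reject_unauth_destination(s):
    # Reject unless the recipient domain is one we deliver or relay for.
    d = domain_of(s.recipient)
    return "DUNNO" if d in MYDESTINATION or d in RELAY_DOMAINS else "REJECT"


def check_sender_access(s):
    # Lookup order: full address, domain, then parent domains (default
    # parent_domain_matches_subdomains includes smtpd_access_maps).
    dom = domain_of(s.envelope_sender)
    parts = dom.split(".")
    keys = [s.envelope_sender.lower(), dom]
    keys += [".".join(parts[i:]) for i in range(1, len(parts) - 1)]
    for key in keys:
        if key in RELAY_SENDERS:
            # A hit evaluates the nested restriction list from the table.
            return evaluate(RELAY_SENDERS[key], s)
    return "DUNNO"


RESTRICTIONS = {f.__name__: f for f in (
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, check_sender_access)}


def evaluate(names, s):
    # The first restriction that returns PERMIT or REJECT ends the list.
    for name in names:
        result = RESTRICTIONS[name](s)
        if result != "DUNNO":
            return result
    return "DUNNO"


SMTPD_SENDER_RESTRICTIONS = ["check_sender_access", "reject_unauth_destination"]


def decide(s):
    return evaluate(SMTPD_SENDER_RESTRICTIONS, s)


if __name__ == "__main__":
    cases = [
        ("internal client, internal sender, external recipient",
         Session("192.0.2.10", False, "alice@example.com", "bob@external.invalid")),
        ("internal client forwarding mail with external envelope sender (case 2)",
         Session("192.0.2.10", False, "news@external.invalid", "alice@other.invalid")),
        ("outside client claiming our sender domain, external recipient",
         Session("203.0.113.5", False, "alice@example.com", "bob@external.invalid")),
        ("outside client, external sender, mail addressed to us",
         Session("203.0.113.5", False, "bob@external.invalid", "alice@example.com")),
    ]
    for label, session in cases:
        print(f"{decide(session):6} {label}")
```

Run it as a script to see the four decisions; the outside client naming example.com as sender gets neither permit_mynetworks nor permit_sasl_authenticated, so the table hit yields DUNNO and reject_unauth_destination then rejects the external recipient, which is why this table does not turn into an open relay for anyone who spoofs your domain.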