Wow. You learn as you go. Thanks very much for the insight. I will experiment to see what works best for us.

On Wed, Jul 25, 2018 at 10:44 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> > On Jul 25, 2018, at 11:24 AM, Software Information <softwareinfor...@gmail.com> wrote:
> >
> > Hi. Thanks for replying. Let's say my internal domain is test.com. I
> > can telnet to the server and send an email as u...@example.com out to
> > anyone on the internet. They have a problem with that. So I thought maybe I
> > could fix this by configuring the server to only accept outgoing mail from
> > us...@test.com. Not sure if that is best or there is a better way.
>
> That's not what an "open relay" is. What you have is, arguably, a lack
> of "egress filtering", where you're not checking that messages leaving
> your network claim to originate from your network.
>
> Whether such "egress filtering" is the right thing to do depends on what
> use-cases you support for email.
>
> 1. Do you have any externally reachable email lists that expand
>    to a recipient list that includes external addresses? Say a
>    list for a board of directors, that includes outside directors?
>
> 2. Do any of your users automatically and legitimately forward some
>    of their incoming mail to an external mailbox?
>
> 3. Do any of your users "resend" messages, retaining the original
>    message structure, adding only Resent-{From,Date,Message-Id}
>    headers?
>
> In cases 1 and 2, you'd expect to see some legitimate outbound email
> that has an external "From:" address and an external envelope sender
> address. In case 3, you'd expect to see some legitimate outbound
> email that has an external "From:" (header) address.
>
> It is not too difficult to configure Postfix to restrict outbound
> email to internal envelope sender addresses, which will work,
> provided you don't have cases 1, 2 or similar.
>
> It is considerably more difficult to restrict external email
> delivery based on the message "From:" header. What should
> happen with a multi-recipient message with some internal
> and some external recipients when it is discovered that
> the "From:" header is not internal? You'd need a complex
> content filter or milter to implement policies in this
> space.
>
> The auditors were following a checklist; their job is done
> once they've raised every potential issue. Now you need to
> decide which issues require changes, and which issues are
> acceptable features of your environment.
>
> If you do decide to filter outbound email by envelope sender,
> you can add:
>
> main.cf:
>     indexed = ${default_database_type}:${config_directory}/
>     smtpd_sender_restrictions =
>         check_sender_access ${indexed}relay-senders,
>         reject_unauth_destination
>
> relay-senders:
>     example.com     permit_mynetworks, permit_sasl_authenticated
>     example.net     permit_mynetworks, permit_sasl_authenticated
>
> --
> Viktor.
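To see what the quoted restriction list actually does to a handful of realistic sessions (internal user, roaming authenticated user, a LAN client spoofing an outside sender, inbound mail from the Internet, a bounce with the null sender, and the forwarding case Viktor warns about), here is an added example written for this page. It is not Postfix code and not from the thread; it is a small Python model of how smtpd evaluates `check_sender_access relay-senders, reject_unauth_destination`. The network ranges, local domains and sessions are constructed, the access-table key order follows access(5) with the default `parent_domain_matches_subdomains`, and it assumes the default `smtpd_delay_reject = yes`, so that a recipient is known when the sender restrictions run.

```python
"""Model of smtpd_sender_restrictions = check_sender_access relay-senders,
reject_unauth_destination.  Added illustration for this page, not Postfix
code; all site parameters and sessions below are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for main.cf settings.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"example.com", "example.net", "localhost"}  # local recipient domains
RELAY_DOMAINS = set()                                          # domains we are backup MX for

# The relay-senders table from the thread: access(5) key -> restriction list
# that is evaluated when that key matches the envelope sender.
RELAY_SENDERS = {
    "example.com": ["permit_mynetworks", "permit_sasl_authenticated"],
    "example.net": ["permit_mynetworks", "permit_sasl_authenticated"],
}

SMTPD_SENDER_RESTRICTIONS = ["check_sender_access relay-senders",
                             "reject_unauth_destination"]


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    sender: str        # envelope sender (MAIL FROM); "" is the null sender <>
    recipient: str     # envelope recipient (RCPT TO)


def sender_lookup_keys(sender: str) -> list:
    """Keys an access(5) lookup tries for an envelope sender, in order:
    the null-sender key, else user@domain, the domain and each parent
    domain (parent_domain_matches_subdomains includes smtpd_access_maps
    by default), then user@.  Assumes the table holds bare domain keys."""
    if sender == "":
        return ["<>"]                      # smtpd_null_access_lookup_key default
    local, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    keys = [sender] + [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(local + "@")
    return keys


def client_in_mynetworks(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def evaluate(restrictions: list, s: Session) -> str:
    """Walk a restriction list; return PERMIT, REJECT or DUNNO (no decision)."""
    for r in restrictions:
        if r == "permit_mynetworks":
            if client_in_mynetworks(s.client_ip):
                return "PERMIT"
        elif r == "permit_sasl_authenticated":
            if s.sasl_authenticated:
                return "PERMIT"
        elif r == "reject_unauth_destination":
            # The anti-open-relay check: recipient must be local or a relay domain.
            rcpt_domain = s.recipient.rpartition("@")[2].lower()
            if rcpt_domain not in MYDESTINATION | RELAY_DOMAINS:
                return "REJECT"
        elif r.startswith("check_sender_access "):
            table = {"relay-senders": RELAY_SENDERS}[r.split()[1]]
            for key in sender_lookup_keys(s.sender.lower()):
                if key in table:
                    verdict = evaluate(table[key], s)   # result is itself a restriction list
                    if verdict != "DUNNO":
                        return verdict
                    break          # first matching key decides; DUNNO falls through
        elif r in ("permit", "reject"):
            return r.upper()
        else:
            raise ValueError(f"unsupported restriction {r!r}")
    return "DUNNO"


def decide(s: Session) -> str:
    """Outcome of smtpd_sender_restrictions for one RCPT TO; a restriction
    list that reaches its end without a decision permits."""
    verdict = evaluate(SMTPD_SENDER_RESTRICTIONS, s)
    return "PERMIT" if verdict == "DUNNO" else verdict


# Constructed sessions; 192.0.2.0/24 is the LAN, 203.0.113.5 is an outside host.
SCENARIOS = {
    "lan user, internal sender, outside rcpt":      Session("192.0.2.10", False, "alice@example.com", "bob@gmail.com"),
    "roaming user, SASL, internal sender":          Session("203.0.113.5", True, "alice@example.com", "bob@gmail.com"),
    "lan client spoofing outside sender (egress)":  Session("192.0.2.10", False, "ceo@bank.example", "victim@gmail.com"),
    "inbound mail from the Internet":               Session("203.0.113.5", False, "friend@gmail.com", "alice@example.com"),
    "outside host trying to relay (open relay)":    Session("203.0.113.5", False, "spam@gmail.com", "victim@yahoo.com"),
    "inbound bounce, null sender":                  Session("203.0.113.5", False, "", "alice@example.com"),
    # Viktor's case 2: an internal host forwarding a user's mail, keeping the
    # external envelope sender, submits it through this relay over SMTP.
    "forwarded mail, external sender (case 2)":     Session("192.0.2.20", False, "friend@gmail.com", "alice@personal.example"),
}

if __name__ == "__main__":
    for name, session in SCENARIOS.items():
        print(f"{decide(session):6}  {name}")
```

The run shows the shape of the policy: senders in relay-senders may relay anywhere from the LAN or when authenticated, outsiders can still deliver to local domains (including bounces), relaying by outsiders is refused, and a LAN client claiming an outside envelope sender is stopped at the first external recipient. The last scenario is the cost Viktor points out: legitimately forwarded mail that keeps its external envelope sender is rejected the same way, so the table only fits a site without cases 1 and 2.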