> On 8 Oct 2018, at 18:23, Ignacio Garcia <y...@ignasi.com> wrote:
>
> On Mon, 8 Oct 2018 at 16:51, Noel Jones (<njo...@megan.vbhcs.org>) wrote:
>
> > On 10/8/2018 6:17 AM, Ignacio Garcia wrote:
> > > Hi there!
> > >
> > > I've been reading the documentation as well as googling around but
> > > I've been unable to figure this out:
> > >
> > > I have several hosting servers. I'd like all web sites hosted in
> > > those servers not to be able to send outbound mail without
> > > authenticating first. Same thing for shell users. What I'm really
> > > trying to achieve is that everybody (local accounts and php scripts
> > > running under www-data) will be forced to use the submission service
> > > (smtp-auth, tls activated) for all outbound emails, keeping
> > > non-authenticated connections just for internal emails (usually from
> > > services to the system administrator)
> > >
> > > Any guru willing to point me in the right direction? TIA!!
> > >
> > > Ignacio
> >
> > http://www.postfix.org/postconf.5.html#authorized_submit_users
> >
> > Probably something like
> >
> > # main.cf
> > authorized_submit_users = root, cron
> > (add any other service owners that need to send mail)
> >
> > and also remove "permit_mynetworks" from
> > smtpd_recipient_restrictions and from smtpd_relay_restrictions.
> >
> > -- Noel Jones
>
> Noel, thank you so much. You saved my day! This is more restrictive than I
> wanted but it'll do. Initial testing shows it works OK. Now I have to find
> out all service accounts that send email periodically
>
> For those of you who might be running ispconfig and want to restrict the use
> of sendmail to created email accounts in ispconfig and service users only:
>
> authorized_submit_users = root, cron, serviceuser1, serviceuser2, ... ,
> proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
>
> Again, thanks so much
>
> Ignacio

Keep in mind that, depending on your setup, using authorized_submit_users may not allow system messages to be sent, for example if you use "quota warning" with dovecot. If you only do PHP hosting, try disabling mail() in php.ini and use a firewall to block direct outgoing connections to port 25 for users, allowing them only for root, postfix, and maybe some other system accounts. This will take care of most of the spam sent from hacked hosting accounts.
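
The per-account port 25 restriction suggested in the reply above, sketched as an added example that is not part of the original thread. It assumes Linux iptables with the "owner" match; the chain name SMTP_OUT, the account list and the loopback exemption are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands for review;
# nothing is applied until the output is piped to a root shell.
# Assumptions: Linux iptables with the "owner" match, chain name SMTP_OUT,
# and the account list below (constructed; adjust to your system).
# PHP side of the same advice: "disable_functions = mail" in php.ini.

ALLOWED_USERS="root postfix"

smtp_egress_rules() (
    set -f                      # no globbing while splitting the list
    chain="SMTP_OUT"
    [ -n "$1" ] || { echo "no allowed accounts given" >&2; exit 1; }
    # Validate every name first so a bad entry yields no partial rule set
    for u in $1; do
        case "$u" in
            *[!A-Za-z0-9_-]*)
                echo "refusing account name: $u" >&2
                exit 1 ;;
        esac
    done
    echo "iptables -N $chain"
    # Accounts that may open outbound connections to tcp/25
    for u in $1; do
        echo "iptables -A $chain -m owner --uid-owner $u -j RETURN"
    done
    # Everyone else: log the offending UID, then reject the connection
    echo "iptables -A $chain -j LOG --log-prefix 'smtp-out-denied: ' --log-uid"
    echo "iptables -A $chain -p tcp -j REJECT --reject-with tcp-reset"
    # Hook the chain in last; loopback is exempt (assumption)
    echo "iptables -A OUTPUT ! -o lo -p tcp --dport 25 -j $chain"
)

smtp_egress_rules "$ALLOWED_USERS"
```

The LOG rule records the UID of whichever account tried to connect, which points straight at the compromised hosting account. IPv6 traffic needs the same rules through ip6tables.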