On Fri, Mar 08, 2019 at 08:00:47PM +0300, sse450 wrote:

> Hoping to solve this problem, I wanted to block all the sender emails 
> not defined in sender_relay table. I will do what you advised here. But, 
> I know that this will also block apache sender eventually. In this case, 
> I will have another problem in my lap. Contact forms on my websites and 
> reporting emails generated by the server will stop working.
> 
> I don't know what to do. I would appreciate any advice from you.

Perhaps a classic case of "XY Problem".  Compromised PHP scripts
and the like would typically inject email via local submission, and
it is easier to disallow all local submission by the web server
user (wwwdata or similar) than to make ad-hoc work-arounds in how
you forward to your relay.

Something along the lines of:

    authorized_submit_users = !wwwdata, static:all

And of course you need to check your logs to see how the unauthorized
email messages enter the Postfix queue.  Is it via "pickup" (local
submission) or SMTP?  In the latter case you could also deny email
from your own IP addresses, including the loopback address.

Since your problem is not trying to squeeze outbound email out
through an MSA, but is instead an issue of unauthorized submission
(or perhaps a compromised SASL account, ...), the solution is to
stop it entering the queue, not ad-hoc kludges in the output
processing.

-- 
        Viktor.
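
The log check described in the message above, as an added example that is not part of the original thread: it classifies each queued message by how it entered Postfix (local "pickup", SMTP from one of the server's own addresses, SMTP with SASL login, or other SMTP). The sample log lines, the `own_ips` default and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the thread); queue IDs, hosts and
# account names are made up for illustration.
SAMPLE_LOG = """\
Mar  8 19:01:02 mx postfix/pickup[2211]: 3A1F020C11: uid=33 from=<wwwdata>
Mar  8 19:01:05 mx postfix/smtpd[2301]: 7BC4420C12: client=localhost[127.0.0.1]
Mar  8 19:01:09 mx postfix/smtpd[2302]: 9D00A20C13: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=info@example.com
Mar  8 19:01:12 mx postfix/pickup[2211]: 4E2B920C14: uid=0 from=<root>
Mar  8 19:01:13 mx postfix/qmgr[1999]: 4E2B920C14: from=<root@example.com>, size=512, nrcpt=1 (queue active)
"""

# pickup logs the submitting uid; smtpd logs the client and, if used, the SASL login.
PICKUP = re.compile(r"postfix\S*/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")
SMTPD = re.compile(r"postfix\S*/smtpd\[\d+\]: (\w+): client=(\S+?)\[([^\]]+)\]"
                   r"(?:.*?sasl_username=(\S+))?")


def classify(line, own_ips=("127.0.0.1", "::1")):
    """Return (queue_id, entry_path, detail) for a queue-entry line, else None."""
    m = PICKUP.search(line)
    if m:
        return m.group(1), "pickup", f"uid={m.group(2)} from={m.group(3)}"
    m = SMTPD.search(line)
    if m:
        qid, _host, ip, sasl = m.groups()
        if sasl:
            return qid, "smtp-sasl", f"{sasl} via {ip}"
        # own_ips is an assumption: list the server's own addresses here.
        return qid, ("smtp-own-ip" if ip in own_ips else "smtp-remote"), ip
    return None


def summarize(log_text, own_ips=("127.0.0.1", "::1")):
    """Classify every line; return the entries and a count per entry path."""
    found = (classify(line, own_ips) for line in log_text.splitlines())
    entries = [e for e in found if e]
    return entries, Counter(path for _, path, _ in entries)


if __name__ == "__main__":
    entries, counts = summarize(SAMPLE_LOG)
    for qid, path, detail in entries:
        print(f"{qid}  {path:12s} {detail}")
    print(dict(counts))
```

A high "pickup" count for the web server's uid points at local submission, which is what the `authorized_submit_users` setting restricts; "smtp-sasl" entries name the account to investigate.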
