I believe what happened is the testing software they used tried to send an email out using an empty domain and Postfix accepted it. I did it manually to verify from the command line:

MAIL FROM: <>
RCPT TO: an email address
DATA
Blablabla
.

Postfix queued up this email and sent it out.

Regards
SI

From: Noel Jones
Sent: Wednesday, May 15, 2019 12:26 PM
To: postfix-users@postfix.org
Subject: Re: Increasing Internal security

On 5/15/2019 11:24 AM, Peter Fraser wrote:
> Hi All
>
> We had an auditor do an internal pentest for our network. The result for our Postfix box was (My Words): Although your SMTP server prevents relay in some circumstances, it still allows email from an empty domain. I am aware that the empty domain <> is needed for bounce messages. Is there a way to prevent an initial email out from an empty domain but still allow Postfix to use it internally for bounce messages?
>
> Thanks and Regards
>
> SI
>

No. This sounds as if they are complaining because you accept bounces - "from an empty domain". This has nothing to do with open relay or security, and is required for proper operation of any mail system.

In case I'm misunderstanding, it might be better if you explain more fully exactly how this particular test is conducted, and what they expect to happen. Postfix logs of the "failed" test, or an SMTP recording would be helpful.

-- Noel Jones
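One way to settle the question Noel raises, whether the relay decision depends on the envelope sender at all, is to replay the session from the thread against your own server with the null sender and with an ordinary sender and compare the RCPT TO replies. This is an added example, not code from the thread or from Postfix; the hostnames and addresses in it are placeholders, and it sends RSET instead of DATA so no message is ever queued.

```python
"""Added check: does the relay decision depend on the envelope sender?

Replays EHLO, MAIL FROM, RCPT TO from the thread against your own server,
then aborts with RSET instead of DATA, so nothing is accepted or queued.
Hostnames and addresses below are placeholders, not values from the thread.
"""
import smtplib


def probe_relay(conn, sender, rcpt):
    """Return (code, text) of the RCPT TO reply for one envelope sender.

    `conn` is any object with smtplib.SMTP-style mail/rcpt/rset methods.
    The transaction is aborted with RSET, so no message is accepted.
    """
    code, msg = conn.mail(sender)
    if code != 250:                      # the sender itself was rejected
        conn.rset()
        return code, msg.decode(errors="replace")
    code, msg = conn.rcpt(rcpt)          # relay policy is applied here
    conn.rset()                          # abort before DATA
    return code, msg.decode(errors="replace")


def compare_senders(conn, rcpt, named_sender):
    """Probe with the null sender <> and with a normal sender.

    Postfix decides relaying on the client and recipient, not the sender,
    so both probes should agree; a mismatch means the policy is
    sender-dependent and worth investigating in the smtpd logs.
    """
    null = probe_relay(conn, "<>", rcpt)
    named = probe_relay(conn, named_sender, rcpt)
    return {
        "null_sender": null,
        "named_sender": named,
        "relays_for_null_sender": null[0] == 250,
        "sender_dependent": (null[0] == 250) != (named[0] == 250),
    }


def main(host="mail.internal.example",            # placeholder: your MX
         rcpt="someone@outside.example",           # placeholder: non-local rcpt
         named_sender="auditor@internal.example"): # placeholder sender
    with smtplib.SMTP(host, 25, timeout=10) as conn:
        conn.ehlo("probe.internal.example")
        result = compare_senders(conn, rcpt, named_sender)
    for key, value in result.items():
        print(f"{key}: {value}")
    return result


if __name__ == "__main__":
    main()
```

A 554 "Relay access denied" on both probes means the null sender is accepted (as it must be for bounces) but still cannot be used to relay; a 250 on both means the relay restrictions themselves need attention, independent of the sender.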