They are in the same network; only admins can access the network, the users are in another VLAN and can't ssh or rdp to the server. But I just want to make sure everything is secure and covered.
That is the reason for the question. I thought authentication was possible without creating mailboxes on the server. Thanks for your advice.

-----Original Message-----
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On Behalf Of Matus UHLAR - fantomas
Sent: 03 June 2019 16:32
To: postfix-users@postfix.org
Subject: Re: smtp relay server security

On 03.06.19 14:19, De Petter Mattheas wrote:
>Answers are after the #

indenting the original answer usually gives much more readable result. Outlook does support indenting...

>On 03.06.19 13:02, De Petter Mattheas wrote:
>>How can we secure our postfix smtp relay server?
>
>complicated question...
>
>>For the moment we have a rule that only allows mail from exchange
>>server address to postfix (relay server),
>
>show us.
>
># mynetworks = xxx.xxx.xxx.xxx/32, 127.0.0.1/32
>smtpd_recipient_restrictions =
>permit_mynetworks,reject_unauth_destination

this should be fine

>>but when somebody spoofs this address mail gets accepted and you can send your
>>mail to anybody as anybody.
>
>your rule apparently has logical error.
>
># thing is it is secure because postfix accepts only mail from exchange
># server, but when you get access to the exchange server, or spoof the IP
># address of the exchange server you can send mails. How can I block this?

if either your postfix or your exchange server is in network where spoofing can happen, move them away.

>>So I know I can use these but we are not used to working with this.
>>
>>Can we setup another way of authentication?
>
>it's hard to answer without knowing the real problem.
>You apparently don't require authentication and what you require is not what
>you want to achieve.
>
># see answer above
>
>>I would not like to setup users/mailboxes on the relay server, all our
>>users are on the exchange server (AD), and postfix is our simple relay
>>server we would like to secure.
>
>#so I can't setup any security when we have not created mailboxes on the relay
>server?
>Can't the authentication take place with the user accounts of the OS?

it can, and usually does. But you said you don't want to set up mailboxes on the relay server. In fact you can set up one account and use it for relaying mail through postfix.

but the option I gave you above is better. If someone can fake your mailserver's address, you should move it elsewhere.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
I'm not interested in your website anymore. If you need cookies, bake them yourself.
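
Added example, not part of the original thread or of Postfix itself: a small Python check that reads main.cf-style text and reports what the relay accepts as proof of a client's identity, for the two setups discussed above (trust by address through mynetworks, and a single relay account). Both sample configurations are constructed, 192.0.2.10 is a placeholder for the masked Exchange address, and only smtpd_recipient_restrictions (the parameter quoted in the thread) is evaluated.

```python
import ipaddress
import re

# Constructed samples. 192.0.2.10 is a documentation address standing in for
# the Exchange server; the thread masks the real one as xxx.xxx.xxx.xxx.
IP_ONLY = """\
mynetworks = 192.0.2.10/32, 127.0.0.1/32
smtpd_recipient_restrictions =
    permit_mynetworks,reject_unauth_destination
"""
ONE_ACCOUNT = """\
# loopback only; Exchange logs in with a single relay account
mynetworks = 127.0.0.1/32
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """main.cf syntax: '#' lines are comments, indented lines continue a value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def relay_trust(text):
    """Report which clients may relay and on what evidence. Assumptions: only
    values set in the text are read (no Postfix defaults are modelled) and
    mynetworks holds plain CIDR entries, not lookup tables."""
    p = parse_main_cf(text)
    rules = re.split(r"[,\s]+", p.get("smtpd_recipient_restrictions", ""))
    nets = [ipaddress.ip_network(n, strict=False)
            for n in re.split(r"[,\s]+", p.get("mynetworks", "")) if n]
    by_ip = []
    if "permit_mynetworks" in rules:
        by_ip = [str(n) for n in nets if not n.is_loopback]
    sasl = (p.get("smtpd_sasl_auth_enable") == "yes"
            and "permit_sasl_authenticated" in rules)
    return {"trusted_by_ip_alone": by_ip,
            "sasl_login_accepted": sasl,
            "auth_requires_tls": sasl and p.get("smtpd_tls_auth_only") == "yes"}
```

relay_trust(IP_ONLY) lists 192.0.2.10/32 as trusted on its address alone, while relay_trust(ONE_ACCOUNT) shows relaying tied to a login that is only offered over TLS.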