On 6/3/19 10:31 AM, Matus UHLAR - fantomas wrote:
>
>>> For the moment we have a rule that only allows mail from exchange server
>>> address to postfix (relay server),
>>
>> show us.
>>
>> # mynetworks = xxx.xxx.xxx.xxx/32, 127.0.0.1/32
>> smtpd_recipient_restrictions =
>> permit_mynetworks,reject_unauth_destination
>
> this should be fine
>
>
>> # thing is it is secure because postfix accepts only mail from exchange
>> # server, but when you get access to the exchange server, or spoof the ip
>> # address of the exchange server you can send mails. How can i block this?
>
> if either your postfix or your exchange server is in network where spoofing
> can happen, move them away.
>
>>> So I know I can use these but we are not used to working with this.
>>>
>>> Can we set up another way of authentication?
>>

While I agree entirely with Matus that if untrusted people can access your Exchange server, or steal its IP address on your network, you have larger issues that postfix will not be fixing, I will point out that you could improve things a bit with careful use of TLS. See http://www.postfix.org/TLS_README.html#server_vrfy_client for details. You should be able to configure things to allow access only from the Exchange server and the certificate you configure on it.

That is, until those untrusted people rummage around and steal the cert off of the Exchange server.

--Jon Radel
Network Infrastructure Lead
Folio Financial, Inc.
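
A sketch of the setup the reply above points to, as an added example that is not part of the thread or of the Postfix documentation: the IP-only rule quoted in the thread beside a variant that also requires the Exchange server's client certificate. The file paths, the host label and the fingerprint are placeholders; the parameters are the ones covered in TLS_README.

```ini
# /etc/postfix/main.cf on the relay

# Before (as quoted in the thread): relaying is authorised by source IP alone.
#   mynetworks = xxx.xxx.xxx.xxx/32, 127.0.0.1/32
#   smtpd_recipient_restrictions =
#       permit_mynetworks,reject_unauth_destination

# After: only the loopback address is trusted by IP. Any other client,
# including the Exchange server, must present a listed certificate.
mynetworks = 127.0.0.1/32

# Server-side TLS. Certificate and key paths are placeholders.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/relay-cert.pem
smtpd_tls_key_file = /etc/postfix/tls/relay-key.pem

# Ask connecting clients for a certificate and match it by fingerprint.
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# The thread's restriction list with the certificate check added.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination

# Postfix 2.10 and later evaluate smtpd_relay_restrictions as well; its
# default does not include permit_tls_clientcerts, so set it to match.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination

# /etc/postfix/relay_clientcerts (run "postmap" on it after editing).
# One line per allowed certificate: fingerprint, then a free-form label.
# Both values below are placeholders.
#   <SHA256-FINGERPRINT-OF-EXCHANGE-CERT> exchange.example.internal
```

The Exchange side must negotiate STARTTLS and present that certificate; a session without it falls through to reject_unauth_destination.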