Hello there, and thanks so much for your help.

I've got a web+mail server on the same machine. PHP's mail function is
disabled, but other 3rd party functions such as PHPMailer can use
sendmail to potentially send emails, as if I was invoking it from a shell:

    echo hello | sendmail m...@email.com

where email.com is an outside domain.

I've spent all morning browsing through the Postfix docs and googling around
for an answer on how to prevent sending unauthenticated email to OUTSIDE
DESTINATIONS ONLY, and pretty much all I found is removing
'permit_mynetworks' all over main.cf. However, since I'm not an
expert at all, I'm still not sure that's the correct way to act. Could
anybody please confirm that, or offer a better suggestion?

Thanks so much in advance,
Ignacio

This is my postconf -n output:

address_verify_negative_refresh_time = 60s
address_verify_sender_ttl = 15686s
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
compatibility_level = 2
default_extra_recipient_limit = 50
dovecot_destination_recipient_limit = 1
duplicate_filter_limit = 50
enable_original_recipient = no
greylisting = check_policy_service inet:127.0.0.1:10023
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
in_flow_delay = ${stress?{3}:{1}}s
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
message_size_limit = 53687091200
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = s0.cibernetik.net, localhost, localhost.localdomain
myhostname = s0.cibernetik.net
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
non_smtpd_milters = inet:localhost:11332
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination
    $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps
    $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps
    $relay_domains $canonical_maps $sender_canonical_maps
    $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps
    $smtpd_client_restrictions $smtpd_sender_restrictions
    $smtpd_recipient_restrictions
readme_directory = /usr/share/doc/postfix
recipient_canonical_classes = envelope_recipient,header_recipient
recipient_canonical_maps = tcp:localhost:10002
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps =
    proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
sender_canonical_classes = envelope_sender
sender_canonical_maps = tcp:localhost:10001
smtp_bind_address = 1.2.3.4
smtp_connect_timeout = ${stress?{10}:{30}}s
smtp_destination_concurrency_limit = 2
smtp_destination_rate_delay = 3s
smtp_dns_support_level = dnssec
smtp_extra_recipient_limit = 2
smtp_helo_timeout = ${stress?{10}:{60}}s
smtp_mail_timeout = ${stress?{10}:{60}}s
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 100
smtpd_client_recipient_rate_limit = 50
smtpd_client_restrictions = check_client_access
    proxy:mysql:/etc/postfix/mysql-virtual_client.cf,
    permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining, permit
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining,
    reject_multi_recipient_bounce, permit
smtpd_error_sleep_time = ${stress?{1}:{2}}s
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
smtpd_hard_error_limit = ${stress?{1}:{10}}
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname,
    permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access,
    permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
    check_helo_access regexp:/etc/postfix/blacklist_helo,
    reject_unknown_helo_hostname, permit
smtpd_milters = inet:localhost:11332
smtpd_recipient_limit = 50
smtpd_recipient_overshoot_limit = ${stress?{60}:{600}}
smtpd_recipient_restrictions = check_policy_service
    inet:127.0.0.1:10040, permit_mynetworks,
    reject_unknown_recipient_domain, reject_unlisted_recipient,
    check_recipient_access
    proxy:mysql:/etc/postfix/mysql-verify_recipients.cf,
    permit_sasl_authenticated, reject_non_fqdn_recipient,
    reject_unauth_destination, check_recipient_access
    proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
    check_recipient_access
    mysql:/etc/postfix/mysql-virtual_policy_greylist.cf,
    check_policy_service unix:private/quota-status
smtpd_reject_footer = \c. For assistance, email postmaster from a
    non-blocked server (i.e. gmail). Please provide information such as time
    ($localtime), client ($client_address) and server ($server_name).
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_restriction_classes = greylisting
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access
    proxy:mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_soft_error_limit = ${stress?{2}:{5}}
smtpd_timeout = ${stress?{10}:{60}}s
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_medium_cipherlist =
    ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman,
    proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
    proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman,
    proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
    proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf,
    proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
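
An added example (not part of the original post, and not Postfix code): Python that parses a `postconf -n` excerpt like the one above and separates the smtpd-only restriction lists containing `permit_mynetworks` from the settings that govern submission through the `sendmail` command. The function names and the sample excerpt are constructed for illustration; `authorized_submit_users` is a standard Postfix parameter that does not appear in the post's output, so its default `static:anyone` is assumed.

```python
import re

# Constructed excerpt of `postconf -n` output based on the listing above;
# wrapped values continue on the following lines, as in the post.
SAMPLE = """\
non_smtpd_milters = inet:localhost:11332
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining,
reject_multi_recipient_bounce, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination
"""

# "name =" at column 0 starts a parameter; any other line continues the value.
PARAM = re.compile(r"^([A-Za-z0-9_]+) =\s*(.*)$")

def parse_postconf(text):
    """Return {parameter: value} with wrapped values joined by one space."""
    params, name = {}, None
    for line in text.splitlines():
        m = PARAM.match(line)
        if m:
            name = m.group(1)
            params[name] = m.group(2).strip()
        elif name and line.strip():
            params[name] = (params[name] + " " + line.strip()).strip()
    return params

def audit_submission_paths(params):
    """Split the settings by the mail path they actually control."""
    # smtpd_*_restrictions are evaluated only by smtpd(8). Mail handed to the
    # sendmail command is queued via postdrop/pickup and never reaches them.
    smtp_only = sorted(
        k for k, v in params.items()
        if k.startswith("smtpd_") and k.endswith("_restrictions")
        and "permit_mynetworks" in re.split(r"[,\s]+", v)
    )
    # postconf -n lists non-default settings only, so a missing
    # authorized_submit_users means the default, static:anyone (assumed here).
    submit_users = params.get("authorized_submit_users", "static:anyone")
    return {
        "smtpd_lists_with_permit_mynetworks": smtp_only,
        "authorized_submit_users": submit_users,
        "any_local_user_may_submit": submit_users == "static:anyone",
        # Milters that do see locally submitted (non-SMTP) mail.
        "non_smtpd_milters": params.get("non_smtpd_milters", ""),
    }

if __name__ == "__main__":
    print(audit_submission_paths(parse_postconf(SAMPLE)))
```

On a live system the same functions can be fed the real `postconf -n` output instead of the constructed sample.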