On Fri, Feb 12, 2021 at 02:54:29PM +1000, Mark Constable wrote:

> Hi, I have a fairly typical postfix install with port 465 requiring
> authentication. I'd like to allow one sender (email address or IP) to
> inject email on port 465 without providing login/password authentication.

Permitting email relaying by sender address is not safe, the address is
trivially forged, and if you do this, your system may with some
probability be eventually abused by spammers, ruining its IP reputation.

DO NOT enable relay control by sender address.

> Is this somehow possible?

Permitting relaying by IP (known to be under the exclusive control of a
trusted peer) is normal (default) behaviour in Postfix. What is "somehow
possible" (not default behaviour) is limiting access just to SASL
authenticated users.

The port number and TLS encryption are irrelevant here; all that matters
is the "restrictions" you configure for the SMTP service in question.
The stock Postfix master.cf file contains (commented out):

    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

If yours is uncommented, but otherwise similar, it may be sufficient to
change:

      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

to:

      -o smtpd_relay_restrictions=$mua_relay_restrictions

and then in main.cf:

    cidr = cidr:${config_directory}/
    mua_relay_restrictions =
        permit_sasl_authenticated,
        check_client_access ${cidr}mua-client.cidr
        reject

and in mua-client.cidr:

    192.0.2.1/32    OK

-- 
    Viktor.
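
The relay decision configured in the message above, modelled as an added example that is not part of the original message or of Postfix itself. It assumes a simplified table format (one `network action` pair per line, `#` comments, first match wins); the function names and the one-host threshold in `broad_entries` are illustrative.

```python
import ipaddress

# Constructed sample in the mua-client.cidr format shown in the message.
SAMPLE_TABLE = """\
# trusted injector, exempt from SASL on the submission service
192.0.2.1/32    OK
"""

def parse_cidr_table(text):
    """Return [(network, action)] in file order, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        # ip_network() raises ValueError if host bits are set (e.g. 192.0.2.1/24).
        rules.append((ipaddress.ip_network(pattern), action.split()[0].upper()))
    return rules

def lookup(rules, client_ip):
    """First matching network decides; None means no entry matched."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

def relay_decision(rules, client_ip, sasl_authenticated):
    """Model of: permit_sasl_authenticated, check_client_access <table>, reject.

    The envelope sender is deliberately not an input: only the SASL state
    and the client IP influence the outcome.
    """
    if sasl_authenticated:
        return "permit"
    if lookup(rules, client_ip) == "OK":
        return "permit"
    return "reject"  # the trailing "reject" catches everything else

def broad_entries(rules, max_hosts=1):
    """Audit helper: OK entries that exempt more addresses than max_hosts."""
    return [net for net, action in rules
            if action == "OK" and net.num_addresses > max_hosts]

if __name__ == "__main__":
    rules = parse_cidr_table(SAMPLE_TABLE)
    for ip, auth in [("192.0.2.1", False), ("192.0.2.2", False), ("198.51.100.7", True)]:
        print(ip, "sasl" if auth else "no-sasl", relay_decision(rules, ip, auth))
    print("broad entries:", broad_entries(rules))
```
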