ISPConfig/perfect setup: outbound e-mail
unhookt
23rd April 2007, 19:43
I installed ispconfig under the perfect setup instructions but my SMTP server is not authenticating outbound e-mail against user credentials, only against domain name. Can you tell me where I can change this setting in ISPConfig so that outbound messages require user/passwd to be relayed?
till
24th April 2007, 12:26
SMTP Authentication is always enabled when you follow the perfect setup guide. Please compare your postfix setup with the perfect setup instructions.
Be aware that SMTP authentication is never needed for any local domain names, otherwise your server won't be able to receive any email for local mailboxes.
unhookt
24th April 2007, 17:38
So you're saying that in the perfect setup it's supposed to allow anyone using a pop email client such as entourage or outlook to be able to claim to have an email address that resides within my domain and send outbound mail, even if there is no such user or address in the ispconfig list? This is what is happening.
That doesn't seem right...
In MS Exchange server, I am able to configure the server such that the username and password are required from the email client in order to send outbound mail. How can I do that in the perfect setup/ispconfig?
till
24th April 2007, 17:45
No, I didn't say this; I told you the opposite. I said that you must authenticate with username and password and that the requirement to authenticate is configured in the perfect setup.
unhookt
24th April 2007, 17:48
Be aware that SMTP authentication is never needed for any local domain names, otherwise your server won't be able to receive any email for local mailboxes.
But does the above mean that local domain users, or those impersonating local domain users, do not have to authenticate?
till
24th April 2007, 18:01
But does the above mean that local domain users, or those impersonating local domain users, do not have to authenticate?
No. The above statement is about receiving emails, not sending. If you send an email to a local account, there is never any authentication needed, as otherwise your mailserver won't be able to receive emails at all. That's the case for any Linux and Windows mailserver in general.
But some people mix these things up and try to do a relay test against a local domain, which is useless.
unhookt
24th April 2007, 18:51
Gotcha - sorry for the confusion.
My users are able to send email without turning authentication on in their mail clients. I want to force their user IDs and passwords to be required. How can I do this?
I followed the "perfect setup" instructions...
unhookt
10th May 2007, 20:11
Anyone? Essentially, I can send mail by configuring my e-mail client with a made-up e-mail address that uses my valid domain name. No password required.
And yes, I'm testing from outside of my local network...
Here's my main.cf file:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.8/samples
readme_directory = /usr/share/doc/postfix-2.2.8/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
mydestination = /etc/postfix/local-host-names
virtual_maps = hash:/etc/postfix/virtusertable
And here are the results when I connect to the SMTP port via SSH on my local machine:
220 xxx.domain.net ESMTP Postfix
ehlo localhost
250-xxx.domain.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
exit
I really don't want to be a spam source. Can anybody out there help?
JaJunk
10th May 2007, 22:40
What is defined as mynetworks?
more /etc/postfix/main.cf | grep mynetworks
Looks almost the same as mine, which does require outgoing auth from clients. As for the second part, that just tells you TLS is working.
unhookt
10th May 2007, 23:27
What is defined as mynetworks?
more /etc/postfix/main.cf | grep mynetworks
Is this supposed to be defined in the same main.cf document? If so, I'm missing that piece. (I posted the entire contents of the main.cf file above)
How do I specify mynetworks to allow the machines on my network (192.168.1.x) to allow SMTP relay?
Thanks!
JaJunk
10th May 2007, 23:37
mynetworks = 127.0.0.0/8 192.168.1.0/24
I didn't include the second part on mine because I wanted everyone to use outgoing auth, even my computers. Might be a good idea to leave it off for testing, then add it after you know relaying is blocked.
unhookt
11th May 2007, 00:09
Good idea. So what I did was change:
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
to
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination
to force outbound authentication for all e-mail clients. So far, so good.
Thanks for your help!:)
JaJunk
11th May 2007, 00:15
Be sure to allow 127.0.0.0/8 or else system emails such as alerts will not be sent.
unhookt
11th May 2007, 23:19
Good point! My main.cf now looks like this:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.8/samples
readme_directory = /usr/share/doc/postfix-2.2.8/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
mynetworks_style = subnet
# mynetworks = 127.0.0.0/8 192.168.1.0/24
mydestination = /etc/postfix/local-host-names
virtual_maps = hash:/etc/postfix/virtusertable
Your mynetworks setting is commented out. If you want postfix to use it, you will have to remove the "#" in front of the line and restart postfix.
unhookt
12th May 2007, 02:39
Shouldn't the following have the same effect?
mynetworks_style = subnet
It is always better to specify the exact IP addresses and ranges to be sure that the settings are correct instead of hoping that postfix guesses the settings correctly by reading your network configuration. Of course you will have to comment out the mynetworks_style line.
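Added example, not part of any post in this thread: a simplified Python model of how Postfix walks smtpd_recipient_restrictions from left to right, applied to the two restriction lists quoted above. The local domain example.net, the sample client addresses and the function names are assumptions, and only an explicit mynetworks list is modelled, not mynetworks_style.

```python
import ipaddress

def parse_main_cf(text):
    """Parse main.cf text; an indented line continues the previous parameter."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        last, _, value = (part.strip() for part in raw.partition("="))
        params[last] = value
    return params

def relay_decision(params, client_ip, authenticated, rcpt_domain, local_domains):
    """Simplified model: walk the restriction list, first decisive rule wins."""
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n)
            for n in params.get("mynetworks", "").replace(",", " ").split()]
    for rule in params["smtpd_recipient_restrictions"].replace(",", " ").split():
        if rule == "permit_sasl_authenticated" and authenticated:
            return ("permit", rule)
        if rule == "permit_mynetworks" and any(ip in net for net in nets):
            return ("permit", rule)
        if rule == "reject_unauth_destination" and rcpt_domain not in local_domains:
            return ("reject", rule)
    return ("permit", "end of list")

# Constructed sample configurations using the settings quoted in the thread.
WITH_LAN = parse_main_cf("""\
mynetworks = 127.0.0.0/8 192.168.1.0/24
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,
    reject_unauth_destination
""")
AUTH_ONLY = parse_main_cf(
    "smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination")
LOCAL = {"example.net"}  # assumed stand-in for /etc/postfix/local-host-names

def demo():
    cases = [("192.168.1.20", False, "example.org"),  # LAN client, no auth, relaying
             ("203.0.113.5", False, "example.org"),   # outside client, no auth, relaying
             ("203.0.113.5", False, "example.net"),   # outside client, inbound to local domain
             ("203.0.113.5", True, "example.org"),    # outside client, authenticated
             ("127.0.0.1", False, "example.org")]     # SMTP submission from localhost, no auth
    return [(c, relay_decision(WITH_LAN, *c, LOCAL), relay_decision(AUTH_ONLY, *c, LOCAL))
            for c in cases]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The third case is accepted without authentication under both lists because the recipient is in a local domain, which is the receiving case described earlier in the thread.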