Hi guys,

I thought that I've configurated my server ok till I test it from my home. My idea is:

- Local users (10.0.0.0/8) don't need to autenticate to send mail;
- External users need to autenticate to send mail.

I made the configurations, but haven't oportunity to test yet. Right now I've did the follow tests:

- Connect to the server from my home and mail to external domains without autenticate. The server reply "Relay access denied".
- Then I connected to the server and try to send mail to users of domain again [I]without/I] autenticate. For my surprise it sent.

How do I prevent this?

main.cf:

myhostname = mailserver.domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mailserver.domain.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8, 10.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 3670016
recipient_delimiter = +
inet_interfaces = all
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unauth_pipelining,
reject_invalid_hostname,
reject_unlisted_recipient,
reject_rbl_client list.dsbl.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client zombie.dnsbl.sorbs.net,
reject_rbl_client blackholes.easynet.nl,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client proxies.blackholes.wirehub.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client dnsbl.njabl.org
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_helo_required = yes
disable_vrfy_command = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

Tks.

Do u mean to sent mail to a domain on the server and it was accepted or you sent mail to an external domain and it was accepted ?

Because if it is to a domain on the server then that is normal.

Is it normal even if i'm not in "mynetworks"?

This is a great way to send spam. I wanna block it!

Is it normal even if i'm not in "mynetworks"?

This is a great way to send spam. I wanna block it!
If the mail is for a domain that your postfix accepts mail for then it is normal but if you can send mail anywhere then you have an open relay.

I think its because of how you have formated the smtpd_recipient_restrictions option. I think you either use comma's on one straight line or you use tabs for each option on a new line.
Try this

smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_unauth_pipelining
reject_invalid_hostname
reject_unlisted_recipient
reject_rbl_client list.dsbl.org
reject_rbl_client bl.spamcop.net
reject_rbl_client sbl-xbl.spamhaus.org
reject_rbl_client zombie.dnsbl.sorbs.net
reject_rbl_client blackholes.easynet.nl
reject_rbl_client cbl.abuseat.org
reject_rbl_client proxies.blackholes.wirehub.net
reject_rbl_client sbl.spamhaus.org
reject_rbl_client dnsbl.njabl.org

I don't think so. I can see in the logs a lot of messages being blocked by this rule reject_rbl_client. But I'll try! Wait...

Nothing. Still can send mail to the domain without autenticate. I can't believe that it is normal. I tried my ISP server and it denied.

Sure that it's normal?


I think its because of how you have formated the smtpd_recipient_restrictions option. I think you either use comma's on one straight line or you use tabs for each option on a new line.
Try this

smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_unauth_pipelining
reject_invalid_hostname
reject_unlisted_recipient
reject_rbl_client list.dsbl.org
reject_rbl_client bl.spamcop.net
reject_rbl_client sbl-xbl.spamhaus.org
reject_rbl_client zombie.dnsbl.sorbs.net
reject_rbl_client blackholes.easynet.nl
reject_rbl_client cbl.abuseat.org
reject_rbl_client proxies.blackholes.wirehub.net
reject_rbl_client sbl.spamhaus.org
reject_rbl_client dnsbl.njabl.org

Of course that is normal how then do u expect people to send you mail if they have to authenticate to do so ?

I guess you didn't understand what I'm saying!

I have configurated my outlook in the local network with the server. In this configuration I can send e-mails without autenticate.

And I configurated the outlook of my home pc to access the same server. Out of the local network through the internet, got it? In this configuration I shouldn't send mails without autenticate, right? Else I've got an open relay. The server asks for autentication, but only when I'm sending mail to domain that isn't the same domain (eg. alex_bueno@mydomain.com -> alex_bueno@gmail.com). If I try to send to the same domain (eg. alex_bueno@mydomain.com -> other_user@mydomain.com), server don't asks for autentication.

This way, anyone can connect to my server and send mails to local users. Exactely what I don't want.

I'm talking about client connection, not server connection.

I guess you didn't understand what I'm saying!

I have configurated my outlook in the local network with the server. In this configuration I can send e-mails without autenticate.

And I configurated the outlook of my home pc to access the same server. Out of the local network through the internet, got it? In this configuration I shouldn't send mails without autenticate, right? Else I've got an open relay. The server asks for autentication, but only when I'm sending mail to domain that isn't the same domain (eg. alex_bueno@mydomain.com -> alex_bueno@gmail.com). If I try to send to the same domain (eg. alex_bueno@mydomain.com -> other_user@mydomain.com), server don't asks for autentication.

This way, anyone can connect to my server and send mails to local users. Exactely what I don't want.

I'm talking about client connection, not server connection.
There is no misunderstanding here any body on the internet should be able to connect to your server and deliver mail to users@yourdomain.com without being asked for authentication otherwise you will never be able to receive email from any one as the don't have credentials to authenticate to your system, How ever an open relay is when i can connect to your system and send mail to andrew@gmail.com without authentication.

If you dont want your users to get email from any where outside your network then firewall off port 25 from the internet

http://www.howtoforge.com/forums/showpost.php?p=16205&postcount=34