HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


tuananh87vn 25th March 2010 03:49

How to disable open relay on Postfix?
 
Hi everyone,

Open relay, yet again, concerns me. I followed Falko's guide on installing Debian postfix with some other stuff, things've been running cool, except for the open relay problem. As I configure MS Outlook to test email, even with no password, the test emails can still be sent. An open relay problem, isn't it?

I've tried several ways to disable it, but none worked. Can anybody help me out?

Thx a lot ^^

falko 26th March 2010 03:25

You can test your server here: http://www.spamhelp.org/shopenrelay/

tuananh87vn 26th March 2010 07:38

Hi,
I've tried the test, the result said my smtp server is NOT an open relay. Seems like I have a misunderstanding here:

Outsiders (who are unauthenticated) cannot use my smtp server to send email to other servers (or to relay mails). That's why my server is not considered an open relay.

However, someone can still INJECT mails into my server (i.e. send mails to some users) as an anonymous sender, right? Sometimes emails sent in this way are blocked as spam, sometimes they are passed CLEAN. So how to prevent it? Is it something like using "smtpd_client_restriction" or "smtpd_sender_restriction"?

thx a lot!

falko 27th March 2010 13:29

There are two scenarios where users don't have to authenticate:
1) You send to a recipient who is on the server.
2) You send from a client whose IP is listed in mynetworks in /etc/postfix/main.cf.

tuananh87vn 27th March 2010 18:47

Quote:

Originally Posted by falko (Post 223446)
There are two scenarios where users don't have to authenticate:
1) You send to a recipient who is on the server.
2) You send from a client whose IP is listed in mynetworks in /etc/postfix/main.cf.

Hi,
For the 2nd scenario, it is likely for those who are logged into the system (as mynetworks specifies 127.0.0.1/8)

But for the 1st one, although I've placed some restrictions on the client (like, client must be from user list), chances are that somebody who knows the emails of some users within the server can still use them to spam the server itself. In this case, is it possible to force smtp authentication on any user who wants to use the smtp service? (like Gmail, it forces its users to authenticate themselves before doing anything)

tuananh87vn 5th April 2010 10:59

No reply? :(
I'm really stuck :(

dstomov 6th April 2010 14:36

Hi,

I have a similar problem (or maybe the same). I use ubuntu 9.10 with ispconfig3. Now anyone can use my server on port 25 to send emails to the email boxes on my server. I want to know how to stop this. If the email is not for my mailboxes there is the response '5.7.1 Relay access denied', which is good, but when it is for my boxes it is not good.

minhnghivn 22nd September 2010 14:00

My solution...
 
Try adding the following to your main.cf:
Code:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain

This helps prevent anyone from sending mail through your server without logging in first.
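As an added illustration (not part of the original post, and not Postfix's own code), the following Python model walks the restriction list above left to right for a single RCPT TO, the way Postfix evaluates it. It shows why an unauthenticated outside client can still deliver to a local mailbox while relaying to other domains is refused. The network, local domain and client addresses are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values for illustration; on a real server read them with `postconf`.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"example.com"}  # domains this server is the final destination for

RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination"]


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    rcpt: str


def rcpt_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def evaluate(session, restrictions=RESTRICTIONS):
    """Walk the list left to right; the first restriction that decides wins."""
    ip = ipaddress.ip_address(session.client_ip)
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return "permit", name
        elif name == "permit_sasl_authenticated":
            if session.sasl_authenticated:
                return "permit", name
        elif name == "reject_unauth_destination":
            # Rejects only when the recipient domain is not handled locally.
            if rcpt_domain(session.rcpt) not in LOCAL_DOMAINS:
                return "reject", "5.7.1 Relay access denied"
        else:
            raise ValueError(f"restriction not modelled: {name}")
    # No restriction rejected the recipient, so the mail is accepted.
    return "permit", "end of list"


if __name__ == "__main__":
    for s in (Session("127.0.0.1", False, "a@example.net"),
              Session("203.0.113.9", True, "a@example.net"),
              Session("203.0.113.9", False, "a@example.net"),
              Session("203.0.113.9", False, "user@example.com")):
        print(s, "->", evaluate(s))
```

The last case is ordinary inbound delivery: mail from other servers on the Internet arrives this way, so requiring SMTP authentication for it would also block legitimate incoming mail.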

mburb 31st December 2013 02:58

Quote:

Originally Posted by minhnghivn (Post 239909)
Try adding the following to your main.cf:
Code:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain

This helps prevent anyone from sending mail through your server without logging in first.


Bingo! I had this problem and your suggestion (minhnghivn) has resolved it completely.

I added this: reject_unknown_sender_domain

For me, my legit email was mostly working normally, but there was also a significant volume of junk mail (most of which was being rejected) trying to be sent through my server, visible in /var/log/mail.log. The high volume of email attempts were all rejected, but the problem was that lots of this junk was being queued (only to be rejected again) and then after a couple of weeks my mail server would stop delivering mail. Periodic reboots would resolve the problem. But now the problem is eliminated... Basically I think I set up postfix improperly to begin with.

postqueue -p shows a list of files in queue (for me all the addresses in there looked spammy; confirmed the issue)

I ran the suggestions made by minh, then I did: postfix reload

Then I ran: postsuper -d ALL to delete all the items in queue

Then I monitored the mail log for a while and found that my legit email was going through properly but the spammy stuff was no longer showing up in the log:

tail /var/log/mail.log -n 100

Thanks for help! (from Canada)
Also, thanks to Falko for your great tutorials, I have used them for years
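As an added example (not part of the original post), this Python snippet summarises smtpd rejects in mail.log per client IP and reason, which is a quicker way to confirm what the post above checked by eye with tail. The log lines are constructed samples in the usual Postfix syslog layout, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the usual Postfix smtpd syslog layout
# (addresses use documentation ranges and example domains).
SAMPLE_LOG = """\
Dec 30 02:11:04 mail postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <a@example.net>: Relay access denied; from=<x@example.org> to=<a@example.net> proto=ESMTP helo=<h1>
Dec 30 02:11:09 mail postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <b@example.net>: Relay access denied; from=<x@example.org> to=<b@example.net> proto=ESMTP helo=<h1>
Dec 30 02:12:30 mail postfix/smtpd[4130]: NOQUEUE: reject: RCPT from unknown[198.51.100.20]: 450 4.1.8 <y@nosuch.invalid>: Sender address rejected: Domain not found; from=<y@nosuch.invalid> to=<user@example.com> proto=ESMTP helo=<h2>
Dec 30 02:13:02 mail postfix/smtpd[4133]: 3F2A1C0042: client=mail.example.org[192.0.2.10]
"""

# Captures the client IP and the reject reason up to the first ';' or ':'.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from [^\[\s]*\[(?P<ip>[^\]]+)\]: "
    r"\d{3} \d\.\d\.\d <[^>]*>: (?P<reason>[^;:]+)"
)


def rejects_by_client(log_text):
    """Return {reason: Counter({client_ip: count})} for smtpd RCPT rejects."""
    summary = {}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            reason = m.group("reason").strip()
            summary.setdefault(reason, Counter())[m.group("ip")] += 1
    return summary


def noisy_clients(summary, reason, threshold):
    """Client IPs with at least `threshold` rejects for one reason."""
    return sorted(ip for ip, n in summary.get(reason, {}).items() if n >= threshold)


if __name__ == "__main__":
    result = rejects_by_client(SAMPLE_LOG)
    for reason, counts in result.items():
        print(reason, dict(counts))
    print(noisy_clients(result, "Relay access denied", 2))
```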

