HowtoForge Forums > Linux Forums > Server Operation

#1
16th February 2008, 03:36
alex_bueno (Junior Member, Brazil)
Postfix Authentication

Hi guys,

I thought that I had configured my server OK until I tested it from my home. My idea is:

- Local users (10.0.0.0/8) don't need to authenticate to send mail;
- External users need to authenticate to send mail.

I made the configuration, but hadn't had the opportunity to test it yet. Right now I've done the following tests:

- Connected to the server from my home and mailed to external domains without authenticating. The server replied "Relay access denied".
- Then I connected to the server and tried to send mail to users of the domain, again without authenticating. To my surprise it was sent.

How do I prevent this?

main.cf:

Code:
myhostname = mailserver.domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mailserver.domain.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8, 10.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 3670016
recipient_delimiter = +
inet_interfaces = all
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_unlisted_recipient,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client proxies.blackholes.wirehub.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client dnsbl.njabl.org
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_helo_required = yes
disable_vrfy_command = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
Thanks.

Last edited by alex_bueno; 16th February 2008 at 03:42.
#2
16th February 2008, 05:21
topdog (Senior Member, South Africa)

Do you mean you sent mail to a domain on the server and it was accepted, or you sent mail to an external domain and it was accepted?

Because if it is to a domain on the server then that is normal.
__________________
----
http://www.topdog.za.net - Got Linux problems ? - I can help.
http://www.baruwa.org - Try it.
#3
16th February 2008, 15:55
alex_bueno (Junior Member, Brazil)

Is it normal even if I'm not in "mynetworks"?

This is a great way to send spam. I want to block it!
#4
16th February 2008, 15:58
topdog (Senior Member, South Africa)

If the mail is for a domain that your Postfix accepts mail for, then it is normal, but if you can send mail anywhere then you have an open relay.
#5
16th February 2008, 16:05
topdog (Senior Member, South Africa)

I think it's because of how you have formatted the smtpd_recipient_restrictions option. I think you either use commas on one straight line or you use tabs for each option on a new line.
Try this:
Code:
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unauth_pipelining
        reject_invalid_hostname
        reject_unlisted_recipient
        reject_rbl_client list.dsbl.org
        reject_rbl_client bl.spamcop.net
        reject_rbl_client sbl-xbl.spamhaus.org
        reject_rbl_client zombie.dnsbl.sorbs.net
        reject_rbl_client blackholes.easynet.nl
        reject_rbl_client cbl.abuseat.org
        reject_rbl_client proxies.blackholes.wirehub.net
        reject_rbl_client sbl.spamhaus.org
        reject_rbl_client dnsbl.njabl.org

Last edited by topdog; 16th February 2008 at 16:11.
#6
16th February 2008, 16:33
alex_bueno (Junior Member, Brazil)

I don't think so. I can see in the logs a lot of messages being blocked by this rule, reject_rbl_client. But I'll try! Wait...
#7
18th February 2008, 05:15
alex_bueno (Junior Member, Brazil)

Nothing. I can still send mail to the domain without authenticating. I can't believe that it is normal. I tried my ISP's server and it denied it.

Are you sure that it's normal?


#8
18th February 2008, 07:18
topdog (Senior Member, South Africa)

Of course that is normal. How then do you expect people to send you mail if they have to authenticate to do so?
#9
19th February 2008, 12:19
alex_bueno (Junior Member, Brazil)

I guess you didn't understand what I'm saying!

I have configured my Outlook in the local network with the server. In this configuration I can send e-mails without authenticating.

And I configured the Outlook of my home PC to access the same server, out of the local network, through the internet, got it? In this configuration I shouldn't be able to send mails without authenticating, right? Else I've got an open relay. The server asks for authentication, but only when I'm sending mail to a domain that isn't the same domain (e.g. alex_bueno@mydomain.com -> alex_bueno@gmail.com). If I try to send to the same domain (e.g. alex_bueno@mydomain.com -> other_user@mydomain.com), the server doesn't ask for authentication.

This way, anyone can connect to my server and send mails to local users. Exactly what I don't want.

I'm talking about client connection, not server connection.
#10
19th February 2008, 12:30
topdog (Senior Member, South Africa)

There is no misunderstanding here: anybody on the internet should be able to connect to your server and deliver mail to users@yourdomain.com without being asked for authentication, otherwise you will never be able to receive email from anyone, as they don't have credentials to authenticate to your system. However, an open relay is when I can connect to your system and send mail to andrew@gmail.com without authentication.

If you don't want your users to get email from anywhere outside your network then firewall off port 25 from the internet.

Last edited by topdog; 19th February 2008 at 12:32.
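The first-match logic topdog describes in #10, together with the config-layout question raised in #5, as an added example that is not part of the original thread and not Postfix's own code. The Python below reads a main.cf fragment the way postconf does (a line that starts with whitespace continues the previous parameter, and list items may be separated by commas, whitespace or both, so the comma-per-line layout from #1 and the whitespace-only layout suggested in #5 yield the same restriction list), then walks smtpd_recipient_restrictions with Postfix's first-match semantics for the three restrictions that decide relaying. The config text, client IPs and mailbox addresses are constructed for the example; because the real server takes its virtual domains from MySQL, a literal virtual_mailbox_domains = mydomain.com stands in for that lookup. probe_relay is a live check against a real host and only runs when a host and two addresses are given on the command line.

```python
"""Added example (not from the thread or from Postfix): parse a main.cf
fragment the way postconf does and walk smtpd_recipient_restrictions with
Postfix's first-match semantics. Config text, IPs and addresses are
constructed; the literal virtual_mailbox_domains stands in for the real
server's MySQL lookup.
"""
import ipaddress
import re
import smtplib
import sys

# Constructed fragment, comma-per-line layout as in post #1.
MAIN_CF_COMMAS = """\
mynetworks = 127.0.0.0/8, 10.0.0.0/8
mydestination = mailserver.domain.com, localhost, localhost.localdomain
virtual_mailbox_domains = mydomain.com
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient
"""
# Same fragment, whitespace-only layout as suggested in post #5.
MAIN_CF_WHITESPACE = MAIN_CF_COMMAS.replace(",\n", "\n")


def parse_main_cf(text):
    """Return {parameter: [items]} for a main.cf fragment."""
    raw, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # continuation of the previous parameter
            if current is None:
                raise ValueError("continuation line before any parameter")
            raw[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        raw[current] = value.strip()
    # Postfix list syntax: commas and/or whitespace separate items.
    return {k: [t for t in re.split(r"[,\s]+", v) if t] for k, v in raw.items()}


def evaluate(cfg, client_ip, sasl_authenticated, rcpt):
    """First PERMIT or REJECT wins; restrictions not modelled act as DUNNO."""
    networks = [ipaddress.ip_network(n) for n in cfg["mynetworks"]]
    # reject_unauth_destination accepts any domain the server is final
    # destination or authorised relay for.
    my_domains = set()
    for param in ("mydestination", "virtual_mailbox_domains",
                  "virtual_alias_domains", "relay_domains"):
        my_domains.update(d.lower() for d in cfg.get(param, []))
    client = ipaddress.ip_address(client_ip)
    rcpt_domain = rcpt.rpartition("@")[2].lower()
    for restriction in cfg["smtpd_recipient_restrictions"]:
        if restriction == "permit_mynetworks":
            if any(client in net for net in networks):
                return "PERMIT", "permit_mynetworks"
        elif restriction == "permit_sasl_authenticated":
            if sasl_authenticated:
                return "PERMIT", "permit_sasl_authenticated"
        elif restriction == "reject_unauth_destination":
            if rcpt_domain not in my_domains:
                return "REJECT", "554 5.7.1 Relay access denied"
    return "PERMIT", "end of list"  # Postfix's default when nothing matched


def thread_scenarios(cfg):
    """The four cases argued about in the thread: (client, auth, rcpt, verdict)."""
    cases = [
        ("10.0.0.23", False, "alex_bueno@gmail.com"),       # LAN, no auth
        ("203.0.113.7", False, "other_user@mydomain.com"),  # internet, no auth, local rcpt
        ("203.0.113.7", False, "alex_bueno@gmail.com"),     # internet, no auth, external rcpt
        ("203.0.113.7", True, "alex_bueno@gmail.com"),      # internet, SASL auth
    ]
    return [(ip, auth, rcpt, evaluate(cfg, ip, auth, rcpt)[0]) for ip, auth, rcpt in cases]


def probe_relay(host, local_rcpt, external_rcpt, port=25, timeout=10):
    """Live check of a real server (needs network; not run on import).
    Returns the RCPT TO reply codes for a local and an external recipient;
    a correctly configured server answers (250, 554). local_rcpt must be an
    existing mailbox, since reject_unlisted_recipient rejects unknown users.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("relaytest.example")
        smtp.mail("relaytest@example.net")
        local_code, _ = smtp.rcpt(local_rcpt)
        external_code, _ = smtp.rcpt(external_rcpt)
        smtp.rset()
        return local_code, external_code


if __name__ == "__main__":
    if len(sys.argv) == 4:  # host local_rcpt external_rcpt
        print(probe_relay(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        cfg = parse_main_cf(MAIN_CF_COMMAS)
        assert cfg == parse_main_cf(MAIN_CF_WHITESPACE)  # both layouts are equivalent
        for row in thread_scenarios(cfg):
            print(row)
```

Run with no arguments to see the four verdicts from the thread: the LAN client and the authenticated client are permitted by permit_mynetworks and permit_sasl_authenticated, and the unauthenticated internet client is rejected with "Relay access denied" for gmail.com but permitted for mydomain.com, because reject_unauth_destination only fires for domains the server is not responsible for. That last verdict is inbound delivery, not relaying; it is what the RBL and reject_unlisted_recipient checks later in the list are there to filter. The separation alex_bueno is after, a port where mail clients must always authenticate, is what the submission service (port 587) in master.cf exists for: it can carry -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject while port 25 keeps accepting unauthenticated inbound mail for the local domains.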
All times are GMT +2.