Did I miss something? Postfix will send 'outbound' mail without login?

Discussion in 'Installation/Configuration' started by FactionOne, Sep 1, 2015.

  1. FactionOne

    FactionOne New Member

    Hi All,

    I recently re-installed my two ISPConfig servers (I wanted to make some changes and decided it'd probably be better to start from fresh). I've just been doing some testing, and I found that I can send outbound mail without authentication with Postfix. Is this normal for a fresh install, or have I missed something in the documentation?

    To clarify: It's not acting as an open relay; but if I telnet in and manually create a message with MAIL FROM: a valid mailbox address and RCPT TO: an email address hosted somewhere else, the message is queued and processed. I wonder if this is expected behaviour for a new install, or whether I missed something; surely with a quick glance at the header of a mail received from me, anyone could simply send bogus email as me?

    I'd be really grateful for help setting up a requirement for authentication with mailbox credentials as configured in ISPConfig.

    Many thanks,

    Rob.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's normal. All mail servers allow sending mail from localhost without authentication; otherwise the Linux system wouldn't be able to use the mail system to send e.g. cron notifications or other messages to the root user.
     
  3. FactionOne

    FactionOne New Member

    @till - Thanks for your reply.

    I've just deleted my last reply, having thought about the situation some more.

    Perhaps I miscommunicated the issue...

    I've reinstalled my ISPConfig setup and so far configured one mailbox for one hosted domain (for the purposes of this discussion: [email protected]). I wanted to check security is correct, so I ran an open relay test; the result was as expected, MAIL FROM an address outside the server's mail domains with RCPT TO another address outside the server's mail domains was rejected.

    Then I wanted to test that authentication was required to process mail with:
    MAIL FROM: <[email protected]>
    RCPT TO: somewhere outside the server <[email protected]>

    My laptop is on a different subnet to the ISPConfig machines, but to make doubly-sure (or so I thought) that I was a remote host, I tethered my laptop to my Android phone, and connected with PuTTY to the server on port 25. The mail was queued and processed.

    Surely there needs to be some sort of authentication there; because anyone who knows that [email protected] sends email via mail.myispconfig.domain can do the same, and send mail appearing to genuinely be from that user?

    Having been worried by this behaviour, I disabled SMTP for the mailbox from ISPConfig, but Postfix is still happy to send mail from that address?

    Many thanks again,

    Rob.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    When the relay test was OK then your server is not an open relay, and if you followed the install instructions then it can't be an open relay. There are two options: the first one is that you tested sending to a local domain (maybe a typo in the SMTP dialogs or similar), that's a common error; the other option is that you allowed Postfix to relay from your local network without authentication by adding your local network to the mynetworks setting in Postfix main.cf.
     
  5. FactionOne

    FactionOne New Member

    @till - You sir, are a genius and a gentleman. I'm a moron...

    I was basically sending from a mail user held locally, to a mail user held locally - as suggested in your posts. The stupid mistake I was making was in topology; I'd been thinking of the domains as separate entities, when as they live on the same machine, they're effectively not.

    Messages were delivered (ultimately to a GMail account), because I'd been sending to an address which is catch-all forwarded by the ISPConfig machine. When I adjusted my test so that MAIL FROM was [email protected] and RCPT TO was @gmail.com, the message was rejected.

    Again, many thanks for your help, and patience helping a dopey n00b.

    Rob.

    PS> I explained the outcome just in case anyone finds the thread in future, but if you feel the thread is pulling down the average IQ of the forum, please feel free to delete it! :)
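Worked example, added here and not part of the thread or of ISPConfig's own code: a small model of the relay decision till describes (`permit_mynetworks`, `permit_sasl_authenticated`, `reject_unauth_destination`, the usual order in `smtpd_recipient_restrictions`) plus a client that repeats Rob's manual `MAIL FROM` / `RCPT TO` check over `smtplib` and stops before `DATA`, so nothing is ever queued. The rule order is written from memory of Postfix semantics rather than from this server's `main.cf`; the domain `myispconfig.domain` is taken from the thread, while the IP addresses, `gmail.com` recipient and the `relay_decision`/`probe_relay` names are constructed for the example. The model makes the point of the last two posts explicit: `reject_unauth_destination` looks only at the recipient's domain, so local sender plus local recipient (including a catch-all that forwards onward) is accepted from anywhere, and adding the test client's own network to `mynetworks` is the other way an unauthenticated external-to-external relay gets through.

```python
"""Model of Postfix's standard relay decision and a live RCPT probe.

Added example, not code from the thread or from ISPConfig. Rule order mirrors
the common ISPConfig/Postfix setting
    smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated, reject_unauth_destination, ...
and is written from memory of Postfix semantics (an assumption, not a dump
of any real main.cf).
"""
import ipaddress
import smtplib

RELAY_DENIED = "reject_unauth_destination (554 Relay access denied)"


def relay_decision(rcpt_to, client_ip, authenticated, local_domains, mynetworks):
    """Return (accepted, reason) for one RCPT TO command.

    MAIL FROM is deliberately not a parameter: reject_unauth_destination only
    checks whether the *recipient* domain is one this server is responsible
    for. That is why "local sender -> local recipient" is accepted from any
    client, which is what the thread's final post ran into.
    mynetworks entries use the ipaddress module's notation here ("::1/128"),
    not Postfix's bracketed IPv6 form ("[::1]/128").
    """
    ip = ipaddress.ip_address(client_ip)
    for net in mynetworks:
        if ip in ipaddress.ip_network(net, strict=False):
            return True, "permit_mynetworks"
    if authenticated:
        return True, "permit_sasl_authenticated"
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if rcpt_domain in {d.lower() for d in local_domains}:
        return True, "destination is a local domain"
    return False, RELAY_DENIED


def probe_relay(host, mail_from, rcpt_to, port=25, timeout=10):
    """Repeat the manual telnet check from the thread against a real server.

    Sends EHLO, MAIL FROM and RCPT TO without AUTH, records the RCPT verdict,
    then issues RSET so no message is queued. Returns (accepted, server_reply).
    Run it only against a server you administer.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(mail_from)
        if code != 250:
            return False, f"MAIL FROM rejected: {code} {msg.decode(errors='replace')}"
        code, msg = smtp.rcpt(rcpt_to)
        smtp.rset()  # never DATA: the RCPT reply is all the check needs
        return code == 250, f"{code} {msg.decode(errors='replace')}"


if __name__ == "__main__":
    # Constructed values: one hosted domain (from the thread), default-style
    # mynetworks, an external test client (documentation range 203.0.113.0/24).
    local = ["myispconfig.domain"]
    nets = ["127.0.0.0/8", "::1/128"]
    phone = "203.0.113.7"

    scenarios = [
        ("open relay test: external -> external, no auth",
         relay_decision("someone@gmail.com", phone, False, local, nets)),
        ("Rob's first test: local sender -> local (catch-all) recipient",
         relay_decision("anyone@myispconfig.domain", phone, False, local, nets)),
        ("Rob's corrected test: local sender -> gmail.com, no auth",
         relay_decision("someone@gmail.com", phone, False, local, nets)),
        ("same, but authenticated with the mailbox credentials",
         relay_decision("someone@gmail.com", phone, True, local, nets)),
        ("till's other option: client network added to mynetworks",
         relay_decision("someone@gmail.com", phone, False, local,
                        nets + ["203.0.113.0/24"])),
    ]
    for label, (accepted, reason) in scenarios:
        print(f"{'ACCEPT' if accepted else 'REJECT':6}  {label}  [{reason}]")
```

`probe_relay` is the live counterpart of the model: pointing it at your own server with an external sender and recipient should return `False` with a `554 ... Relay access denied` reply, and with a local recipient it returns `True` whatever the sender is, which is the behaviour the thread ended up explaining.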
     
