Postfix Autentication

Discussion in 'Server Operation' started by alex_bueno, Feb 16, 2008.

  1. alex_bueno

    alex_bueno New Member

    Hi guys,

    I thought that I've configurated my server ok till I test it from my home. My idea is:

    - Local users (10.0.0.0/8) don't need to autenticate to send mail;
    - External users need to autenticate to send mail.

    I made the configurations, but haven't oportunity to test yet. Right now I've did the follow tests:

    - Connect to the server from my home and mail to external domains without autenticate. The server reply "Relay access denied".
    - Then I connected to the server and try to send mail to users of domain again without/I] autenticate. For my surprise it sent.

    How do I prevent this?

    main.cf:

    Code:
    myhostname = mailserver.domain.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = mailserver.domain.com, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8, 10.0.0.0/8
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    message_size_limit = 3670016
    recipient_delimiter = +
    inet_interfaces = all
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /home/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unauth_pipelining,
        reject_invalid_hostname,
        reject_unlisted_recipient,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client zombie.dnsbl.sorbs.net,
        reject_rbl_client blackholes.easynet.nl,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client proxies.blackholes.wirehub.net,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client dnsbl.njabl.org
    smtpd_helo_restrictions = reject_invalid_hostname
    smtpd_etrn_restrictions = permit_mynetworks, reject
    smtpd_helo_required = yes
    disable_vrfy_command = yes
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    virtual_create_maildirsize = yes
    virtual_mailbox_extended = yes
    virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
    virtual_mailbox_limit_override = yes
    virtual_maildir_limit_message = "The user you are trying to reach is over quota."
    virtual_overquota_bounce = yes
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    Tks.
     
    Last edited: Feb 16, 2008
  2. topdog

    topdog New Member HowtoForge Supporter

    Do u mean to sent mail to a domain on the server and it was accepted or you sent mail to an external domain and it was accepted ?

    Because if it is to a domain on the server then that is normal.
     
  3. alex_bueno

    alex_bueno New Member

    Is it normal even if i'm not in "mynetworks"?

    This is a great way to send spam. I wanna block it!
     
  4. topdog

    topdog New Member HowtoForge Supporter

    If the mail is for a domain that your postfix accepts mail for then it is normal but if you can send mail anywhere then you have an open relay.
     
  5. topdog

    topdog New Member HowtoForge Supporter

    I think its because of how you have formated the smtpd_recipient_restrictions option. I think you either use comma's on one straight line or you use tabs for each option on a new line.
    Try this
    Code:
    smtpd_recipient_restrictions =
            permit_mynetworks
            permit_sasl_authenticated
            reject_unauth_destination
            reject_non_fqdn_sender
            reject_non_fqdn_recipient
            reject_unauth_pipelining
            reject_invalid_hostname
            reject_unlisted_recipient
            reject_rbl_client list.dsbl.org
            reject_rbl_client bl.spamcop.net
            reject_rbl_client sbl-xbl.spamhaus.org
            reject_rbl_client zombie.dnsbl.sorbs.net
            reject_rbl_client blackholes.easynet.nl
            reject_rbl_client cbl.abuseat.org
            reject_rbl_client proxies.blackholes.wirehub.net
            reject_rbl_client sbl.spamhaus.org
            reject_rbl_client dnsbl.njabl.org
    
     
    Last edited: Feb 16, 2008
  6. alex_bueno

    alex_bueno New Member

    I don't think so. I can see in the logs a lot of messages being blocked by this rule reject_rbl_client. But I'll try! Wait...
     
  7. alex_bueno

    alex_bueno New Member

    Nothing. Still can send mail to the domain without autenticate. I can't believe that it is normal. I tried my ISP server and it denied.

    Sure that it's normal?


     
  8. topdog

    topdog New Member HowtoForge Supporter

    Of course that is normal how then do u expect people to send you mail if they have to authenticate to do so ?
     
  9. alex_bueno

    alex_bueno New Member

    I guess you didn't understand what I'm saying!

    I have configurated my outlook in the local network with the server. In this configuration I can send e-mails without autenticate.

    And I configurated the outlook of my home pc to access the same server. Out of the local network through the internet, got it? In this configuration I shouldn't send mails without autenticate, right? Else I've got an open relay. The server asks for autentication, but only when I'm sending mail to domain that isn't the same domain (eg. [email protected] -> [email protected]). If I try to send to the same domain (eg. [email protected] -> [email protected]), server don't asks for autentication.

    This way, anyone can connect to my server and send mails to local users. Exactely what I don't want.

    I'm talking about client connection, not server connection.
     
  10. topdog

    topdog New Member HowtoForge Supporter

    There is no misunderstanding here any body on the internet should be able to connect to your server and deliver mail to [email protected] without being asked for authentication otherwise you will never be able to receive email from any one as the don't have credentials to authenticate to your system, How ever an open relay is when i can connect to your system and send mail to [email protected] without authentication.

    If you dont want your users to get email from any where outside your network then firewall off port 25 from the internet
     
    Last edited: Feb 19, 2008
  11. falko

    falko Super Moderator ISPConfig Developer

Share This Page