postfix authentication

Discussion in 'Server Operation' started by sudip, Feb 5, 2013.

  1. sudip

    sudip New Member

    Hi,
    I am administering a server and I must accept that I am a total newbie. I have followed the "The Perfect Server – CentOS 6.3 x86_64 (Apache2, Dovecot, ISPConfig 3)" to set up the server. Everything is OK in it; we do not have any problem in sending/receiving mail, except that Postfix is allowing mails within the same domain without authentication.
    Example: my domain is xyz.com and I have two mailboxes, abc@xyz.com and bcd@xyz.com. Now in the mail client (Thunderbird) of abc@xyz.com, I have given the SMTP authentication method as "no authentication" and abc@xyz.com is trying to send a mail to bcd@xyx.com; still the mail is getting delivered. Can you please guide me or point me to the setting which might be causing it?

    This is my output of postconf -n. In the result I have just modified myhostname and smtp_bind_address.

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    body_checks = regexp:/etc/postfix/body_checks
    bounce_queue_lifetime = 1d
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    default_process_limit = 50
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = no
    inet_interfaces = all
    inet_protocols = ipv4
    mail_owner = postfix
    mailbox_size_limit = 0
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    maximal_queue_lifetime = 1d
    message_size_limit = 0
    milter_default_action = accept
    milter_protocol = 2
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    mydestination = localhost, localhost.localdomain
    myhostname = xyz.com
    mynetworks = 127.0.0.0/8 [::1]/128
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    newaliases_path = /usr/bin/newaliases.postfix
    non_smtpd_milters = $smtpd_milters
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    queue_directory = /var/spool/postfix
    queue_run_delay = 15m
    readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
    receive_override_options = no_address_mappings
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    relayhost =
    sample_directory = /usr/share/doc/postfix-2.6.6/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_bind_address = x.x.x.x
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_milters = inet:127.0.0.1:8891
    smtpd_recipient_restrictions = reject_unauth_pipelining,permit_mynetworks,permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
    smtpd_reject_unlisted_sender = yes
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl1/startssl.chain.class1.server.crt
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_security_level = may
    smtpd_use_tls = yes
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    unknown_local_recipient_reject_code = 550
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_transport = dovecot
    virtual_uid_maps = static:5000


    Thanks in advance
    Sudip
     
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

  3. sudip

    sudip New Member

    Hi falko
    Thanks for the reply.
    But in my case, the IP from which the mail is coming is not listed in mynetworks.
    And I did not understand what you meant by rdcipient.

    The recipients of the mails which are coming unauthorized are all virtual mailboxes.
    And just today I had to remove the setting smtpd_reject_unlisted_sender = yes, otherwise all the system mails were getting blocked.

    Thanks
    Sudip
     
  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    A typo. I meant recipient.
     
  5. sudip

    sudip New Member

    Then isn't that a security issue? That means I can send mails to any user in our domain and that mail might look as if it has been sent by our MD. I can then send any type of mail to abc@example.com and abc@example.com will think that the mail has been sent by xyz@example.com, but in reality the mail has actually been sent by sudip@example.com - but there is no reference to sudip@example.com in the mail.

    :confused:

    Sudip
     
  6. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    A weakness of the SMTP protocol - you can use fake sender addresses.
     
  7. sudip

    sudip New Member

    Sorry Falko, but I cannot agree with that.
    I have another domain which is not on this dedicated server, but is on shared hosting on a Windows server of ixwebhosing.com.
    When I try to send mail to one of the mailboxes of this domain using a fake and nonexistent userid of the same domain, the mail server does not allow me to send it.
    And that is also the SMTP protocol.
     
  8. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Yes, but try to send to a domain that is not on this server...
     
  9. sudip

    sudip New Member

    Hi Falko
    I think you misunderstood my first post (the original post with the problem).

    This is the problem that I am facing on the dedicated server - I am able to send mail to one of the mailboxes of this domain using a fake and nonexistent userid of the same domain.
    The shared Windows hosting server is not allowing it, but the dedicated server (The Perfect Server – CentOS 6.3 x86_64 (Apache2, Dovecot, ISPConfig 3)) is allowing it.

    This has to be some of the settings.

    Thanks in advance.
    Sudip
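
Added example, not part of any post in this thread and not ISPConfig or Postfix code: a small Python check that walks the smtpd_recipient_restrictions list from the postconf -n output above for one RCPT TO, and reports whether any restriction list ties the sender address to a SASL login (reject_sender_login_mismatch or reject_unauthenticated_sender_login_mismatch, both of which depend on smtpd_sender_login_maps). The client IP, the hosted-domain set and the "no map entry matches" behaviour are assumptions made for the illustration.

```python
import ipaddress

# Constructed input: three settings copied from the postconf -n output in the first post.
POSTCONF = """\
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_recipient_restrictions = reject_unauth_pipelining,permit_mynetworks,permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
"""
LOGIN_CHECKS = {"reject_sender_login_mismatch",
                "reject_unauthenticated_sender_login_mismatch"}

def parse_postconf(text):
    """Turn 'name = value' lines into a dict."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def restriction_names(value):
    """Restriction names in evaluation order; map arguments (type:name) are dropped."""
    return [t for t in value.replace(",", " ").split() if ":" not in t]

def in_mynetworks(conf, client_ip):
    addr = ipaddress.ip_address(client_ip)
    nets = conf.get("mynetworks", "").replace("[", "").replace("]", "").split()
    return any(addr in ipaddress.ip_network(n) for n in nets)

def decide(conf, client_ip, authenticated, rcpt_domain, hosted_domains):
    """Return (action, deciding restriction) for one RCPT TO.
    Assumes every check_*_access lookup finds no entry and the client does not pipeline."""
    for name in restriction_names(conf["smtpd_recipient_restrictions"]):
        if name == "permit_mynetworks" and in_mynetworks(conf, client_ip):
            return ("permit", name)
        if name == "permit_sasl_authenticated" and authenticated:
            return ("permit", name)
        if name == "reject_unauth_destination" and rcpt_domain not in hosted_domains:
            return ("reject", name)
    return ("permit", "end of list")

def has_sender_login_check(conf):
    """True if any smtpd_*_restrictions list ties the MAIL FROM address to a SASL login."""
    return any(LOGIN_CHECKS & set(restriction_names(v)) for k, v in conf.items()
               if k.startswith("smtpd_") and k.endswith("_restrictions"))

if __name__ == "__main__":
    conf = parse_postconf(POSTCONF)
    hosted = {"xyz.com"}  # assumption: what virtual_mailbox_domains would return
    print(decide(conf, "203.0.113.5", False, "xyz.com", hosted))
    print(decide(conf, "203.0.113.5", False, "example.org", hosted))
    print("sender/login check configured:", has_sender_login_check(conf))
```

An unauthenticated client outside mynetworks is permitted for a hosted recipient domain because reject_unauth_destination only rejects relaying to other domains, which is the same path ordinary inbound mail takes; nothing in the posted configuration compares the envelope sender with a login.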
     
