Postfix config to require authentication for outgoing mail etc

Discussion in 'ISPConfig 3 Priority Support' started by pawan, Sep 28, 2017.

  1. pawan

    pawan Member HowtoForge Supporter

    I am looking for a config, but not been able to achieve.
    1. To make postfix require authentication for all outgoing mail. what I see like this:
      Code:
      Passed CLEAN {RelayedOutbound}, LOCAL [127.0.0.1]
    2. There are mails which are sent as spam by bots or malicious script like [email protected].
    Now mydomain.com is my domain, but xitpl is no mailbox on my server/domain, yet the mail is queued as valid sender.
    my config for postfix is like this:
    Code:
    smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    defer_unauth_destination
    
    smtpd_reject_unlisted_sender = yes
    
    smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
    
    smtpd_sender_restrictions =
    check_sender_access regexp:/etc/postfix/tag_as_originating.re,
    
    reject_authenticated_sender_login_mismatch, permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf,
    
    check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    Is there anything which I am still missing or done a wrong config.

    Note: In some other post I read that removing "127.0.0.1" from mynetworks will work. but how to configure that, will I be able to send mail using roundcube and receive mail from other network?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess the mails are not send from external. Otherwise, your server would have requested a password. Setting a password for internal (localhost) mail makes not much sense. The most likely source for these mails is a hacked website, check the content of the mail in the mailqueue e.g. with the postcat command to see which website on your server has sent it and then fix that site.
     
  3. pawan

    pawan Member HowtoForge Supporter

    That is right. is it possible:
    1. whether internal or external to prevent completely the sender name, which is not on my server for example [email protected], this mail box is not there on my server. so the Postfix should able to identify that block that.
    2. is it possible to implement the password for any mails to be sent? like for example if I change the submission port to 587 from 25.
    Thanks.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    All these measures won't help you when a site is hacked, the hacker will just upload a smtp library written in PHP to the website if he can't use the local mail system. So mail sending for him will still work well but it's way more complicated for you to find the sender then. And the mail system is also used by other services like cron jobs and internal messages and these systems expect that they can send emails over localhost. Fix the hacked site to fix the problem and don't mess up your mail system.
     
  5. HSorgYves

    HSorgYves Active Member

    Besides if you close port 25 you risk that other mailserver refuse to talk to yours.
     

Share This Page