From: Jannis Achstetter on 10 Feb 2010 16:58

Hello postfix-users,

I have a postfix-server with virtual user-mapping in a database serving multiple domains running for some years now. It's not a high-traffic site but as spam-mails increased, I decided to use a spamfilter (amavis & spamassassin now).

One thing that disturbed me right from the start and that I want to have fixed now is:

An email from an authenticated user can be sent to any destination. This is correct and shall stay this way.

An email (FROM is not in $mydestination) from an unauthenticated user to an address in $mydestination is accepted. This is also fine.

An email from an unauthenticated user to any destination but $mydestination (open relay) is denied. Perfect.

BUT: Any email (FROM is in $mydestination) to $mydestination is accepted by any user since TO is in $mydestination. How do I stop this?

Mails from $mydestination should only be accepted when the user is authenticated even when the destination is in $mydestination. That means that the "mails from $mydestination only when authenticated" shall be stronger than the "mails to $mydestination from any user/from any address".

I searched the internet, talked to people in chatrooms and read the manpage postconf(5) but I still do not know how to achieve this. Would be nice if my problem can be solved on this ML.

Thanks in advance,
Jannis

From: Jan Kohnert on 10 Feb 2010 17:17

Hi,

Jannis Achstetter wrote:
> An email (FROM is not in $mydestination) from an unauthenticated user to
> an address in $mydestination is accepted. This is also fine.
> An email from an unauthenticated user to any destination but
> $mydestination (open relay) is denied. Perfect.
> BUT: Any email (FROM is in $mydestination) to $mydestination is accepted
> by any user since TO is in $mydestination. How do I stop this?

Only if the sender IP is in mynetworks. I think you possibly want

mynetworks = 127.0.0.1

Then only senders from the local machine can send unauthenticated.

If that's not the way you want things to work, please post the information listed in http://www.postfix.org/DEBUG_README.html#mail

--
Best regards
Jan

From: Jannis Achstetter on 15 Feb 2010 10:38

On 10.02.2010 23:17, Jan Kohnert wrote:
> Hi,
>
> Jannis Achstetter wrote:
>> An email (FROM is not in $mydestination) from an unauthenticated user to
>> an address in $mydestination is accepted. This is also fine.
>> An email from an unauthenticated user to any destination but
>> $mydestination (open relay) is denied. Perfect.
>> BUT: Any email (FROM is in $mydestination) to $mydestination is accepted
>> by any user since TO is in $mydestination. How do I stop this?
>
> Only if the sender IP is in mynetworks. I think you possibly want
>
> mynetworks = 127.0.0.1
>
> Then only senders from the local machine can send unauthenticated.

I had "mynetworks_style = host" so I thought to be fine. Setting "mynetworks = 127.0.0.1" didn't help.

So, here is the output from postfinger and an excerpt from the logfile (assuming you guys being trustworthy for that type of content ;) where a mail is accepted that should not be. I don't have my domains listed in mydestination but in virtual_mailbox_domains since it is a pure virtual setup.

Mailserver-configuration (postfinger):
http://kripton.kripserver.net/self/postfix/postfinger.log

Logfile for the one mail:
http://kripton.kripserver.net/self/postfix/log.log

I left the amavis-stuff in for completeness

Jannis
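
An added example, not part of any post in this thread: one common way to express the policy asked for in the first message is a sender check that runs only after the local-network and authenticated cases have been permitted. The map path and the domain example.org are assumptions; the real map would list the domains from virtual_mailbox_domains.

```ini
# /etc/postfix/main.cf  (added example; the map path is an assumption)
# A restriction list is evaluated left to right and the first match decides.
# A "permit" here only ends the sender list; smtpd_recipient_restrictions
# still runs afterwards, so the existing open-relay protection is unchanged.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/own_domains_need_auth

# /etc/postfix/own_domains_need_auth
# Build the lookup table with: postmap /etc/postfix/own_domains_need_auth
# One line per hosted domain; example.org is a placeholder, not a real entry.
# Only clients that were neither in mynetworks nor SASL-authenticated reach
# this lookup, so a match means an unauthenticated client is using a hosted
# domain as its envelope sender.
example.org    REJECT Sender domain is hosted here, authenticate to send
```

With a content filter such as amavis, the re-injected mail arrives from 127.0.0.1 and is covered by permit_mynetworks. Outside forwarders that keep an envelope sender in a listed domain are rejected by this check as well.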