LinuxQuestions.org
Old 09-14-2003, 07:59 AM   #1
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Rep: Reputation: 30
How to avoid making postfix setup an open relay??!


Hi all,

I set up postfix yesterday, and my network can now email through mydomain.com. I have set the

mynetworks_style = subnet

bit in /etc/postfix/main.cf

Will selecting subnet in the above setting prevent spammers from using my postfix as an smtp relay?

Thanks in advance.
 
Old 09-14-2003, 08:09 AM   #2
MasterC
Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 64
If you don't have a large network, you may be better off specifying a group of internal IPs to relay through your server:
mynetworks = 192.168.1.2, 192.x.x.x

And so on. However, on a large network, something that might be more cumbersome than simply adding 2 or 3 static internal IPs, or if you are using DHCP for your internals, or some other network scheme (I'm by no means a network guru) then the subnet option is a good one, and will likely prevent **most** (all?) spam relay outside your network. You can always test though..



Cool
 
Old 09-14-2003, 08:19 AM   #3
pablob
Member
 
Registered: Apr 2003
Location: Madrid
Distribution: RHAS, Kubuntu, Solaris, TRU64
Posts: 381

Rep: Reputation: 31
How about blocking Port 25 from the external side of your firewall ?
 
Old 09-14-2003, 08:23 AM   #4
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Original Poster
Rep: Reputation: 30
Thanks for your reply.

I tried to input internal IPs into the mynetwork= setting but was unable to send email through postfix from network computers afterwards?

In the main.cf comments it says

"Specify an explicit list of network/subnet patterns, where the mask specifies the number of bits in the network part of a host address"

then give the example

#mynetworks= 192.168.0.1/28, 127.0.0.0/8

would this be why inputting just 192.168.0.1, 192.168.0.2 in the mynetworks= does not work?

Thanks
 
Old 09-14-2003, 08:29 AM   #5
MasterC
Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 64
Yeah, that's likely so

Here's my entry:
mynetworks = 192.168.1.0/24

Alternatively, if your network is going to dynamically resize, you can create a text file containing these values as noted in the main.cf:
#mynetworks = hash:/etc/postfix/network_table

The text file network_table would contain the information we are specifying above, simply with the IPs:
192.168.0.0/24

Or whatever you use.

Then as your office/home shrinks/expands, you add the new/remove the old IPs from that file instead of editing your main.cf. Less risky IMHO.

HTH

Cool
 
Old 09-14-2003, 09:37 AM   #6
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
If all else fails relay only with SMTP AUTH :-)
 
Old 09-14-2003, 09:51 AM   #7
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Original Poster
Rep: Reputation: 30
Thanks for the replies, I changed the mynetworks = to
192.168.0.0/28, 127.0.0.0/8

and it worked ok.

I am however curious....

what does the bit after the ip address mean?

for example what does the 24 or 28 stand for in these examples

mynetworks = 192.168.0.1/28
or
mynetworks = 192.168.0.1/24

does it mean 192.168.0.1-192.168.0.24
??
 
Old 09-14-2003, 10:23 AM   #8
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
IPv4 = 8+8+8+8 bits = 32 bits

/24 = 24 network bits (= 8 host bits)
/28 = 28 network bits (= 4 host bits) <== subnetting

/24 = 256 hosts
/25 = 128 hosts
/26 = 64 hosts
/27 = 32 hosts
/28 = 16 hosts
...

hosts doesn't mean USABLE hosts (network address, broadcast). so for instance


192.168.0.0/28
192.168.0.0 = network
192.168.0.1 = 1st IP address
192.168.0.14 = last IP address
192.168.0.15 = broadcast


for more details search google for CIDR subnetting:

http://arizona.edu/netmgrs/subnetting.html
http://www.gtoal.com/subnet.html
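
Added example (not part of any post in this thread): a small Python check that expands each IPv4 pattern in a mynetworks value into the network, first/last host and broadcast described above, flags entries with host bits set or with public address space, and tests whether a given client address would be covered. The function names audit_mynetworks and is_trusted are made up for this illustration; the sample values are the ones quoted in the thread.

```python
import ipaddress

def audit_mynetworks(value):
    """Describe each entry of a Postfix mynetworks value (IPv4 patterns)."""
    reports = []
    for entry in value.replace(",", " ").split():
        # /file/name and type:table entries are resolved by Postfix itself;
        # this sketch only recognises them and moves on.
        if entry.startswith("/") or (":" in entry and entry.split(":")[0].isalpha()):
            reports.append({"entry": entry, "kind": "file-or-table"})
            continue
        net = ipaddress.ip_network(entry, strict=False)  # bare IP becomes a /32
        has_edges = net.prefixlen <= 30  # block has network + broadcast addresses
        first = net.network_address + 1 if has_edges else net.network_address
        last = net.broadcast_address - 1 if has_edges else net.broadcast_address
        reports.append({
            "entry": entry,
            "kind": "network",
            "network": str(net),
            # True when the entry names a host inside the block, e.g. .1/28
            "host_bits_set": "/" in entry and entry != str(net),
            "addresses": net.num_addresses,
            "first": str(first),
            "last": str(last),
            "broadcast": str(net.broadcast_address),
            # Public space here means trusting whoever holds those addresses.
            "public": not net.is_private,
        })
    return reports

def is_trusted(value, client_ip):
    """True if client_ip falls inside any network pattern of the value."""
    ip = ipaddress.ip_address(client_ip)
    return any(r["kind"] == "network" and ip in ipaddress.ip_network(r["network"])
               for r in audit_mynetworks(value))

if __name__ == "__main__":
    # Values quoted in this thread, used here as sample input.
    for sample in ("192.168.0.1/28, 127.0.0.0/8", "192.168.0.2", "159.23.0.0/24"):
        for report in audit_mynetworks(sample):
            print(report)
    print(is_trusted("192.168.0.0/28, 127.0.0.0/8", "192.168.0.24"))
```
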
 
Old 09-14-2003, 12:10 PM   #9
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Original Poster
Rep: Reputation: 30
thanks
 
Old 09-14-2003, 04:21 PM   #10
MasterC
Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 64
Quote:
Originally posted by markus1982
IPv4 = 8+8+8+8 bits = 32 bits

/24 = 24 network bits (= 8 host bits)
/28 = 28 network bits (= 4 host bits) <== subnetting

/24 = 256 hosts
/25 = 128 hosts
/26 = 64 hosts
/27 = 32 hosts
/28 = 16 hosts
...

hosts doesn't mean USABLE hosts (network address, broadcast). so for instance


192.168.0.0/28
192.168.0.0 = network
192.168.0.1 = 1st IP address
192.168.0.14 = last IP address
192.168.0.15 = broadcast


for more details search google for CIDR subnetting:

http://arizona.edu/netmgrs/subnetting.html
http://www.gtoal.com/subnet.html
Thanks a lot for this! I've googled, and muddled my way through this basically by blindly "accepting" examples, but never understood it very well. This is a much better indication of what's going on, even though I'm still confused, it's much less

Thank you for the clarification Markus!

Cool
 
Old 09-15-2003, 12:38 PM   #11
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Quote:
Originally posted by MasterC
Thanks a lot for this! I've googled, and muddled my way through this basically by blindly "accepting" examples, but never understood it very well. This is a much better indication of what's going on, even though I'm still confused, it's much less

Thank you for the clarification Markus!

Cool
No problem! After all it's just about bits like everything regarding computers :-)
 
Old 09-15-2003, 02:50 PM   #12
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Original Poster
Rep: Reputation: 30
Found a good site to check for open relays on your server

http://www.abuse.net/relay.html

long live the penguin!
 
Old 11-09-2003, 11:49 PM   #13
Cynthia Blue
Member
 
Registered: Dec 2002
Location: SLC Utah USA
Distribution: SuSe 9.1
Posts: 102

Rep: Reputation: 15
I'm having problems with this.. I have set my postfix main.cf as such:
mynetworks = hash:/etc/postfix/network_table

and inside the network_table file I put my IP address
159.23.0.0/24

However, when I try to send from my own domain and IP, my email log produces the error:
fatal: open database /etc/postfix/network_table invalid argument

Not sure what I am doing wrong.

I recently added Red Hat 8's default IMAP and installed squirrelmail, and it seems great, I really like the IMAP features. However, my ISP has sent me what seems to be an automated email saying I now have an open mail relay. I have fiddled with some settings and I can get the relay completely off (which it is now) but I cannot get it to work with my mail, and not be open.

I'd love some help.
Thanks.

Oh and PS, I've tried the test site in the post above mine, and it seems to work great, and tells me my relay is closed. But my ISP's test still says it is open.
 
Old 11-10-2003, 10:40 AM   #14
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Original Poster
Rep: Reputation: 30
in main.cf try simply putting:


mynetworks = 153.23.0.0/28, 127.0.0.0/8

and don't worry about (hash:/etc/postfix/network_table)

Lucas
 
Old 11-10-2003, 10:43 AM   #15
Cynthia Blue
Member
 
Registered: Dec 2002
Location: SLC Utah USA
Distribution: SuSe 9.1
Posts: 102

Rep: Reputation: 15
I tried that, too, but according to my ISP's test, I still had an open relay. Not sure what they are testing on, probably I need to contact them and see what's up.

Thanks.
 
  

