Old 02-05-2004, 07:23 PM   #1
LQ Newbie
Registered: Feb 2004
Location: Israel
Distribution: Kubuntu
Posts: 7

Rep: Reputation: 0
closing a postfix open relay behind a NAT

I have 2 PCs on a LAN:
A - ( Windows, ADSL to the Internet, WinGate NAT.
B - ( Mandrake 9.2, Postfix.

My question in a nutshell: is there a way to configure Postfix so that
I can send mail from a client on the Windows machine to the Internet,
and at the same time not be an open relay?

Although I followed all the good advice I found in the documentation,
in various FAQs and in various posts, Postfix remains an open relay.

I think the problem lies in the LAN topology - from Postfix's standpoint,
all connections to port 25 arrive from, which is part of
$mynetworks, and there is no way to tell which connection originated
in the LAN and which originated from the Internet.

Allowing only $myhostname to send mail is too restrictive, because I
want to be able to send mail from a mail client running on the Windows
machine. Receiving mail can be restricted to the local machine only,
but I don't see how this can help me.

If I allow sending mail from machine A to the world, then anybody
on the Internet can send mail to anybody anywhere.

- Can I do what I want with just configuring Postfix?
- Is Qmail any better in solving this problem?
- Can I do it without changing the network topology (like moving the
ADSL connection from the Windows machine to the Linux one)?

Here is what an open relay test shows:
$ telnet
Connected to (
Escape character is '^]'.
Connecting to ...
<<< 220 ESMTP Postfix (2.0.13) (Mandrake Linux)
>>> HELO
<<< 250
:Relay test: #Quote test
>>> mail from: <>
<<< 250 Ok
>>> rcpt to: <"">
<<< 250 Ok
>>> rset
<<< 250 Ok
:Relay test: #Test 1
>>> mail from: <>
<<< 250 Ok
>>> rcpt to: <>
<<< 250 Ok
>>> QUIT
<<< 221 Bye
Tested host banner: 220 ESMTP Postfix (2.0.13) (Mandrake Linux)
System appeared to accept 1 relay attempts
Connection closed by foreign host.

These are the log lines generated by the above test:
postfix/smtpd[30013]: connect from unknown[]
postfix/smtpd[30013]: AC28A10C73: client=unknown[]
postfix/smtpd[30013]: 8FFFA10C73: client=unknown[]
postfix/smtpd[30013]: disconnect from unknown[]

This is the Postfix configuration I had during that test:

$ postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
delay_warning_time = 4
disable_vrfy_command = yes
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -Y -a $DOMAIN
mailq_path = /usr/bin/mailq.postfix
masquerade_domains = $mydomain
mydestination = $myhostname, $mydomain, localhost.$mydomain
mynetworks =,
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
owner_request_special = no
proxy_interfaces =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.0.13/README_FILES
recipient_delimiter = +
relay_domains = $mynetworks
sample_directory = /usr/share/doc/postfix-2.0.13/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandrake Linux)
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject
unknown_local_recipient_reject_code = 450
Old 02-05-2004, 07:32 PM   #2
Senior Member
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 67
Old 02-05-2004, 07:32 PM   #3
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
WinGate is a pretty sorry firewall/proxy from my experience, but anyway...

Seems like your doesn't have the original comments...
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces specified
# with the "ifconfig" command.
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network.  Instead, specify an explicit
# mynetworks list by hand, as described below.
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#mynetworks_style = class
mynetworks_style = subnet
#mynetworks_style = host

# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#mynetworks =,
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
By the way, I would really not recommend testing your MTA with a tester from an RBL. That's a good way to end up on a blacklist that will be difficult to get off of. Test it by hand. All you need is a shell on an outside host. how to test open relay by hand

Last edited by chort; 02-05-2004 at 07:40 PM.
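
An added illustration of the situation described in the first post (not code from the thread or from Postfix): a simplified Python model of first-match evaluation of the posted smtpd_recipient_restrictions, showing why a connection proxied through machine A cannot be told apart from A's own mail client. The addresses and the names `seen_by_postfix`, `rcpt_decision` and `audit` are constructed assumptions, since the thread's real addresses are not shown.

```python
# Added example: simplified model of how Postfix evaluates the posted
# smtpd_recipient_restrictions (first matching rule decides).
import ipaddress

GATEWAY_A = "192.168.0.1"      # constructed: LAN address of machine A (WinGate)
INTERNET_HOST = "203.0.113.7"  # constructed: some outside SMTP client
RESTRICTIONS = ["reject_unauth_pipelining", "permit_mynetworks", "reject"]  # from the post

def seen_by_postfix(true_source, proxied_by_gateway):
    """Address smtpd sees; a proxying gateway replaces the true source."""
    return GATEWAY_A if proxied_by_gateway else true_source

def rcpt_decision(client_addr, mynetworks, restrictions=RESTRICTIONS):
    """Return (verdict, deciding_rule) for one RCPT TO."""
    ip = ipaddress.ip_address(client_addr)
    for rule in restrictions:
        if rule == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in mynetworks):
                return ("permit", rule)
        elif rule == "reject":
            return ("reject", rule)
        # reject_unauth_pipelining does not depend on the client address;
        # this model treats it as "no decision" and moves on.
    return ("permit", "end of list")

def audit(mynetworks):
    """Verdicts for the three connections that matter in this topology."""
    cases = {
        "mail client on A": seen_by_postfix(GATEWAY_A, False),
        "Internet host via WinGate": seen_by_postfix(INTERNET_HOST, True),
        "Internet host, source preserved": seen_by_postfix(INTERNET_HOST, False),
    }
    return {name: rcpt_decision(addr, mynetworks)[0] for name, addr in cases.items()}

if __name__ == "__main__":
    trust_a = ["127.0.0.0/8", GATEWAY_A + "/32"]   # machine A trusted
    host_only = ["127.0.0.0/8"]                    # local machine only
    for label, nets in (("A trusted", trust_a), ("host only", host_only)):
        print(label, audit(nets))
```

With machine A trusted, the first two cases reach Postfix from the same address and are both permitted; trusting only the local machine rejects all three, including the Windows mail client.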

