LinuxQuestions.org
Old 06-10-2014, 10:25 PM   #1
Ethichackman
LQ Newbie
 
Registered: Jun 2014
Posts: 1

Rep: Reputation: Disabled
Take care of open relay issue


Hello,

I logged into a server that I was using to test out postfix and discovered tens of thousands of messages in a user mailbox.

I used the MX Toolbox site to check my server and it says that the server may be an open relay.

I've added
Code:
smtpd_sender_restrictions = reject_unknown_sender_domain
and

Code:
 reject_unauth_destination reject_unknown_reverse_client_hostname
to my main.cf file and reloaded and restarted the service but after testing again using the above site and other SMTP testing sites I keep getting messages that my server is an open relay.

Can you shed some light on this issue for me?

Below is a copy of my main.cf file.

Code:
alias_maps = hash:/etc/aliases
always_bcc = root
best_mx_transport = local
inet_protocols = all
luser_relay = maildrop
mail_name = mywebsite.site
mailbox_size_limit = 2048000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, $mydomain
mydomain = com
myhostname = mywebsite.site
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
notify_classes = bounce, 2bounce, delay, policy, protocol, resource, software
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
smtp_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated check_relay_domains reject_unauth_destination reject_unknown_reverse_client_hostname
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_cert_file = /noyb/sike.pem
smtpd_tls_key_file = /noyb/sike.pem
smtpd_tls_security_level = may
virtual_alias_maps = hash:/etc/postfix/virtual
 
Old 06-12-2014, 02:19 AM   #2
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
My understanding is that open relay means your server is passing other people's email along to them. It "relays" messages bound for other domains.
Quote:
and discovered tens of thousands of messages in a user mailbox.
Enforce mailbox quotas or install filtering software, but your MX record doesn't filter inbound email.
 
Old 06-19-2014, 03:21 PM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
The key to whether or not you're an open relay lies in the smtpd_recipient_restrictions. When a message comes in, you want your server to deliver it on one of two conditions. One, it is for a recipient of your system. Two, they are an authenticated user. This is where this configuration statement comes into play.

Looking at your statement you are permitting three things: permit_mynetworks permit_inet_interfaces permit_sasl_authenticated
The question I would ask is what do you have mynetworks set to? If it is set too broadly, e.g. 0.0.0.0/0, this will leave you as an open relay. In effect, you're saying allow any matching IP address to send mail. If it is set properly, permit_inet_interfaces should be redundant and not required. This leaves permitting SASL authenticated users, which is generally correct.
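
The evaluation order described in the post above, as an added example that is not part of the thread and is not Postfix code: a simplified model that walks `smtpd_recipient_restrictions` in order and shows how the `mynetworks` value decides whether an unauthenticated outside client gets relayed. The helper names, the `local_domains` argument (standing in for the domains the server accepts as final destination) and both sample configurations are assumptions constructed for illustration; the original poster's `mynetworks` value is not shown in the thread.

```python
import ipaddress
import re

def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def words(value):
    """Split a comma- and/or whitespace-separated parameter value."""
    return [w for w in re.split(r"[,\s]+", value) if w]

def relay_decision(params, client_ip, authenticated, rcpt_domain, local_domains):
    """Walk smtpd_recipient_restrictions in order; the first decision wins.
    Simplified model: only the three restrictions below are evaluated, and
    mynetworks is assumed to hold plain CIDR entries (no lookup tables)."""
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n.replace("[", "").replace("]", ""), strict=False)
            for n in words(params.get("mynetworks", ""))]
    for rule in words(params.get("smtpd_recipient_restrictions", "")):
        if rule == "permit_mynetworks" and any(ip in n for n in nets):
            return ("permit", rule)
        if rule == "permit_sasl_authenticated" and authenticated:
            return ("permit", rule)
        if rule == "reject_unauth_destination" and rcpt_domain not in local_domains:
            return ("reject", rule)
    return ("permit", "end of list")  # nothing rejected the recipient

# Constructed sample configurations (not from the thread).
RESTRICTIONS = ("smtpd_recipient_restrictions = permit_mynetworks,\n"
                "    permit_sasl_authenticated,\n"
                "    reject_unauth_destination\n")
BROAD = "mynetworks = 0.0.0.0/0\n" + RESTRICTIONS
TIGHT = "mynetworks = 127.0.0.0/8\n" + RESTRICTIONS

if __name__ == "__main__":
    # Unauthenticated client from a documentation range, mail for a foreign domain.
    for label, cfg in (("broad", BROAD), ("tight", TIGHT)):
        verdict = relay_decision(parse_main_cf(cfg), "203.0.113.25", False,
                                 "example.net", {"example.org"})
        print(label, verdict)
```

With the broad setting the outside client is permitted by `permit_mynetworks` before `reject_unauth_destination` is ever reached; with the loopback-only setting the same request falls through to the reject.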
 
  

