POSTFIX - allow only emails from specific domain
I am running Ubuntu server 10, Postfix 2.7 + Dovecot
Since setting up the server, my SMTP has been targeted by 1000's of external clients trying to spam through my Postfix. I had to temporarily shut it down.
How can I configure Postfix to allow only emails to go out if sent from my main domain *@mymaindoman.com?
Users need to send from various desktop clients etc. I cannot limit the IP range, just allow users that have logged in and are sending from a specific domain.
Thanks
I'm not a spec in Postfix, but what do you have in this section?
http://www.postfix.org/postconf.5.ht...t_restrictions
I must admit the configurations are a bit overwhelming - the documentation is also not very clear on how to do it - so I have tried the following settings:
-------------------------------------------------------------------
## smtpd_restriction_classes = restrictive, permissive
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
smtpd_client_restrictions = permit_sasl_authenticated,reject_unknown_client
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
content_filter = scan:127.0.0.1:10026
receive_override_options = no_address_mappings
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = mail.MyDomain.com
mydomain = MyDomain.com
content_filter = scan:127.0.0.1:10026
receive_override_options = no_address_mappings
#- limit outgoing domains to specific domain...
#http://serverfault.com/questions/355972/is-it-possible-to-limit-outgoing-emails-in-postfix-to-one-specific-do$
#transport_maps = hash:/etc/postfix/transport
#http://www.postfix.org/STANDARD_CONF...ON_README.html
## Alternative 1: don't relay mail from other hosts
#--mynetworks_style = host
relay_domains = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
##-- try 5 : http://wiki.centos.org/HowTos/postfix_restrictions
## http://www.linuxmail.info/postfix-re...der-recipient/
## Helo Restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
## Sender Restrictions
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
# limit outgoing domains to specific domain...
##http://www.postfix.org/RESTRICTION_CLASS_README.html
##smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_deny, permit_mynetworks, permit_$
##smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
## Recipient restrictions:
smtpd_recipient_restrictions = reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:postgrey/socket,
    permit
-------------------------------------------------------------------
Ok - I again followed this - to try and limit through Dovecot-SASL
http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
But when I do this:
-------------------
telnet mailserver.com smtp
ehlo mailserver.com
250-mail.mailserver.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: pip@dodoo.com
250 2.1.0 Ok
RCPT TO:user@mailserver.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: 108
108
.
-----------------
the mail just happily goes through - that means anyone can use the mail-server to send emails...
-----------------
I need a limit on mail from: pip@dodoo.com to exclude everyone except legalUsers@mailserver.com - maybe the answer is to better understand limiting access to only users authenticated through some login mechanism - I thought Dovecot SASL was the answer
Hi
From where are you doing telnet <ip> 25? Since permit_mynetworks is mentioned, relaying may be allowed from localhost with authentication. But from outside, relaying is denied without username/password because of reject_unauth_destination.
Thanks
Hi - I still do not seem to get it working
Either I break my mail-server if I try and use dovecot-sasl - or the rules are too strict and I cannot connect at all.
Is smtpd_client_restrictions the property I need to change to control who can SEND emails through my server??
--------------------------------------
smtpd_client_restrictions = permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_unauth_destination
# reject_unknown_client
# reject_unknown_client_hostname,
# reject_unauth_pipelining
---------------------------------------
Is there an attribute to only allow specific email-users/addresses to use the SMTP server?? e.g.
----------
user1@mailserver.com OK
user2@mailserver.com OK
user1@anothermailserver.com OK
user3@mailserver.com NONE
* (all other) NONE
----------
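Added example, not part of the original thread: one way to get the per-address behaviour asked about above on Postfix 2.7 with Dovecot SASL, using smtpd_sender_login_maps and reject_sender_login_mismatch. The map file path, the login names and the Dovecot socket path are assumptions.

```cfg
# /etc/postfix/main.cf fragment (added example; paths and logins are assumptions)

# Trust only the server itself; everyone else has to authenticate.
mynetworks = 127.0.0.0/8

# relay_domains is a list of domain names, not of restrictions.
# Empty: relay for no third-party domains.
relay_domains =

# SASL through Dovecot (socket path as in the Dovecot howto; an assumption here).
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Offer AUTH only after STARTTLS, so AUTH PLAIN passwords are not sent in clear.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

# Tie each envelope sender address to the SASL login that may use it.
# Constructed sample content for /etc/postfix/sender_login_maps
# (run "postmap /etc/postfix/sender_login_maps" after editing):
#   user1@mailserver.com          user1
#   user2@mailserver.com          user2
#   user1@anothermailserver.com   user1
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Reject a logged-in client whose MAIL FROM is not owned by its login,
# and a client that is not logged in but uses an address listed in the map.
smtpd_sender_restrictions =
    reject_sender_login_mismatch

# First match wins: local and authenticated clients may send anywhere;
# everyone else may only deliver to domains this server is final destination for.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

With this in place an unauthenticated telnet test still gets 250 for a RCPT TO at a domain the server hosts, because that is inbound delivery to a local mailbox, not relaying. A recipient at an outside domain is refused by reject_unauth_destination unless the client has authenticated.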
Hi,
Code:
## Sender Restrictions
I have this on one of the servers
Code:
smtpd_sender_restrictions =
try "open relay test" - check 1 - check 2 - check 3 etc... You shall get the
Quote: