LinuxQuestions.org

Linux - Software: How to avoid making postfix setup an open relay??! (https://www.linuxquestions.org/questions/linux-software-2/how-to-avoid-making-postfix-setup-an-open-relay-92640/)

lucastic 09-14-2003 06:59 AM

How to avoid making postfix setup an open relay??!
 
Hi all,

I setup postfix yesterday, and my network can now email through mydomain.com. I have set the

mynetworks_style = subnet

bit in /etc/postfix/main.cf

Will selecting subnet in the above setting protect spammers from using my postfix as an smtp relay?

Thanks in advance.

MasterC 09-14-2003 07:09 AM

If you don't have a large network, you may be better off specifying a group of internal IPs to relay through your server:
mynetworks = 192.168.1.2, 192.x.x.x

And so on. However, on a large network, where that might be more cumbersome than simply adding 2 or 3 static internal IPs, or if you are using DHCP for your internals, or some other network scheme (I'm by no means a network guru), then the subnet option is a good one, and will likely prevent **most** (all?) spam relay from outside your network. You can always test though..

:)

Cool

pablob 09-14-2003 07:19 AM

How about blocking Port 25 from the external side of your firewall ?

lucastic 09-14-2003 07:23 AM

Thanks for your reply.

I tried to input internal IPs into the mynetwork= setting but was unable to send email through postfix from network computers afterwards.

In the main.cf comments it says

"Specify an explicit list of network/subnet patterns, where the mask specifies the number of bits in the network part of a host address"

then gives the example

#mynetworks= 192.168.0.1/28, 127.0.0.0/8

would this be why inputting just 192.168.0.1, 192.168.0.2 in the mynetworks= does not work?

Thanks

MasterC 09-14-2003 07:29 AM

Yeah, that's likely so ;)

Here's my entry:
mynetworks = 192.168.1.0/24

Alternatively, if your network is going to dynamically resize, you can create a text file containing these values as noted in the main.cf:
#mynetworks = hash:/etc/postfix/network_table

The text file network_table would contain the information we are specifying above, simply with the IPs:
192.168.0.0/24

Or whatever you use.

Then as your office/home shrinks/expands, you add the new/remove the old IPs from that file instead of editing your main.cf. Less risky IMHO.

HTH

Cool

markus1982 09-14-2003 08:37 AM

If all else fails relay only with SMTP AUTH :-)

lucastic 09-14-2003 08:51 AM

Thanks for the replies, I changed the mynetworks = to
192.168.0.0/28, 127.0.0.0/8

and it worked ok.

I am however curious....

what does the bit after the ip address mean?

for example what does the 24 or 28 stand for in these examples

mynetworks = 192.168.0.1/28
or
mynetworks = 192.168.0.1/24

does it mean 192.168.0.1-192.168.0.24
??

markus1982 09-14-2003 09:23 AM

IPv4 = 8+8+8+8 bits = 32 bits

/24 = 24 network bits (= 8 host bits)
/28 = 28 network bits (= 4 host bits) <== subnetting

/24 = 256 hosts
/25 = 128 hosts
/26 = 64 hosts
/27 = 32 hosts
/28 = 16 hosts
...

hosts doesn't mean USABLE hosts (network address, broadcast). so for instance


192.168.0.0/28
192.168.0.0 = network
192.168.0.1 = 1st IP address
192.168.0.14 = last IP address
192.168.0.15 = broadcast


for more details search google for CIDR subnetting:

http://arizona.edu/netmgrs/subnetting.html
http://www.gtoal.com/subnet.html
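The CIDR arithmetic markus1982 lays out above, and the mynetworks membership check it feeds, as an added example (Python, standard ipaddress module; not code from the thread). Treating a bare address without a /mask as a single host is this example's own convention, not a claim about any particular Postfix version.

```python
"""CIDR arithmetic behind Postfix's mynetworks setting (added example).

A prefix like 192.168.0.0/28 means 28 network bits and 4 host bits,
so /24 does NOT mean "addresses .1 to .24" as asked in the thread.
"""
from ipaddress import ip_address, ip_network


def describe(cidr):
    """Return (network, first usable, last usable, broadcast, total, usable)
    for an IPv4 prefix; host bits set in the input are masked off."""
    net = ip_network(cidr, strict=False)
    total = net.num_addresses
    if net.prefixlen >= 31:  # /31 and /32 have no separate network/broadcast
        return (str(net.network_address), str(net.network_address),
                str(net.broadcast_address), str(net.broadcast_address), total, total)
    return (str(net.network_address), str(net.network_address + 1),
            str(net.broadcast_address - 1), str(net.broadcast_address), total, total - 2)


def host_bits(cidr):
    """Number of host bits left after the network prefix (32 - prefix length)."""
    return 32 - ip_network(cidr, strict=False).prefixlen


def parse_mynetworks(value):
    """Parse a mynetworks string such as "192.168.0.0/28, 127.0.0.0/8".
    Assumption of this example: a bare address with no /mask is one host (/32)."""
    nets = []
    for item in value.replace(",", " ").split():
        nets.append(ip_network(item if "/" in item else item + "/32", strict=False))
    return nets


def is_trusted(client_ip, mynetworks_value):
    """True if a client at client_ip would be allowed to relay under mynetworks."""
    addr = ip_address(client_ip)
    return any(addr in net for net in parse_mynetworks(mynetworks_value))


if __name__ == "__main__":
    for prefix in ("192.168.0.0/24", "192.168.0.0/25", "192.168.0.0/26",
                   "192.168.0.0/27", "192.168.0.0/28"):
        print(prefix, "->", describe(prefix))
    setting = "192.168.0.0/28, 127.0.0.0/8"  # the value lucastic ended up with
    for ip in ("192.168.0.5", "192.168.0.20", "203.0.113.9"):  # constructed clients
        print(ip, "trusted:", is_trusted(ip, setting))
```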

lucastic 09-14-2003 11:10 AM

thanks

MasterC 09-14-2003 03:21 PM

Quote:

Originally posted by markus1982
IPv4 = 8+8+8+8 bits = 32 bits

/24 = 24 network bits (= 8 host bits)
/28 = 28 network bits (= 4 host bits) <== subnetting

/24 = 256 hosts
/25 = 128 hosts
/26 = 64 hosts
/27 = 32 hosts
/28 = 16 hosts
...

hosts doesn't mean USABLE hosts (network address, broadcast). so for instance


192.168.0.0/28
192.168.0.0 = network
192.168.0.1 = 1st IP address
192.168.0.14 = last IP address
192.168.0.15 = broadcast


for more details search google for CIDR subnetting:

http://arizona.edu/netmgrs/subnetting.html
http://www.gtoal.com/subnet.html

Thanks a lot for this! I've googled, and muddled my way through this basically by blindly "accepting" examples, but never understood it very well. This is a much better indication of what's going on, even though I'm still confused, it's much less ;)

Thank you for the clarification Markus!

Cool

markus1982 09-15-2003 11:38 AM

Quote:

Originally posted by MasterC
Thanks a lot for this! I've googled, and muddled my way through this basically by blindly "accepting" examples, but never understood it very well. This is a much better indication of what's going on, even though I'm still confused, it's much less ;)

Thank you for the clarification Markus!

Cool

No problem! After all it's just about bits like everything regarding computers :-)

lucastic 09-15-2003 01:50 PM

Found a good site to check for open relays on your server

http://www.abuse.net/relay.html

long live the penguin!

Cynthia Blue 11-09-2003 10:49 PM

I'm having problems with this.. I have set my postfix main.cf as such:
mynetworks = hash:/etc/postfix/network_table

and inside the network_table file I put my IP address
159.23.0.0/24

However, when I try to send from my own domain and IP, my email log produces the error:
fatal: open database /etc/postfix/network_table invalid argument

Not sure what I am doing wrong.

I recently added Red Hat 8's default IMAP and installed squirrelmail, and it seems great, I really like the IMAP features. However, my ISP has sent me what seems to be an automated email saying I now have an open mail relay. I have fiddled with some settings and I can get the relay completely off (which it is now) but I cannot get it to work with my mail, and not be open.

I'd love some help. :)
Thanks.

Oh and PS, I've tried the test site in the post above mine, and it seems to work great, and tells me my relay is closed. But my ISP's test still says it is open. :(

lucastic 11-10-2003 09:40 AM

in main.cf try simply putting:

mynetworks = 153.23.0.0/28, 127.0.0.0/8

and don't worry about (hash:/etc/postfix/network_table)

Lucas

Cynthia Blue 11-10-2003 09:43 AM

I tried that, too, but according to my ISP's test, I still had an open relay. Not sure what they are testing on, probably I need to contact them and see what's up.

Thanks.
