How to avoid making postfix setup an open relay??!
Hi all,
I set up postfix yesterday, and my network can now email through mydomain.com. I have set the mynetworks_style = subnet bit in /etc/postfix/main.cf. Will selecting subnet in the above setting prevent spammers from using my postfix as an smtp relay?
Thanks in advance.
|
If you don't have a large network, you may be better off specifying a group of internal IPs to relay through your server:
mynetworks = 192.168.1.2, 192.x.x.x
And so on. However, on a large network, something that might be more cumbersome than simply adding 2 or 3 static internal IPs, or if you are using DHCP for your internals, or some other network scheme (I'm by no means a network guru) then the subnet option is a good one, and will likely prevent **most** (all?) spam relay outside your network. You can always test though.. :)
|
How about blocking Port 25 from the external side of your firewall?
|
Thanks for your reply.
I tried to input internal IPs into the mynetworks = setting but was unable to send email through postfix from network computers afterwards. In the main.cf comments it says "Specify an explicit list of network/subnet patterns, where the mask specifies the number of bits in the network part of a host address" and then gives the example
#mynetworks= 192.168.0.1/28, 127.0.0.0/8
Would this be why inputting just 192.168.0.1, 192.168.0.2 in the mynetworks = does not work?
Thanks
|
Yeah, that's likely so ;)
Here's my entry:
mynetworks = 192.168.1.0/24
Alternatively, if your network is going to dynamically resize, you can create a text file containing these values as noted in the main.cf:
#mynetworks = hash:/etc/postfix/network_table
The text file network_table would contain the information we are specifying above, simply with the IPs:
192.168.0.0/24
Or whatever you use. Then as your office/home shrinks/expands, you add the new/remove the old IPs from that file instead of editing your main.cf. Less risky IMHO.
HTH
|
If all else fails relay only with SMTP AUTH :-)
|
Thanks for the replies, I changed the mynetworks = to
192.168.0.0/28, 127.0.0.0/8
and it worked ok. I am however curious.... what does the bit after the IP address mean? For example, what does the 24 or 28 stand for in these examples:
mynetworks = 192.168.0.1/28
or
mynetworks = 192.168.0.1/24
Does it mean 192.168.0.1-192.168.0.24 ??
|
IPv4 = 8+8+8+8 bits = 32 bits
/24 = 24 network bits (= 8 host bits)
/28 = 28 network bits (= 4 host bits) <== subnetting

/24 = 256 hosts
/25 = 128 hosts
/26 = 64 hosts
/27 = 32 hosts
/28 = 16 hosts
...
"hosts" doesn't mean USABLE hosts (network address, broadcast).

So for instance 192.168.0.0/28:
192.168.0.0 = network
192.168.0.1 = 1st IP address
192.168.0.14 = last IP address
192.168.0.15 = broadcast

For more details search Google for CIDR subnetting:
http://arizona.edu/netmgrs/subnetting.html
http://www.gtoal.com/subnet.html
|
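Added example, not written by any poster in this thread: a Python check of the CIDR arithmetic explained above, applied to literal IPv4 `mynetworks` values of the forms discussed here. The function names and the `INTERNAL` list are assumptions of this example, and table entries such as `hash:/...` are not handled.

```python
import ipaddress

# Address space treated as internal in this example: RFC 1918 plus loopback.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def audit_mynetworks(value):
    """Return one finding per literal IPv4 entry of a mynetworks value."""
    findings = []
    for entry in value.replace(",", " ").split():
        iface = ipaddress.IPv4Interface(entry)  # a bare address parses as /32
        net = iface.network
        notes = []
        if "/" not in entry:
            notes.append("no mask: matches this one host only")
        elif iface.ip != net.network_address:
            notes.append(f"host bits set: write it as {net}")
        if not any(net.subnet_of(i) for i in INTERNAL):
            notes.append("covers addresses outside RFC 1918/loopback")
        findings.append({"entry": entry, "network": net,
                         "first": str(net[0]), "last": str(net[-1]),
                         "size": net.num_addresses, "notes": notes})
    return findings

def is_trusted(client_ip, value):
    """True if client_ip falls inside any entry of the mynetworks value."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in f["network"] for f in audit_mynetworks(value))

if __name__ == "__main__":
    # Constructed sample values in the forms that appear in the thread.
    for sample in ("192.168.0.0/28, 127.0.0.0/8", "192.168.0.1/28",
                   "192.168.0.1, 192.168.0.2", "0.0.0.0/0"):
        for f in audit_mynetworks(sample):
            print(f"{f['entry']:>16}  {f['first']} - {f['last']}  "
                  f"({f['size']} addresses)  {'; '.join(f['notes']) or 'ok'}")
```
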
thanks
|
Thank you for the clarification Markus!
|
Found a good site to check for open relays on your server:
http://www.abuse.net/relay.html
long live the penguin!
|
I'm having problems with this.. I have set my postfix main.cf as such:
mynetworks = hash:/etc/postfix/network_table
and inside the network_table file I put my IP address
159.23.0.0/24
However, when I try to send from my own domain and IP, my email log produces the error:
fatal: open database /etc/postfix/network_table invalid argument
Not sure what I am doing wrong. I recently added Red Hat 8's default IMAP and installed squirrelmail, and it seems great, I really like the IMAP features. However, my ISP has sent me what seems to be an automated email saying I now have an open mail relay. I have fiddled with some settings and I can get the relay completely off (which it is now) but I cannot get it to work with my mail, and not be open. I'd love some help. :)
Thanks.
Oh and PS, I've tried the test site in the post above mine, and it seems to work great, and tells me my relay is closed. But my ISP's test still says it is open. :(
|
in main.cf try simply putting:
mynetworks = 153.23.0.0/28, 127.0.0.0/8
and don't worry about (hash:/etc/postfix/network_table)
Lucas
|
I tried that, too, but according to my ISP's test, I still had an open relay. Not sure what they are testing on, probably I need to contact them and see what's up.
Thanks. |