Postfix security

[NathanZachary]

Hello all,

I have a question regarding Postfix smtpd security. I have it so that Postfix will reject mail relaying if the smtpd user is not authenticated, but how do I go about it when it isn't a *relayed* message, but one to the same domain. For instance, if I try:

[eccerr0r]

If mail.myhost.com is actually receiving mail for myhost.com, then you're really not relaying when sending to myhost.com - you are the endpoint.

What are you trying to accomplish here? I had to do the same on my mail server (sendmail) because if someone sends mail to me, they can't necessarily authenticate before sending mail to me, even if it's a legitimate email relayed from another host.

It seems that you want either all mail to require authentication (which would stop you from receiving any mail unless you have another machine relaying mail to this machine and it can setup an authenticated session) or am I not understanding the problem here, which may very well be the case?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[NathanZachary]

I guess it just seems strange to me, because then anyone could connect to this mail server and send mail with completely spoofed headers and such. I thought that there would be a way to require authentication even if it was going to an endpoint on the same mail server (not relaying). Maybe I am the one that is misunderstanding it conceptually.
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---

[eccerr0r]

Yes, unfortunately yes if someone knows an account on your endpoint server, you are stuck with that person being able to spoof headers and send mail to anyone there. You don't trust other servers anyway, they could be fabricating headers too - pretty much only the last hop - yours - you can trust as well as the IP address of that last machine that connected to you. Pretty much only secure mail (all servers must authenticate with each other) or whitelist is the only way to prevent spoofed headers.

Having these would completely break the peer to peer mail system described in the RFC. I'm sure Google, Yahoo, Hotmail, etc. would love to kill all the small mail servers like ours by peering each other and restricting mail to our "insecure" machines, but luckily there are too many out there including businesses.

Then again they are already doing this by trying to make sure that their respective IM services beat out on email. The younger population thinking "email" old and antiquated.

Sigh.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[papahuhn]

NathanZachary, how did you configure submission? Usually, its smtpd_client_restrictions are set to something like "permit_sasl_authenticated,reject". This way, the telneted mail to abuse@myhost.com wouldn't have been queued.
_________________
Death by snoo-snoo!

[NathanZachary]

@papahuhn,

I have the smtpd_client_restrictions set to:

[papahuhn]

[magic919]

Can you not achieve this with smtpd_recipient_restrictions?

Near the top do permit_sasl_authenticated

Lower down do check_sender_access and pop your own domain(s) in there.

[gordonb3]

This is not possible.

Submission is simply a mirror for port 25 to circumvent ISP blocking. Since remote MTA's do not have an account on your domain, no login method is implemented for delivery to the email domain that has been defined as local to the server. Therefore, if you want the server to only accept mail from authenticated users it must not have any local email domain defined. I.e. it should only relay, preferably through your main MTA that does have the local email domain defined.