Hello all, I have postfix configured and running, but its running as an open relay. I believe i have narrowed it down to what it is but i need help to fix it. Let me give you a gist of my setup. ISP - > Netscreen firewall -> mapped public IP to internal IP mail server. The netscreen firewall acts as the gateway for LAN PC's and also the mail server. When looking at logs i see this Code: Jul 18 15:14:50 mailsrvr amavis[17516]: (17516-13) Passed CLEAN, [192.168.1.90] [192.168.1.90] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: LxfwSp87DHwG, Hits: -, size: 488350, queued_as: C7FAB1063AF9, 887 ms Jul 18 15:14:50 mailsrvr postfix/smtp[18296]: 0D15A1062297: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.1, delays=3.2/0.02/0.01/0.89, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17516-13, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as C7FAB1063AF9) In my postfix main.cf i have mynetworks = 127.0.0.0/8,192.168.1.0/24 I have permit_mynetworks in my config. So the gateway of 192.168.1.90 falls into the mynetworks , so its allowed to pass thru, so i believe thats whats causing it to be an open relay mailserver. When i take away 192.168.1.0/24 its no longer an open relay, but i can no longer receive any incoming emails. I get 554 5.7.1 Client host rejected: cannot find your hostname, [192.168.1.90] I attached my main.cf below Code: smtpd_banner = $myhostname ESMTP biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings # TLS parameters #smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem #smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key #smtpd_use_tls=yes #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache #smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache#delay_warning_time = 4h readme_directory = no # TLS parameters smtpd_tls_cert_file=/etc/ssl/certs/dovecot.pem smtpd_tls_key_file=/etc/ssl/private/dovecot.pem smtpd_tls_security_level = may smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache #smtp_tls_per_site = /etc/postfix/tls_per_site smtpd_tls_CAfile = /etc/postfix/CAcert.pem # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. myhostname = mailsrvr.example.com alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = $myhostname mydomain = example.com #myorigin = $mydomain mynetworks = 127.0.0.0/8,192.168.1.0/24 mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 message_size_limit = 31457280 virtual_mailbox_limit = 31457280 recipient_delimiter = + inet_interfaces = all virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf virtual_transport = dovecot dovecot_destination_recipient_limit = 1 smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtp_tls_per_site = hash:/etc/postfix/tls_per_site show_user_unknown_table_name = no sender_bcc_maps = hash:/etc/postfix/bcc_maps recipient_bcc_maps = hash:/etc/postfix/bcc_maps smtpd_helo_required = yes strict_rfc821_envelopes = yes smtpd_delay_reject = no disable_vrfy_command = yes unknown_address_reject_code = 554 unknown_hostname_reject_code = 554 unknown_client_reject_code = 554 header_checks = regexp:/etc/postfix/header_checks body_checks = regexp:/etc/postfix/body_checks smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination smtpd_client_restrictions = permit_mynetworks, reject_invalid_hostname, reject_rbl_client b.barracudacentral.org, reject_unknown_client, permit smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_client_exceptions, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_non_fqdn_hostname, reject_invalid_hostname, warn_if_reject reject_unknown_hostname, permit smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/access, check_client_access hash:/etc/postfix/access, check_client_access cidr:/etc/postfix/access2.cidr, permit_sasl_authenticated, reject_non_fqdn_recipient, # reject_non_fqdn_hostname, reject_invalid_hostname, permit_mynetworks, reject_unauth_pipelining, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_unknown_client, permit smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_address smtpd_etrn_restrictions = permit_mynetworks, reject smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit content_filter = smtp-amavis:[127.0.0.1]:10024 receive_override_options = no_address_mappings Thank you!.
