Hi guys, I thought that I'd configured my server OK until I tested it from my home. My idea is:
- Local users (10.0.0.0/8) don't need to authenticate to send mail;
- External users need to authenticate to send mail.
I made the configurations, but haven't had the opportunity to test yet. Right now I've done the following tests:
- Connected to the server from my home and mailed to external domains without authenticating. The server replied "Relay access denied".
- Then I connected to the server and tried to send mail to users of the domain, again without authenticating. To my surprise, it sent.
How do I prevent this?
main.cf:
Code:
myhostname = mailserver.domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mailserver.domain.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8, 10.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 3670016
recipient_delimiter = +
inet_interfaces = all
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_unlisted_recipient,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client proxies.blackholes.wirehub.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client dnsbl.njabl.org
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_helo_required = yes
disable_vrfy_command = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
Tks.
Do you mean you sent mail to a domain on the server and it was accepted, or you sent mail to an external domain and it was accepted? Because if it is to a domain on the server then that is normal.
If the mail is for a domain that your postfix accepts mail for then it is normal but if you can send mail anywhere then you have an open relay.
I think it's because of how you have formatted the smtpd_recipient_restrictions option. I think you either use commas on one straight line or you use tabs for each option on a new line. Try this:
Code:
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unauth_pipelining
    reject_invalid_hostname
    reject_unlisted_recipient
    reject_rbl_client list.dsbl.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client zombie.dnsbl.sorbs.net
    reject_rbl_client blackholes.easynet.nl
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client proxies.blackholes.wirehub.net
    reject_rbl_client sbl.spamhaus.org
    reject_rbl_client dnsbl.njabl.org
I don't think so. I can see in the logs a lot of messages being blocked by this rule reject_rbl_client. But I'll try! Wait...
Nothing. I can still send mail to the domain without authenticating. I can't believe that it is normal. I tried my ISP's server and it denied. Sure that it's normal?
Of course that is normal. How then do you expect people to send you mail if they have to authenticate to do so?
I guess you didn't understand what I'm saying! I have configured my Outlook in the local network with the server. In this configuration I can send e-mails without authenticating. And I configured the Outlook on my home PC to access the same server. Out of the local network, through the internet, got it? In this configuration I shouldn't be able to send mail without authenticating, right? Else I've got an open relay. The server asks for authentication, but only when I'm sending mail to a domain that isn't the same domain (e.g. [email protected] -> [email protected]). If I try to send to the same domain (e.g. [email protected] -> [email protected]), the server doesn't ask for authentication. This way, anyone can connect to my server and send mail to local users. Exactly what I don't want. I'm talking about client connection, not server connection.
There is no misunderstanding here. Anybody on the internet should be able to connect to your server and deliver mail to [email protected] without being asked for authentication, otherwise you will never be able to receive email from anyone, as they don't have credentials to authenticate to your system. However, an open relay is when I can connect to your system and send mail to [email protected] without authentication. If you don't want your users to get email from anywhere outside your network, then firewall off port 25 from the internet.
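Added example, not part of any post in this thread: a simplified Python model of how the first three entries of the posted smtpd_recipient_restrictions decide a recipient, showing why unauthenticated outside clients can reach local users but cannot relay. The hosted domain domain.com, the recipient addresses and the client IPs are assumptions, and the later checks in the list (FQDN and RBL rules) are not modelled.

```python
import ipaddress

# Values from the main.cf posted in the thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
MYDESTINATION = {"mailserver.domain.com", "localhost", "localhost.localdomain"}
# Assumption: the MySQL virtual_mailbox_domains lookup returns this domain.
VIRTUAL_DOMAINS = {"domain.com"}

# Each rule returns "PERMIT", a "REJECT ..." string, or None (no opinion).
def permit_mynetworks(client_ip, sasl_user, rcpt_domain):
    ip = ipaddress.ip_address(client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else None

def permit_sasl_authenticated(client_ip, sasl_user, rcpt_domain):
    return "PERMIT" if sasl_user else None

def reject_unauth_destination(client_ip, sasl_user, rcpt_domain):
    # Only refuses recipients in domains this server is not responsible for.
    if rcpt_domain in MYDESTINATION | VIRTUAL_DOMAINS:
        return None
    return "REJECT Relay access denied"

POSTED = [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination]

def recipient_decision(client_ip, rcpt, sasl_user=None, restrictions=POSTED):
    """First rule with an opinion wins; an exhausted list means permit."""
    domain = rcpt.rsplit("@", 1)[1].lower()
    for rule in restrictions:
        verdict = rule(client_ip, sasl_user, domain)
        if verdict:
            return verdict
    return "PERMIT"

def is_open_relay(restrictions):
    """Open relay: unauthenticated outside client reaches an outside recipient."""
    return recipient_decision("203.0.113.7", "someone@example.org",
                              restrictions=restrictions) == "PERMIT"

if __name__ == "__main__":
    # Constructed cases: (client IP, recipient, SASL user or None).
    cases = [("203.0.113.7", "user@domain.com", None),
             ("203.0.113.7", "someone@example.org", None),
             ("203.0.113.7", "someone@example.org", "user"),
             ("10.1.2.3", "someone@example.org", None)]
    for ip, rcpt, user in cases:
        print(ip, rcpt, user, "->", recipient_decision(ip, rcpt, user))
    print("posted list is open relay:", is_open_relay(POSTED))
    print("without reject_unauth_destination:", is_open_relay(POSTED[:2]))
```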