Hello dears, I followed this guide https://www.howtoforge.com/perfect-server-ubuntu-12.04-lts-apache2-bind-dovecot-ispconfig-3 to install my server 3 years ago. Until now everything has gone without issues. Now I'm facing a spam problem. For a reason I couldn't understand, external users (foreign IPs and servers) are able to spam my internal mailboxes without authentication. Here is a PoC using telnet from another server:

Code:

    $telnet host01.myhost.ch 25
    Trying 5.9.136.72...
    Connected to host01.myhost.ch.
    Escape character is '^]'.
    220 host01.myhost.ch ESMTP Postfix (Ubuntu)
    helo localhost
    250 host01.myhost.ch
    mail from:[email protected]
    250 2.1.0 Ok
    rcpt to:[email protected]
    250 2.1.5 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    test
    .
    250 2.0.0 Ok: queued as 06F4223420D6
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.

Here is the /etc/postfix/main.cf file

Code:

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version

    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = /usr/share/doc/postfix

    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = host01.myhost.ch
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = host01.myhost.ch, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    #mynetworks =
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unknown_recipient_domain
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, reject_unknown_sender_domain
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_tls_security_level = may
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt

Any suggestions? I would like anyone who wants to use my server as SMTP to have to authenticate. Thank you very much!
You made a mistake in your test. To test if a server is an open relay, you have to use an external address, like a Gmail address, as the "to" address and not a local address, as your server has to accept all emails to a local address; otherwise you won't receive any mail at all. To test your server, use e.g. mxtoolbox. http://mxtoolbox.com/diagnostic.aspx
Hi Till, thank you for the reply. No, my server is not an open relay, but anyone without authentication can use it to spam addresses hosted on the server.... The big problem is that some of the spammed addresses have set "Automatic send copy" to Gmail and Hotmail, and they are not so happy... Is there a way to prevent this, I mean using Postfix only with authentication? Thank you, I'm glad you have the time to answer
What you demand makes no sense as it would disable receiving completely for all email addresses on your server and I guess that's not what you want. Please rethink what you are asking for, if a password would be required to send an email to one of the addresses on your server, then you would have to send a letter with a username and password by (post) mail to anyone up front before he could send you an email.
Hm... ok, I see what you are saying! Like saying that when a johndoe@gmail dot com uses Gmail's SMTP to mail me, then this SMTP doesn't have to authenticate to my Postfix to send a mail to one of my mailboxes (on my server). Hm... so it sounds like regular spam? Do you think, then, that my Postfix (main.cf) configuration has some issues?
Yes. What we call spam is just mail that we don't want; such an email is technically not different from any other email that you like to receive. To filter out spam we can e.g. say that we don't want to accept emails from some servers (aka MX blacklists), that we test if the sending server is allowed to send for this domain (SPF/DKIM), or we try to find out if an email is spam by inspecting its content with keyword lists, Bayes filters etc., like amavis/spamassassin are doing on your server. Your Postfix main.cf looks generally fine. To improve spam filtering you could add some RBLs to smtpd_recipient_restrictions.
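Why the telnet test above was accepted, and where an RBL check would sit, shown as an added example that is not part of the original thread: a simplified Python model of how Postfix walks smtpd_recipient_restrictions and stops at the first decisive verdict. The domain example-hosted.test, the client IPs and the DNSBL listing are constructed assumptions; reject_rbl_client is a real Postfix restriction, but the lookup here is a stand-in set.

```python
import ipaddress

# Simplified model of Postfix's first-match walk through smtpd_recipient_restrictions.
# check_recipient_access and reject_unknown_recipient_domain from the posted list are omitted.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]  # posted main.cf
LOCAL_DOMAINS = {"host01.myhost.ch", "localhost", "localhost.localdomain",
                 "example-hosted.test"}  # last entry: constructed virtual_mailbox_domains row
RBL_LISTED = {"203.0.113.50"}            # constructed stand-in for a DNSBL lookup

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def permit_sasl_authenticated(s):
    return "OK" if s.get("sasl_user") else "DUNNO"

def reject_unauth_destination(s):
    # Only mail for domains this server is not responsible for is refused here.
    domain = s["rcpt"].rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT relay access denied"

def reject_rbl_client(s):
    return "REJECT client listed on DNSBL" if s["client_ip"] in RBL_LISTED else "DUNNO"

POSTED = [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination]
WITH_RBL = POSTED + [reject_rbl_client]

def evaluate(restrictions, session):
    """Return the first decisive verdict; reaching the end of the list accepts."""
    for check in restrictions:
        verdict = check(session)
        if verdict != "DUNNO":
            return verdict
    return "OK"

# Constructed sessions (documentation address ranges).
TELNET_TEST = {"client_ip": "198.51.100.7", "sasl_user": None, "rcpt": "user@example-hosted.test"}
RELAY_TRY = {"client_ip": "198.51.100.7", "sasl_user": None, "rcpt": "someone@external.example"}
LISTED_HOST = {"client_ip": "203.0.113.50", "sasl_user": None, "rcpt": "user@example-hosted.test"}
ROAMING_USER = {"client_ip": "203.0.113.50", "sasl_user": "user", "rcpt": "someone@external.example"}

if __name__ == "__main__":
    for name, s in [("telnet test", TELNET_TEST), ("relay attempt", RELAY_TRY),
                    ("listed host", LISTED_HOST), ("authenticated user", ROAMING_USER)]:
        print(f"{name:20} posted={evaluate(POSTED, s)!r:30} with_rbl={evaluate(WITH_RBL, s)!r}")
```

Because permit_sasl_authenticated comes before the DNSBL check, an authenticated user connecting from a listed address is still accepted, while unauthenticated mail from that address to a hosted mailbox is refused.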
Thank you Till for your precious help and advice! Really appreciated! I will try to implement some blacklisting and SPF verification! Best, Qlimax