
Here is the problem: From any IP address not belonging to your mail server:

telnet me.myemailserver.com 25  

helo me.someserver.com
mail from: <yourusername@mydomain.com>
rcpt to: <yourusername@mydomain.com>
data
This is spam.  Buy my stuff.
.

I'm using Postfix. I'm having a problem finding a solution to requiring SMTP-AUTH for email claiming to be from mydomain.com.

Googling around, this guy has identified the same problem (I cut-and-pasted the above example, with some modifications, from here): http://www.smartertools.com/forums/t/13182.aspx

This link http://marc.info/?l=postfix-users&m=122814832915131&w=2 gets close to a solution but it has a side effect of requiring SMTP-AUTH for mail not from mydomain.com. For mail not claiming to be from mydomain.com, I would do the usual RBL and Spam filtering.

In short, I want to reject mail to local domains (mydomain.com) from outside/unauthenticated clients claiming to be from local domains (mydomain.com).

This is what I tried: I've tried both permit and reject as the default. Here is an exact excerpt from my main.cf:

smtpd_recipient_restrictions = reject_unauth_pipelining,
                           permit_sasl_authenticated,
                           check_recipient_access pgsql:/etc/postfix/pgsql-recipient.cf,
                           reject_unauthenticated_sender_login_mismatch,
                           reject_unauth_destination,
                           reject_unlisted_recipient,
                           check_sender_access pgsql:/etc/postfix/pgsql-sender.cf,
                           reject_unlisted_sender,
                           reject_invalid_hostname,
                           reject_non_fqdn_hostname,
                           reject_non_fqdn_sender,
                           reject_non_fqdn_recipient,
                           reject_unknown_sender_domain,
                           reject_unknown_recipient_domain,
                           reject_rbl_client cbl.abuseat.org,
                           reject_rbl_client sbl.spamhaus.org,
                           reject_rbl_client sbl-xbl.spamhaus.org,
                           reject_rbl_client bl.spamcop.net,
                           reject_rbl_client dnsbl.njabl.org,
                           reject_rbl_client blackholes.wirehub.net,
                           reject_rbl_client relays.mail-abuse.org,
                           reject_rbl_client dialups.mail-abuse.org,
                           reject_rbl_client blackholes.mail-abuse.org,
                           reject_rhsbl_sender dsn.rfc-ignorant.org,
                           (reject and permit both tried here)
Kilo

3 Answers


I would try something like this:

/etc/postfix/main.cf:

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access_table,
    ...,
    permit

/etc/postfix/access_table:

mydomain.com        REJECT You're not me!

The theory is this:

If they've authenticated already, they trigger the permit_sasl_authenticated rule and are allowed through. If they're not authenticated, it bumps along to the check_sender_access rule. If the sender domain matches "mydomain.com" the sender is rejected. (So unauthed + MAIL FROM "mydomain.com" = reject.) If it's any other domain, it continues on to the rest of your rules.

NOTE: This is untested. I would stick a warn_if_reject in front of that check_sender_access rule before trying it on a production system.

Insyte

On one server, where I have Postfix with Dovecot and auth data in MySQL, I did the following in main.cf:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject
Misiek
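Neither of the two answers above comes with a way to see what its restriction list actually does before it goes onto a production box. The Python model below is added here for that purpose; it is not Postfix code and not code from either answerer. It walks a restriction list the way postconf(5) describes (the first restriction with a definite result wins, an exhausted list permits) and searches an access table in the key order access(5) documents, so that the first answer's smtpd_sender_restrictions list, the second answer's smtpd_recipient_restrictions list, and the asker's own reject_unauthenticated_sender_login_mismatch directive (which never matches anything until smtpd_sender_login_maps is set) can be compared on the telnet session from the question. The networks, domains, login map, addresses and table contents are constructed for the illustration, and only the handful of restrictions that appear in those lists is modelled.

```python
"""Added example (not Postfix code): a model of how Postfix walks an smtpd
restriction list and searches an access(5) table, used to compare the lists
from the answers on the SMTP session in the question.  All networks, domains,
addresses and table contents below are constructed for the illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- constructed main.cf state --------------------------------------------
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
MYDESTINATION = {"mydomain.com"}                          # local domains
ACCESS_TABLE = {"mydomain.com": "REJECT You're not me!"}  # answer 1's table
# reject_unauthenticated_sender_login_mismatch does nothing unless
# smtpd_sender_login_maps is set; "@domain" is the whole-domain fallback key.
SENDER_LOGIN_MAPS = {"@mydomain.com": "anyone-who-can-log-in"}

KNOWN = {"permit_mynetworks", "permit_sasl_authenticated", "check_sender_access",
         "reject_unauthenticated_sender_login_mismatch",
         "reject_unauth_destination", "reject", "permit"}


@dataclass
class Session:
    client_ip: str
    sasl_login: Optional[str]   # None: the client did not authenticate
    sender: str                 # envelope MAIL FROM (not the header From:)
    recipient: str              # RCPT TO


def access_lookup(table, address):
    """access(5) key order for an email address: user@domain, the domain, each
    parent domain (smtpd_access_maps is in parent_domain_matches_subdomains by
    default, so mydomain.com also catches sub.mydomain.com), then user@."""
    local, _, domain = address.partition("@")
    labels = domain.split(".")
    keys = [address, domain]
    keys += [".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(local + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def login_owner(address):
    """Lookup modelled for smtpd_sender_login_maps: full address, then @domain."""
    domain = address.partition("@")[2]
    return SENDER_LOGIN_MAPS.get(address) or SENDER_LOGIN_MAPS.get("@" + domain)


def evaluate(restrictions, s):
    """Walk the list in order.  The first restriction with a definite result
    decides; the others fall through.  Returns (verdict, deciding restriction);
    an exhausted list permits, which is why a trailing reject/permit matters."""
    ip = ipaddress.ip_address(s.client_ip)
    authed = s.sasl_login is not None
    for r in restrictions:
        name = r.split()[0]
        if name not in KNOWN:
            raise ValueError("restriction not modelled: " + name)
        if name == "permit_mynetworks" and any(ip in n for n in MYNETWORKS):
            return "PERMIT", name
        if name == "permit_sasl_authenticated" and authed:
            return "PERMIT", name
        if name == "check_sender_access":
            action = access_lookup(ACCESS_TABLE, s.sender)
            if action is not None:
                verb = action.split()[0]
                return ("PERMIT" if verb == "OK" else verb), name
        if name == "reject_unauthenticated_sender_login_mismatch":
            if not authed and login_owner(s.sender) is not None:
                return "REJECT", name
        if name == "reject_unauth_destination":
            if s.recipient.partition("@")[2] not in MYDESTINATION:
                return "REJECT", name
        if name == "reject":
            return "REJECT", name
        if name == "permit":
            return "PERMIT", name
    return "PERMIT", "end of list"


# The first answer's list (its "..." stands for the asker's remaining checks).
ANSWER1 = ["permit_mynetworks", "permit_sasl_authenticated",
           "check_sender_access hash:/etc/postfix/access_table", "permit"]
# The second answer's list.
ANSWER2 = ["permit_mynetworks", "permit_sasl_authenticated",
           "reject_unauth_destination", "reject"]
# The asker's own directive, once a sender login map exists.
LOGIN_MAP = ["permit_sasl_authenticated",
             "reject_unauthenticated_sender_login_mismatch",
             "reject_unauth_destination"]

# Constructed sessions; SPOOF is the telnet session from the question.
SPOOF = Session("203.0.113.9", None, "yourusername@mydomain.com",
                "yourusername@mydomain.com")
SUBDOMAIN_SPOOF = Session("203.0.113.9", None, "x@mail.mydomain.com",
                          "yourusername@mydomain.com")
INBOUND = Session("203.0.113.9", None, "friend@example.net",
                  "yourusername@mydomain.com")          # ordinary outside mail
ROAMING = Session("203.0.113.9", "yourusername", "yourusername@mydomain.com",
                  "someone@example.net")                # authenticated user

if __name__ == "__main__":
    for lname, lst in (("answer 1", ANSWER1), ("answer 2", ANSWER2),
                       ("login map", LOGIN_MAP)):
        for sname, sess in (("spoof", SPOOF), ("subdomain spoof", SUBDOMAIN_SPOOF),
                            ("inbound", INBOUND), ("roaming", ROAMING)):
            verdict, why = evaluate(lst, sess)
            print(f"{lname:10} {sname:16} {verdict:7} via {why}")
```

Running it shows three things worth knowing before touching main.cf: the second answer's list ends in reject, so it refuses ordinary inbound mail from other domains to local users, not just the spoofed session; the first answer's single mydomain.com key also catches senders at sub.mydomain.com because smtpd_access_maps is in parent_domain_matches_subdomains by default; and the login-map route only rejects sender domains that have an entry in the map. All of these act on the envelope MAIL FROM, so a message whose header From: claims mydomain.com over an unrelated envelope sender still gets through. None of this replaces the first answer's warn_if_reject dry run on the real server; postmap -q mydomain.com hash:/etc/postfix/access_table is the quick check that the key in the built table is what you think it is.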

You can use SPF to avoid this problem. It checks whether the IP that is trying to send email using your domain is authorized to do so. Here is a good guide you can follow:

https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/