On 26/03/2026 15:55, Viktor Dukhovni via Postfix-users wrote:
> On Thu, Mar 26, 2026 at 03:44:18PM +0100, John Fawcett via Postfix-users wrote:
>
>>> Accepting mail for your own domains on port 25 is not submission, the
>>> SMTP server cannot reasonably distinguish between an MTA sending inbound
>>> mail and an MUA doing the same thing.
>>
>> In general no, but the distinction could be made based on a sender present
>> in smtpd_sender_login_maps. It would need a new configuration parameter to
>> be able to reject mail from an unauthenticated sender where authentication
>> is not enabled.
>
> Sure, but again, that's not an MUA vs. MTA distinction, rather it is a
> way to reject forgery of internal envelope sender addresses by
> unauthenticated clients. The simplest thing is often to just block port
> 25 messages with an envelope sender in your domains, the SASL does not
> actually come into it.
>
>     smtpd_sender_restrictions =
>         check_sender_access inline:{
>             { example.com = reject },
>             { example.net = reject },
>             { example.org = reject }
>         }
>
> Applies equally to all clients, whether MTAs or MUAs.

Thanks Viktor, that covers the more general case regardless of whether
the users exist or not and seems like a good idea. I already require
authentication to submit email and have checks so that users can only
send emails as themselves or their aliases, so it would make sense to
stop forgeries arriving from outside. I remember having something
similar in my configuration in the past, but must have removed it for
some reason that now I cannot remember.

I configured it again. Just as a warning for whoever does this, I had to
poke a few holes by whitelisting email sender addresses from my domain
for emails originating on the backup email server. Since I have policy
and bounce in my notify_classes (probably should review that and rely
more on logs) I risked a spiraling quantity of undeliverable emails from
MAILER-DAEMON and the double-bounce sender.

John
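
One way to make the kind of exemption described in the message above, as an added example that is not part of the thread or anyone's actual configuration: the backup MX is let through by client IP address before the domain check runs, which is an alternative to whitelisting sender addresses. The address 192.0.2.25 is a placeholder for the backup server, and example.com/.net/.org are the domains from the quoted configuration.

```conf
# /etc/postfix/main.cf on the primary MX (added example, not from the thread).
#
# Assumptions: 192.0.2.25 is a placeholder for the backup MX, and
# example.com / example.net / example.org are the locally hosted domains.
#
# Restrictions are evaluated left to right and the first decisive result wins.
#   1. check_client_access: the backup MX matches by IP address and gets OK,
#      so mail it generates with a local-domain envelope sender (for example
#      postmaster notifications) is not rejected. The exemption depends on
#      the connecting address, not on the envelope sender a client supplies.
#   2. check_sender_access: every other client is rejected when the envelope
#      sender is in a local domain.
#
# Ordinary bounces use the null envelope sender (<>), which none of the
# domain keys below match, so they are unaffected by this rule.
#
# OK here ends smtpd_sender_restrictions only; relay and recipient
# restrictions are still evaluated for the backup MX.
smtpd_sender_restrictions =
    check_client_access inline:{
        { 192.0.2.25 = OK }
    },
    check_sender_access inline:{
        { example.com = reject },
        { example.net = reject },
        { example.org = reject }
    }
```

After `postfix reload`, `postconf smtpd_sender_restrictions` shows the value Postfix actually parsed, which is a quick check that the continuation lines were read as one setting.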