-------- Original Message --------
> Date: Fri, 4 Dec 2009 14:08:46 -0500
> From: Carlos Williams <carlosw...@gmail.com>
> To: postfix users list <postfix-users@postfix.org>
> Subject: Should Anyone Be Able To Send Telnet Email

> I was just thinking today that if anyone knew a valid email address on
> my Postfix mail server, anyone could simply telnet to it (assuming
> they're on a trusted network / mynetworks) and send mail posed as that
> valid email address. I know this is not a huge security deal since
> it's come from a client listed in the mynetworks parameter but
> sometimes we have not so nice people we are forced to trust. Does this
> sound correct to anyone here? Normally on any mail client you need a
> username / password to send / receive email for a specific user but in
> the case of Telnet or just sending, it appears this is not required.
> Is there something I overlooked?
>
I don't allow that kind of thing except on localhost/127.0.0.1, where Postfix
is running. All other attempts to send in the name of a user for which my
Postfix system is responsible will result in an error.

For example:
-----------------------------
theia ~ # telnet 192.168.0.78 25
Trying 192.168.0.78...
Connected to 192.168.0.78.
Escape character is '^]'.
220 nyx.mydomain.tld ESMTP Postfix (2.6.5)
ehlo theia.mydomain.tld
250-nyx.mydomain.tld
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<postmas...@mydomain.tld>
553 5.7.1 <postmas...@mydomain.tld>: Sender address rejected: not logged in
rset
250 2.0.0 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
theia ~ #
-----------------------------

To have that you could use "reject_sender_login_mismatch".

I have not directly used this statement in smtpd_mumble_restrictions. I
use a lookup map in which I check some exceptions, and if the client/sender
passes the exception then nothing happens. Everyone else gets
"reject_sender_login_mismatch" as a result. This allows me to have
reject_sender_login_mismatch but still have the possibility to add exceptions
if needed.


// Steve
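
One way to build the arrangement described in the reply above, as an added example that is not the poster's actual configuration: an exception table is consulted first, and every client it does not exempt is handed to reject_sender_login_mismatch. The file paths, addresses, login names and the exempt host are assumptions and constructed samples.

```conf
# --- /etc/postfix/main.cf (fragment; path assumed) ---
# Maps each envelope sender address to the SASL login(s) allowed to use it.
# reject_sender_login_mismatch consults this table.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Consult the exception table first; its catch-all entries apply
# reject_sender_login_mismatch to every client that is not exempt.
smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/sender_login_exceptions.cidr

# --- /etc/postfix/sender_login_maps (constructed sample; run postmap on it) ---
postmaster@example.com    alice
alice@example.com         alice
bob@example.com           bob

# --- /etc/postfix/sender_login_exceptions.cidr (constructed sample) ---
# DUNNO = no decision here, continue with any remaining restrictions.
# The first matching line wins, so exceptions go above the catch-all.
127.0.0.0/8      DUNNO
::1/128          DUNNO
# Hypothetical legacy host that cannot authenticate:
192.0.2.25/32    DUNNO
# Everyone else, including other clients in mynetworks:
0.0.0.0/0        reject_sender_login_mismatch
::/0             reject_sender_login_mismatch
```

reject_sender_login_mismatch only acts on unauthenticated clients for sender addresses that have an owner in smtpd_sender_login_maps, so every local address that should be protected needs an entry there.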
