On Tue, Apr 06, 2010 at 01:21:26PM -0800, M M wrote:

> [...] my server is an open relay according to online tests.
> 
> mynetworks = 127.0.0.1/8, 198.100.50.0/24

Make sure external clients are not NAT translated into this address space.

> virtual_mailbox_domains =
>       mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

Make sure this table does not match all lookup keys, report the output of:

    $ postmap -q a.test mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

> virtual_alias_maps = 
> mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf

Make sure this table does not match all lookup keys, report the output of:

    $ postmap -q a.test \
        mysql:/etc/postfix/mysql-virtual-alias-maps.cf \
        mysql:/etc/postfix/mysql-email2email.cf

> smtpd_recipient_restrictions =
>   reject_invalid_hostname,
>   reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   reject_unknown_sender_domain,
>   reject_unknown_recipient_domain,
>   permit_mynetworks,
>   reject_unauth_destination,
>   permit_sasl_authenticated,
>   reject_unauth_pipelining,

The "permit_sasl_authenticated" is pretty useless after
"reject_unauth_destination". With this, the only way for you to be an
"open relay" (show logs of messages you accepted that should not have
been accepted) is if mynetworks is wrong (NAT?) or the domain lists
(mydestination, virtual_alias_domains, virtual_mailbox_domains, ...)
are wrong. My bet is on misconfigured SQL queries.

-- 
        Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
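As an added illustration (not part of Viktor's reply or of Postfix itself), a small Python model of how smtpd walks the posted restriction list: it shows that an outside client to a foreign domain is stopped by reject_unauth_destination unless the client lands inside mynetworks (the NAT case) or the domain table answers every lookup key (the SQL case), and that permit_sasl_authenticated never fires where it was placed. The "*" entry standing for a match-everything table and the sample domains are my constructions.

```python
import ipaddress

# Order as posted, keeping only the restrictions that decide relaying.
POSTED_ORDER = [
    "permit_mynetworks",
    "reject_unauth_destination",
    "permit_sasl_authenticated",
]

def evaluate(restrictions, client_ip, sasl_ok, rcpt_domain, mynetworks, local_domains):
    """Walk the restriction list the way smtpd(8) does and return
    ("OK" | "REJECT", name of the restriction that decided)."""
    ip = ipaddress.ip_address(client_ip)
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n, strict=False) for n in mynetworks):
                return "OK", r
        elif r == "permit_sasl_authenticated":
            if sasl_ok:
                return "OK", r
        elif r == "reject_unauth_destination":
            # "*" is my stand-in for a mysql table whose query matches every
            # lookup key (the misconfigured-SQL case Viktor suspects).
            if "*" not in local_domains and rcpt_domain not in local_domains:
                return "REJECT", r
    # Postfix permits when the list ends without a decision.
    return "OK", "end-of-list"

# Constructed sample configuration; 198.100.50.0/24 is the poster's own value.
MYNETWORKS = ["127.0.0.1/8", "198.100.50.0/24"]
LOCAL_DOMAINS = {"example.com"}

def relay_attempt(client_ip, sasl_ok=False, local_domains=LOCAL_DOMAINS,
                  restrictions=POSTED_ORDER):
    """Outside client sending to a foreign domain: the open-relay probe."""
    return evaluate(restrictions, client_ip, sasl_ok, "example.org",
                    MYNETWORKS, local_domains)

if __name__ == "__main__":
    print(relay_attempt("203.0.113.5"))                # ('REJECT', 'reject_unauth_destination')
    print(relay_attempt("198.100.50.7"))               # NAT puts client in mynetworks: relayed
    print(relay_attempt("203.0.113.5", local_domains={"*"}))  # table matches everything: relayed
    print(relay_attempt("203.0.113.5", sasl_ok=True))  # SASL user still rejected in posted order
```

Moving permit_sasl_authenticated ahead of reject_unauth_destination is what lets authenticated users relay.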
