On 3/11/2013 11:17 PM, Alex wrote:
> Hi,
>
> I have a really old system with an early version of postfix on it, but
> I'm not sure the version really matters for my problem. I'm attempting
> to use a pop-before-smtp hash as a way of providing authentication
> prior to being able to use the server to send mail. However, it
> doesn't appear to be working. I can telnet directly to port 25 from a
> remote host and send mail to a local recipient on that server without
> having authenticated through the pop-before-smtp system first.

This is normal operation for a general-purpose mail server. Mail to local users can be received from anywhere (subject to spam controls). Only authorized users can relay to third-party destinations. This is a typical setup for an internet-facing mail server.

> Isn't that the point? Or is it to just prevent relaying? In any case,
> I'd like to block that capability, else a spammer can connect to the
> system and send spam to all recipients unrestricted.

This is a "closed" system that can only receive mail from authorized users and other pre-authorized sources. This is typically used on a private network or a server that receives mail only from a limited number of upstream hosts.

> I'm working on
> upgrading the server to use SMTP Auth, and only allowing port 25 from
> trusted relays, but it's a long process.

We'll be pleased to help. It's best if you start by describing the overall goal rather than how to implement some particular feature.

I recommend dovecot for SMTP AUTH because it works well and is very easy to set up. Using SMTP AUTH also pretty much requires using TLS too, to prevent eavesdropping of credentials.

> I've included my postconf below and really hoped someone could help me
> make sense of it.
>
> alias_database = hash:/etc/postfix/aliases
> alias_maps = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.ecartis
> always_bcc = mail-archive

Best to always fully-qualify mail addresses to prevent surprises. mail-arch...@example.com or whatever.

> relay_domains = $mydestination, prop.example.com

relay_domains is for domains delivered somewhere else, such as a downstream mail store. If this mail is delivered locally on this server, set relay_domains empty.

relay_domains =

> relayhost =
> sample_directory = /etc/postfix/samples
> sender_canonical_maps =
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtpd_client_restrictions = reject_maps_rbl

This is antique syntax. Please see the reject_rbl_client directive.
http://www.postfix.org/postconf.5.html#reject_rbl_client

If your postfix is so old that it doesn't have reject_rbl_client, your support contract is terminated until you upgrade.

> smtpd_recipient_restrictions = reject_non_fqdn_sender
>     reject_non_fqdn_recipient check_client_access
>     hash:/etc/postfix/client_blocklist check_client_access
>     pcre:/etc/postfix/fqrdns.pcre check_sender_access
>     hash:/etc/postfix/sender_blocklist
>     permit_mynetworks check_client_access
>     hash:/etc/postfix/pop-before-smtp check_client_access
>     hash:/etc/postfix/client_checks check_sender_access
>     hash:/etc/postfix/sender_checks reject_unauth_destination
>     reject_invalid_hostname reject_non_fqdn_hostname
>     reject_unknown_sender_domain check_client_access
>     hash:/etc/postfix/client_checks check_client_access
>     pcre:/etc/postfix/client_checks.pcre check_recipient_access
>     pcre:/etc/postfix/recipient_checks check_helo_access
>     hash:/etc/postfix/helo_checks check_sender_access
>     hash:/etc/postfix/sender_checks check_sender_access
>     hash:/etc/postfix/disallow_my_domain check_recipient_access
>     pcre:/etc/postfix/recipient_checks.pcre check_recipient_access
>     pcre:/etc/postfix/local_recip_map
>

Looks like a lot of duplicated checks there. Checks are evaluated in the order you specify until either a permit/OK or REJECT is encountered.

-- 
Noel Jones
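As an added illustration (not part of the thread above), here is a main.cf fragment that applies Noel's points to Alex's posted settings: relay_domains emptied, always_bcc fully qualified, reject_maps_rbl replaced by reject_rbl_client, and each lookup table listed once, ordered so that only the tables meant to grant relaying sit before reject_unauth_destination. The table paths are the ones Alex posted; `dnsbl.example.net` and `mail-archive@example.com` are placeholders.

```conf
# Added example, not Alex's or Noel's configuration. Table paths are from
# Alex's postconf output; dnsbl.example.net and the bcc address are placeholders.

# Mail for these domains is delivered on this host, so relay_domains stays
# empty (prop.example.com belongs in mydestination if it is delivered here).
relay_domains =

# Fully qualified, so the archive copy cannot be rewritten unexpectedly.
always_bcc = mail-archive@example.com

# reject_rbl_client <zone> replaces the obsolete reject_maps_rbl.
smtpd_client_restrictions = reject_rbl_client dnsbl.example.net

# Evaluated top to bottom; the first OK/permit or REJECT decides.
smtpd_recipient_restrictions =
    # Syntax and blocklist checks first; they apply even to local clients.
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    check_client_access hash:/etc/postfix/client_blocklist
    check_client_access pcre:/etc/postfix/fqrdns.pcre
    check_sender_access hash:/etc/postfix/sender_blocklist
    # Who may relay: local networks and clients with a fresh pop-before-smtp
    # entry. Any table returning OK here grants relaying to that client, so
    # only tables intended for that purpose belong above the next line.
    permit_mynetworks
    check_client_access hash:/etc/postfix/pop-before-smtp
    # Everyone else may only send to our own domains.
    reject_unauth_destination
    # Policy checks on the remaining inbound mail, each table once.
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_unknown_sender_domain
    check_client_access hash:/etc/postfix/client_checks
    check_client_access pcre:/etc/postfix/client_checks.pcre
    check_helo_access hash:/etc/postfix/helo_checks
    check_sender_access hash:/etc/postfix/sender_checks
    check_sender_access hash:/etc/postfix/disallow_my_domain
    check_recipient_access pcre:/etc/postfix/recipient_checks
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre
    check_recipient_access pcre:/etc/postfix/local_recip_map
```

Moving client_checks and sender_checks below reject_unauth_destination means an OK in those tables now whitelists a client for inbound mail only, not for relaying; check the tables' contents before reordering if any entry was meant to grant relay.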