Catalin Badirca <badi...@yahoo.com> wrote:
> I will try to be more specific. Create a test account that can
> send emails from postfix.

Send THROUGH Postfix is more accurate wording than send FROM. Also,
creation of the account does not matter. By default there is no
checking of sender addresses.

> Telnet on the postfix machine on port 25. Now send an email from
> that test account to any other valid email on your domain. You will
> see that you are allowed to do so without authentication. The whole
> world can do that. I don't think you will want emails to be sent on
> your user's behalf inside your domain.

Less common now than in years past, but there are still some
legitimate reasons why this can happen. Anyway, now your goal is
clear.

> Is there any way postfix can stop that?

On Wed, May 18, 2016 at 09:07:44PM +0200, Sebastian Nielsen wrote:
> Yes.
> Remove permit_sasl_authenticated and permit_mynetworks.
> Then add the following rule instead, immediately BEFORE
> reject_unauth_destination:
> check_sender_access hash:/etc/postfix/relay_auth
>
> Inside the file relay_auth, which must be postmap:ed, you have the
> following:
>
> yourdomain.com: permit_sasl_authenticated, reject

Two errors in that. First, the colon is wrong. Second, multiple
results are not possible except when using restriction classes (and
then, the result is still single: it's the name of the class.)

The OP continues to ask this question after it has been answered.
Refer back to Wietse's example given yesterday. It was missing from
my prior post because the actual goal, to prevent receipt of mail
claiming to be from users@$mydomain from outside, was not yet clear.

However, I still recommend separation of inbound mail exchange from
user-submitted mail, and this matter becomes more simple: just don't
accept senders@$mydomain on port 25.

> This means when an outsider tries to send from let's say
> t...@yourdomain.com to someot...@yourdomain.com without
> authentication, the rule evaluated will be:
> " permit_sasl_authenticated, reject, reject_unauth_destination"

Again, this can only happen with restriction classes.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
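
The map entry discussed in the reply above, written out in restriction-class form. This is an added example, not configuration posted in the thread and not Wietse's example; the class name sender_must_auth is hypothetical, and yourdomain.com and /etc/postfix/relay_auth are the placeholders from the quoted message.

```cfg
# --- /etc/postfix/relay_auth as posted (the form the reply objects to) ---
# yourdomain.com: permit_sasl_authenticated, reject
#
# --- /etc/postfix/relay_auth, corrected ---
# Key and result are separated by whitespace, with no colon after the key.
# The result is a single name: the restriction class defined in main.cf.
yourdomain.com    sender_must_auth

# --- /etc/postfix/main.cf ---
# "sender_must_auth" is a hypothetical class name chosen for this example.
smtpd_restriction_classes = sender_must_auth
sender_must_auth = permit_sasl_authenticated, reject

# The lookup sits immediately before reject_unauth_destination, as in the
# quoted suggestion. Other restrictions a site uses are omitted here.
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/relay_auth,
    reject_unauth_destination

# After editing the map, rebuild it and reload Postfix:
#   postmap /etc/postfix/relay_auth
#   postfix reload
```

check_sender_access matches the envelope sender (MAIL FROM) only; it does not examine the From: header of the message.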