> On Jul 24, 2018, at 1:31 PM, Software Information 
> <[email protected]> wrote:
> 
> I have my postfix server up and running now for some time. Recently though, 
> auditors made a deal that the server is an open relay.

If there are systems on your network that need to use the machine as a
smarthost for outbound mail, and it is not practical to enable SASL or
TLS client certificate authentication, then allowing all systems on your
internal network to send email is not considered unreasonable.  You
don't generally have to make changes in response to every finding by your
auditors; documenting the reason why you accept the status quo is likely
sufficient.

> What's the best way to change this behavior?

If the various and sundry systems on your LAN don't need to send email
to the public Internet, you could by default restrict them to send email
only to your own domains, and make specific exceptions for authenticated
clients and/or particular hosts.

> For example, is there a way to configure postfix to accept mail from say
> two domains, test.net and test.com but no other?

Limiting sender domains does not close an open relay.  Open relaying
is about being able to send to *any* recipient, rather than being able to
send as any sender.

What do your auditors mean when *they* say "open relay"?  If they
mean the ability to send from remote domains, you could perhaps
limit outbound mail to just envelope senders in your own domains,
but keep in mind that this will not prevent external addresses
in the message "From:" or "Resent-From:" headers.

-- 
        Viktor.
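The policy described in the reply above (LAN hosts may only deliver to your own domains, with exceptions for SASL-authenticated clients and a few named hosts), written out as Postfix configuration. This is an added example, not configuration from the original thread; the domain names, network ranges and the /etc/postfix/relay_clients path are placeholders.

```text
# /etc/postfix/main.cf (added example; names and addresses are placeholders)

# Only the server itself is fully trusted. Listing the whole LAN here
# (e.g. 10.0.0.0/8) is what usually makes an internal smarthost relay
# for every host on the network.
mynetworks = 127.0.0.0/8, [::1]/128

# Domains this server accepts mail for. Any client may send to these;
# that is ordinary inbound delivery, not relaying.
mydestination = $myhostname, localhost, test.net, test.com

# Relay policy, evaluated per RCPT TO in order. A client that matches
# none of the permit_* entries is stopped by reject_unauth_destination,
# which only allows recipients in $mydestination / $relay_domains.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/relay_clients,
    reject_unauth_destination

# /etc/postfix/relay_clients (cidr: tables need no postmap)
# Specific internal hosts that must reach the Internet without SASL,
# e.g. a monitoring box and a ticketing system (placeholder addresses).
# 10.0.1.25/32    OK
# 10.0.1.40/32    OK
```

After `postfix reload`, `postconf smtpd_relay_restrictions` shows the active order; a client not in the table and not authenticated will receive "Relay access denied" for any recipient outside your own domains.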
