Hi. Thanks for replying. Let's say my internal domain is test.com. I can telnet to the server and send an email as [email protected] out to anyone on the internet. They have a problem with that. So I thought maybe I could fix this by configuring the server to only accept outgoing mail from [email protected]. Not sure if that is best or there is a better way.
On Wed, Jul 25, 2018 at 8:42 AM, Viktor Dukhovni <[email protected]> wrote:

> > On Jul 24, 2018, at 1:31 PM, Software Information <[email protected]> wrote:
> >
> > I have my postfix server up and running now for some time. Recently
> > though, auditors made a deal that the server is an open relay.
>
> If there are systems on your network that need to use the machine as a
> smarthost for outbound mail, and it is not practical to enable SASL or
> TLS client certificate authentication, then allowing all systems on your
> internal network to send email is not considered unreasonable. You
> don't generally have to make changes in response to every finding by your
> auditors; documenting the reason why you accept the status quo is likely
> sufficient.
>
> > What's the best way to change this behavior?
>
> If the various and sundry systems on your LAN don't need to send email
> to the public Internet, you could by default restrict them to send email
> only to your own domains, and make specific exceptions for authenticated
> clients and/or particular hosts.
>
> > For example, is there a way to configure postfix to accept mail from say
> > two domains, test.net and test.com but no other?
>
> Limiting sender domains does not close an open relay. Open relaying
> is about being able to send to *any* recipient, rather than being able to
> send as any sender.
>
> What do your auditors mean when *they* say "open relay"? If they
> mean the ability to send from remote domains, you could perhaps
> limit outbound mail to just envelope senders in your own domains,
> but keep in mind that this will not prevent external addresses
> in the message "From:" or "Resent-From:" headers.
>
> --
> Viktor.
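As an added illustration (not part of the thread, and not Viktor's or the Postfix project's own configuration) of the two separate controls discussed above, here is a main.cf fragment that (a) closes relaying for unauthenticated LAN hosts while still letting them deliver to the server's own domains, and (b) limits the envelope sender of unauthenticated LAN clients to test.com and test.net without touching inbound Internet mail. The map file names and the 10.0.0.0/8 and 10.0.5.20 addresses are assumptions.

```ini
# /etc/postfix/main.cf (fragment). Domains test.com / test.net come from
# the thread; the map file names and address ranges are assumed.

# BEFORE: any host in mynetworks may relay to any recipient. With mynetworks
# covering the whole LAN, this is what an auditor calls an "open relay".
#mynetworks = 127.0.0.0/8, 10.0.0.0/8
#smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
#    reject_unauth_destination

# AFTER: relaying to foreign recipients only for SASL-authenticated clients
# and a short list of named hosts. Other LAN hosts can still send to this
# server's own domains, because reject_unauth_destination accepts any
# recipient in mydestination / relay_domains / virtual_* domains.
mynetworks = 127.0.0.0/8
smtpd_relay_restrictions =
    permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/relay_hosts.cidr,
    reject_unauth_destination

# Envelope-sender limit, applied through a restriction class only to
# unauthenticated LAN clients. Internet MTAs delivering inbound mail never
# hit the class, so their (foreign) envelope senders are still accepted.
# This checks the SMTP MAIL FROM only; the message "From:" header is not
# covered, as noted in the reply above.
smtpd_restriction_classes = lan_senders_only
lan_senders_only =
    check_sender_access hash:/etc/postfix/own_sender_domains,
    reject
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/lan_clients.cidr

# /etc/postfix/relay_hosts.cidr   (cidr tables need no postmap)
#   10.0.5.20/32    OK                # assumed: one host that must mail outside

# /etc/postfix/lan_clients.cidr
#   10.0.0.0/8      lan_senders_only  # assumed LAN range

# /etc/postfix/own_sender_domains  (run: postmap /etc/postfix/own_sender_domains)
#   test.com        OK
#   test.net        OK
#   <>              OK                # only if internal MTAs relay bounces here
```

After editing, `postfix reload` applies the change; `postconf -n` shows the effective values so the before/after difference can be documented for the auditors.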
