I've been running Postfix for many years now (so thanks to Wietse and all
the others who have put in hard work to make it such a great mail system)
and recently I built a new mail server and copied most of the config files
from the old one.

After a couple of months, I began to notice that it appeared to be getting
used (infrequently) as an open relay, despite my attempts to lock it down
so that couldn't happen. Then, the problem got worse. The one pattern I
noticed was that all the messages had forged senders that were from my
domain (e.g., bogussen...@mydomain.com).

I've pored through the documentation, and a couple of times thought I
found the answer, only to make a change and have it not work. My band-aid
(while researching the real solution) has been to firewall off access from
IP address ranges that were the sources of the email. But to be clear,
that's only a band-aid until a real solution is in place.

The two config parameters that seem most relevant to the problem are listed
below:
(from postconf -n)

smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, permit_auth_destination, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_unauth_destination,
reject_unlisted_recipient, reject_unauth_destination check_recipient_access
regexp:/etc/postfix/recipient_checks.regexp, check_recipient_access
hash:/etc/postfix/recipient_checks, reject_unauth_pipelining,
reject_invalid_hostname, reject_non_fqdn_hostname, reject_rbl_client
domain-name, permit


(and from postconf -d)

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
defer_unauth_destination

What's really confounding me is that it seems to be (properly) rejecting
all relay email except those that have mydomain.com in their from address.
Adding to that confusion is that this same set of config parameters used to
work fine on the old system, so I've also been looking at relevant defaults
that changed. Unfortunately, I'm coming up dry at this point.

Any help or pointers would be greatly appreciated.

Thanks.


-- 

Stephen

Stephen McHenry
