On Tue, 22 Jan 2019 at 06:22, Stephen McHenry <stephen.mche...@gmail.com> wrote:
> I've been running Postfix for many years now (so thanks to Wietse and all
> the others who have put in hard work to make it such a great mail system)
> and recently I built a new mail server and copied most of the config files
> from the old one.
>
> After a couple of months, I began to notice that it appeared to be getting
> used (infrequently) as an open relay, despite my attempts to lock it down
> so that couldn't happen. Then, the problem got worse. The one pattern I
> noticed was that all the messages had forged senders that were from my
> domain (e.g., bogussen...@mydomain.com).
>
> I've pored through the documentation, and a couple of times thought I
> found the answer, only to make a change and have it not work. My band-aid
> (while researching the real solution) has been to firewall off access from
> IP address ranges that were the sources of the email. But to be clear,
> that's only a band-aid until a real solution is in place.
>
> The two config parameters that seem most relevant to the problem are
> listed below:
> (from postconf -n)
>
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, permit_auth_destination, reject_non_fqdn_sender,
> reject_non_fqdn_recipient, reject_unknown_sender_domain,
> reject_unknown_recipient_domain, reject_unauth_destination,
> reject_unlisted_recipient, reject_unauth_destination check_recipient_access
> regexp:/etc/postfix/recipient_checks.regexp, check_recipient_access
> hash:/etc/postfix/recipient_checks, reject_unauth_pipelining,
> reject_invalid_hostname, reject_non_fqdn_hostname, reject_rbl_client
> domain-name, permit
>
>
> (and from postconf -d)
>
> smtpd_relay_restrictions = permit_mynetworks,
> permit_sasl_authenticated, defer_unauth_destination
>
> What's really confounding me is that it seems to be (properly) rejecting
> all relay email except those that have mydomain.com in their from
> address. Adding to that confusion is that this same set of config
> parameters used to work fine on the old system, so I've also been looking
> at relevant defaults that changed. Unfortunately, I'm coming up dry at this
> point.
>
> Any help or pointers would be greatly appreciated.
>

I think you are just lucky that this didn't happen till now.

Note that postconf -d just shows the defaults, not what you are using.

My approach (a typical one I think) is to block all emails with envelope sender @mydomain.com unless the client has authenticated via port 465 or 587:

master.cf:

#note - smtps is port 465
465 inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_authenticated

#submission=port 587
587 inet n - y - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_authenticated

main.cf:
...
# for authenticated senders only
smtpd_recipient_restrictions_authenticated =
  # make the implicit permit explicit
  permit

# for all others
smtpd_recipient_restrictions =
  ...
  check_sender_access hash:/etc/postfix/sender_access
  ...
...

sender_access:
...
mydomain.com REJECT privileged domain without authentication
...

Note: this stops fake envelope sender using domain.com, but does not stop fake 'From:' header using domain.com; for the latter I use DMARC. I also use header_checks to detect fakes such as From: domi...@mydomain.com <fakesen...@fakedomain.com>.
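An added example, not part of the thread and not Postfix code, for checking the policy described in the reply from the outside. smtp_probe() talks plain SMTP to a host and port and returns the reply codes to MAIL FROM and RCPT TO, optionally after AUTH PLAIN, so it can be pointed at a real server on port 25 and on the submission port to confirm that a forged @mydomain.com envelope sender is refused without authentication and accepted with it. MockMTA is a constructed stand-in so the script runs offline; rcpt_decision() is a simplified model of the reply's restriction order (relay restrictions, then check_sender_access), not Postfix's evaluation engine. The domain mydomain.com, the credential alice/secret, and the reply texts are assumptions for the example.

```python
"""Probe an MTA for the forged-envelope-sender case discussed in the thread."""
import base64
import socket
import threading

PRIVILEGED_DOMAINS = {"mydomain.com"}   # assumption: the sender_access REJECT entries
LOCAL_DOMAINS = {"mydomain.com"}        # assumption: authorized destinations
MOCK_CREDENTIALS = {"alice": "secret"}  # constructed credential, used by the mock only


def domain_of(addr):
    """Lower-cased domain part of an envelope address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def rcpt_decision(authenticated, sender, recipient):
    """Simplified model of the reply's settings at RCPT TO time.

    Postfix evaluates smtpd_relay_restrictions (permit_sasl_authenticated,
    defer_unauth_destination) before smtpd_recipient_restrictions, where the
    check_sender_access map rejects mydomain.com.  permit_mynetworks is omitted.
    """
    if authenticated:                                   # permit_sasl_authenticated
        return 250, "2.1.5 Ok"
    if domain_of(recipient) not in LOCAL_DOMAINS:       # defer_unauth_destination
        return 454, "4.7.1 Relay access denied"
    if domain_of(sender) in PRIVILEGED_DOMAINS:         # sender_access: mydomain.com REJECT
        return 554, "5.7.1 privileged domain without authentication"
    return 250, "2.1.5 Ok"


class MockMTA:
    """Tiny SMTP listener on 127.0.0.1 (random port) that applies rcpt_decision()."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._session, args=(conn,), daemon=True).start()

    def _session(self, conn):
        rd = conn.makefile("rb")
        authed, sender = False, ""
        conn.sendall(b"220 mock ESMTP\r\n")
        while True:
            line = rd.readline().decode("ascii", "replace").rstrip("\r\n")
            if not line:
                break
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                reply = "250-mock\r\n250 AUTH PLAIN"          # multi-line reply
            elif verb == "AUTH":                               # AUTH PLAIN <base64 \0user\0pass>
                try:
                    _, user, pw = base64.b64decode(arg.split()[1]).decode().split("\0")
                    authed = MOCK_CREDENTIALS.get(user) == pw
                except (ValueError, IndexError):
                    authed = False
                reply = "235 2.7.0 Authentication successful" if authed else "535 5.7.8 Authentication failed"
            elif verb == "MAIL":
                sender = arg.split(":", 1)[-1].strip("<> ")
                reply = "250 2.1.0 Ok"
            elif verb == "RCPT":
                code, text = rcpt_decision(authed, sender, arg.split(":", 1)[-1].strip("<> "))
                reply = f"{code} {text}"
            elif verb == "QUIT":
                reply = "221 2.0.0 Bye"
            else:
                reply = "500 5.5.1 Command unrecognized"
            conn.sendall((reply + "\r\n").encode("ascii"))
            if verb == "QUIT":
                break
        conn.close()


def smtp_probe(host, port, mail_from, rcpt_to, auth=None, timeout=10):
    """Return (MAIL FROM code, RCPT TO code or None if MAIL FROM was refused).

    auth is an optional (user, password) pair sent as AUTH PLAIN after EHLO; the
    password travels in clear, so against a real server use loopback or TLS.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        rd = s.makefile("rb")

        def read_code():
            while True:  # skip "250-..." continuation lines of a multi-line reply
                line = rd.readline().decode("ascii", "replace")
                if not line:
                    raise ConnectionError("server closed the connection")
                if len(line) >= 4 and line[3] != "-":
                    return int(line[:3])

        def cmd(text):
            s.sendall((text + "\r\n").encode("ascii"))
            return read_code()

        read_code()                                   # banner
        cmd("EHLO probe.example")
        if auth:
            token = base64.b64encode(f"\0{auth[0]}\0{auth[1]}".encode()).decode()
            if cmd("AUTH PLAIN " + token) != 235:
                raise PermissionError("AUTH PLAIN rejected")
        mf = cmd(f"MAIL FROM:<{mail_from}>")
        rt = cmd(f"RCPT TO:<{rcpt_to}>") if mf == 250 else None
        cmd("QUIT")
        return mf, rt


if __name__ == "__main__":
    mta = MockMTA()
    for s_, r_, a_ in [("bogus@mydomain.com", "user@mydomain.com", None),
                       ("bogus@mydomain.com", "victim@example.net", None),
                       ("alice@mydomain.com", "victim@example.net", ("alice", "secret"))]:
        print(s_, "->", r_, "auth" if a_ else "anon", smtp_probe("127.0.0.1", mta.port, s_, r_, a_))
```

Against a real server, run the unauthenticated probe on port 25 and the authenticated one on 587 (wrap the socket in TLS first, or use 465 with wrapper mode); the relevant result is the RCPT TO code, since Postfix with the default smtpd_delay_reject=yes reports sender and relay rejections there rather than at MAIL FROM.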