Re: [expert] "Open relay" using Postfix. Need config help.
On Thursday, 26 June 2003 17:35, Ralph Crongeyer wrote:
> 'netstat -napt' doesn't reveal anything odd.
> Ok so when I have
> smtpd_recipient_restrictions = permit_mynetworks, check_recepient_access
> hash:/etc/postfix/access, check_relay_domains
>
> It will relay for any host. Even if the /etc/postfix/access is empty (no IP
> addresses).

No, it will not relay for any host. Not by default. So what is in mynetworks and what is in relay_domains? Or simply add the output from postconf -n.

> I thought that the "/etc/postfix/access" files list of address would only
> permit those machines to relay e-mail??? Is this right??

Not entirely. It allows receiving mails too. The restriction classes are somewhat difficult.

> Here is my situation. I need to have the mail server accept e-mail for the
> entire domain but only allow certain clients (or routers, for networks that
> masquerade ip addresses) to relay e-mail through the server.

So take the default postfix configuration, change the mydestination to accept your domain mails, change the mynetworks and mynetworks_style to accept mails on any network devices you plug in your host, add permit_sasl_authenticated to your recipient restriction and add smtpd_sasl_* stuff to main.cf. Now you have to give usernames and passwords (via saslpasswd if you want to use sasldb) to your users you want to relay and up it goes.

Beware, user passwords are mostly sent unencrypted over the net, so use SSL/TLS encryption with postfix.

> Thanks Ralph

Martin
--
H E L I X Gesellschaft für Software & Engineering mbH
Hanauer Landstrasse 52      Telefon (069) 4789 35-30
D-60314 Frankfurt am Main   Telefax (069) 4789 35-44
http://www.helix-gmbh.net   [EMAIL PROTECTED]
Re: [expert] "Open relay" using Postfix. Need config help.
On September 1993 plus 3585 days Praedor Atrebates wrote:
> I was under the impression that postfix, by default, didn't work/operate as an
> open relay. Does one actually need to alter the config to stop postfix
> working as an open relay?

No, one needs to alter the config to *start* postfix as an open relay. By default it is a closed server that only accepts mail from localhost.

Vox
--
Think of the Linux community as a niche economy isolated by its beliefs. Kind of like the Amish, except that our religion requires us to use _higher_ technology than everyone else. -- Donald B. Marti Jr.
Re: [expert] "Open relay" using Postfix. Need config help.
I was under the impression that postfix, by default, didn't work/operate as an open relay. Does one actually need to alter the config to stop postfix working as an open relay?

I am not presently running postfix, though I have in the past and will likely again, but I considered it rock-safe wrt open relaying.

praedor

On Thursday 26 June 2003 07:37 am, Martin Fahrendorf wrote:
> On Thursday, 26 June 2003 13:28, Pierre Fortin wrote:
> > On Thu, 26 Jun 2003 07:40:35 +0200 Martin Fahrendorf
> > <[EMAIL PROTECTED]> wrote:
> > > On Wednesday, 25 June 2003 16:49, Ralph Crongeyer wrote:
> > > > smtpd_recipient_restrictions = permit_mynetworks,
> > > > check_client_access, hash:/etc/postfix/access, check_relay_domains
> > >
> > > Btw: does your smtpd_recipient_restrictions relay look like the list
> > > above? There should be a warning or an error in the logfiles (in
> > > /var/log/mail) about a mistyping. Normally smtpd_recipient_restrictions
> > > should look like this (there is no comma between check_client_access
> > > and the hash table) : [...]
> >
> > No, both forms are OK -- though it's easier to make mistakes with the
> > comma separated list. The "leading space" form is better IMO, cleaner
> > (then again, I prefer Python). IIRC, don't put comments in the middle
> > though...
>
> Yep, that's right. Postfix treats commas like whitespaces. But nevertheless,
> the given restriction does not work (there must be a warning or an error
> from postfix). You can not continue one line without a leading whitespace in
> the continued line. But I think that is only a mailer issue (word wrap).
>
> Martin

--
Not a single 9/11 terrorist came from Iraq, nor did a single one train in Iraq. Iraq had NOTHING to do with 9/11.
Re: [expert] "Open relay" using Postfix. Need config help.
'netstat -napt' doesn't reveal anything odd.

Ok so when I have

smtpd_recipient_restrictions = permit_mynetworks, check_recepient_access
hash:/etc/postfix/access, check_relay_domains

It will relay for any host. Even if the /etc/postfix/access is empty (no IP addresses).

I thought that the "/etc/postfix/access" files list of address would only permit those machines to relay e-mail??? Is this right??

Here is my situation. I need to have the mail server accept e-mail for the entire domain but only allow certain clients (or routers, for networks that masquerade ip addresses) to relay e-mail through the server.

Thanks
Ralph

On Thursday 26 June 2003 09:36 am, Martin Fahrendorf wrote:
> On Thursday, 26 June 2003 15:23, Ralph Crongeyer wrote:
> > Thanks for the tip, I'll try it.
> >
> > BTW, I can stop Postfix uninstall it and can still relay e-mail!!!
> > What the heck is that all about? I mean imap shouldn't relay messages,
> > right?? It's like there is another MTA running?
> >
> > Ralph
>
> Check if a server is running. 'netstat -napt' will tell you all open
> ports.
>
> Martin
Re: [expert] "Open relay" using Postfix. Need config help.
Thanks for the tip, I'll try it.

BTW, I can stop Postfix uninstall it and can still relay e-mail!!! What the heck is that all about? I mean imap shouldn't relay messages, right?? It's like there is another MTA running?

Ralph

On Wednesday 25 June 2003 05:39 pm, Miark wrote:
> I'm not a Postfix guru, but I know that on my simple setup relay access is
> governed by mynetworks. Try messing with it.
>
> Miark
>
> On Wed, 25 Jun 2003 12:11:50 -0400
> Ralph Crongeyer <[EMAIL PROTECTED]> wrote:
> > On Wednesday 25 June 2003 11:37 am, Miark wrote:
> >
> > It's not set. Default I guess?
> >
> > > mynetworks is set to what?
> > >
> > > Miark
> > >
> > > On Wed, 25 Jun 2003 10:49:52 -0400 Ralph Crongeyer
> > > <[EMAIL PROTECTED]> wrote:
> > > > But now, with this setup, anyone can send mail through? i.e. "Open
> > > > Relay".
> > > >
> > > > I need it to be able to send mail for the entire domain and some
> > > > clients outside the domain.
Re: [expert] "Open relay" using Postfix. Need config help.
On Thursday, 26 June 2003 15:23, Ralph Crongeyer wrote:
> Thanks for the tip, I'll try it.
>
> BTW, I can stop Postfix uninstall it and can still relay e-mail!!!
> What the heck is that all about? I mean imap shouldn't relay messages,
> right?? It's like there is another MTA running?
>
> Ralph

Check if a server is running. 'netstat -napt' will tell you all open ports.

Martin
Re: [expert] "Open relay" using Postfix. Need config help.
On Thursday, 26 June 2003 13:28, Pierre Fortin wrote:
> On Thu, 26 Jun 2003 07:40:35 +0200 Martin Fahrendorf
> <[EMAIL PROTECTED]> wrote:
> > On Wednesday, 25 June 2003 16:49, Ralph Crongeyer wrote:
> > > smtpd_recipient_restrictions = permit_mynetworks, check_client_access,
> > > hash:/etc/postfix/access, check_relay_domains
> >
> > Btw: does your smtpd_recipient_restrictions relay look like the list
> > above? There should be a warning or an error in the logfiles (in
> > /var/log/mail) about a mistyping. Normally smtpd_recipient_restrictions
> > should look like this (there is no comma between check_client_access and
> > the hash table) :
> >
> > smtpd_recipient_restrictions =
> >   reject_unknown_recipient_domain
> >   reject_unknown_sender_domain
> >   reject_non_fqdn_sender
> >   reject_non_fqdn_recipient
> >   permit_mynetworks
> >   check_client_access hash:/etc/postfix/access
> >   reject_unauth_destination
>
> No, both forms are OK -- though it's easier to make mistakes with the
> comma separated list. The "leading space" form is better IMO, cleaner
> (then again, I prefer Python). IIRC, don't put comments in the middle
> though...

Yep, that's right. Postfix treats commas like whitespaces. But nevertheless, the given restriction does not work (there must be a warning or an error from postfix). You can not continue one line without a leading whitespace in the continued line. But I think that is only a mailer issue (word wrap).

Martin
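
Added example, not part of the original thread and not Postfix's own code: a small Python check for the two main.cf rules discussed in the message above (commas count as whitespace; only a line that starts with whitespace continues the previous one), run over constructed copies of the wrapped line quoted in the thread and of an indented form. The names logical_lines, restrictions and audit are hypothetical; the audit assumes smtpd_recipient_restrictions is set and only looks for the presence of reject_unauth_destination or check_relay_domains, it does not evaluate the list the way Postfix does.

```python
import re

TAKES_TABLE = {"check_client_access", "check_recipient_access"}  # need a table argument
RELAY_GUARDS = {"reject_unauth_destination", "check_relay_domains"}  # refuse foreign relaying

def logical_lines(text):
    """main.cf rule: a line that starts with whitespace continues the previous one."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def restrictions(value):
    """Split on commas and whitespace alike, then pair check_*_access with its table."""
    words = [w for w in re.split(r"[,\s]+", value) if w]
    items, problems, i = [], [], 0
    while i < len(words):
        name, table = words[i], None
        if name in TAKES_TABLE and i + 1 < len(words) and ":" in words[i + 1]:
            table, i = words[i + 1], i + 1
        elif name in TAKES_TABLE:
            problems.append(f"{name} has no lookup table")
        items.append((name, table))
        i += 1
    return items, problems

def audit(text):
    """Return (restriction items, problems) for smtpd_recipient_restrictions."""
    value, problems = "", []
    for line in logical_lines(text):
        m = re.match(r"(\w+)\s*=\s*(.*)$", line)
        if not m:
            problems.append(f"not a 'name = value' line: {line}")
        elif m.group(1) == "smtpd_recipient_restrictions":
            value = m.group(2)
    items, found = restrictions(value)
    if not any(name in RELAY_GUARDS for name, _ in items):
        found.append("no relay guard in smtpd_recipient_restrictions")
    return items, problems + found

# Constructed samples: the word-wrapped line as quoted in the thread, and an indented form.
WRAPPED = ("smtpd_recipient_restrictions = permit_mynetworks, check_client_access,\n"
           "hash:/etc/postfix/access, check_relay_domains\n")
INDENTED = ("smtpd_recipient_restrictions =\n  permit_mynetworks\n"
            "  check_client_access hash:/etc/postfix/access\n  reject_unauth_destination\n")
```

audit(WRAPPED) reports the unindented second line as a stray line, the access check without its table and the missing relay guard; audit(INDENTED) reports no problems.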
Re: [expert] "Open relay" using Postfix. Need config help.
On Thu, 26 Jun 2003 07:40:35 +0200 Martin Fahrendorf <[EMAIL PROTECTED]> wrote:
> On Wednesday, 25 June 2003 16:49, Ralph Crongeyer wrote:
> > smtpd_recipient_restrictions = permit_mynetworks, check_client_access,
> > hash:/etc/postfix/access, check_relay_domains
>
> Btw: does your smtpd_recipient_restrictions relay look like the list
> above? There should be a warning or an error in the logfiles (in
> /var/log/mail) about a mistyping. Normally smtpd_recipient_restrictions
> should look like this (there is no comma between check_client_access and
> the hash table) :
>
> smtpd_recipient_restrictions =
>   reject_unknown_recipient_domain
>   reject_unknown_sender_domain
>   reject_non_fqdn_sender
>   reject_non_fqdn_recipient
>   permit_mynetworks
>   check_client_access hash:/etc/postfix/access
>   reject_unauth_destination

No, both forms are OK -- though it's easier to make mistakes with the comma separated list. The "leading space" form is better IMO, cleaner (then again, I prefer Python). IIRC, don't put comments in the middle though...
Re: [expert] "Open relay" using Postfix. Need config help.
On Wednesday, 25 June 2003 16:49, Ralph Crongeyer wrote:

Hi Ralph,

> Hi all,
>
> I have been using postfix for about a year or so and I needed to change my
> configuration and now I can't seem to get it working the same way I had it.
>
> At the end of my /etc/postfix/main.cf file I have:
>
> mydestination = $myhostname, localhost.$mydomain, $mydomain
> myorigin = $mydomain
> smtpd_recipient_restrictions = permit_mynetworks, check_client_access,
> hash:/etc/postfix/access, check_relay_domains
>
> and then in the /etc/postfix/access I have:
>
> 111.222.333.444 OK
> 222.333.444.555 OK
>
> and so on.
>
> But now, with this setup, anyone can send mail through? i.e. "Open Relay".

No, normally not (if all your listed IP addresses are static to the hosts you want to relay).

> I need it to be able to send mail for the entire domain and some clients
> outside the domain.

The entire domain is matched by the mynetwork stuff. The outsiders should use smtp-auth.

> Ralph

Don't use access-file to allow relaying unless the IP addresses you listed are absolutely static. Use smtp auth instead. This is more flexible and users from dynamic IP addresses can relay through your mailserver too.

Btw: does your smtpd_recipient_restrictions relay look like the list above? There should be a warning or an error in the logfiles (in /var/log/mail) about a mistyping. Normally smtpd_recipient_restrictions should look like this (there is no comma between check_client_access and the hash table) :

smtpd_recipient_restrictions =
  reject_unknown_recipient_domain
  reject_unknown_sender_domain
  reject_non_fqdn_sender
  reject_non_fqdn_recipient
  permit_mynetworks
  check_client_access hash:/etc/postfix/access
  reject_unauth_destination

and did you rehash the access file?

Martin
Re: [expert] "Open relay" using Postfix. Need config help.
On Wed, 25 Jun 2003 10:49:52 -0400 Ralph Crongeyer <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I have been using postfix for about a year or so and I needed to change
> my configuration and now I can't seem to get it working the same way I
> had it.
>
> At the end of my /etc/postfix/main.cf file I have:
>
> mydestination = $myhostname, localhost.$mydomain, $mydomain
> myorigin = $mydomain
> smtpd_recipient_restrictions = permit_mynetworks, check_client_access,
> hash:/etc/postfix/access, check_relay_domains
>
> and then in the /etc/postfix/access I have:
>
> 111.222.333.444 OK
> 222.333.444.555 OK
>
> and so on.
>
> But now, with this setup, anyone can send mail through? i.e. "Open
> Relay".
>
> I need it to be able to send mail for the entire domain and some clients
> outside the domain.
>
> Ralph

See my page at http://pfortin.com/Linux/PostFix/ -- it needs some updating; but you may find the answer there...
Re: [expert] "Open relay" using Postfix. Need config help.
I'm not a Postfix guru, but I know that on my simple setup relay access is governed by mynetworks. Try messing with it.

Miark

On Wed, 25 Jun 2003 12:11:50 -0400 Ralph Crongeyer <[EMAIL PROTECTED]> wrote:
> On Wednesday 25 June 2003 11:37 am, Miark wrote:
>
> It's not set. Default I guess?
>
> > mynetworks is set to what?
> >
> > Miark
> >
> > On Wed, 25 Jun 2003 10:49:52 -0400 Ralph Crongeyer <[EMAIL PROTECTED]> wrote:
> > > But now, with this setup, anyone can send mail through? i.e. "Open
> > > Relay".
> > >
> > > I need it to be able to send mail for the entire domain and some clients
> > > outside the domain.
Re: [expert] "Open relay" using Postfix. Need config help.
On Wednesday 25 June 2003 11:37 am, Miark wrote:

It's not set. Default I guess?

> mynetworks is set to what?
>
> Miark
>
> On Wed, 25 Jun 2003 10:49:52 -0400 Ralph Crongeyer <[EMAIL PROTECTED]> wrote:
> > But now, with this setup, anyone can send mail through? i.e. "Open
> > Relay".
> >
> > I need it to be able to send mail for the entire domain and some clients
> > outside the domain.
Re: [expert] "Open relay" using Postfix. Need config help.
mynetworks is set to what?

Miark

On Wed, 25 Jun 2003 10:49:52 -0400 Ralph Crongeyer <[EMAIL PROTECTED]> wrote:
> But now, with this setup, anyone can send mail through? i.e. "Open Relay".
>
> I need it to be able to send mail for the entire domain and some clients
> outside the domain.