how do I enable outbound mail but not inbound?

We're running a website on a linode and it sends some transactional mail, with bulk email going through Sparkpost. The org's email is on a different system. I notice in the syslog that there are some messages indicating it might be good to tighten up the server:

May 3 08:16:43 mydomain postfix/smtpd[4541]: connect from unknown[134.209.9.11]
May 3 08:16:44 mydomain postfix/smtpd[4541]: NOQUEUE: reject: RCPT from unknown[134.209.9.11]: 454 4.7.1 relaytest@nmap.scanme.org: Relay access denied; from=<> to=relaytest@nmap.scanme.org proto=ESMTP helo=<nmap.scanme.org>
May 3 08:16:44 mydomain postfix/smtpd[4541]: NOQUEUE: reject: RCPT from unknown[134.209.9.11]: 454 4.7.1 relaytest@nmap.scanme.org: Relay access denied; from=antispam@nmap.scanme.org to=relaytest@nmap.scanme.org proto=ESMTP helo=<nmap.scanme.org>

So it looks like it is trying to use the server as an open relay, and we have had trouble in recent months with blacklisting.

We didn't really change the default config of the linode when it was commissioned. What should be turned off to prevent this, and what needs to be kept running in order to send things like password resets for the CMS?

1 Reply

Looks like:

  • Your mail server is listening on "all" interfaces - including public facing ones like eth0

… whereas for "send things like password resets" it only really needs to listen on "localhost" (aka "loopback" or "127.0.0.1").

  • There is either no firewall or it's set to allow inbound connections to port 25.

  • But it is properly configured in the sense that it does block those attempts at using it as an open relay.

So those are the things I'd check:

  • Postfix

You can restrict the interfaces in /etc/postfix/main.cf with:

inet_interfaces = loopback-only

  • Firewall

I don't know what distro / firewall you're using, but for Debian / Ubuntu the usual firewall is called ufw.

If you don't have it installed it's probably a good idea to do so.

If you do, I'd recommend checking its rules with ufw status and deleting the rule(s) which allow connections from the outside to port 25 (and you'll probably want to not allow ports 587 and 465, also used by SMTP).

Reply
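The three checks from the answer (Postfix binding, what is actually listening, and the ufw rules for 25/465/587) worked into one audit script. This is an added example, not code from the original thread or from the Postfix, ufw or Linode projects. It assumes a Debian/Ubuntu host with Postfix and ufw and the usual output formats of `postconf`, `ss -ltn` and `ufw status numbered`; the command outputs embedded in it are constructed samples, not the poster's logs, and the "Postfix ..." ufw application-profile names are an assumption to confirm with `ufw app list`.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a Debian/Ubuntu box
# running Postfix + ufw for "outbound only" mail. Each check reads one
# command's output on stdin, so it runs here against the constructed
# samples below and, with --live, against the real host:
#   postconf inet_interfaces | check_inet_interfaces
#   ss -ltn                  | list_public_smtp_listeners
#   ufw status numbered      | smtp_delete_commands

# 1. Postfix binding. Exit 0 if inet_interfaces is loopback-only (or an
#    equivalent spelling), 1 otherwise. Absent key = compiled-in "all".
check_inet_interfaces() {
    value=$(sed -n 's/^[[:space:]]*inet_interfaces[[:space:]]*=[[:space:]]*//p' \
            | sed 's/[[:space:]]*$//' | tail -n 1)
    [ -z "$value" ] && value="all"
    case "$value" in
        loopback-only|localhost|127.0.0.1|'[::1]'|'127.0.0.1, [::1]')
            echo "OK:  inet_interfaces = $value"; return 0 ;;
        *)
            echo "FIX: inet_interfaces = $value -> set 'inet_interfaces = loopback-only'"
            echo "     in /etc/postfix/main.cf, then stop and start postfix"
            return 1 ;;
    esac
}

# 2. What is actually bound (run after the restart). Prints host:port for
#    any SMTP port (25, 465, 587) listening on a non-loopback address.
list_public_smtp_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4; port = addr; sub(/.*:/, "", port)
        host = addr; sub(/:[0-9]+$/, "", host)
        if ((port == "25" || port == "465" || port == "587") &&
            host != "127.0.0.1" && host != "[::1]") print addr
    }'
}

# 3. ufw rules that admit SMTP from the Internet. Prints "<rule-no> <to>",
#    highest number first, because `ufw delete N` renumbers the rules
#    below N: deleting top-down keeps the remaining numbers valid.
#    Rules allowing SMTP from a specific address (not "Anywhere") are kept.
#    Assumed: Debian's postfix package ships ufw app profiles named
#    "Postfix", "Postfix SMTPS", "Postfix Submission" (check `ufw app list`).
list_smtp_allow_rules() {
    awk '/^\[ *[0-9]+]/ && /ALLOW/ && !/ALLOW OUT/ && /Anywhere/ {
        line = $0; sub(/^\[ */, "", line)
        n = line; sub(/].*/, "", n)
        sub(/^[0-9]+] */, "", line)
        to = line; sub(/  +.*/, "", to)
        port = to; sub(/\/.*/, "", port); sub(/ .*/, "", port)
        if (port == "25" || port == "465" || port == "587" || to ~ /^Postfix/)
            print n, to
    }' | sort -rn
}

# Turn that list into the commands the answer recommends.
smtp_delete_commands() {
    list_smtp_allow_rules | while read -r n to; do
        echo "ufw delete $n    # was: $to ALLOW IN Anywhere"
    done
}

# Constructed samples (not real output from the poster's host).
SAMPLE_POSTCONF='inet_interfaces = all'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      100          0.0.0.0:25         0.0.0.0:*
LISTEN 0      100             [::]:25            [::]:*
LISTEN 0      100        127.0.0.1:587         0.0.0.0:*'
SAMPLE_UFW='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80,443/tcp                 ALLOW IN    Anywhere
[ 3] 25/tcp                     ALLOW IN    Anywhere
[ 4] 587/tcp                    ALLOW IN    203.0.113.9
[ 5] Postfix Submission         ALLOW IN    Anywhere
[ 6] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 7] 25/tcp (v6)                ALLOW IN    Anywhere (v6)'

if [ "${1:-}" = "--live" ]; then
    postconf inet_interfaces | check_inet_interfaces
    ss -ltn | list_public_smtp_listeners
    ufw status numbered | smtp_delete_commands
else
    printf '%s\n' "$SAMPLE_POSTCONF" | check_inet_interfaces || true  # sample is deliberately wrong
    printf '%s\n' "$SAMPLE_SS" | list_public_smtp_listeners
    printf '%s\n' "$SAMPLE_UFW" | smtp_delete_commands
fi
```

Two caveats worth knowing before running this on the host: a change to inet_interfaces is only picked up by a full stop and start of Postfix (the master daemon binds the sockets once; a reload is not enough), which is why the script re-checks with `ss -ltn` afterwards; and once Postfix is on loopback only, the CMS still reaches it on 127.0.0.1:25 for password resets while the `connect from unknown[...]` / `Relay access denied` lines stop appearing, because nothing outside can reach smtpd at all. The firewall rule removal is then a second layer, not the fix itself.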
