Mail security
1) Is there a way to configure postfix so that it'll only accept outgoing mail from a certain IP address/range (still allowing incoming email from anywhere)? Or (even better) configure it so that it will never send outgoing email from SMTP requests on port 25, only over SSL, and have the postfix SSL listener only on a lan interface?
2) I ran a mail relay checker on my server and got the following results... anything I should be worried about?
requires HELO NO
allows VRFY username verification NO
allows EXPN forwarding expansion NO
allows bogus From: header YES
allows simple mail relaying NO
may allow UUCP mail relaying NO
allows other mail relaying NO
can mail to postmaster NO
can mail to webmaster NO
can mail to abuse (RFC 2142) NO
Thanks
Dave
2 Replies
@Daveo:
> Is there a way to configure postfix so that it'll only accept outgoing mail from a certain IP address/range (still allowing incoming email from anywhere)?
Look into the "mynetworks" or "mynetworks_style" settings. In general, though, if you are running a mail server on a Linode you will only want to allow unauthenticated outgoing mail from localhost. Outgoing mail should otherwise be restricted to only SASL-authenticated clients.
> Or (even better) configure it so that it will never send outgoing email from SMTP requests on port 25, only over SSL, and have the postfix SSL listener only on a lan interface?
If you are using SASL auth to control outgoing mail, then in your main.cf set "smtpd_sasl_auth_enable = no", and then in master.cf make sure that any service(s) from which you want to allow outgoing mail have "-o smtpd_sasl_auth_enable=yes".
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
seems to do what I want (only able to send from the VPN, and even then only when authenticated). I can't see in my settings why RCPT TO from outside mynetworks is being denied; I guess it's a default setting?
I couldn't get SSL to work at all (client just hangs waiting for a connection) even though I'm pretty sure I had smtps running ok.
When I was trying to set it up to allow SSL on the VPN only, I got a lot of complaints in the log file along the lines of:
fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
What I was trying to do was to specify really restrictive stuff in main.cf:
smtpd_recipient_restrictions = reject_unauth_destination
...then make smtps allow connections only from local clients and relay only from SASL-authenticated clients (to enforce both requirements):
-o smtpd_client_restrictions=permit_mynetworks
-o smtpd_recipient_restrictions=permit_sasl_authenticated, reject_unauth_destination
...but it just wouldn't work; I have no idea why not!
Anyway, it seems to be relatively secure, so I'm going to move on to antispam settings
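The layout described in the first reply (no AUTH on port 25, relaying only for SASL clients on a separate TLS service bound to the VPN) and attempted in the second, written out as an added example; this is not configuration from the original thread or from the Postfix project. It assumes a VPN interface address of 10.8.0.1, a VPN subnet of 10.8.0.0/24, and that smtpd_tls_cert_file/smtpd_tls_key_file and the SASL backend are already set up. The weak variant is shown commented out above the hardened one.

```conf
# ---------------- main.cf (global defaults; the public port 25 smtpd uses these) --------------
# Weak: the VPN subnet may relay without authenticating, and AUTH is offered on
# port 25, so a leaked mailbox password relays from anywhere on the internet.
#   mynetworks = 127.0.0.0/8 10.8.0.0/24
#   smtpd_sasl_auth_enable = yes
#   smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# Hardened: only localhost relays unauthenticated, port 25 never offers AUTH,
# and mail for domains in mydestination is still accepted from anywhere because
# reject_unauth_destination only rejects relaying to other domains.
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
# Postfix 2.10 and later also evaluate smtpd_relay_restrictions; keep it in step
# with the line above so the relay policy is stated once.
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

# ---------------- master.cf ----------------
# Public listener: inherits everything from main.cf, so it can deliver to local
# domains but cannot relay and never advertises AUTH.
smtp      inet  n       -       n       -       -       smtpd

# TLS-wrapped submission service bound only to the (assumed) VPN address, so the
# socket does not exist on the public interface at all. mynetworks is overridden
# here so that permit_mynetworks means "VPN clients" for this service only, and
# the recipient restriction still requires a successful SASL login to relay.
# The -o values contain no whitespace on purpose: Postfix before 3.0 treats a
# space inside an -o value as the end of that option, which silently truncates
# the restriction list.
10.8.0.1:smtps inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o mynetworks=10.8.0.0/24
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
```

After editing, run `postfix check` and compare `postconf -n` with `postconf -M` (Postfix 2.9+) to confirm the per-service overrides were parsed as intended rather than truncated.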