Mail security

Hi again, a couple more questions please!

1) Is there a way to configure postfix so that it'll only accept outgoing mail from a certain IP address/range (still allowing incoming email from anywhere)? Or (even better) configure it so that it will never send outgoing email from SMTP requests on port 25, only over SSL, and have the postfix SSL listener only on a lan interface?

2) I ran a mail relay checker on my server and got the following results.. anything I should be worried about?

requires HELO     NO
allows VRFY username verification     NO
allows EXPN forwarding expansion     NO
allows bogus From: header     YES
allows simple mail relaying     NO
may allow UUCP mail relaying     NO
allows other mail relaying     NO
can mail to postmaster     NO
can mail to webmaster     NO
can mail to abuse (RFC 2142)     NO

Thanks :)

Dave

2 Replies

@Daveo:

> Is there a way to configure postfix so that it'll only accept outgoing mail from a certain IP address/range (still allowing incoming email from anywhere)?

Look into the "mynetworks" or "mynetworks_style" settings. In general though, if you are running a mailserver on a linode you will only want to allow unauthenticated outgoing mail from localhost. Outgoing mail should otherwise be restricted to only SASL-authenticated clients.

> Or (even better) configure it so that it will never send outgoing email from SMTP requests on port 25, only over SSL, and have the postfix SSL listener only on a lan interface?

If you are using SASL auth to control outgoing mail, then in your main.cf set "smtpd_sasl_auth_enable = no", and then in master.cf make sure that any service(s) from which you want to allow outgoing mail have "-o smtpd_sasl_auth_enable=yes".

Hmm.. I spent a lot of time fiddling around with settings trying to get it to work, but it seems for some reason I can only send from mynetworks anyway, and so that in combination with smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination seems to do what I want (only able to send from the VPN, and even then only when authenticated). I can't see in my settings why RCPT TO from outside mynetworks is being denied, I guess it's a default setting?

I couldn't get SSL to work at all (client just hangs waiting for a connection) even though I'm pretty sure I had smtps running ok.

When I was trying to set it up to allow SSL on the VPN only, I got a lot of complaints in the log file along the lines of:

fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit

What I was trying to do was to specify really restrictive stuff in main.cf:

smtpd_recipient_restrictions = reject_unauth_destination

..then make smtps allow connections only from local clients and relay only from sasl authenticated clients (to enforce both requirements):

-o smtpd_client_restrictions=permit_mynetworks
-o smtpd_recipient_restrictions=permit_sasl_authenticated, reject_unauth_destination

..but it just wouldn't work, I have no idea why not!

Anyway, it seems to be relatively secure, so I'm going to move on to antispam settings :)
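The layout both replies above are describing, written out as an added example rather than anyone's posted configuration. Two details explain the failures in the post. First, a `-o` value in master.cf must not contain whitespace: `permit_sasl_authenticated, reject_unauth_destination` is cut at the space, so Postfix sees only `permit_sasl_authenticated` and raises the "specify at least one working instance of ... reject_unauth_destination" fatal error. Second, a restriction list that has no terminating `reject` ends with an implicit permit, so `-o smtpd_client_restrictions=permit_mynetworks` on its own restricts nothing. The VPN address `10.8.0.1` and subnet `10.8.0.0/24` are constructed placeholders; `smtpd_relay_restrictions` only exists in Postfix 2.10 and later (older releases apply the same relay check through `smtpd_recipient_restrictions`, and it is the default `reject_unauth_destination` there that was silently blocking outside RCPT TO in the post).

```conf
# --- main.cf (added example, not the poster's file) ---
# Only localhost is trusted; the VPN range is deliberately NOT here, so VPN
# clients must authenticate on the smtps service before they can relay.
mynetworks = 127.0.0.0/8, [::1]/128

# Port 25 never offers AUTH and never relays: inbound delivery only.
smtpd_sasl_auth_enable = no
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# --- master.cf (added example, not the poster's file) ---
# service       type  private unpriv chroot wakeup maxproc command
# Public listener on all interfaces, inherits the restrictive main.cf defaults.
smtp            inet  n       -       n      -      -       smtpd

# TLS-wrapper listener bound to the VPN address only (10.8.0.1 is a placeholder).
# Service-level -o overrides: no spaces are allowed inside a value, so the
# comma-separated lists are written without them. Every list ends in an
# explicit reject so nothing falls through to the implicit permit.
10.8.0.1:smtps  inet  n       -       n      -      -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
```

After `postfix reload`, `postconf -n` shows the effective main.cf values and `postconf -M` (Postfix 2.11 and later) prints the master.cf services, which is the quickest way to confirm that the overrides survived parsing intact. A mail client that hangs "waiting for a connection" on 465 is the usual symptom of a STARTTLS client talking to a wrapper-mode port (or the reverse); the client must be set to implicit SSL/TLS for a `smtpd_tls_wrappermode=yes` service, and to STARTTLS for a plain `submission` service on 587.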
