postfix - how to block all linux users except root???

I have a Postfix SMTP server with SASL authentication on an Ubuntu server.

I don't want anybody to send mail without being authenticated, especially from PHP forms. The PHP mail function sends mail as user www-data.

But logwatch also sends mail as root, which I really need. There are also users authenticated by SASL. They shouldn't be blocked either.

So, is there any way to block all Linux users from sending mail except root?

Thanks in advance..

5 Replies

Consider this: any user can open a port 25 or 587 to any mail server and deliver mail there directly. IPTABLES can't really stop that while still allowing the mail server to work, although I believe selinux network ACLs do.

@Guspaz:

> Consider this: any user can open a port 25 or 587 to any mail server and deliver mail there directly. IPTABLES can't really stop that while still allowing the mail server to work, although I believe selinux network ACLs do.

Thanks for your reply. But I'm not thinking of changing my Linux distribution. There should be a way through Postfix's configuration.

Oh, there may well be, but my point is that you don't need to use postfix to send mail. I think I'm misunderstanding what you want to do, though. You're saying that you only want to let people send mail through your SMTP server if they're authenticated, and I think I was seeing "users" and thinking "linux users", which made me think "Linux users can send mail through other means".

I've never tried it, but maybe you are looking for this:

http://www.postfix.org/postconf.5.html#authorized_submit_users

You might also need to adjust your handling of mynetworks to prevent local connections to smtp being treated as special.

Make /usr/sbin/sendmail executable only by root. Block outgoing connections to port 25 using iptables OUTPUT table and owner match module (--uid-owner). You are probably going to regret it.
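The two Postfix-side suggestions in the replies (`authorized_submit_users` and the handling of `mynetworks`) can be checked together. The following is an added example, not code from the thread or from Postfix: it audits `name = value` settings against the asker's "root only" policy. The function names and both sample configurations are constructed, and only `authorized_submit_users` falls back to its documented default (`static:anyone`) when absent from the input.

```python
import ipaddress
import re

LOOPBACKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

# Constructed sample settings in "name = value" form, as postconf prints them.
BEFORE = """\
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
"""
AFTER = """\
authorized_submit_users = root
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_sasl_authenticated, defer_unauth_destination
"""

def parse_postconf(text):
    """Map each parameter name to its list of comma/space separated values."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            params[name.strip()] = [v for v in re.split(r"[,\s]+", value) if v]
    return params

def covers_loopback(entry):
    """True if a mynetworks entry is a CIDR block that includes localhost."""
    try:
        cidr = entry.replace("[", "").replace("]", "")
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:  # table lookups, file names, negated patterns
        return False
    return any(net.version == lb.version and net.overlaps(lb) for lb in LOOPBACKS)

def audit(text):
    """Return findings that conflict with 'only root submits without SASL'."""
    p = parse_postconf(text)
    findings = []
    # Unset means the default static:anyone, so every local user may submit.
    if p.get("authorized_submit_users", ["static:anyone"]) != ["root"]:
        findings.append("sendmail(1)/postdrop submission is not limited to root")
    trusts_local = any(covers_loopback(e) for e in p.get("mynetworks", []))
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        if trusts_local and "permit_mynetworks" in p.get(name, []):
            findings.append(name + ": permit_mynetworks lets localhost SMTP clients skip SASL")
    return findings

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf))
```

In the "after" settings logwatch still works because root submits through the sendmail command rather than over SMTP, while SASL users are still admitted by `permit_sasl_authenticated`.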
