SMTP Authentication for Local Domain in Postfix
Dear friends,

I have a problem with my postfix configuration. I have enabled SASL for postfix and now authentication works well for my clients, but right now anybody can send email from my local domain to local domain without authentication, and because of that I have lots of attacks. How can I force that if the sender is my local domain it must authenticate?!

Here is my postfix configuration:

main.cf:

    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_pipelining,
        reject_rbl_client zen.spamhaus.org,
    smtpd_helo_restrictions =
        permit_mynetworks,
        #reject_non_fqdn_hostname,
        reject_invalid_hostname
    smtpd_sender_restriction =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/access_table
        reject_unknown_sender_domain,
        reject_non_fqdn_sender
    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_unauth_pipelining,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unverified_recipient,
        reject_unauth_destination,
        check_policy_service unix:private/policy-spf,
        permit

master.cf:

    smtp inet n - - - - smtpd
        -o content_filter=spamassassin
    submission inet n - - - - smtpd
        -o smtpd_tls_security_level=may
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING
        -o content_filter=spamassassin
    smtps inet n - - - - smtpd
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING
    spamassassin unix - n n - - pipe
        user=nobody argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
    policy-spf unix - n n - - spawn
        user=nobody argv=/usr/bin/perl /usr/sbin/postfix-policyd-spf-perl

access_table:

    mydomain.com REJECT You're not me!

Thanks

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator
Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

Hi Shahab,

Your mistake is highlighted below, the order of *smtpd_sender_restriction* is such that you are permitting local delivery to your network before sasl authentication. In my config I removed it and only have it in *smtpd_recipient_restrictions* and then only after sasl authentication has been confirmed.

D.

On 15 August 2013 12:45, Shahab Vahabzadeh <sh.vahabzadeh@gmail.com> wrote:

    smtpd_sender_restriction =
        *permit_mynetworks,*
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/access_table
        reject_unknown_sender_domain,
        reject_non_fqdn_sender

-- blaze your trail --
Daniël W. Crompton <daniel.crompton@gmail.com>
http://specialbrands.net/
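
Added example, not part of either message: a simplified Python model of how Postfix walks a single restriction list (left to right, first decision wins), comparing the order as posted with an order that checks SASL authentication first. The network prefixes, client addresses and sender addresses are constructed samples, the remaining restrictions in the list are left out, and the list is assumed to be read under the documented parameter name smtpd_sender_restrictions.

```python
# Simplified model of Postfix evaluating ONE smtpd restriction list:
# entries are tried left to right and the first one that decides ends the list.
OWN_DOMAIN = "mydomain.com"          # placeholder domain used in the thread
MYNETWORKS = ("127.", "192.0.2.")    # constructed sample prefixes (assumption)

def evaluate(restrictions, client_ip, sender, authenticated):
    """Return (decision, deciding_restriction) for one restriction list."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    for name in restrictions:
        if name == "permit_mynetworks" and client_ip.startswith(MYNETWORKS):
            return "PERMIT", name
        if name == "permit_sasl_authenticated" and authenticated:
            return "PERMIT", name
        if name == "check_sender_access" and sender_domain == OWN_DOMAIN:
            return "REJECT", name    # access_table: mydomain.com REJECT
    return "DUNNO", None             # nothing matched: later lists decide

# Order as posted in the thread vs. authentication checked first.
AS_POSTED = ["permit_mynetworks", "permit_sasl_authenticated",
             "check_sender_access"]
AUTH_FIRST = ["permit_sasl_authenticated", "check_sender_access"]

# Constructed sessions: (label, client IP, envelope sender, SASL authenticated?)
SESSIONS = [
    ("outside, no auth", "203.0.113.9", "ceo@mydomain.com", False),
    ("trusted net, no auth", "192.0.2.15", "ceo@mydomain.com", False),
    ("outside, authenticated", "203.0.113.9", "ceo@mydomain.com", True),
    ("outside, foreign sender", "203.0.113.9", "bob@example.org", False),
]

def compare():
    """Map each session label to (decision as posted, decision auth first)."""
    return {
        label: (evaluate(AS_POSTED, ip, sender, auth)[0],
                evaluate(AUTH_FIRST, ip, sender, auth)[0])
        for label, ip, sender, auth in SESSIONS
    }

if __name__ == "__main__":
    for label, (posted, auth_first) in compare().items():
        print(f"{label:24} as posted: {posted:7} auth first: {auth_first}")
```

In this model the two orders differ only for unauthenticated clients inside mynetworks, so the breadth of mynetworks determines how much the reordering changes.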