1

Yesterday I found that 10 thousand e-mail messages were sent through my system using this configuration:
http://pastebin.com/bThpH1s8 - main.cf
http://pastebin.com/kkxxsstP - master.cf

I temporarily blocked the whole spammer's ISP's IP range, but obviously the problem is in the Postfix configuration. 25 port is now closed, so relay tests give a negative answer.

I wonder if there is anything else I could do to HAVE 25 port open and a closed relay SMTP server? Why does it allow unauthorized use?

Ernestas

2 Answers

3

You allow relaying from 0/0 in main.cf:

```
mynetworks = 0.0.0.0/0 [::/0]
smtpd_relay_restrictions = permit_mynetworks
smtpd_client_restrictions = permit_mynetworks
```

Tim Haegele
  • Thank you. It seems that this was my problem. Now it all works perfectly, all tests passed and hopefully no more spamming. – Ernestas Jan 04 '13 at 10:11
1

Under `smtpd_client_restrictions` (and also `smtpd_relay_restrictions` and `smtpd_recipient_restrictions`) you have `permit_mynetworks` but you also have `mynetworks = 0.0.0.0/0 [::/0]`. This allows any IP address to ignore these restrictions and send mail through your mail server.

You should change `mynetworks` to only list trusted IPs.

If you intend to receive mail for your domain and store it, you should also have `permit_auth_destination` in your `smtpd_recipient_restrictions`.

Ladadadada
  • `smtpd_recipient_restrictions` must contain at least one reject_* restriction, or postfix will not accept it. The default of `permit_mynetworks, reject_unauth_destination, permit` accomplishes this, i.e. you cannot simply switch to `permit_auth_destination`. The full discussion is long, so I won't put it here; consult the documentation for issues with too broad permit_* restrictions. – adaptr Jan 04 '13 at 10:39
  • I wouldn't suggest *replacing* the existing `smtpd_recipient_restrictions` with just `permit_auth_destination` but rather adding it to the existing one. Replacing it would cause Postfix to stop working. The output of `postconf -d permit_auth_destination` doesn't contain `permit`. Is there an implicit `permit` that's not listed? – Ladadadada Jan 04 '13 at 10:47
  • There is both an implied default permit, and a hard rule on which type of restrictions *must* appear, as I said above. – adaptr Jan 04 '13 at 10:51
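
A configuration check for the problem both answers identify, as an added example that is not part of the original thread: it parses main.cf text and reports every restriction list where `permit_mynetworks` is combined with a `mynetworks` entry that matches all addresses. The function names and the loopback-only `FIXED` sample are assumptions made for illustration; only an explicit `mynetworks` line is examined, and table or file lookups in it are skipped.

```python
import ipaddress
import re

# Restriction lists in which permit_mynetworks lets a "trusted" client through.
RESTRICTION_PARAMS = (
    "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions",
    "smtpd_client_restrictions",
)

def parse_main_cf(text):
    """Return {parameter: value}; skips comments, joins continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()  # continuation of previous line
        elif "=" in raw:
            name, value = raw.split("=", 1)
            current = name.strip()
            params[current] = value.strip()
    return params

def catch_all_networks(mynetworks):
    """Return the mynetworks entries that match every address (prefix length 0)."""
    hits = []
    for entry in re.split(r"[,\s]+", mynetworks):
        try:
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue  # file/table lookups, negations, empty strings: not checked here
        if net.prefixlen == 0:
            hits.append(entry)
    return hits

def find_open_relay(text):
    """Return [(restriction_parameter, catch_all_entries)] for risky combinations."""
    params = parse_main_cf(text)
    wide = catch_all_networks(params.get("mynetworks", ""))
    return [(name, wide) for name in RESTRICTION_PARAMS
            if wide and "permit_mynetworks" in re.split(r"[,\s]+", params.get(name, ""))]

# Settings quoted in the first answer.
VULNERABLE = """mynetworks = 0.0.0.0/0 [::/0]
smtpd_relay_restrictions = permit_mynetworks
smtpd_client_restrictions = permit_mynetworks
"""
# Constructed corrected config: loopback as the only trusted range is an assumption.
FIXED = """mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, find_open_relay(cfg))
```

An empty result means no catch-all network is paired with `permit_mynetworks`; it does not replace an external relay test against the running server.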