
Here is the problem: From any IP address not belonging to your mail server:

telnet me.myemailserver.com 25  

helo me.someserver.com
mail from: <yourusername@mydomain.com>
rcpt to: <yourusername@mydomain.com>
data
This is spam.  Buy my stuff.
.

I'm using Postfix. I'm having a problem finding a solution to requiring SMTP-AUTH for email claiming to be from mydomain.com.

Googling around, this guy has identified the same problem (I cut and pasted the above example from his post, with some modifications): http://www.smartertools.com/forums/t/13182.aspx

This link http://marc.info/?l=postfix-users&m=122814832915131&w=2 gets close to a solution but it has a side effect of requiring SMTP-AUTH for mail not from mydomain.com. For mail not claiming to be from mydomain.com, I would do the usual RBL and Spam filtering.

In short, I want to reject mail to local domains (mydomain.com) from outside/unauthenticated clients claiming to be from local domains (mydomain.com).

This is what I tried: I've tried both permit and reject as the default. Here is the exact excerpt from my main.cf:

smtpd_recipient_restrictions = reject_unauth_pipelining,
                           permit_sasl_authenticated,
                           check_recipient_access pgsql:/etc/postfix/pgsql-recipient.cf,
                           reject_unauthenticated_sender_login_mismatch,
                           reject_unauth_destination,
                           reject_unlisted_recipient,
                           check_sender_access pgsql:/etc/postfix/pgsql-sender.cf,
                           reject_unlisted_sender,
                           reject_invalid_hostname,
                           reject_non_fqdn_hostname,
                           reject_non_fqdn_sender,
                           reject_non_fqdn_recipient,
                           reject_unknown_sender_domain,
                           reject_unknown_recipient_domain,
                           reject_rbl_client cbl.abuseat.org,
                           reject_rbl_client sbl.spamhaus.org,
                           reject_rbl_client sbl-xbl.spamhaus.org,
                           reject_rbl_client bl.spamcop.net,
                           reject_rbl_client dnsbl.njabl.org,
                           reject_rbl_client blackholes.wirehub.net,
                           reject_rbl_client relays.mail-abuse.org,
                           reject_rbl_client dialups.mail-abuse.org,
                           reject_rbl_client blackholes.mail-abuse.org,
                           reject_rhsbl_sender dsn.rfc-ignorant.org,
                           (reject and permit both tried here)
Kilo

3 Answers


I would try something like this:

/etc/postfix/main.cf:

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access_table,
    ...,
    permit

/etc/postfix/access_table:

mydomain.com        REJECT You're not me!

The theory is this:

If they've authenticated already, they trigger the permit_sasl_authenticated rule and are allowed through. If they're not authenticated, it bumps along to the check_sender_access rule. If the sender domain matches "mydomain.com" the sender is rejected. (So unauthed + MAIL FROM "mydomain.com" = reject.) If it's any other domain, it continues on to the rest of your rules.

NOTE: This is untested. I would stick a warn_if_reject in front of that check_sender_access rule before trying it on a production system.

Insyte
  • makes sense! But you didn't try it? – innaM Aug 06 '09 at 18:55
  • I've tried this - see the 2nd link I provided in my original question. The side effect of doing this is that mail from domains not claiming to be mydomain gets rejected also which I don't want to happen. – Kilo Aug 06 '09 at 19:03
  • That depends on what further tests you list *after* the `check_sender_access` test. If you look at the way I structured it, the default is `permit`. So if they're not SASL auth'd and they're not rejected by `check_sender_access`, the connection is *allowed*. – Insyte Aug 06 '09 at 19:06
  • I updated my post to include what I tried. This gives 554 5.7.1 : Sender address rejected: Access denied With and without SMTP-AUTH. In my SQL table I have exactly as you have above. – Kilo Aug 06 '09 at 21:30
  • I found the error in my ways. I was updating smtpd_recipient_restrictions instead of smtpd_sender_restrictions. Additionally, I had the order reversed between: check_sender_access hash:/etc/postfix/access_table, permit_sasl_authenticated when it should be as you've shown: permit_sasl_authenticated, check_sender_access hash:/etc/postfix/access_table Thanks for the help!!!! – Kilo Aug 06 '09 at 21:44
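As an added example (not the answer's or the poster's own configuration), the following Python model evaluates a Postfix-style restriction list the way the accepted answer describes: each restriction either permits, rejects, or passes to the next one, and check_sender_access matches the MAIL FROM address, then its domain and parent domains, as Postfix access tables do. It also reproduces the reversed ordering reported in the comments, where authenticated senders are rejected too. The access table contents, client IPs and addresses are constructed.

```python
"""Model of smtpd_sender_restrictions evaluation (added example, not Postfix code)."""

PERMIT, REJECT, DUNNO = "permit", "reject", "dunno"

# Constructed access table with the same entry as the answer's /etc/postfix/access_table
ACCESS_TABLE = {"mydomain.com": "REJECT You're not me!"}

def client(ip, sender, authenticated):
    """Describe one SMTP client: source IP, MAIL FROM address, SASL state."""
    return {"ip": ip, "sender": sender, "authenticated": authenticated}

def check_sender_access(c):
    """Look up the full address, then the domain, then each parent domain."""
    addr = c["sender"].lower()
    labels = addr.split("@", 1)[1].split(".")
    keys = [addr] + [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for key in keys:
        action = ACCESS_TABLE.get(key)
        if action is not None:
            return REJECT if action.upper().startswith("REJECT") else PERMIT
    return DUNNO  # no entry: fall through to the next restriction

def permit_sasl_authenticated(c):
    return PERMIT if c["authenticated"] else DUNNO

def permit_mynetworks(c):
    # Assumption for the example: only loopback counts as $mynetworks
    return PERMIT if c["ip"].startswith("127.") else DUNNO

def evaluate(restrictions, c):
    """First restriction that returns a verdict wins; the trailing 'permit' is the default."""
    for rule in restrictions:
        verdict = rule(c)
        if verdict != DUNNO:
            return verdict
    return PERMIT

# Ordering from the answer: SASL check runs before the sender access lookup
GOOD_ORDER = [permit_mynetworks, permit_sasl_authenticated, check_sender_access]
# Reversed ordering from the comments: the access lookup rejects before SASL is considered
BAD_ORDER = [permit_mynetworks, check_sender_access, permit_sasl_authenticated]

OUTSIDE_IP = "203.0.113.5"  # constructed, documentation range

if __name__ == "__main__":
    for order, name in ((GOOD_ORDER, "answer"), (BAD_ORDER, "reversed")):
        for auth in (False, True):
            v = evaluate(order, client(OUTSIDE_IP, "user@mydomain.com", auth))
            print(f"{name:8} order, authenticated={auth}: {v}")
```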

On one server, where I have Postfix with Dovecot and auth data in MySQL, I did the following in main.cf:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject
Misiek

You can use SPF to avoid this problem. It will check whether the IP that is trying to send email using your domain is authorized to do so. Here is a good guide you can follow:

https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/