2

I've got a Postfix/Courier mail server (Authenticated with SASL/MySQL) all according to this tutorial. I'm currently running my server on Debian 6, it is a VPS. It works well as far as I can see but I can't seem to require authentication for inbound email sending. If I send an email from Outlook with SMTP authentication disabled to myself, everything happens and I'm not rejected, the log on the server tells me this:

Dec 19 09:39:33 new postfix/smtpd[20439]: connect from unknown[****]
Dec 19 09:39:33 new postfix/smtpd[20439]: 7FF1E469840: client=unknown[****]
Dec 19 09:39:33 new postfix/cleanup[20444]: 7FF1E469840: message-id=<000c01cefc31$41319a90$c394cfb0$@email@mydomain>
Dec 19 09:39:33 new postfix/qmgr[20429]: 7FF1E469840: from=<email@mydomain>, size=2730, nrcpt=1 (queue active)
Dec 19 09:39:33 new postfix/virtual[20445]: 7FF1E469840: to=<email@mydomain>, relay=virtual, delay=0.49, delays=0.4/0.08/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Dec 19 09:39:33 new postfix/qmgr[20429]: 7FF1E469840: removed
Dec 19 09:39:36 new postfix/smtpd[20439]: disconnect from unknown[****]

**** indicates the IP address of the email client

But if I try to send an email to an external domain, for example a gmail address, the email, as expected, is rejected and bounces back:

Your message did not reach some or all of the intended recipients.

  Subject:  
  Sent: 19/12/2013 9:49 a.m.

The following recipient(s) cannot be reached:

  'email@external.domain' on 19/12/2013 9:49 a.m.
        Server error: '554 5.7.1 <email@external.domain>: Relay access denied'

The log spews out some stuff about rejected authentication as well (which is to be expected)

Dec 19 09:48:34 new postfix/smtpd[20449]: connect from unknown[****]
Dec 19 09:48:34 new postfix/smtpd[20449]: NOQUEUE: reject: RCPT from unknown[****]: 554 5.7.1 <email@external.domain>: Relay access denied; from=<email@mydomain> to=<email@external.domain> proto=ESMTP helo=<MyPC>
Dec 19 09:48:36 new postfix/smtpd[20449]: disconnect from unknown[****]

If I enable SMTP authentication on my email client (Outlook), everything works as expected. Is there actually some authentication going on that I'm not seeing or is this acting as an open relay for internal emails? How do I force authentication for all email if this is the case?

My main.cf is:

relayhost = 
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
broken_sasl_auth_clients = yes
virtual_alias_domains = 
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
Pinpickle
  • 123
  • 1
  • 4
  • Unless I completely misunderstand your question/problem boils down to: When I use my own server as outgoing smtp server it doesn't require authentication when I send messages to `@my.domain`? That's expected and desired, a SMTP server will always accept mail when that server is configured as the valid destination for that domain, regardless of smtp auth. – HBruijn Dec 18 '13 at 23:10
  • 1
    Doesn't that mean that in my own network, someone not in my network could pretend to be someone that is in the scope of email addresses `@mydomain`. I'm not exactly setting it up as a massive network but it does seem like a potentially huge security flaw for larger ones (where emailing between users of the domain is important). – Pinpickle Dec 19 '13 at 01:13
  • I had the same issue, and for those who're still looking to fix it, the answer is on this subject: http://serverfault.com/questions/51106/smtp-auth-required-for-local-domains#answer-51122 – Mwyann Feb 25 '16 at 17:58

2 Answers2

7

Your server is not an open relay. It is set up to allow three different types of mail:

  1. Mail from anybody on the internet to addresses within your own domain
  2. Mail that originates on your own mailserver (e.g. notices from cron jobs and the like), to anybody on the internet
  3. Mail that comes from an authenticated connection to anybody on the internet

If the mail doesn't match one of the above, then the mailserver will reject it, even if the spammer puts some fake address in your domain as the sender address.

Jenny D
  • 27,358
  • 21
  • 74
  • 110
  • I understand now that it's intentional that type 1 gets allowed through, but why? What use does it have? It strikes me as strange that someone could pretend to be me when emailing people on my own domain without any need for authentication. – Pinpickle Dec 19 '13 at 09:57
  • 1
    If you want to restrict the rest of the world from faking your domain name, you would look at e.g. DKIM or SIP - search for those terms here or on google. – Jenny D Dec 19 '13 at 11:03
  • I should add that there are times when there are perfectly legitimate reasons to use an address within your domain in the `From:`-line of an email. One example is when you're participating in a mailinglist, or when you're e.g. using a third-party website to send an email with a copy to yourself, etc. But accepting incoming emails *to* your domain is not being a relay, it's just being a mail server. – Jenny D Dec 19 '13 at 11:15
  • Afaiu spammers would still be able to spam yourself giving one of your own adresses as FROM-adress (anybody can send a mails as `you@mydomain` to `me@mydomain`). I face this problem and didnt find a way to overcome this yet. – Felix Mar 27 '16 at 15:23
  • @Felix See http://serverfault.com/questions/444151/how-can-i-prevent-postfix-from-accepting-mail-from-domains-it-owns-that-it-didn – Jenny D Mar 27 '16 at 18:39
1

Is there actually some authentication going on that I'm not seeing

Yes

or is this acting as an open relay for internal emails?

no since your are seeing access denied

How do I force authentication for all email if this is the case?

You are forcing it now

telnet your email server

telnet ipaddress 25
CharlyDelta
  • 115
  • 7
jmazaredo
  • 202
  • 5
  • 13