I have a mail server running on Debian 7.8 configured with postfix 2.9.6.

My restrictions are these:

smtpd_sender_restrictions = reject_sender_login_mismatch, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_unlisted_sender, permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks
#smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_client_restrictions =  permit_sasl_authenticated, permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination

The problem is that an email alias can send mail to internal users without auth.

Examples (all requests are made with auth off in the client and NOT from localhost):

alias@example.com -> alias@example.com --> Mail sent
alias@example.com -> mailbox@example.com --> Mail sent
someuser@anotherexample.com -> alias@example.com --> Mail sent
someuser@anotherexample.com -> mailbox@example.com --> Mail sent
mailbox@example.com -> alias@example.com --> Sender address rejected: not logged in
mailbox@example.com -> someuser@anotherexample.com --> Sender address rejected: not logged in
someuser@anotherexample.com -> someuser2@anotherexample.com --> Relay access denied
alias@example.com -> someuser@anotherexample.com --> Relay access denied

Where mailbox is any of the virtual users in the database.

Any idea? Thank you!

Jenny D
enne
  • Just to get a clarification - your setup is meant to disallow people to use a MAIL FROM within your domains to send to your domains, unless they are authenticated. Is this correct? – Jenny D Aug 28 '15 at 16:17
  • @JennyD exactly, if I telnet into my server I can send mail to all my virtual users, faking the MAIL FROM to anything but mailbox users. I would like to avoid that, we are receiving a lot of spam/scam – enne Aug 28 '15 at 16:53

1 Answer

EDIT: reading that reject_unverified_sender could cause blacklisting, I've removed it, and now the problem is back.

I think I've resolved this using these restrictions:

smtpd_client_restrictions =  permit_sasl_authenticated, permit_mynetworks
#smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_sender_restrictions = permit_sasl_authenticated, reject_unverified_sender, reject_sender_login_mismatch, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_unlisted_sender, reject_unauth_destination, permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination

The option I was missing was reject_unverified_sender. I've added it after permit_sasl_authenticated so I can still send mail with the aliases.

enne
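
Why the alias rows in the question's table pass while the mailbox rows are rejected, as an added example that is not part of the original posts: a simplified Python model of the question's smtpd_sender_restrictions for a client that has not authenticated. The map contents are constructed assumptions (the page does not show smtpd_sender_login_maps), and the DNS-based checks are left out.

```python
# Simplified model (added example, not Postfix code) of the question's
# smtpd_sender_restrictions as seen by a client that has NOT authenticated.
# All map contents below are constructed assumptions.
LOCAL_DOMAINS = {"example.com"}                  # domain hosted on the server
LOGIN_MAPS = {"mailbox@example.com": "mailbox"}  # assumed smtpd_sender_login_maps
LISTED = {"mailbox@example.com", "alias@example.com"}  # mailboxes plus aliases

# The eight (MAIL FROM, RCPT TO) pairs from the question, in the same order.
CASES = [
    ("alias@example.com", "alias@example.com"),
    ("alias@example.com", "mailbox@example.com"),
    ("someuser@anotherexample.com", "alias@example.com"),
    ("someuser@anotherexample.com", "mailbox@example.com"),
    ("mailbox@example.com", "alias@example.com"),
    ("mailbox@example.com", "someuser@anotherexample.com"),
    ("someuser@anotherexample.com", "someuser2@anotherexample.com"),
    ("alias@example.com", "someuser@anotherexample.com"),
]


def domain(addr):
    return addr.rsplit("@", 1)[1].lower()


def check(sender, rcpt):
    """Walk the restriction list in order; the first decisive rule wins."""
    # reject_sender_login_mismatch: with no SASL login, this rejects only
    # when MAIL FROM has an owner in the login maps. An alias without an
    # entry there falls through to the next rule.
    if sender in LOGIN_MAPS:
        return "Sender address rejected: not logged in"
    # reject_unknown_sender_domain and reject_non_fqdn_sender need DNS and
    # are not modelled; every sample address is treated as passing them.
    # reject_unlisted_sender: a sender in a hosted domain must be a known
    # address. Aliases are known, so they pass. (Model label, not the real text.)
    if domain(sender) in LOCAL_DOMAINS and sender not in LISTED:
        return "Sender address rejected: unlisted sender"
    # permit_sasl_authenticated: no effect, the client is not logged in.
    # reject_unauth_destination: only recipients in hosted domains are accepted.
    if domain(rcpt) not in LOCAL_DOMAINS:
        return "Relay access denied"
    return "Mail sent"


def run_cases():
    return [check(sender, rcpt) for sender, rcpt in CASES]


if __name__ == "__main__":
    for (sender, rcpt), verdict in zip(CASES, run_cases()):
        print(f"{sender} -> {rcpt} --> {verdict}")
```

Under these assumptions the model reproduces all eight results listed in the question: the only rule that looks at whether the client is logged in consults the login maps, so a sender address with no owner there is never asked to authenticate.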