4

As suggested in How do you detect a spambot on your network? how can I set up a firewall rule to allow only Postfix to send emails using SMTP on port 25 and disallow all other applications from sending on port 25?

I want to control the email server of a single machine.

Something related is being talked about here but I am not sure of the iptables rules.

user5858

2 Answers

5

Do two things:

  1. Run Postfix under its own user account. It should already be doing so, on any sane system.

  2. Set an iptables rule with a uid match for that account, which blocks outgoing traffic to destination port 25 not from that user.

    For example: Here we assume the username is postfix, though it may be something different on your system.

    iptables -I OUTPUT -m owner ! --uid-owner postfix -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited
    ip6tables -I OUTPUT -m owner ! --uid-owner postfix -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp6-adm-prohibited
    

    Note that when you save the rule, the user name will be converted to a numeric uid.

Michael Hampton
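A script that applies the two rules from this answer idempotently, added here as an example and not part of Michael Hampton's answer: it resolves the account name to a numeric uid first (so what gets installed is exactly what iptables-save will write back), builds one rule specification that is reused for `-C` (check) and `-I` (insert), and skips the insert if the rule is already there. The `MTA_USER` variable and the `--apply` flag are this example's own; the account is assumed to be `postfix` as in the answer, and applying the rules requires root.

```shell
#!/bin/sh
# Added example, not part of the original answer: install the owner-match
# rules above idempotently and show what was installed.
# Assumptions (this script's own, not from the page): the MTA account is
# called "postfix" unless MTA_USER says otherwise, and the script is run as
# root with the --apply flag to change anything.

MTA_USER="${MTA_USER:-postfix}"

# Resolve the account name to a numeric uid up front: the owner match is
# stored by uid, which is why a saved ruleset shows a number, not a name.
mta_uid() {
    id -u "$1" 2>/dev/null
}

# Build the rule specification (everything after the chain name) for one
# address family, so the same text serves -C (check), -I (insert) and -D.
# "-m owner" only matches locally generated packets, hence the OUTPUT chain.
smtp_rule_spec() {
    family=$1
    owner=$2
    if [ "$family" = 6 ]; then
        reject=icmp6-adm-prohibited
    else
        reject=icmp-admin-prohibited
    fi
    printf '%s' "-m owner ! --uid-owner $owner -p tcp -m tcp --dport 25 -j REJECT --reject-with $reject"
}

# Insert the rule at the top of OUTPUT unless an identical one already exists
# (iptables -C exits 0 when the rule is present), so re-running is safe.
install_rule() {
    tool=$1
    family=$2
    rule_uid=$3
    spec=$(smtp_rule_spec "$family" "$rule_uid")
    # shellcheck disable=SC2086  # intentional word splitting of the spec
    if "$tool" -C OUTPUT $spec 2>/dev/null; then
        echo "$tool: rule already present"
    else
        "$tool" -I OUTPUT $spec && echo "$tool: rule inserted"
    fi
}

apply_rules() {
    uid=$(mta_uid "$MTA_USER")
    if [ -z "$uid" ]; then
        echo "account '$MTA_USER' does not exist; is Postfix installed under another name?" >&2
        return 1
    fi
    install_rule iptables 4 "$uid"
    install_rule ip6tables 6 "$uid"
    # Print the live rules in iptables-save syntax; note the numeric uid.
    iptables -S OUTPUT | grep -- '--dport 25'
    ip6tables -S OUTPUT | grep -- '--dport 25'
}

if [ "${1:-}" = --apply ]; then
    apply_rules
fi
```

Run it as `sh block.sh --apply` once Postfix is installed; a second run reports "rule already present" instead of stacking duplicate rules. Because the owner match is evaluated per uid, the reject applies to every other account including root, which is the intent: only the MTA process is allowed to speak to port 25.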
0

@MichaelHampton's answer is excellent if you are only trying to regulate the behaviour of a single Linux system. The title of your linked serverfault page refers to a network. It's not clear from your post if that is part of what you need to do.

You could approach this by limiting sending to port 25 outside of your network so that it's only accessible by a single IP in that network. That IP could be associated with a locked down system (possibly virtual or containerised), that only runs the mail relay. If on the other hand you have untrusted processes which can send from that IP, then go back to @MichaelHampton's answer for how to lock that down.

mc0e
  • I've updated it, it's an Ubuntu VPS. – user5858 Dec 02 '15 at 11:50
  • That's still not clear. What's the role of that Ubuntu VPS? Are you trying to control the behaviour of a single machine, or regulate traffic from a network? – mc0e Dec 02 '15 at 11:55
  • I want to control behaviour of single machine with Postfix server. – user5858 Dec 02 '15 at 12:23
  • Then @MichaelHampton's answer is the one you want. I'll leave this one here though for the sake of people looking for answers to variants on your question. – mc0e Dec 02 '15 at 13:35
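For the network-level variant mc0e describes (only one relay host may reach port 25 beyond the local network), here is an added example of the gateway-side FORWARD rules; it is not part of the answer. The relay address `192.0.2.25` and the LAN interface `eth1` are placeholder assumptions, and the rate-limited LOG rule is an addition so that any other host trying to send SMTP directly shows up in the kernel log, which is the symptom the linked spambot question is about.

```shell
#!/bin/sh
# Added example, not part of mc0e's answer: gateway egress rules that let
# only one relay host reach port 25 outside the LAN and log everyone else.
# RELAY_IP and LAN_IF are assumed placeholder values, not values from the page.

RELAY_IP="${RELAY_IP:-192.0.2.25}"   # assumed address of the locked-down relay
LAN_IF="${LAN_IF:-eth1}"              # assumed LAN-facing interface of the gateway

# Rule specifications for the FORWARD chain (traffic routed through this
# box), one per line and in the order they must be evaluated:
#   1. the relay may connect to port 25 anywhere,
#   2. any other LAN host trying to is logged (rate-limited so a spambot
#      cannot flood the log),
#   3. and then rejected with an admin-prohibited ICMP so the client fails
#      fast instead of waiting for a timeout.
smtp_egress_rules() {
    printf '%s\n' \
        "-i $LAN_IF -s $RELAY_IP -p tcp --dport 25 -j ACCEPT" \
        "-i $LAN_IF -p tcp --dport 25 -m limit --limit 5/min -j LOG --log-prefix \"smtp-egress-denied: \"" \
        "-i $LAN_IF -p tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited"
}

# Number of rules this policy consists of (useful for sanity checks).
count_rules() {
    smtp_egress_rules | wc -l | tr -d ' '
}

# Append each rule unless it is already present; eval is used so the quoted
# --log-prefix survives word splitting. Requires root.
apply_rules() {
    smtp_egress_rules | while IFS= read -r spec; do
        eval "iptables -C FORWARD $spec" 2>/dev/null || eval "iptables -A FORWARD $spec"
    done
}

if [ "${1:-}" = --apply ]; then
    apply_rules
fi
```

Hosts that hit rule 3 are exactly the ones to look at: a workstation with no business sending SMTP that appears under the `smtp-egress-denied:` prefix is either misconfigured or compromised. The relay itself still needs the per-uid OUTPUT rule from the first answer if untrusted processes run on it.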