
I am trying to wrap my head around the following. Is it possible to have a Postfix "receive-only" server? E.g. mx.example.com should only receive mail to a specific list of domains. It should not be possible to send mail through it. I can't seem to find any articles addressing this. I know I can disable SASL, but that does not prevent auth-less sending. Is this even possible to completely disable?

dhojgaard
    Simply blocking outgoing traffic on TCP port 25 in your firewall may be a suitable work-around. - But a common scenario on non-production systems is to catch all outgoing mail traffic in a local mailbox as described for instance in [this Q&A](https://serverfault.com/q/94640/37681) – HBruijn Oct 09 '17 at 07:58
  • Yeah, blocking port 25 could be a possibility. Perhaps that is an acceptable workaround. – dhojgaard Oct 09 '17 at 08:30
  • However doing this in postfix would be the preferred way :) – dhojgaard Oct 09 '17 at 08:50

2 Answers


By default, Postfix allows unlimited relay from trusted networks:

mynetworks (default: see "postconf -d" output)

The list of "trusted" remote SMTP clients that have more privileges than "strangers".

In particular, "trusted" SMTP clients are allowed to relay mail through Postfix. See the smtpd_relay_restrictions parameter description.

The default value could be something like the following, with at least local loop-back networks:

mynetworks = 127.0.0.0/8 198.51.100.100/24 [::1]/128 [fe80::]/64

The smtpd_relay_restrictions defaults to:

permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

permit_mynetworks Permit the request when the client IP address matches any network or network address listed in $mynetworks.

Therefore, the easiest way would be to remove permit_mynetworks from this list. (Alternatively one could set mynetworks not to include 127.0.0.0/8, but that may cause other problems.)

Esa Jokinen
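To make the effect of that one change concrete, here is an added example (not part of the answer or of Postfix itself) that parses two constructed main.cf fragments, the default relay policy and the hardened one with permit_mynetworks removed, and walks smtpd_relay_restrictions the way smtpd does for a given client address and recipient domain. The network and domain values are assumed sample data, and the model is deliberately simplified: only the restrictions named in the answer are handled, and "authorized destination" is approximated by relay_domains alone.

```python
import ipaddress

# Constructed main.cf fragments (assumed, not the post's own files). The
# first mirrors the Postfix default relay policy; the second is the answer's
# fix with permit_mynetworks removed from smtpd_relay_restrictions.
DEFAULT_CONF = """\
mynetworks = 127.0.0.0/8 198.51.100.0/24 [::1]/128
relay_domains = example.com
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
"""

HARDENED_CONF = """\
mynetworks = 127.0.0.0/8 198.51.100.0/24 [::1]/128
relay_domains = example.com
smtpd_relay_restrictions = permit_sasl_authenticated, defer_unauth_destination
"""


def parse_main_cf(text):
    """Parse 'name = value' lines of a main.cf fragment into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        conf[name.strip()] = value.strip()
    return conf


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return value.replace(",", " ").split()


def parse_networks(value):
    """Turn a mynetworks value into ip_network objects; Postfix writes IPv6
    prefixes as [addr]/len, so the brackets are stripped first."""
    nets = []
    for token in split_list(value):
        token = token.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def client_in_mynetworks(client_ip, nets):
    ip = ipaddress.ip_address(client_ip)
    # 'in' is False for a version mismatch (IPv4 address vs IPv6 network)
    return any(ip in net for net in nets)


def authorized_destination(rcpt_domain, conf):
    """Simplified: a destination is authorized when its domain is, or is a
    subdomain of, an entry in relay_domains. Real Postfix also accepts
    $mydestination, $virtual_alias_domains, $virtual_mailbox_domains and
    the addresses in $inet_interfaces here."""
    domains = split_list(conf.get("relay_domains", ""))
    return any(rcpt_domain == d or rcpt_domain.endswith("." + d) for d in domains)


def relay_decision(conf, client_ip, rcpt_domain, sasl_authenticated=False):
    """Walk smtpd_relay_restrictions left to right, as smtpd does, and
    return the first restriction that produces a decision. Only the
    restrictions from the default list (plus reject_unauth_destination) are
    modelled; an empty list, or reaching its end, means PERMIT."""
    nets = parse_networks(conf.get("mynetworks", ""))
    for restriction in split_list(conf.get("smtpd_relay_restrictions", "")):
        if restriction == "permit_mynetworks" and client_in_mynetworks(client_ip, nets):
            return "PERMIT permit_mynetworks"
        if restriction == "permit_sasl_authenticated" and sasl_authenticated:
            return "PERMIT permit_sasl_authenticated"
        if restriction in ("defer_unauth_destination", "reject_unauth_destination"):
            if authorized_destination(rcpt_domain, conf):
                return "PERMIT authorized destination"
            verdict = "DEFER " if restriction.startswith("defer") else "REJECT "
            return verdict + restriction
    return "PERMIT end of list"


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_main_cf(text)
        # localhost trying to use the MX as an outbound relay
        print(label, "127.0.0.1 -> elsewhere.test:",
              relay_decision(conf, "127.0.0.1", "elsewhere.test"))
        # an arbitrary Internet host delivering inbound mail for a hosted domain
        print(label, "203.0.113.5 -> example.com:",
              relay_decision(conf, "203.0.113.5", "example.com"))
```

With the default list, a client on 127.0.0.1 is permitted to relay to any domain; with permit_mynetworks removed, the same client is deferred for elsewhere.test while inbound mail for example.com from any address is still accepted. Note that this only governs SMTP clients: mail handed to the local sendmail(1) command enters through pickup(8), not smtpd(8), so it is not subject to smtpd_relay_restrictions at all.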

The first and the easiest method:

Create iptables rule that will block all outgoing emails. Example:

iptables -A OUTPUT -p tcp --dport 25 -j DROP

But you need to drop all outbound traffic too. You can do this with the default policy:

iptables -P OUTPUT DROP

Or (better) set the default policy to accept all and put a drop rule at the end of the chain. And you need to accept all established and related traffic. A bunch of rules will look something like this:

iptables -P OUTPUT ACCEPT

iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j DROP
iptables -A OUTPUT -s <type_host_ip> -j DROP

This is only a part of the rule set!!! You need to allow all outbound IMAP and POP3 traffic and other such as SSH!!!

The second method:

Create transport map:

> /etc/postfix/transport

Add the following into this file:

your_domain :
* local:some_local_user

One line per domain.

In /etc/aliases add this string:

some_local_user:  /dev/null

In main.cf:

luser_relay = some_local_user@your_domain.tld
transport_maps = hash:/etc/postfix/transport
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

Run one by one:

postmap /etc/postfix/transport
newaliases
service postfix reload

You can use REJECT action map to send back to users reject message.

Replace transport map with:

your_domain :
* error:not allowed!

Egor Vasilyev
  • Not sure if I understand what place some_local_user@your_domain.tld has in this. – dhojgaard Oct 09 '17 at 12:26
  • Not sure I understand anything of this. This means that all mail going to this server will end up in /dev/null.. I need to be able to accept mail.. Just not send mail outbound – dhojgaard Oct 09 '17 at 12:32
  • some_local_user@your_domain.tld - it is any local user at your server. All emails that were sent to this user will be sent to /dev/null. Only outbound emails will be sent to /dev/null, not incoming. You can test this configuration and revert to the previous state if something goes wrong – Egor Vasilyev Oct 09 '17 at 12:34
  • Can I not let the sender have a REJECT message? – dhojgaard Oct 09 '17 at 12:39
  • @dhojgaard, see above. I edited the answer – Egor Vasilyev Oct 09 '17 at 13:08
  • This server should only be an MX.. I will have Dovecot separated so I need to be able to deliver to the Dovecot server on port 25.. so blocking port 25 outbound is not a possibility – dhojgaard Oct 09 '17 at 13:11
  • Using reject in transport_map I will not be able to relay the mail to my Dovecot server. – dhojgaard Oct 09 '17 at 13:16
  • You can create a single rule to allow sending traffic on port 25 to the Dovecot server and place this rule before. For example: `iptables -A OUTPUT -d -s -p tcp -j ACCEPT` I offer only a general solution because I don't know your infrastructure. You can test this solution but I don't guarantee that it will work properly. You need to adapt these solutions to your situation – Egor Vasilyev Oct 09 '17 at 13:23
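The transport-map approach above, and the follow-up concern about still relaying to the Dovecot host, can be checked offline. The following is an added example (not the answer's files and not Postfix code) that parses constructed transport(5) and aliases(5) tables and performs the transport lookup in the documented search order: user@domain, domain, parent domains in the leading-dot form, then the `*` wildcard. The hostname mailstore.example.internal and the domain example.com are assumed sample values; the point it demonstrates is that a domain listed before the wildcard keeps its own route while everything else hits the blackhole or the error transport.

```python
# Constructed Postfix tables (assumed examples, not the answer's literal
# files). BLACKHOLE_MAP is the answer's first form: anything that is not a
# hosted domain goes to a local user whose alias points at /dev/null.
# REJECT_MAP is its second form: the wildcard uses the error transport so
# the sender receives a bounce, and the hosted domain gets an explicit smtp
# transport to an assumed internal mail store, which is how a listed domain
# still relays while '*' catches the rest.
BLACKHOLE_MAP = """\
# pattern          transport:nexthop
example.com        :
.example.com       :
*                  local:some_local_user
"""

REJECT_MAP = """\
example.com        smtp:[mailstore.example.internal]
.example.com       smtp:[mailstore.example.internal]
*                  error:not allowed!
"""

ALIASES = """\
postmaster:        root
some_local_user:   /dev/null
"""


def parse_transport(text):
    """transport(5) format: pattern, whitespace, result. The result may be
    empty or just ':' meaning 'do not change transport or next-hop'."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        table[parts[0].lower()] = value
    return table


def parse_aliases(text):
    """aliases(5) format: name ':' value."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, _, value = line.partition(":")
        table[name.strip().lower()] = value.strip()
    return table


def lookup_transport(recipient, table):
    """Search order with the default parent_domain_matches_subdomains (which
    does not list transport_maps): user@domain, domain, each parent domain
    written with a leading dot, then the '*' wildcard. Returns '' if nothing
    matches, which Postfix treats like an empty result (default routing)."""
    recipient = recipient.lower()
    _, _, domain = recipient.rpartition("@")
    candidates = [recipient, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidates.append("." + ".".join(labels[i:]))
    candidates.append("*")
    for key in candidates:
        if key in table:
            return table[key]
    return ""


def route(recipient, transport_table, aliases):
    """Return (transport, destination): 'default' when the table leaves
    routing unchanged, the alias target for the local transport (so the
    /dev/null blackhole becomes visible), the error text for error:."""
    transport, _, nexthop = lookup_transport(recipient, transport_table).partition(":")
    nexthop = nexthop.strip()
    if transport == "":
        return ("default", nexthop)
    if transport == "local":
        return ("local", aliases.get(nexthop.lower(), nexthop))
    return (transport, nexthop)


if __name__ == "__main__":
    aliases = parse_aliases(ALIASES)
    for name, text in (("blackhole", BLACKHOLE_MAP), ("reject", REJECT_MAP)):
        table = parse_transport(text)
        for rcpt in ("alice@example.com", "bob@mail.example.com", "victim@elsewhere.test"):
            print(name, rcpt, "->", route(rcpt, table, aliases))
```

Because the exact-domain and .domain entries are consulted before `*`, mail for example.com and its subdomains is routed to the configured smtp next-hop (or left to default delivery in the first table), and only unlisted domains are swallowed by the some_local_user alias or rejected by the error transport. Every domain the MX must deliver onward, including the hop to the Dovecot host, therefore needs its own entry above the wildcard.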