Good day to you all. Today, I was setting up Postfix on my CentOS 7 VPS.

What I want

I would like my server/Postfix to act according to the following rules:

  1. Everyone on the planet should be able to mail foo@server.com

  2. Postfix must forward this mail to bar@externalmail.com

  3. Nothing else may get sent to any domain

For simplicity, I call my domain server.com.

What I have

Right now, I can send mails to foo@server.com, which do get forwarded to bar@externalmail.com (tested via telnet like this). All DNS records are set correctly, SSL certificates are working well.

My problem

I noticed I can send mails to any domains I want by connecting through telnet.

Sadly, spambots noticed this too, as I got a number of unknown connections, according to my /var/log/maillog. I checked some IP addresses via an online blacklist checker and all were blacklisted.

I am experienced (enough) in Linux systems, but very new to setting up Postfix servers according to my wishes. Right now, I just blocked port 25 in ufw to stop the bots, until the problem is solved.

Question

How can one set up Postfix to forward only mails with specific receivers (foo@server.com) to specific forward addresses (bar@externalmail.com)?

Secondly, how can one block IP addresses which are blocked on lists such as Spamhaus and CBL?

Configs

Here is my /etc/postfix/main.cf (adapted to question, excluding comments):

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
     ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
###################################
# My stuff
###################################
# Host and site name.
myhostname = server.com
mydomain = server.com
myorigin = server.com
# Virtual aliases.
virtual_alias_domains = server.com
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/server.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/server.com/privkey.pem
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_cert_file = /etc/letsencrypt/live/server.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/server.com/privkey.pem

And here is my /etc/postfix/master.cf:

smtp      inet  n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

The last file which I think could be important is /etc/postfix/virtual:

foo@server.com bar@externalmail.com

A last word

The configs I have are all assembled from whatever I could find on the internet that I thought was useful to achieve what I want Postfix to do. I am very new to this Postfix-setup world, and must say it is one tough nut to crack. If you find anything wrong in my configs, please post a comment!

Edit

Today, I configured Postfix with some restrictions. These restrictions seem to fix my problem and enforce the behaviour I want. Here are the new relevant parts in /etc/postfix/main.cf:

###################################
smtpd_client_restrictions =
    reject_invalid_hostname,
    reject_rbl_client zen.spamhaus.org,
    reject_unknown_client

###################################
smtpd_helo_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_unknown_hostname

###################################
smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_address,
    reject_unknown_reverse_client_hostname,
    reject_unknown_client_hostname

###################################
smtpd_recipient_restrictions =  
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination

After finding more information about blocking, I created a new configuration. This one is made to block all unknown[ipv4] connections from sending mail.

Also, it blocks attempts to send mail outside my domain, server.com.

I tested with the mxtoolbox open relay tool to see if it works, and it did.

1 Answer

For relay control, use smtpd_relay_restrictions, such as:

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Use smtpd_recipient_restrictions for spam control, for example:

smtpd_recipient_restrictions = reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_non_fqdn_recipient, reject_rbl_client zen.spamhaus.org

Required reading:

http://www.postfix.org/SMTPD_ACCESS_README.html

http://www.postfix.org/postconf.5.html

Bangaio
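
The following Python script is an added example, not code from the question or the answer. It audits maillog lines for outbound deliveries other than the one forward the question permits (foo@server.com to bar@externalmail.com), which shows whether the server relayed mail while it was open; the log lines are constructed, and the names audit_relaying and ALLOWED are assumptions.

```python
import re

# Assumption: the only permitted outbound delivery is the forward from the question.
ALLOWED = {("foo@server.com", "bar@externalmail.com")}  # (orig_to, to)

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=(\S+)")
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: ([0-9A-Za-z]+): to=<([^>]*)>,"
    r"(?: orig_to=<([^>]*)>,)? relay=(\S+?),.*?status=(\w+)"
)

# Constructed sample in /var/log/maillog format (documentation addresses only).
SAMPLE_LOG = """\
Mar  3 10:01:13 server postfix/smtpd[2101]: 4A1B22C0D1: client=unknown[203.0.113.45]
Mar  3 10:01:14 server postfix/smtp[2107]: 4A1B22C0D1: to=<victim@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.2, delays=0.3/0/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  3 10:05:40 server postfix/smtpd[2110]: 7C3D44E0F2: client=mail.example.org[198.51.100.20]
Mar  3 10:05:41 server postfix/smtp[2112]: 7C3D44E0F2: to=<bar@externalmail.com>, orig_to=<foo@server.com>, relay=mx.externalmail.com[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  3 10:09:02 server postfix/smtpd[2120]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<a@example.com> to=<victim@example.net> proto=ESMTP helo=<mail.example.com>
""".splitlines()


def audit_relaying(lines, allowed=ALLOWED):
    """Return outbound smtp deliveries that are not the permitted forward."""
    clients = {}   # queue ID -> client that submitted the message
    findings = []
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            clients[m.group(1)] = m.group(2)
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue  # rejects (NOQUEUE) and other lines are not deliveries
        qid, rcpt, orig_to, relay, status = m.groups()
        if ((orig_to or "").lower(), rcpt.lower()) in allowed:
            continue
        findings.append({"queue_id": qid, "client": clients.get(qid, "not in log"),
                         "to": rcpt, "relay": relay, "status": status})
    return findings


if __name__ == "__main__":
    for finding in audit_relaying(SAMPLE_LOG):
        print(finding)
```

A finding with status deferred or bounced still means the message was accepted for relaying, so those are reported as well as sent ones.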