
I have configured my Postfix so that users on my server send mail through port 587, and port 25 is only used to receive mail from mail servers.

I am successful to the extent that, on connecting to port 25, mail is not allowed outside the mail server and is rejected with "relay access denied", whereas on port 587 the clients are able to send mail to outside mail servers.

To achieve this I have set in my main.cf:

smtpd_recipient_restrictions=permit_mynetworks, reject_unauth_destination

That is, I removed permit_sasl_authenticated.

If I add this condition, mail is allowed to be sent outside the network, and if I remove the condition, anyone can connect to port 25 and, since there is no authentication, can send any number of mails to local recipients.

What is the way that I can use SASL authentication on port 25, yet prevent it from relaying mail outside my network?

Settings in main.cf:

smtpd_recipient_restrictions=
    reject_unauth_pipelining,permit_mynetworks,reject_unauth_destination,
    reject_invalid_hostname,reject_non_fqdn_hostname,reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,reject_unauth_destination,
    check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf,
    reject_non_fqdn_sender,reject_unknown_sender_domain,reject_unknown_recipient_domain,
    reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client ix.dnsbl.manitu.net,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,permit

Settings in master.cf:

submission inet  n       -       -       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
mgorven
Joshi
  • So you're saying that incoming mail on port 25 works properly. Why do you believe this is a problem? That's what is supposed to happen. – Michael Hampton Mar 06 '13 at 10:07
  • [The answer to a question about opening Port 25, but disabling relay](https://serverfault.com/a/938262/50236) may help guide you. – palswim Nov 08 '18 at 05:10

1 Answer


In master.cf you can add restrictions per port. Have a look at the bottom of the master.cf file; you will see something like this:

#submission inet n - n - - smtpd
or
#587 inet n - n - - smtpd

You will want to uncomment it, then add (something like this; read up on what each value does):

submission inet n - n - - smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
(here there are a lot of options you can add)

Basically, the -o means override what is found in main.cf for that port. So you can set up main.cf to accept mail how you want on port 25, then set up port 587 (submission) to only allow SASL auth or whatever.

You want to allow anyone (within reason) to send mail to you on port 25, but allow no relaying through that port. That's what reject_unauth_destination does.

NickW
  • That's exactly what I did: submission inet n - - - - smtpd. At the same time, I don't want anyone to connect to the server without authentication except the mail server. If I remove the clause "permit_sasl_authenticated" in main.cf, relay is closed, but anyone can send spam, becoming the sender on my own server, to the local recipients. My question is: while keeping SASL authentication on in main.cf, can I still prevent relay for mail on port 25? I am modifying my question to post the actual settings of my main.cf and master.cf. – Joshi Mar 06 '13 at 19:00
  • Quote: "you want to allow anyone (within reason)". No; within reason, I also want the users to authenticate. But once I turn on authentication, the relay becomes open, which I don't want. – Joshi Mar 06 '13 at 22:15
  • You're confused about what relaying is. Relaying is accepting an email to send to another domain NOT hosted on your server. People being able to send email to your users is the entire idea of hosting a mail server; you put things like DKIM, greylisting, blacklists and SpamAssassin in place to reduce the amount of "spam" you receive. – NickW Mar 07 '13 at 09:28
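
Added example (not part of the original thread and not Postfix code): a small Python model of the per-service `-o` override the answer describes, which computes each smtpd service's effective `smtpd_recipient_restrictions` and walks them first-match for a client outside mynetworks mailing a remote domain. The sample configs are constructed from the question's settings, the function names are hypothetical, and only `smtpd_recipient_restrictions` and `smtpd_sasl_auth_enable` are modelled.

```python
# Constructed sample input, shortened from the settings quoted in the question.
MAIN_CF = """\
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, permit
"""
MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Drop blank and comment lines; fold indented lines into the previous one."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def effective_settings(main_text, master_text):
    """Per smtpd service: main.cf values with that service's -o overrides applied."""
    base = {k.strip(): v.strip() for k, v in
            (line.split("=", 1) for line in logical_lines(main_text))}
    services = {}
    for fields in map(str.split, logical_lines(master_text)):
        if fields[7] != "smtpd":  # 8th column is the command to run
            continue
        conf = dict(base)
        conf.update(v.split("=", 1) for f, v in zip(fields[8:], fields[9:]) if f == "-o")
        services[fields[0]] = conf
    return services

def relay_verdict(conf, authenticated):
    """First-match walk for a client outside mynetworks mailing a remote domain.
    Restrictions not modelled here (RBLs, access maps) count as no decision."""
    sasl = conf.get("smtpd_sasl_auth_enable", "no") == "yes"
    for rule in conf["smtpd_recipient_restrictions"].replace(",", " ").split():
        if rule == "permit_sasl_authenticated" and sasl and authenticated:
            return "permit"
        if rule in ("reject", "reject_unauth_destination", "permit"):
            return "permit" if rule == "permit" else "reject"
    return "no decision"
```

Calling `relay_verdict(effective_settings(MAIN_CF, MASTER_CF)["smtp"], True)` returns `"reject"`, while the same call for `"submission"` returns `"permit"`: relaying is decided by each service's own restriction list, so authenticated relay stays confined to port 587.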