
I just set up a mail server with postfix 2.6.6 and dovecot.

I have the auth related config in main.cf like below:

```
smtpd_tls_cert_file=/etc/httpd/ssl/mail.crt
smtpd_tls_key_file=/etc/httpd/ssl/mail.key
smtpd_use_tls=yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
```

Now I can send and receive emails from my domain and outside normally, which is good.

However, I found that I can easily send a mail without auth from remote using telnet like below, which means someone else could easily send spam mails to my domain.

```
Myhost:~/ z$ telnet mail.example.com 25
Trying 232.96.23.130...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
ehlo mail.example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:frodo@gmail.com
250 2.1.0 Ok
rcpt to: sam@example.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject:how much dust?
fdhjaklf
fdsahjk;
fdajshk
.

250 2.0.0 Ok: queued as 08B2C5883481
```

How can I secure postfix and prevent someone else from sending mails without authentication?

rubo77
Young Zhou
  • I have the same problem and maybe found a solution: https://serverfault.com/questions/1019373/block-your-own-domain-in-postfix-sending-mails-via-telnet-helo – rubo77 May 30 '20 at 23:31

1 Answer


Usually a mail server has two purposes:

  1. Allowing its users to send mail out to other mail servers on the internet. This part you have done just as you should.
  2. Receiving mails for the users whose domains it is supposed to serve.

If you only want your server to be used to send outgoing mails, but not to receive incoming mails, you need to change the `mydestination` parameter in your `main.cf` and remove `$mydomain` from it. That way it will not accept any emails addressed to your domains. There is more information at the postfix documentation site.

Note, however, that this means that you must have some other email server set up to accept incoming mails to your domains. Otherwise all your incoming mail will be bounced.

Jenny D
  • I'm glad I was able to help! – Jenny D Apr 07 '14 at 07:59
  • And how do you solve the issue, if you have incoming and outgoing mail on the same server? – rubo77 May 30 '20 at 09:30
  • @rubo77 If you do want incoming and outgoing mail on the same server, then having the server accept emails to the domain is generally not considered a problem. – Jenny D Jun 01 '20 at 07:56
  • Sure this is a problem, if it is accepted without password **from any IP**. Anyone can send spam from that email to those emails if it stays configured like this. – rubo77 Jun 01 '20 at 08:08
  • Maybe we find a solution here: [block-your-own-domain-in-postfix-sending-mails-via-telnet-helo](https://serverfault.com/questions/1019373) – rubo77 Jun 01 '20 at 08:10
  • The term "incoming mail" generally refers to mail sent from hosts outside of your organisation to recipients within your domain. If that's what you mean, then allowing people to send mails *to* your domain without a password is a requirement for it to work. However, there are many ways to reduce the amount of spam coming into your system, such as blocklists, filters etc. You could start by searching for the keyword "spam" on this site. – Jenny D Jun 02 '20 at 09:18
  • There still is a real security problem: anyone can send a mail via telnet with a "from" email that is your domain within your server to any mail address with a domain that is on your server. This is more severe than just "spam" – rubo77 Jun 02 '20 at 10:01
  • @rubo77 Yes, and there are ways to handle that too. Again, search on the site, or read the documentation for the software you're using - it's going to be more useful than commenting on an answer to an entirely different question. – Jenny D Jun 03 '20 at 12:11
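
Why the telnet session in the question was accepted, and what the answer's `mydestination` change alters, shown with a simplified Python model of how the question's `smtpd_recipient_restrictions` list is evaluated. This is an added example, not code from the posts or from Postfix; `rcpt_decision`, `local_domains`, the loopback-only `mynetworks` default and the client address 198.51.100.7 are assumptions made for illustration.

```python
import ipaddress

# The restriction list from the question's main.cf, in evaluation order.
RESTRICTIONS = ["permit_sasl_authenticated", "permit_mynetworks",
                "reject_unauth_destination"]

def rcpt_decision(client_ip, sasl_authenticated, rcpt, local_domains,
                  mynetworks=("127.0.0.0/8",)):
    """Simplified model of how smtpd_recipient_restrictions is evaluated.

    Each restriction answers permit, reject or "no opinion"; the first
    definite answer wins, and reaching the end of the list means permit.
    local_domains stands in for the domains Postfix is final destination
    or relay for (mydestination, relay_domains, ...).
    """
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for rule in RESTRICTIONS:
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return "permit (authenticated)"
        if rule == "permit_mynetworks" and any(
                ip in ipaddress.ip_network(n) for n in mynetworks):
            return "permit (mynetworks)"
        if rule == "reject_unauth_destination" and domain not in local_domains:
            return "reject (relay access denied)"
    return "permit (end of list)"

# Constructed sample values: 198.51.100.7 is a documentation address standing
# in for an arbitrary remote client; example.com is the page's own domain.
REMOTE = "198.51.100.7"
HOSTED = {"example.com"}

if __name__ == "__main__":
    cases = [
        ("telnet session from the question", REMOTE, False, "sam@example.com", HOSTED),
        ("same client, outside recipient", REMOTE, False, "frodo@gmail.com", HOSTED),
        ("authenticated user, outside recipient", REMOTE, True, "frodo@gmail.com", HOSTED),
        ("after removing $mydomain", REMOTE, False, "sam@example.com", set()),
    ]
    for label, ip, auth, rcpt, domains in cases:
        print(f"{label:40} -> {rcpt_decision(ip, auth, rcpt, domains)}")
```

The first case is permitted only because the recipient domain is one the server hosts; the same unauthenticated client is refused as soon as the recipient is outside, so the configuration is not an open relay.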