The following snippet has been added to the main.cf file of Postfix:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_security_options = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

I am a bit confused why there is sometimes "smtp" and sometimes "smtpd" in the parameters above, but I guess the current names are correct.

Why is it possible to connect to SMTP without AUTH although I specified the parameters above, and they should force the SMTP client to AUTH?

I would like to reject anonymous connections.

luky

3 Answers

3

OK, it seems I also have to add this:

smtpd_delay_reject = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject

as stated here: http://www.postfix.org/postconf.5.html under smtpd_sasl_auth_enable

luky
  • That's the key, reject all unauthenticated attempts to deliver mail to Postfix :) – alphamikevictor May 13 '15 at 16:57
  • Uff.. you are right, delivering from outside now doesn't work. I thought this setting is for SMTP (send mail server), so why does it affect incoming mail.. how should I manage it? – luky May 13 '15 at 17:10
0

Standalone Postfix does not have SASL capabilities; you must install Cyrus or Dovecot.

Take a look at the official Postfix documentation.

http://www.postfix.org/SASL_README.html#server_sasl

mvillar
  • Hmm, OK... but anyway, I blocked anonymous use of SMTP; now it rejects after the SMTP command "rcpt to:" (although I would expect it to need auth after the "ehlo" command); before, it worked... and webmail works, so I achieved my goal, it seems. And I don't even need to specify the SASL password from the map file anywhere; webmail is able to connect as before... probably because it uses a local connection. – luky May 13 '15 at 16:53
0

OK, so I see it is nonsense to completely block SMTP for auth only, because then the mail server cannot even receive mails.

SMTP must remain open for anonymous users and allow them to send mails to local mailboxes, if I am right.

Of course it is good if it blocks sending emails to other domains (for anonymous connections), but that should be the default configuration.

luky
  • You should edit this into your earlier answer, and delete this one: answering your own question **twice** isn't good practice. – MadHatter May 14 '15 at 08:37
  • You can [always edit](http://serverfault.com/posts/691800/edit) your earlier [answer](http://serverfault.com/a/691800/218590). No need to create a new answer.
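
The points raised across this thread (a parameter assigned twice, `smtp_` versus `smtpd_`, and a blanket `reject` that also stops inbound delivery) can be checked mechanically. The following is an added example, not part of any post above: the function names `items`, `parse_main_cf` and `audit` are hypothetical, and the sample config is constructed from the lines quoted on this page.

```python
import re
# Constructed sample: the question's main.cf lines plus the two from the first answer.
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_security_options = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_delay_reject = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject
"""
# Values postconf(5) documents for smtpd_sasl_security_options.
SASL_OPTS = {"noanonymous", "noplaintext", "noactive", "nodictionary", "forward_secrecy", "mutual_auth"}

def items(value):
    """Split a comma- or whitespace-separated main.cf value into its elements."""
    return [x for x in re.split(r"[,\s]+", value) if x]

def parse_main_cf(text):
    """Map each parameter to its values in file order; indented lines continue the previous one."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    params = {}
    for name, sep, value in (l.partition("=") for l in logical):
        if sep:
            params.setdefault(name.strip(), []).append(value.strip())
    return params

def audit(text):
    """Return (parameter, finding) pairs for the mistakes discussed on this page."""
    params, out = parse_main_cf(text), []
    for name, values in params.items():
        if len(values) > 1:
            out.append((name, f"set {len(values)} times; only the last value is used"))
        if name.startswith("smtp_"):
            out.append((name, "smtp_* configures Postfix as a client, not the smtpd server"))
    last = {k: v[-1] for k, v in params.items()}  # the value Postfix actually uses
    bad = sorted(set(items(last.get("smtpd_sasl_security_options", ""))) - SASL_OPTS)
    if bad:
        out.append(("smtpd_sasl_security_options", f"access restrictions, not SASL options: {bad}"))
    if items(last.get("smtpd_client_restrictions", ""))[-1:] == ["reject"]:
        out.append(("smtpd_client_restrictions", "ends in reject: unauthenticated inbound mail is refused too"))
    return out

for name, msg in audit(MAIN_CF): print(f"{name}: {msg}")
```

On the sample, the third finding shows that the relay rules from the question never took effect as restrictions: they overwrote `noanonymous` in a parameter that only accepts SASL mechanism options.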