
I have a problem with my Postfix setup: it allows unauthenticated and non-existent users to send mail. Postfix is configured to use virtual mailboxes. This is what happens:

```
telnet hostname.com 25
Connected to hostname.com.
Escape character is '^]'.
220 hostname.com ESMTP Postfix (Debian/GNU)
ehlo server
250-hostname.com
250-PIPELINING
250-SIZE 52428800
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN CRAM-MD5 LOGIN
250-AUTH=PLAIN CRAM-MD5 LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
```

Sending mail

```
telnet hostname.com 25
Connected to hostname.com.
Escape character is '^]'.
220 hostname.com ESMTP Postfix (Debian/GNU)
mail from: nonexistinguser@virtual-domain.com
250 2.1.0 Ok
rcpt to: legit-user@virtual-domain.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
hi this is a mail from fake account
.
250 2.0.0 Ok: queued as BE73115761D
quit
221 2.0.0 Bye
Connection closed by foreign host.
```

Postfix config:

```
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

append_dot_mydomain = no

readme_directory = no

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_auth_only=no
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

myhostname = hostname.com
mydomain = hostname.com
myorigin=$mydomain

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

smtpd_sender_restrictions = permit_sasl_authenticated,
    reject_unauthenticated_sender_login_mismatch

smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_sender_domain
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client

virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
message_size_limit = 52428800
virtual_mailbox_limit = 0
```

The question is: how is it that I can send mail without authentication?

Stuka

1 Answer


Postfix will accept messages sent to local domains. They can be specified in a number of ways; one is the `mydestination` parameter in `main.cf`.

The mydestination parameter specifies what domains this machine will deliver locally, instead of forwarding to another machine.

If you try to send to a non-local domain using telnet, you will receive "Relay access denied" after issuing the `rcpt to` command.

Farhad Farahi
  • I am getting `/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_sasl_authenticated defer_unauth_destination`. Postfix version: 2.9.6 – Stuka Sep 11 '16 at 09:31
  • That's because of `smtpd_recipient_restrictions`. Anyway, are you trying to send from localhost? – Farhad Farahi Sep 11 '16 at 09:41
  • I have tried sending both from localhost and from a remote host. Neither requires sender authentication. – Stuka Sep 11 '16 at 21:22
  • I tested your exact main.cf config except for `smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth-client` and I got relay access denied. I suspect you have a problem in your dovecot config. You can update your `master.cf` to `smtp inet n - - - - smtpd -v` and check `mail.log` for errors. – Farhad Farahi Sep 12 '16 at 06:05
  • After much reading I found this interesting note here: [link](http://www.linuxmail.info/postfix-smtp-auth-dovecot-sasl/) `You can send to email addresses belonging to your domain without authentication. This is normal as it enables you to receive mail from the outside.` That is the problem. If I try to send a mail to some outside domain, I cannot do that without authentication. But the problem is that from time to time I get some spammer who uses my server to spam my own clients with gibberish usernames using my own domain. – Stuka Sep 12 '16 at 07:56
  • Yeah, that's the default behaviour, and you can modify the domains in the `mydestination` parameter in `main.cf`. – Farhad Farahi Sep 12 '16 at 08:05
  • Editing the answer in case we can help others. – Farhad Farahi Sep 12 '16 at 08:06
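
An added example (not part of the original question, answer or comments, and not Postfix's own tooling): a small Python audit of the sender-related lines from the posted `main.cf`. It applies two documented Postfix rules: a parameter defined twice keeps its last value, and the `reject_*_sender_login_mismatch` restrictions only act on sender addresses that `smtpd_sender_login_maps` assigns an owner to. The function names `parse_main_cf` and `audit` are hypothetical.

```python
import re

# Constructed sample: the sender-related lines from the main.cf in the question.
SAMPLE_MAIN_CF = """\
myorigin=$mydomain
myorigin = /etc/mailname
smtpd_sender_restrictions = permit_sasl_authenticated,
    reject_unauthenticated_sender_login_mismatch
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_sender_domain
"""

# The three restrictions that consult smtpd_sender_login_maps.
MISMATCH = {f"reject_{p}sender_login_mismatch"
            for p in ("", "authenticated_", "unauthenticated_")}


def parse_main_cf(text):
    """Return ({name: value}, [names defined more than once])."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                            # blank lines and comments
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()   # leading whitespace continues a line
        else:
            logical.append(line.strip())
    params, dupes = {}, []
    for entry in logical:
        name, _, value = entry.partition("=")
        name = name.strip()
        if name in params and name not in dupes:
            dupes.append(name)
        params[name] = value.strip()            # the last definition wins
    return params, dupes


def audit(text):
    """Return findings for overridden parameters and no-op sender checks."""
    params, dupes = parse_main_cf(text)
    findings = [f"{n} is set more than once; effective value: {params[n]}" for n in dupes]
    has_maps = bool(params.get("smtpd_sender_login_maps"))
    for name, value in params.items():
        if re.fullmatch(r"smtpd_\w+_restrictions", name):
            used = MISMATCH & set(re.split(r"[,\s]+", value))
            if used and not has_maps:
                findings.append(f"{name}: {', '.join(sorted(used))} has no effect "
                                "because smtpd_sender_login_maps is empty")
    return findings
```

Run against the posted configuration, `audit(SAMPLE_MAIN_CF)` reports the overridden `myorigin` and the ineffective sender restriction, which is consistent with the unauthenticated `mail from:` being accepted in the telnet session.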