Re: relaying and authentication

From: Steven King (skingkingrst.com)
Date: Sat May 24 2008 - 17:10:20 CDT


I require auth for everyone sending mail through the server for which the
destination domain is not handled by my server.

Since you have a mail gateway, in some circumstances you will want to
set up the mynetworks = variable so that Postfix will trust ("allow relay"
through) the hosts that you specify here, such as

mynetworks = localhost, x.x.x.x

This will allow you to create a list of hosts that are allowed to relay
through the server without requiring auth. As long as you set up the
mydestination variables correctly, if the mail coming from the rest of
the world is not destined for this machine, it will require
authentication before it will be relayed.

Noel Jones wrote:
> Thomas Schachtner wrote:
>> Well,
>> yes and no.
>>
>> It's true. I want to allow relaying for anybody who is successfully
>> logged on to the system.
>> But the clients can connect from anywhere. Most of them use dial-up
>> connections and have a different IP address on each connect.
>> So, the only way to make sure they are allowed to send is to have
>> them authenticated by user name and password.
>> In addition to that, not only relaying shall be restricted to
>> authenticated users. Also local mails (i. e. both sender domain and
>> recipient domain are hosted by my mail server) shall only be allowed
>> for authenticated users.
>>
>> But on the other hand, other SMTP servers shall be allowed to deliver
>> mails to my server. And once I activate authentication for all
>> connections, they cannot connect anymore...
>> The reason is clear: They don't have credentials for my server. (They
>> will never have... Virtually every SMTP server out in the world could
>> want to connect to my server and deliver mails - and it should be
>> allowed. So enabling SMTP auth for these servers does not make sense.
>> But for clients connecting to my server it does...)
>> But: How to distinguish between
>> - a mail server delivering a mail whose final destination is on my
>> server and
>> - a person logging in to my mail server and sending (spam) mails to
>> domains hosted by my server?
>>
>
> Yes, the age-old question of "how do I require my own user to
> authenticate, but not the whole world?"
>
> The best (but not perfect) solution is to offer AUTH (maybe only after
> TLS) only on the submission port 587 and not offer AUTH at all on the
> standard port 25.
> main.cf:
> smtpd_sasl_auth_enable = no
>
> master.cf:
> submission ... smtpd
> -o smtpd_sasl_auth_enable=yes
> # next line is optional to require TLS before AUTH
> -o smtpd_tls_auth_only=yes
> -o smtpd_client_restrictions=
> -o smtpd_helo_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> ... other stuff that should apply only to auth users ...
>
> This forces your users to configure their mail client to use 587 and
> AUTH if they want to be able to send mail to the rest of the world.
>
> You could also reject your own domain as sender on port 25, but that
> breaks some auto-responders, web invites, and such.
>
> If you're concerned about your own users spamming, you might also look
> at using policyd and/or amavisd-new + SpamAssassin + clamav
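As an added example (not code from this thread or from Postfix itself), a small audit script for the split Noel describes plus the mynetworks point Steven raises: AUTH off on port 25, AUTH only after TLS on the submission service with permit_sasl_authenticated,reject, and no world-wide mynetworks entry. The two configs embedded below are constructed samples, and the parsers are deliberately simplified (no line continuation or $variable expansion).

```python
import re

# Constructed sample config (not from the thread): AUTH disabled globally,
# enabled only on the submission service with TLS required first.
MAIN_CF = """\
mynetworks = 127.0.0.0/8, 192.0.2.10
mydestination = example.com, localhost
smtpd_sasl_auth_enable = no
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""

def parse_main(text):
    # main.cf: 'key = value' lines; blanks and comments are ignored
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            params[key.strip()] = val.strip()
    return params

def parse_master(text):
    # master.cf: {service: {override: value}} built from indented -o lines
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # a service definition line
            current = line.split()[0]
            services[current] = {}
        elif (m := re.match(r"\s*-o\s+([^=]+)=(.*)", line)) and current:
            services[current][m.group(1).strip()] = m.group(2).strip()
    return services

def audit(main_text, master_text):
    # Returns a list of findings; an empty list means the split is in place
    main, sub = parse_main(main_text), parse_master(master_text).get("submission", {})
    steps = [s.strip() for s in sub.get("smtpd_recipient_restrictions", "").split(",")]
    checks = [
        (main.get("smtpd_sasl_auth_enable", "no") == "no", "AUTH offered on port 25"),
        (sub.get("smtpd_sasl_auth_enable") == "yes", "submission does not enable AUTH"),
        (sub.get("smtpd_tls_auth_only") == "yes", "submission allows AUTH before TLS"),
        (steps[0] == "permit_sasl_authenticated" and steps[-1] == "reject",
         "submission restrictions are not permit_sasl_authenticated,reject"),
        (not any(n.endswith("/0") for n in re.split(r"[,\s]+", main.get("mynetworks", ""))),
         "mynetworks trusts the whole Internet"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run it against the output of `postconf -n` and your real master.cf to get the same checks on a live system.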