From: Magnus Bäck (magnusdsek.lth.se)
Date: Mon Mar 16 2009 - 00:48:21 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Monday, March 16, 2009 at 06:18 CET,
     Alberto Lepe <devalepe.com> wrote:

[...]

> I wanted to force the users to authenticate, in order to send mails, with:
>
> #smtpd_client_restrictions = permit_sasl_authenticated,reject
>
> But for some reason, when I use that line, and I send a mail from
> gmail to one of the test accounts, it is bounced with an "Client host
> rejected: Access denied" error.
> I thought it was only for those wishing to use the SMTP server for
> sending emails... but it is not... right?

Postfix doesn't know why the client is connecting. As far as it's
concerned, Gmail is also "sending" email. Postfix is doing exactly
what you're telling it to do -- permit authenticated clients and
rejecting the rest.

> So, what I don't understand about the restrictions is:
>
> If I don't include the "smtpd_client_restrictions =
> permit_sasl_authenticated,reject" line,
> anyone can use my SMTP to send emails without authentication if it is
> not rejected by other rules (e.g., reject_unlisted_sender, etc.)

Yes, but only to domains hosted by your Postfix. How would you otherwise
receive email from e.g. Gmail?

> Even with " smtpd_client_restrictions" rule, If I use that server as
> SMTP server, I can send an email to a local account:
> (testmyhostname.com) without authentication! (and outside
> mynetworks). Why is that possible?

No, that's incorrect. With

   smtpd_client_restrictions = permit_sasl_authenticated,reject

in main.cf only authenticated clients will be allowed to do anything.

Put the permit_sasl_authenticated stuff in smtpd_recipient_restrictions
instead, along with permit_mynetworks. Relay access control takes place
in smtpd_recipient_restrictions.

--
Magnus Bäck
magnusdsek.lth.se

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]