Ping a Specific Port

Question

shanet

Asked: 2012-03-05 00:46:23 +0800 CST2012-03-05 00:46:23 +0800 CST 2012-03-05 00:46:23 +0800 CST

Postfix: Allow unauthenticated incoming mail, but only authenticated outgoing mail?

772

I'm new to the world of mail server's and have been working on setting up my own via Postfix on Ubuntu 11.10. So far, I have SASL authentication working over TLS so that's good; I'm worrying about security now.

In short: I want Postfix to accept all unauthenticated incoming mail, but only allow authenticated outgoing mail. This also makes me wonder if I have STARTTLS and TLS support on ports 465 and 587, do I still need to listen on port 25? Will mail servers try to deliver mail on port 587 if 25 is closed?

But back to the allow unauthenticated incoming, but only authenticated outgoing, I tried adding

-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject

to the smtp line in my master.cf file, but then that blocks unauthenticated incoming mail. Is there a way to only allow incoming on port 25, and leave ports 465/587 for outgoing only?

I'm not sure what good it would do, but I can post the rest of my config if necessary. Any help is greatly appreciated since I'm new to all this and it's still confusing. Thank you!

2 Answers

Voted

Philip Couling · Answer 1 · 2012-03-05T04:51:47+08:00

Best Answer

Philip Couling

2012-03-05T04:51:47+08:002012-03-05T04:51:47+08:00

As you have understood that to apply options in master.cf to override options in main.cf on a per-port basis.

To achieve your goal you want to place the restriction as smtpd_recipient_restrictions rather than smtpd_client_restrictions. The key is to reject_unauth_destination instead of just reject:

mydestination = aardvark.com, acme.com 
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination

This prevents an unauthenticated client from sending to any domain you're not responsible for. In this context domains you're responsible for are more than just mydestination. See reject_unauth_destination in the manual.

4

user204566 · Answer 2 · 2014-01-07T22:35:47+08:00

user204566

2014-01-07T22:35:47+08:002014-01-07T22:35:47+08:00

I have been looking for hours to solve this and your answer is spot-on Couling.

For more information, this also works when using Plesk/CentOS (my situation). Especially when using Plesk the value permit_mynetworks is also added to the smtpd_recipient_restrictions variable by default, allowing all Plesk domains to send SMTP mail out without authentication.

See: http://forum.parallels.com/showthread.php?296391-Plesk-domains-can-submit-emails-through-unauthenticated-SMTP

Also added to main.cf for security reasons (for anyone interested;

smtpd_client_connection_count_limit = 20
smtpd_sasl_authenticated_header = yes
maximal_queue_lifetime = 1d

0

Postfix: Allow unauthenticated incoming mail, but only authenticated outgoing mail?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?