I'm testing a postfix installation. I noticed that if I try to send mail from a fictitious account on another domain that isn't mine ([email protected]), to one of my local users ([email protected]), the email still gets delivered to my user.
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
I'm not sure if this is normal behaviour or if it can cause problems. For example, I'm worried that users could use the server to send spoofed emails that aren't really originating from the email accounts they claim to be originating from.
P.S. I'm still in the early stages of learning postfix, so not sure if my question makes sense.
As per @DerfK's comment, I tested for an open relay (where both MAIL FROM and RCPT TO aren't hosted on this server), and this is what I get. For some reason it accepts the RCPT TO, then says goodbye AFTER I type the subject. So is this good or bad?
HELO test.mydomain.com
250 mail
MAIL FROM:<[email protected]>
250 2.1.0 Ok
RCPT TO:<[email protected]>
250 2.1.5 Ok
Subject: testing for open relay
221 2.7.0 Error: I can break rules, too. Goodbye.
Connection closed by foreign host.
You forgot DATA! I had exactly this problem. You have to send the DATA command, then the subject. That resolves your problem. It looks like this:
That is normal behaviour. Other SMTP servers connect to yours as SMTP clients to deliver mail to your domain.
To work around this spoofing problem, there are SPF and DKIM. You should check them out.
Concerning your first situation: it's normal for an SMTP server to accept mail for accounts it is responsible for, and basically that is how it's going to work. Just set up spam checking software like SpamAssassin (the most widely used free solution, supports SPF/DKIM checks).
Since your question likely arose at an early stage of mail server setup, here are some tips related to dealing with fictitious mail.
Normal users won't try to spoof their emails in most cases. More often this is the behavior of a spammer, which is why you can filter such mail based on its content. A more complex setup can include:
MAIL FROM: <>).
If we talk about postfix, it gives rather flexible abilities to restrict which mail is acceptable.
Concerning your update: the error message postfix gives you just states that you break SMTP specs (there is no Subject: SMTP command, see the SMTP RFC, but the Subject header you've likely meant is part of the message body, which must be supplied after the DATA SMTP command). From the transcript you've provided I can't reliably tell whether your postfix functions as an open relay because there is no information about the client who had that SMTP session.
With basic setup postfix, as far as I recall, allows relay of mail (meaning you can specify any email address, not only in the domain which postfix is responsible for) from:
So if you've telnetted to postfix from the server it runs on, that might be OK. If from anywhere on the Internet, then things are bad.
Also you might want to carefully read SMTPD Relay and access control to deepen your knowledge on exactly the topic of postfix relay access.
Hope this helps.
Postfix must accept mail from domains it is not responsible for. Otherwise you would have only local email.
An open relay accepts mail from domains it is not responsible for to addresses it is not responsible for. In the following table: Local represents domains the server is responsible for; Remote represents domains the server is not responsible for; and None represents an empty sender:
There are many ways to verify the Remote domain including: Callouts, SPF, DMARC, Whitelists and Blacklists. These all depend on DNS. Greylisting is a technique to ensure a real mail server is sending the mail rather than a spambot. Spam filters such as SpamAssassin use a combination of techniques to validate the mail, which usually includes scoring the above tests as well as content and headers.
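An added example, not part of the original answers and not Postfix's own code: a simplified model of the relay decision the answers describe, showing that the recipient domain and the connecting client decide the outcome while the unverified MAIL FROM does not. The domains, networks and function names are hypothetical, and the trusted-network list stands in for the server's configured trusted clients.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
LOCAL_DOMAINS = {"example.org"}                  # domains the server is responsible for
SAFE_NETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]  # localhost plus one internal range
WEAK_NETWORKS = ["0.0.0.0/0"]                    # misconfiguration: every client is trusted


def domain_of(address):
    """Lowercased domain of an envelope address; '' for the null sender <>."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def is_trusted(client_ip, networks):
    """True when the connecting client falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in networks)


def decide(client_ip, mail_from, rcpt_to, networks, authenticated=False):
    """Simplified decision for one RCPT TO: 'accept', 'relay' or 'reject'.

    mail_from is deliberately unused: the envelope sender is unverified
    client input, so it cannot authorize anything on its own.
    """
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "accept"  # inbound delivery to a local user, from any sender
    if authenticated or is_trusted(client_ip, networks):
        return "relay"   # outbound mail from a known client
    return "reject"      # remote client asking for a remote recipient


def is_open_relay(networks):
    """Probe the policy as an unknown Internet client with remote sender and recipient."""
    probe = decide("198.51.100.7", "a@remote.test", "b@other.test", networks)
    return probe != "reject"


if __name__ == "__main__":
    for label, nets in (("safe", SAFE_NETWORKS), ("weak", WEAK_NETWORKS)):
        print(label, "open relay:", is_open_relay(nets))
```
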