Here is the problem: From any IP address not belonging to your mail server:
telnet me.myemailserver.com 25
helo me.someserver.com
mail from: <[email protected]>
rcpt to: <[email protected]>
data
This is spam. Buy my stuff.
.
I'm using Postfix. I'm having a problem finding a solution to requiring SMTP-AUTH for email claiming to be from mydomain.com.
Googling around, this guy has identified the same problem (I cut-n-pasted the above example, with some modifications, from here): http://www.smartertools.com/forums/t/13182.aspx
This link http://marc.info/?l=postfix-users&m=122814832915131&w=2 gets close to a solution but it has a side effect of requiring SMTP-AUTH for mail not from mydomain.com. For mail not claiming to be from mydomain.com, I would do the usual RBL and Spam filtering.
In short, I want to reject mail to local domains (mydomain.com) from outside/unauthenticated clients claiming to be from local domains (mydomain.com).
This is what I tried: I've tried both permit and reject as the default. Here is an exact excerpt from my main.cf:
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    permit_sasl_authenticated,
    check_recipient_access pgsql:/etc/postfix/pgsql-recipient.cf,
    reject_unauthenticated_sender_login_mismatch,
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_sender_access pgsql:/etc/postfix/pgsql-sender.cf,
    reject_unlisted_sender,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client blackholes.wirehub.net,
    reject_rbl_client relays.mail-abuse.org,
    reject_rbl_client dialups.mail-abuse.org,
    reject_rbl_client blackholes.mail-abuse.org,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    (reject and permit both tried here)
I would try something like this:
/etc/postfix/main.cf:
/etc/postfix/access_table:
The theory is this:
If they've authenticated already, they trigger the permit_sasl_authenticated rule and are allowed through. If they're not authenticated, it bumps along to the check_sender_access rule. If the sender domain matches "mydomain.com" the sender is rejected. (So unauthed + MAIL FROM "mydomain.com" = reject.) If it's any other domain, it continues on to the rest of your rules.
NOTE: This is untested. I would stick a warn_if_reject in front of that check_sender_access rule before trying it on a production system.

On one server, where I have Postfix with Dovecot with auth data in MySQL, I did the following in main.cf:
You can use SPF to avoid this problem. It checks whether the IP that is trying to send email using your domain is authorized to do so. Here is a good guide you can follow:
https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/
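As an added example, not code from any of the answers above or from the linked guide, here is one main.cf fragment that puts the two approaches together: the permit_sasl_authenticated / check_sender_access ordering the first answer describes, followed by the SPF policy check the last answer recommends, plus the access table, master.cf service and DNS record they depend on. Everything named here is an assumption: the local domain mydomain.com, a Debian-style install of postfix-policyd-spf-python, the file name local_sender_access, and the placeholder outbound address 203.0.113.10.

```conf
# --- /etc/postfix/main.cf (fragment) ---
# Added example, not from the answers above. Assumes the local domain is
# mydomain.com and that SASL auth already works for your own clients.
# Postfix evaluates the list left to right and stops at the first OK or
# REJECT; a DUNNO result falls through to the next restriction.
smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    # Authenticated clients are permitted here and never reach the
    # sender check, so they may legitimately use a mydomain.com sender.
    permit_sasl_authenticated,
    # Unauthenticated clients claiming a local sender domain are rejected.
    # Other sender domains are not in the table (DUNNO) and continue down
    # the list to the relay, SPF and RBL checks.
    check_sender_access hash:/etc/postfix/local_sender_access,
    reject_unauth_destination,
    # SPF policy daemon (postfix-policyd-spf-python): rejects clients that
    # the sender domain's published SPF record does not authorise.
    check_policy_service unix:private/policyd-spf,
    reject_unknown_sender_domain,
    reject_rbl_client zen.spamhaus.org

# The policy daemon is long-running; give it a generous time limit.
policyd-spf_time_limit = 3600

# --- /etc/postfix/local_sender_access ---
# Build the .db with:  postmap /etc/postfix/local_sender_access
# A bare domain key matches user@mydomain.com and, by default, subdomains
# too (parent_domain_matches_subdomains includes smtpd_access_maps).
# Only ever return REJECT from this table, never OK: OK would end the
# restriction list early, before reject_unauth_destination.
mydomain.com    REJECT Unauthenticated mail from mydomain.com is not accepted; use SMTP AUTH on port 587

# --- /etc/postfix/master.cf (one added service) ---
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

# --- DNS: TXT record for mydomain.com (203.0.113.10 is a placeholder) ---
# mx = every host in mydomain.com's MX set; -all = any other source fails.
mydomain.com.   IN  TXT  "v=spf1 mx ip4:203.0.113.10 -all"
```

Try it first as warn_if_reject check_sender_access hash:/etc/postfix/local_sender_access, as the first answer suggests; Postfix then logs a reject_warning instead of refusing the message, so you can confirm from the mail log that only the unauthenticated mydomain.com senders would have been hit. If you rely on permit_mynetworks for internal relays, it has to sit in front of check_sender_access, but note that it then also lets those hosts send as mydomain.com without authenticating. Both checks look only at the envelope MAIL FROM: a forger that sends with an empty or foreign envelope sender and a mydomain.com From: header gets past them, which is what DMARC (or a header_checks rule) is for. Finally, publishing -all affects your own outbound mail as well, so every host that legitimately sends as mydomain.com must be covered by the record or remote sites will reject it the same way you now reject forgeries.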