Hi again, a couple more questions please!

1) Is there a way to configure postfix so that it'll only accept outgoing mail from a certain IP address/range (still allowing incoming email from anywhere)? Or (even better) configure it so that it will never send outgoing email from SMTP requests on port 25, only over SSL, and have the postfix SSL listener only on a lan interface?

2) I ran a mail relay checker on my server and got the following results.. anything I should be worried about?

requires HELO    NO
allows VRFY username verification    NO
allows EXPN forwarding expansion    NO
allows bogus From: header    YES
allows simple mail relaying    NO
may allow UUCP mail relaying    NO
allows other mail relaying    NO
can mail to postmaster    NO
can mail to webmaster    NO
can mail to abuse (RFC 2142)    NO

Thanks

Dave

Look into the "mynetworks" or "mynetworks_style" settings. In general though if you are running a mailserver on a linode you will only want to allow unauthenticated outgoing mail from localhost. Outgoing mail should otherwise be restricted to only SASL-authenticated clients.


If you are using SASL auth to control outgoing mail, then in your main.cf set "smtpd_sasl_auth_enable = no", and then in master.cf make sure that any service(s) from which you want to allow outgoing mail have "-o smtpd_sasl_auth_enable=yes".

Hmm.. I spent a lot of time fiddling around with settings trying to get it to work, but it seems for some reason I can only send from mynetworks anyway, and so that in combination with

smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination

seems to do what I want (only able to send from the VPN, and even then only when authenticated). I can't see in my settings why RCPT TO from outside mynetworks is being denied, I guess it's a default setting?

I couldn't get SSL to work at all (client just hangs waiting for a connection) even though I'm pretty sure I had smtps running ok.

When I was trying to set it up to allow SSL on the VPN only, I got a lot of complaints in the log file along the lines of:

fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit

What I was trying to do was to specify really restrictive stuff in main.cf:

smtpd_recipient_restrictions = reject_unauth_destination

..then make smtps allow connections only from local clients and relay only from sasl authenticated clients (to enforce both requirements):

-o smtpd_client_restrictions=permit_mynetworks
-o smtpd_recipient_restrictions=permit_sasl_authenticated, reject_unauth_destination

..but it just wouldn't work, I have no idea why not!

Anyway, it seems to be relatively secure, so I'm going to move on to antispam settings