Linode Forum
https://forum.linode.com/

Mail security
https://forum.linode.com/viewtopic.php?f=11&t=4851
Page 1 of 1

Author:  Daveo [ Tue Nov 17, 2009 7:25 am ]
Post subject:  Mail security

Hi again, a couple more questions please!

1) Is there a way to configure postfix so that it'll only accept outgoing mail from a certain IP address/range (still allowing incoming email from anywhere)? Or (even better) configure it so that it will never send outgoing email from SMTP requests on port 25, only over SSL, and have the postfix SSL listener only on a lan interface?

2) I ran a mail relay checker on my server and got the following results... anything I should be worried about?

Code:
requires HELO    NO
allows VRFY username verification    NO
allows EXPN forwarding expansion    NO
allows bogus From: header    YES
allows simple mail relaying    NO
may allow UUCP mail relaying    NO
allows other mail relaying    NO
can mail to postmaster    NO
can mail to webmaster    NO
can mail to abuse (RFC 2142)    NO


Thanks :)

Dave

Author:  Stever [ Tue Nov 17, 2009 1:08 pm ]
Post subject:  Re: Mail security

Daveo wrote:
Is there a way to configure postfix so that it'll only accept outgoing mail from a certain IP address/range (still allowing incoming email from anywhere)?

Look into the "mynetworks" or "mynetworks_style" settings. In general though if you are running a mailserver on a linode you will only want to allow unauthenticated outgoing mail from localhost. Outgoing mail should otherwise be restricted to only SASL-authenticated clients.

Quote:
Or (even better) configure it so that it will never send outgoing email from SMTP requests on port 25, only over SSL, and have the postfix SSL listener only on a lan interface?

If you are using SASL auth to control outgoing mail, then in your main.cf set "smtpd_sasl_auth_enable = no", and then in master.cf make sure that any service(s) from which you want to allow outgoing mail have "-o smtpd_sasl_auth_enable=yes".

Author:  Daveo [ Wed Nov 18, 2009 8:28 am ]
Post subject: 

Hmm... I spent a lot of time fiddling around with settings trying to get it to work, but it seems for some reason I can only send from mynetworks anyway, and so that in combination with
Code:
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
seems to do what I want (only able to send from the VPN, and even then only when authenticated). I can't see in my settings why RCPT TO from outside mynetworks is being denied, I guess it's a default setting?

I couldn't get SSL to work at all (client just hangs waiting for a connection) even though I'm pretty sure I had smtps running ok.

When I was trying to set it up to allow SSL on the VPN only, I got a lot of complaints in the log file along the lines of:
Code:
fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit

What I was trying to do was to specify really restrictive stuff in main.cf:
Code:
smtpd_recipient_restrictions = reject_unauth_destination

...then make smtps allow connections only from local clients and relay only from sasl authenticated clients (to enforce both requirements):
Code:
# master.cf -o values must not contain whitespace: a space ends the value,
# so the comma-separated list has to be written without a space after the comma
-o smtpd_client_restrictions=permit_mynetworks
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination

...but it just wouldn't work, I have no idea why not!

Anyway, it seems to be relatively secure, so I'm going to move on to antispam settings :)
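As an added example (not part of the original thread, and not Postfix's own tooling), the following script checks a master.cf fragment for the two mistakes discussed above: a `-o` override whose value contains whitespace (master.cf splits on whitespace, so only the part before the first space becomes the parameter value, which is consistent with the "specify at least one working instance" fatal error) and a `smtpd_recipient_restrictions` list that does not end in one of the terminating restrictions named in that error. The sample master.cf fragment is constructed for the example.

```python
# Constructed sample master.cf fragment (not from any real server). The smtps
# service repeats the override from the post above, space after the comma and
# all; the submission service shows the same override written correctly.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
smtps      inet  n  -  -  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=permit_mynetworks
  -o smtpd_recipient_restrictions=permit_sasl_authenticated, reject_unauth_destination
submission inet  n  -  -  -  -  smtpd
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
"""

# Restrictions Postfix accepts as a "working instance" that ends the recipient
# restriction list (the set named in the fatal error quoted in the thread).
TERMINATING = {"check_relay_domains", "reject_unauth_destination",
               "reject", "defer", "defer_if_permit"}


def check_master_cf(text):
    """Return {service: [problem, ...]} for every service in the fragment.

    A service with an empty list has no override that master.cf would
    truncate and no recipient restriction list that smtpd would reject."""
    problems = {}
    service = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():            # unindented line: service definition
            service = raw.split()[0]
            problems.setdefault(service, [])
            continue
        tokens = raw.split()                # indented line: -o name=value override
        if service is None or tokens[0] != "-o" or len(tokens) < 2:
            continue
        name, _, value = tokens[1].partition("=")
        if len(tokens) > 2:
            # Everything after the first space never reaches the parameter;
            # Postfix only sees `value`, here "permit_sasl_authenticated,".
            problems[service].append(
                f"{name}: whitespace in value; effective value is {value!r}")
        if name == "smtpd_recipient_restrictions":
            entries = [e for e in value.split(",") if e]
            if not any(e in TERMINATING for e in entries):
                problems[service].append(
                    f"{name}: no terminating restriction, smtpd will log the "
                    "'specify at least one working instance' fatal error")
    return problems
```

Running `check_master_cf(SAMPLE_MASTER_CF)` reports two problems for smtps and none for smtp or submission.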
