Gentoo Forums
postfix: disallowing the sending of mail
MasquedAvenger
Guru
Joined: 21 Aug 2003
Posts: 559
Location: Southern California

Posted: Sat Apr 03, 2004 7:49 pm    Post subject: postfix: disallowing the sending of mail

Hey everyone. I'd like postfix to only receive mail and not allow anyone, from my LAN or the internet, to send mail through it. How would I accomplish this? I'm using postfix 2.0.19. Thanks in advance.

James
kpack
Tux's lil' helper
Joined: 29 Mar 2004
Posts: 137

Posted: Sun Apr 04, 2004 4:00 am

Uncomment the following in main.cf:

#mynetworks_style=host

This will still allow processes on the Linux computer to send mail, but will prevent any other host from forwarding mail through the server.
MasquedAvenger
Guru
Joined: 21 Aug 2003
Posts: 559
Location: Southern California

Posted: Sun Apr 04, 2004 5:28 am

Since this only allows the server itself to send mail through localhost and disallows any other machine on the network or outside of it to access the mail server, could I then safely make postfix a relay to my ISP's smtp server? The reason I ask is, I need to be able to implement the ability to have bounce messages and other forms of automated email notifications, and to do this, I would have to let procmail send mail to postfix itself rather than another smtp server (or can I tell procmail to send through another smtp server instead?) My thinking is, if only the server itself can relay mail through postfix, then to open it up as a relay to my ISP's smtp server shouldn't be such a destructive thing. Any comments? Is this safe? If so, how would I make postfix a relay to my ISP's mail server? Thanks in advance :)

James
kpack
Tux's lil' helper
Joined: 29 Mar 2004
Posts: 137

Posted: Sun Apr 04, 2004 3:25 pm

Using mynetworks_style=host will allow any process (including procmail) on the machine running postfix to relay mail.

When you make changes like this, test them with telnet sessions from the server, from the LAN and from the WAN. Here's an example:

telnet localhost smtp

Trying 127.0.0.1
Connected to localhost.
Escape character is '^]'.
220 foo.bar.com ESMTP Postfix
helo comcast.net
250 foo.bar.com
mail from:<ferd@berfelsoft.com>
250 Ok
rcpt to:<info@gentoo.com>

You'll get errors right here if relaying is not allowed. If you do this on the mail server, you should get

250 Ok

If you do this from any other computer on the LAN or WAN you should get

554 <info@gentoo.com>: Relay access denied

You don't need to relay mail through your ISP's server but it's a good idea. Since you probably don't have reverse DNS set up for your mail server (you can't unless your ISP provides this service or unless they delegate it to you), some MTAs' spam filters will reject your mail as potential spam (netscape.net is one example). To fix that, add the following to your main.cf:

relayhost = smtp.isp.net

where smtp.isp.net is the hostname of your ISP's SMTP server. Then all mail sent through your Postfix server will be relayed first to the relayhost then to the final recipient.
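
The expected outcomes of the telnet test above (250 on the mail server itself, 554 from any other host) turned into a check over a saved session. This is an added example, not part of kpack's post; the function names and the "server"/"remote" labels are choices made for it.

```sh
#!/bin/sh
# Added example: judge a saved relay-test session by the reply to RCPT TO.

# Print the 3-digit reply code that follows the first "rcpt to:" line.
rcpt_reply_code() {
    awk '
        tolower($0) ~ /^rcpt to:/ { seen = 1; next }
        seen && /^[0-9][0-9][0-9]([ -]|$)/ { print substr($0, 1, 3); exit }
    '
}

# relay_check VANTAGE < transcript
#   VANTAGE is "server" (test run on the mail host) or "remote" (LAN or WAN).
#   Returns 0 when the reply matches what the post says to expect.
relay_check() {
    vantage=$1
    code=$(rcpt_reply_code)
    case "$vantage:$code" in
        server:250) echo "PASS: local submission accepted" ;;
        remote:5??) echo "PASS: relay denied ($code)" ;;
        remote:250) echo "FAIL: remote client can relay"; return 1 ;;
        server:5??) echo "FAIL: local submission rejected ($code)"; return 1 ;;
        *:4??)      echo "RETRY: temporary failure ($code)"; return 2 ;;
        *)          echo "FAIL: no reply to RCPT TO found"; return 1 ;;
    esac
}

# Sessions from the post: the local one, and the remote one with its 554 reply.
sample_local() {
    cat <<'EOF'
220 foo.bar.com ESMTP Postfix
helo comcast.net
250 foo.bar.com
mail from:<ferd@berfelsoft.com>
250 Ok
rcpt to:<info@gentoo.com>
250 Ok
EOF
}
sample_remote() {
    sample_local | sed '$s/.*/554 <info@gentoo.com>: Relay access denied/'
}

sample_local  | relay_check server
sample_remote | relay_check remote
```
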
MasquedAvenger
Guru
Joined: 21 Aug 2003
Posts: 559
Location: Southern California

Posted: Sun Apr 04, 2004 4:53 pm

Awesome. This has been so thoroughly helpful. Thank you :) Just one last question. Is it possible for someone to remotely spoof their IP and make postfix think that requests are coming from 127.0.0.1 when in fact they're coming from somewhere else? This is something I'm worried about as well.

James
kpack
Tux's lil' helper
Joined: 29 Mar 2004
Posts: 137

Posted: Sun Apr 04, 2004 6:02 pm

To prevent spoofing, block the following networks inbound on eth0 using either iptables rules or a hardware firewall:

# Private addresses
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8

# Loopback
127.0.0.0/8

# Multicast
224.0.0.0/3

# Used by disconnected DHCP clients
169.254.0.0/16
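
The networks listed above written out as iptables rules. This is an added example, not part of kpack's post. It assumes eth0 is the Internet-facing interface with a public address; the chain name SPOOF and the EXT_IF and APPLY variables are choices made for this example.

```sh
#!/bin/sh
# Added example: build the anti-spoofing rules for the ranges listed in the post.
# Assumption: eth0 (override with EXT_IF) is the Internet-facing interface with
# a public address; on a LAN-facing interface these rules would drop the LAN.
EXT_IF=${EXT_IF:-eth0}

# Dry run by default: print each command. APPLY=1 (as root) executes it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Source ranges exactly as given in the post, one per line.
spoofed_sources() {
    cat <<'EOF'
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
127.0.0.0/8
224.0.0.0/3
169.254.0.0/16
EOF
}

# Collect the drops in one chain (SPOOF is a name chosen for this example) and
# send everything arriving on EXT_IF through it before any ACCEPT rule.
spoof_rules() {
    run iptables -N SPOOF
    for net in $(spoofed_sources); do
        run iptables -A SPOOF -s "$net" -j DROP
    done
    # Traffic on lo never enters the chain, so local SMTP to 127.0.0.1
    # (the "telnet localhost smtp" test) is unaffected.
    run iptables -I INPUT 1 -i "$EXT_IF" -j SPOOF
    run iptables -I FORWARD 1 -i "$EXT_IF" -j SPOOF
}

spoof_rules
```

Review the printed commands first, then rerun with APPLY=1 as root to load them.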