asankaan n00b
Joined: 17 Jul 2006 Posts: 58
|
Posted: Sun Oct 17, 2010 1:39 pm Post subject: Postfix Configuration |
|
|
Hi,
I'm configuring a mail server (Postfix 2.6) on a Gentoo box.
For SMTP authentication, I configured Dovecot (my clients use POP access) with SASL, and authentication works fine.
Currently, a user can send emails impersonating any valid username (can use MAIL FROM: anyusername@mydomain) by telnetting to port 25 and sending emails.
Is it possible to stop this?
For relay control, I also want to allow relaying only for authenticated users in my local network.
Thanks in advance.
asankaan |
|
|
|
slis Retired Dev
Joined: 11 Oct 2010 Posts: 67 Location: Limanowa
|
Posted: Sun Oct 17, 2010 1:54 pm Post subject: |
|
|
In my opinion, it's not a good idea to set up a mail server when you don't know how to configure it. Maybe try setting it up on a virtual machine first and check how it works?
Anyway, there is the smtpd_recipient_restrictions directive (check the Postfix docs for details), and there you tell the Postfix daemon what to do with messages.
It is a list of rules that Postfix tries to match against each message, and when a rule matches, Postfix does what it says.
For example:
Code: |
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_unverified_recipient
|
You have to set up auth module first:
Code: |
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
|
Remember to set up the relay domain correctly.
And one more thing: I don't know if I understand you correctly, but anyone can send mail TO your domain, that's the idea - I send mail with my mail server, which connects to yours and then puts the e-mail there. If you want to disable this, then how can I send e-mail to you?
Regards |
|
|
|
asankaan n00b
Joined: 17 Jul 2006 Posts: 58
|
Posted: Sun Oct 17, 2010 2:16 pm Post subject: |
|
|
Thank you for the reply.
Quote: |
And one more thing: I don't know if I understand you correctly, but anyone can send mail TO your domain, that's the idea - I send mail with my mail server, which connects to yours and then puts the e-mail there. If you want to disable this, then how can I send e-mail to you?
|
Your point is OK; it is true when you send emails to me.
What I meant was:
Suppose there are two users, A & B, in my network.
'A' telnets to my server, issues SMTP commands, uses MAIL FROM: B@mydomain and sends to someone else (RCPT TO: zz@zzz.zz).
The recipient sees that he has received a mail from B@mydomain. But it was sent by 'A' impersonating 'B'.
Hope my question is clear now. |
|
|
|
slis Retired Dev
Joined: 11 Oct 2010 Posts: 67 Location: Limanowa
|
Posted: Sun Oct 17, 2010 2:28 pm Post subject: |
|
|
That is what authorization is for. Anyone who's sending e-mail to a domain that is not listed in relay_domain gets "Relay access denied", unless he authorizes first.
Then, when "A" telnets to your server, he can still send e-mail to B@mydomain, but he can't send to any other address. Unless he knows the username and password. |
|
|
|
asankaan n00b
Joined: 17 Jul 2006 Posts: 58
|
Posted: Sun Oct 17, 2010 2:44 pm Post subject: |
|
|
Does SASL or any other mechanism provide that authorization?
Whatever the mechanism, it should verify the MAIL FROM address against the authenticated username.
Otherwise, I can log in as one user and send as another user, using any sender name, via SMTP commands. |
|
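An added example, not part of the original thread: Postfix can tie the envelope sender to the SASL login with `smtpd_sender_login_maps` and `reject_sender_login_mismatch`. The map path, the sample addresses and the assumption that Dovecot passes bare login names (A, B) to Postfix are illustrative.

```conf
# /etc/postfix/main.cf
# Added example; the map path and the sample users below are assumptions.

smtpd_sasl_auth_enable = yes

# Lookup table: envelope sender address -> SASL login name(s) allowed to use it.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Restrictions applied to the MAIL FROM address.
# reject_sender_login_mismatch rejects the request when
#   - the MAIL FROM address has an owner in the table and the client is not
#     logged in as that owner (this covers clients that did not authenticate), or
#   - the client is logged in, but the table does not list that login as an
#     owner of the MAIL FROM address.
smtpd_sender_restrictions =
    reject_sender_login_mismatch

# Relay only for authenticated clients. permit_mynetworks is left out on
# purpose, so hosts on the local network must authenticate before relaying.
# Unauthenticated clients can still deliver to the server's own domains.
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination

# /etc/postfix/sender_login_maps (constructed sample)
# Format: sender address, whitespace, login name(s) separated by commas.
# After editing, rebuild the table with:  postmap /etc/postfix/sender_login_maps
#
#   A@mydomain    A
#   B@mydomain    B
#
# With this table, a session logged in as A that sends MAIL FROM:<B@mydomain>
# is rejected, and so is an unauthenticated session that uses either address.
```

If unauthenticated mail carrying these sender addresses must still be accepted (for example, mail relayed back by a forwarder), `reject_authenticated_sender_login_mismatch` applies the same check to authenticated sessions only.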