SMTP Authentication for Local Domain in Postfix

Shahab Vahabzadeh sh.vahabzadeh at gmail.com
Thu Aug 15 10:45:15 UTC 2013


Dear friends,
I have problem with my postfix configuration, I have enable SASL for
postfix and now authentication works well for my clients but right now
anyboy can send email from my local domain to local domain without
authentication and cause of that I have lots of attacks.
How can I force that if sender is my localdomain it must authenticate?!
Here is my postfix configuration:

main.cf:

smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous
> broken_sasl_auth_clients = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_client_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_pipelining,
>     reject_rbl_client zen.spamhaus.org,
> smtpd_helo_restrictions =
>     permit_mynetworks,
>     #reject_non_fqdn_hostname,
>     reject_invalid_hostname
> smtpd_sender_restriction =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     check_sender_access hash:/etc/postfix/access_table
>     reject_unknown_sender_domain,
>     reject_non_fqdn_sender
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_invalid_hostname,
>     reject_unauth_pipelining,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     reject_unverified_recipient,
>     reject_unauth_destination,
>     check_policy_service unix:private/policy-spf,
>     permit


master.cf:

smtp      inet  n       -       -       -       -       smtpd
>   -o content_filter=spamassassin
> submission inet n       -       -       -       -       smtpd
>   -o smtpd_tls_security_level=may
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
>   -o content_filter=spamassassin
> smtps     inet  n       -       -       -       -       smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
> spamassassin
>           unix  -       n       n       -       -       pipe
>    user=nobody argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender}
> ${recipient}
> policy-spf  unix  -       n       n       -       -       spawn
>     user=nobody argv=/usr/bin/perl /usr/sbin/postfix-policyd-spf-perl


access_table:

mydomain.com        REJECT You're not me!



Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


More information about the NANOG mailing list