Postfix allows unauthenticated users to send emails
Solution 1
It is because you might have tried to send mail from the server (i.e. telnet localhost 25) itself and in your smtpd_recipient_restrictions permit_mynetworks comes before permit_sasl_authenticated and so the clients listed in mynetworks (localhost in your case) need not authenticate. Rearrange the restrictions to achieve what you want.
More info: postfix docs
Edit 1:
Thanks for the telnet and postfix logs. Postfix will not require authentication to receive mails for the domains it handles under mydestination, relay_domains, virtual_alias_domains and virtual_mailbox_domains. Users will not be able to relay to external domains (i.e. the domains that are remote, e.g. gmail.com) unless they authenticate and this is the expected behaviour.
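The evaluation order described in this answer, as an added example that is not part of the original answer: a simplified Python model of smtpd_recipient_restrictions in which the first restriction returning OK or REJECT decides. The networks, the domain example.org and the addresses are constructed, and every restriction other than the three named here is assumed to return DUNNO.

```python
# Simplified model of how Postfix walks smtpd_recipient_restrictions: each
# restriction returns OK (permit), REJECT, or DUNNO (no opinion, try the next).
# Only the three restrictions discussed in the answer are modelled; every other
# name is treated as DUNNO, which is an assumption made for this example.
import ipaddress

# Constructed sample values, not taken from the asker's server.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
LOCAL_DOMAINS = {"example.org"}  # stands in for mydestination, relay_domains, virtual_*_domains


def check(name, client_ip, authenticated, rcpt_domain):
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(client_ip)
        return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "OK" if authenticated else "DUNNO"
    if name == "reject_unauth_destination":
        # Rejects only mail for domains this server is not responsible for.
        return "DUNNO" if rcpt_domain in LOCAL_DOMAINS else "REJECT"
    return "DUNNO"


def evaluate(restrictions, client_ip, authenticated, rcpt):
    """Return (verdict, deciding_restriction); the first non-DUNNO result wins."""
    domain = rcpt.rsplit("@", 1)[1].lower()
    for name in restrictions:
        result = check(name, client_ip, authenticated, domain)
        if result != "DUNNO":
            return result, name
    return "OK", "end of list"  # nothing objected, so the recipient is accepted


ASKER_ORDER = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]

if __name__ == "__main__":
    cases = [
        ("127.0.0.1", False, "bob@example.net"),      # telnet localhost 25
        ("203.0.113.9", False, "alice@example.org"),  # remote client, local recipient
        ("203.0.113.9", False, "bob@example.net"),    # remote client, relay attempt
        ("203.0.113.9", True, "bob@example.net"),     # remote client, after AUTH
    ]
    for ip, auth, rcpt in cases:
        print(ip, auth, rcpt, "->", evaluate(ASKER_ORDER, ip, auth, rcpt))
```

Dropping permit_mynetworks from the list leaves the second case unchanged, because no restriction in the list objects to an unauthenticated client delivering to a domain the server hosts.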
Solution 2
You can force users to authenticate before sending e-mails by changing not main.conf but master.conf, adding the check on submission, for example, and rejecting everything:
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
This was 4 years ago, but maybe it will help new people.
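One way to check that the override from this answer is actually present, as an added example that is not part of the original answer: a Python sketch that parses master.cf text and reports client-facing smtpd services lacking it. The sample file, the function names and the choice of submission and smtps as the services to check are assumptions.

```python
# Audit sketch: collect the "-o" overrides each smtpd service in master.cf carries
# and report the client-facing services that lack the relay restriction above.
# Handles the plain "-o name=value" form only (an assumption of this example).
REQUIRED = ("smtpd_relay_restrictions", "permit_sasl_authenticated,reject")
SUBMISSION_SERVICES = ("submission", "smtps")  # assumption: services meant for mail clients

# Constructed sample input, not the asker's configuration.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
"""


def parse_services(text):
    """Return {service_name: {param: value}} for every smtpd service."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and logical:  # leading whitespace continues the entry
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    services = {}
    for entry in logical:
        fields = entry.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue  # not an smtpd service entry
        args = fields[8:]
        overrides = {}
        for i, arg in enumerate(args[:-1]):
            if arg == "-o" and "=" in args[i + 1]:
                key, value = args[i + 1].split("=", 1)
                overrides[key] = value
        services[fields[0]] = overrides
    return services


def missing_relay_restriction(text, names=SUBMISSION_SERVICES):
    """Names of the listed services whose overrides do not include REQUIRED."""
    key, value = REQUIRED
    services = parse_services(text)
    return [n for n in names if n in services and services[n].get(key) != value]
```

The port 25 smtp service is left out of the check because, as Solution 1 explains, it accepts unauthenticated mail for the domains the server itself hosts.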
Kimmax
Updated on September 18, 2022
Comments
-
Kimmax almost 2 years
Hey I set up Postfix to use cyrus SASL implementation and I'm able to login and send emails, but I can still telnet on port 25 and send mails even if I'm not authenticated, which I wish to deny.
smtp_sasl part of my main.cf:
smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rbl_client, sbl-xbl.spamhaus.org,
    reject_rbl_client, bl.spamcop.net,
    reject_rbl_client, list.dsbl.org,
    reject_rbl_client, rbl.mail-abuse.org,
    reject_rbl_client, spamsources.fabel.dk
Full config here
Did I forget something?
Telnet Log:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.04.20 16:10:32 =~=~=~=~=~=~=~=~=~=~=~=
220 the999ers.eu ESMTP Postfix (Debian/GNU)
ehlo kim-nuernberger.eu
250-the999ers.eu
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: [email protected]
DATA
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
Subject: test
This is a test mail
.
250 2.0.0 Ok: queued as B82481DF1CE
quit
221 2.0.0 Bye
This was captured from my local pc and I connected via my domain kim-nuernberger.eu.
Postfix log (/var/log/mail.log)
Apr 20 16:31:37 The999ers postfix/smtpd[16420]: connect from unknown[2a03:4000:2:206::1]
Apr 20 16:31:57 The999ers postfix/smtpd[16420]: 25CED1DF1CE: client=unknown[2a03:4000:2:206::1]
Apr 20 16:32:13 The999ers postfix/cleanup[16425]: 25CED1DF1CE: message-id=<[email protected]>
Apr 20 16:32:13 The999ers postfix/qmgr[16407]: 25CED1DF1CE: from=<[email protected]>, size=385, nrcpt=1 (queue active)
Apr 20 16:32:14 The999ers postfix/smtp[16426]: 25CED1DF1CE: to=<[email protected]>, orig_to=<[email protected]>, relay=mx4.hotmail.com[65.55.37.104]:25, delay=25, delays=23/0.01/0.47/1.1, dsn=2.0.0, status=sent (250 <[email protected]> Queued mail for delivery)
Apr 20 16:32:14 The999ers postfix/qmgr[16407]: 25CED1DF1CE: removed
Apr 20 16:32:14 The999ers postfix/smtpd[16420]: disconnect from unknown[2a03:4000:2:206::1]
Note: I updated the log after fixing some unnecessary problems.
-
user1686 about 10 years
What address are you "telnetting" from, and to?
-
Kimmax about 10 years
@grawity I telnet from my local address to my domain, or did you mean something different?
-
Kimmax about 10 years
Well I open the telnet connection from my local pc and connect via the domain (kim-nuernberger.eu in this case) to the server, so this shouldn't happen, right?
-
clement about 10 years
Can you give the IP address or its prefix of your local pc and your server?
-
Kimmax about 10 years
Even removing permit_mynetworks doesn't work at all..
-
clement about 10 years
can you update the question with the telnet command that worked and the postfix log lines generated for the same?
-
Kimmax about 10 years
Okay I added my local telnet log and the postfix log from the server.
-
clement about 10 years
Hey postfix will not require authentication to receive mails for the domains it handles under mydestination, relay_domains, virtual_alias_domains and virtual_mailbox_domains. Users will not be able to relay to external domains (i.e. the domains that are remote, e.g. gmail.com) unless they authenticate and this is the expected behaviour.
-
Kimmax about 10 years
Okay I got it - I was sending mails to the server itself the whole time and didn't try another relay.. When you write a new answer I will accept it and give it the bounty. Thank you!
-
Kimmax over 5 years
Thanks for keeping the next one in mind :)