From: Jonathan Tripathy on


On 21/02/2010 19:34, Darren Pilgrim wrote:
> Jonathan Tripathy wrote:
>> Sorry I forgot to state that I'm only concerned with MY server here.
>> For example, I don't want someone to telnet to MY postfix server, and
>> give me@mydomain.com for both sender and receiver
>
> Require authentication, set up smtpd_sender_login_maps and use the
> reject_sender_login_mismatch restriction.

Yup, I'm already using all of that, however that only prevents spoofing
of real addresses. So for example:

MAIL FROM:<realaddress@mydomain.com>
RCPT TO:<realaddress@mydomain.com>

Would fail which is good, however:

MAIL FROM:<NOTarealaddress@mydomain.com>
RCPT TO:<realaddress@mydomain.com>

would fail for an authenticated user (which is good), however it would
allow the mail through for a non-authenticated user...

From: Jonathan Tripathy on


On 21/02/2010 19:39, LuKreme wrote:
> On 21-Feb-2010, at 12:22, Sahil Tandon wrote:
>>> Sorry I forgot to state that I'm only concerned with MY server here.
>>> For example, I don't want someone to telnet to MY postfix server,
>>> and give me@mydomain.com for both sender and receiver
>
> What's the matter with the SPF configuration you already have?
>

Good point, it does seem to be working well. It's just that SPF breaks
email forwarding and I may not get emails from forwarding email servers..

From: Wietse Venema on
Jonathan Tripathy:
>
>
> On 21/02/2010 19:34, Darren Pilgrim wrote:
> > Jonathan Tripathy wrote:
> >> Sorry I forgot to state that I'm only concerned with MY server here.
> >> For example, I don't want someone to telnet to MY postfix server, and
> >> give me@mydomain.com for both sender and receiver
> >
> > Require authentication, set up smtpd_sender_login_maps and use the
> > reject_sender_login_mismatch restriction.
>
> Yup, I'm already using all of that, however that only prevents spoofing
> of real addresses. So for example:

You forgot to set an owner rule for @domain.

Wietse

From: Wietse Venema on
Wietse Venema:
> Jonathan Tripathy:
> > On 21/02/2010 19:34, Darren Pilgrim wrote:
> > > Jonathan Tripathy wrote:
> > >> Sorry I forgot to state that I'm only concerned with MY server here.
> > >> For example, I don't want someone to telnet to MY postfix server, and
> > >> give me@mydomain.com for both sender and receiver
> > >
> > > Require authentication, set up smtpd_sender_login_maps and use the
> > > reject_sender_login_mismatch restriction.
> >
> > Yup, I'm already using all of that, however that only prevents spoofing
> > of real addresses. So for example:
>
> You forgot to set an owner rule for @domain.

That will also block mail from daemon@your.domain etc.

You can also reject non-existent senders with reject_unlisted_sender.

Wietse

From: Jonathan Tripathy on

> You forgot to set an owner rule for @domain.
>
> Wietse
>

How would I do that? I'm not sure if this is relevant but I'm currently
using:

smtpd_sender_login_maps=mysql:/etc/postfix/mysql_login_maps.cf

and mysql_login_maps.cf is:

hosts = 127.0.0.1
user = <mysql username>
password = <mysql password>
dbname = mailserver

query = SELECT username FROM address_maps WHERE address='%s'

The above stops a logged in user using an address that doesn't belong to
him. I wish to make sure that all unauthenticated users can't send any
email originating from my domain, without using SPF. Sorta like just SPF
for my domain...

Thanks
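
As an added example (not part of the thread and not Postfix code), this Python sketch models how the reject_sender_login_mismatch decision changes once smtpd_sender_login_maps contains the @domain owner entry suggested above. The login names "jonathan" and "domain-owner" and the map contents are constructed; the model tries only the user@domain and @domain lookup keys and leaves out Postfix's bare-user key.

```python
# Simplified model of the reject_sender_login_mismatch decision.
# Constructed data; "jonathan" and "domain-owner" are hypothetical logins.

# Map as in the thread: only real addresses have an owner.
WITHOUT_OWNER_RULE = {"realaddress@mydomain.com": ["jonathan"]}

# Same map plus a catch-all owner for the whole domain. With the thread's
# MySQL query this is a row whose address column is '@mydomain.com'.
WITH_OWNER_RULE = {**WITHOUT_OWNER_RULE, "@mydomain.com": ["domain-owner"]}


def owners_for(sender, login_map):
    """Look up owners: full address first, then the @domain key."""
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    for key in (sender, "@" + domain):
        if key in login_map:
            return login_map[key]
    return None


def check_sender(sender, sasl_login, login_map):
    """Return 'reject', or 'dunno' (no decision, later restrictions apply)."""
    owners = owners_for(sender, login_map)
    if sasl_login is None:
        # Unauthenticated client: rejected only when the address has an owner.
        return "reject" if owners else "dunno"
    # Authenticated client: the login must be listed as an owner.
    return "dunno" if owners and sasl_login in owners else "reject"


def compare(sender, sasl_login=None):
    """Decision without and with the @domain owner entry."""
    return (check_sender(sender, sasl_login, WITHOUT_OWNER_RULE),
            check_sender(sender, sasl_login, WITH_OWNER_RULE))


if __name__ == "__main__":
    cases = [("realaddress@mydomain.com", None),
             ("NOTarealaddress@mydomain.com", None),
             ("daemon@mydomain.com", None),      # the caveat raised in the thread
             ("someone@example.org", None),      # other domains are unaffected
             ("realaddress@mydomain.com", "jonathan"),
             ("NOTarealaddress@mydomain.com", "jonathan")]
    for sender, login in cases:
        before, after = compare(sender, login)
        print(f"{sender:32} login={login!s:9} before={before:6} after={after}")
```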