From: Victor Duchovni on
On Tue, Apr 06, 2010 at 01:21:26PM -0800, M M wrote:

> [...] my server is an open relay according to online tests.
>
> mynetworks = 127.0.0.1/8, 198.100.50.0/24

Make sure external clients are not NAT translated into this address space.

> virtual_mailbox_domains =
> mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

Make sure this table does not match all lookup keys, report the output of:

$ postmap -q a.test mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

> virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf

Make sure this table does not match all lookup keys, report the output of:

$ postmap -q a.test \
mysql:/etc/postfix/mysql-virtual-alias-maps.cf \
mysql:/etc/postfix/mysql-email2email.cf

> smtpd_recipient_restrictions =
> reject_invalid_hostname,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> permit_mynetworks,
> reject_unauth_destination,
> permit_sasl_authenticated,
> reject_unauth_pipelining,

The "permit_sasl_authenticated" is pretty useless after
"reject_unauth_destination". With this, the only way for you to be an
"open relay" (show logs of messages you accepted that should not have
been accepted) is if mynetworks is wrong (NAT?) or the domain lists
(mydestination, virtual_alias_domains, virtual_mailbox_domains, ...)
are wrong. My bet is on misconfigured SQL queries.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
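
To make the reasoning in Viktor's reply concrete, here is a small added example (written for this page, not code from the thread or from Postfix itself) that models how Postfix walks smtpd_recipient_restrictions in order and stops at the first restriction that returns PERMIT or REJECT. Only the three relay-relevant restrictions are modelled; the others are treated as "no decision" for a well-formed message, and an exhausted list yields Postfix's implicit permit. The mynetworks values and the restriction list are the poster's; the local domain set (standing in for mydestination plus the virtual domain tables), the client addresses (from the 203.0.113.0/24 documentation range) and the recipient names are constructed for the example.

```python
import ipaddress

# Values from the thread: the poster's mynetworks and restriction order.
MYNETWORKS = ["127.0.0.1/8", "198.100.50.0/24"]
POSTED_RESTRICTIONS = [
    "reject_invalid_hostname",
    "reject_non_fqdn_sender",
    "reject_non_fqdn_recipient",
    "reject_unknown_sender_domain",
    "reject_unknown_recipient_domain",
    "permit_mynetworks",
    "reject_unauth_destination",
    "permit_sasl_authenticated",
    "reject_unauth_pipelining",
]

# Constructed stand-in for mydestination + virtual_alias_domains +
# virtual_mailbox_domains (the domains this server may accept mail for).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}


def in_mynetworks(client_ip, networks=MYNETWORKS):
    """True if the client address falls inside any mynetworks prefix.
    strict=False mirrors Postfix accepting 127.0.0.1/8 with host bits set."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def evaluate(client_ip, recipient, sasl_authenticated, restrictions,
             local_domains=LOCAL_DOMAINS):
    """Walk the restriction list in order and return (verdict, decider).

    permit_mynetworks        -> PERMIT when the client IP is in mynetworks
    permit_sasl_authenticated-> PERMIT when the session is SASL-authenticated
    reject_unauth_destination-> REJECT when the recipient domain is not local
    Any other restriction is assumed to return DUNNO for a well-formed message,
    and an exhausted list falls through to Postfix's implicit permit.
    """
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(client_ip):
            return ("PERMIT", r)
        if r == "permit_sasl_authenticated" and sasl_authenticated:
            return ("PERMIT", r)
        if r == "reject_unauth_destination" and rcpt_domain not in local_domains:
            return ("REJECT", r)
    return ("PERMIT", "end of list")


def sasl_before_unauth_destination(restrictions):
    """Return a copy of the list with permit_sasl_authenticated moved to just
    before reject_unauth_destination, where it can actually take effect."""
    fixed = [r for r in restrictions if r != "permit_sasl_authenticated"]
    fixed.insert(fixed.index("reject_unauth_destination"), "permit_sasl_authenticated")
    return fixed


if __name__ == "__main__":
    external = "victim@external.example"   # constructed remote recipient
    local = "user@example.com"             # constructed local recipient
    cases = [
        # The bug in the thread: an outside client NAT-translated into
        # 198.100.50.0/24 matches permit_mynetworks and may relay anywhere.
        ("NATed outside client, remote rcpt", "198.100.50.20", external, False, POSTED_RESTRICTIONS),
        # Same client once NAT is undone: stopped by reject_unauth_destination.
        ("real outside client, remote rcpt", "203.0.113.7", external, False, POSTED_RESTRICTIONS),
        # Viktor's point: SASL users never reach permit_sasl_authenticated.
        ("SASL user, posted order", "203.0.113.7", external, True, POSTED_RESTRICTIONS),
        ("SASL user, permit before reject", "203.0.113.7", external, True,
         sasl_before_unauth_destination(POSTED_RESTRICTIONS)),
        # Inbound mail for a local domain is accepted from anyone.
        ("outside client, local rcpt", "203.0.113.7", local, False, POSTED_RESTRICTIONS),
    ]
    for label, ip, rcpt, sasl, rules in cases:
        verdict, decider = evaluate(ip, rcpt, sasl, rules)
        print(f"{label:36s} {ip:15s} -> {verdict} ({decider})")
```

The first scenario is exactly what the online relay test saw: once the NAT rewrote the tester's source address into 198.100.50.0/24, permit_mynetworks fired before reject_unauth_destination ever ran. The third and fourth scenarios show why permit_sasl_authenticated is dead code where the poster placed it, and why the usual arrangement puts both permit_* entries ahead of reject_unauth_destination.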

From: M M on

Solved! Thanks

The problem was external clients were NAT translated. Had my network guy undo it and it's working fine now!

Thanks again!

P.S. Victor, what is the best practice for smtpd_recipient_restrictions? In which order?

> Date: Tue, 6 Apr 2010 17:57:57 -0400
> From: Victor.Duchovni(a)morganstanley.com
> To: postfix-users(a)postfix.org
> Subject: Re: Help, still an open relay.?
