# Postfix security

## NathanZachary

Hello all,

I have a question regarding Postfix smtpd security. I have it so that Postfix will reject mail relaying if the smtpd user is not authenticated, but how do I go about it when it isn't a *relayed* message, but one to the same domain? For instance, if I try:

```
$ telnet mail.myhost.com 587
Trying {IP ADDRESS}...
Connected to mail.myhost.com.
Escape character is '^]'.
220 mail.myhost.com ESMTP Postfix
ehlo mail.myhost.com
250-mail.myhost.com
250-PIPELINING
250-SIZE 50000000
250-VRFY
250-ETRN
250-AUTH CRAM-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: zach@myhost.com
250 2.1.0 Ok
rcpt to: someaddress@gmail.com
554 5.7.1 <someaddress@gmail.com>: Relay access denied
quit
221 2.0.0 Bye
Connection closed by foreign host.
```

That's what I would expect to happen.

However, if I try:

```
$ telnet mail.myhost.com 587
Trying {IP ADDRESS}...
Connected to mail.myhost.com.
Escape character is '^]'.
220 mail.myhost.com ESMTP Postfix
ehlo mail.myhost.com
250-mail.myhost.com
250-PIPELINING
250-SIZE 50000000
250-VRFY
250-ETRN
250-AUTH CRAM-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: zach@myhost.com
250 2.1.0 Ok
rcpt to: someoneelse@myhost.com
550 5.1.1 <someoneelse@myhost.com>: Recipient address rejected: User unknown in virtual mailbox table
rcpt to: abuse@myhost.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
test mail
.
250 2.0.0 Ok: queued as E609A100069
quit
221 2.0.0 Bye
Connection closed by foreign host.
```

I see that it rejects if the recipient is unknown (again, which I would expect), but it allows me to send if the recipient is known... without authenticating with a password.

Is there something obvious that I'm missing? My mail server isn't an open relay, but it allows for this type of interaction with smtpd, which I consider to be unwanted.

Thanks!

Cheers,

Nathan Zachary

----------

## eccerr0r

If mail.myhost.com is actually receiving mail for myhost.com, then you're really not relaying when sending to myhost.com - you are the endpoint.

What are you trying to accomplish here? I had to do the same on my mail server (sendmail) because if someone sends mail to me, they can't necessarily authenticate before sending mail to me, even if it's a legitimate email relayed from another host.

It seems that you want all mail to require authentication (which would stop you from receiving any mail unless you have another machine relaying mail to this machine that can set up an authenticated session), or am I not understanding the problem here, which may very well be the case?

----------

## NathanZachary

I guess it just seems strange to me, because then anyone could connect to this mail server and send mail with completely spoofed headers and such. I thought that there would be a way to require authentication even if it was going to an endpoint on the same mail server (not relaying). Maybe I am the one that is misunderstanding it conceptually.

----------

## eccerr0r

Yes, unfortunately, if someone knows an account on your endpoint server, you are stuck with that person being able to spoof headers and send mail to anyone there. You don't trust other servers anyway, they could be fabricating headers too - pretty much only the last hop - yours - you can trust, as well as the IP address of that last machine that connected to you. Pretty much only secure mail (all servers must authenticate with each other) or a whitelist can prevent spoofed headers.

Having these would completely break the peer-to-peer mail system described in the RFC. I'm sure Google, Yahoo, Hotmail, etc. would love to kill all the small mail servers like ours by peering with each other and restricting mail to our "insecure" machines, but luckily there are too many out there, including businesses.

Then again, they are already doing this by trying to make sure that their respective IM services beat out email. The younger population thinks "email" is old and antiquated.

Sigh.

----------

## papahuhn

NathanZachary, how did you configure submission? Usually, its smtpd_client_restrictions are set to something like "permit_sasl_authenticated,reject". This way, the telnetted mail to abuse@myhost.com wouldn't have been queued.

----------

## NathanZachary

@papahuhn,

I have the smtpd_client_restrictions set to:

```
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

but for amavisd, I have:

```
localhost:10025 inet n  -       n       -       25      smtpd
  -o smtpd_client_restrictions=
```

I would think that makes sense, though.

Cheers,

Nathan Zachary

----------

## papahuhn

```
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

I don't get it. Can you set the verbose flag for smtpd, restart, try telnet again and look for "START Client host RESTRICTIONS" in the logs?

----------

## magic919

Can you not achieve this with smtpd_recipient_restrictions?

Near the top do permit_sasl_authenticated

Lower down do check_sender_access and pop your own domain(s) in there.
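To make the first-match semantics of Postfix restriction lists concrete, here is an added toy evaluator (not Postfix code and not from anyone in this thread) that runs the thread's RCPT TO attempts against three lists: the posted submission override, a typical port-25 list ending in reject_unauth_destination (the restriction behind "554 5.7.1 Relay access denied"), and magic919's variant with check_sender_access. The Session class, LOCAL_DOMAINS, OWN_DOMAINS and the in-code access table are constructed for the example; real check_sender_access takes a lookup table argument rather than a Python dict.

```python
"""Toy model of Postfix smtpd restriction lists: each restriction answers
permit/reject/dunno, the first non-dunno answer wins, an exhausted list permits."""
from dataclasses import dataclass

LOCAL_DOMAINS = {"myhost.com"}   # the domain mail.myhost.com is the endpoint for

@dataclass
class Session:                   # constructed client state at RCPT TO time
    sender: str
    recipient: str
    sasl_authenticated: bool = False

def evaluate(restrictions, s, sender_access=None):
    """Return 'permit' or 'reject' for one RCPT TO under a restriction list."""
    sender_access = sender_access or {}
    for r in restrictions:
        if r == "permit_sasl_authenticated":
            verdict = "permit" if s.sasl_authenticated else "dunno"
        elif r == "reject_unauth_destination":   # the "Relay access denied" check
            verdict = "dunno" if s.recipient.split("@")[1] in LOCAL_DOMAINS else "reject"
        elif r == "check_sender_access":        # full address first, then its domain
            key = s.sender if s.sender in sender_access else s.sender.split("@")[1]
            verdict = {"OK": "permit", "REJECT": "reject"}.get(sender_access.get(key), "dunno")
        elif r in ("permit", "reject"):
            verdict = r
        else:
            raise ValueError(f"unsupported restriction: {r}")
        if verdict != "dunno":
            return verdict
    return "permit"

SUBMISSION = ["permit_sasl_authenticated", "reject"]                  # posted master.cf override
PORT25 = ["permit_sasl_authenticated", "reject_unauth_destination"]  # permit_mynetworks omitted
# magic919's idea: a sender-access table listing our own domain(s) as REJECT,
# placed after the permits so only unauthenticated clients ever reach it.
ANTI_SPOOF = ["permit_sasl_authenticated", "check_sender_access", "reject_unauth_destination"]
OWN_DOMAINS = {"myhost.com": "REJECT"}   # constructed check_sender_access table

def thread_scenarios():
    local = Session("zach@myhost.com", "abuse@myhost.com")
    relay = Session("zach@myhost.com", "someaddress@gmail.com")
    return {
        "587 unauth local recipient": evaluate(SUBMISSION, local),
        "587 unauth relay": evaluate(SUBMISSION, relay),
        "25 unauth local recipient": evaluate(PORT25, local),
        "25 unauth relay": evaluate(PORT25, relay),
        "25+map unauth spoofed local sender": evaluate(ANTI_SPOOF, local, OWN_DOMAINS),
        "25+map external sender inbound": evaluate(ANTI_SPOOF, Session("friend@example.org", "abuse@myhost.com"), OWN_DOMAINS),
        "25+map authenticated user": evaluate(ANTI_SPOOF, Session("zach@myhost.com", "someaddress@gmail.com", True), OWN_DOMAINS),
    }
```

The submission list rejects the unauthenticated local-recipient case that the posted transcript shows being queued, which is why checking the verbose log for which restriction list actually ran is the right next step. The sender-access variant also rejects legitimate third-party servers that forward or relay mail with your domain as envelope sender, so that trade-off needs to be accepted before deploying it.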

----------

## gordonb3

This is not possible.

Submission is simply a mirror for port 25 to circumvent ISP blocking. Since remote MTAs do not have an account on your domain, no login method is implemented for delivery to the email domain that has been defined as local to the server. Therefore, if you want the server to only accept mail from authenticated users, it must not have any local email domain defined. I.e., it should only relay, preferably through your main MTA that does have the local email domain defined.

----------

