Block incoming mails; allow outgoing mails

Tags: email, postfix

Our server hosts various domains; half of them use Google Apps for their e-mail and the other half simply do not use any domain e-mail accounts. However, the websites and applications (e.g. cron jobs, firewall) on the server need to send out mail. For this purpose Postfix was installed (Ubuntu 10.04). All works well.

However, analyzing the logs I see that there are a lot of failed incoming e-mails, mainly because those domains that have no mail at this moment still have spam messages being sent to them. And as the DNS points to this server, they still show up here, taking up resources and clogging the log. So a few questions:

  1. Can I simply change the DNS and remove the MX entries? I am rather afraid that the OUTGOING mails will more often fail, as external spam filters check for valid MX entries and see that these domains are not even supposed to send out mail. (I still want them to read @domain.com when sending it out.) Or should an SPF record solve this problem?
  2. Should I replace Postfix with something lighter/better equipped for just sending mail? All incoming mail software is currently unused.
  3. Is there another way to make Postfix outgoing-only, and avoid all of these log entries?

Thanks!

Best Answer

Here is what I would do:

For the domains using Google Apps or some other 3rd party email service, set the MX records appropriately for that domain's email service. I would find it very interesting if your emails were still being presented to that server if the MX records for the domain point elsewhere. That would mean some checking up on what email addresses are arriving at your server for further investigation.

For your Google Apps clients, if you find that your outgoing emails (sent from the server via PHP or some other means) are not being delivered to email addresses ending in the same domain as the hostname, try this:

Postfix: disable local delivery

An example of this would be the server whose hostname getbunch.com might not deliver email to jesse@getbunch.com because it thinks that that address should be local. In reality, it's not local. Disabling the local delivery will force the server to send your email to the right place.

For domains that have NO email service, I would simply remove the MX records. This should keep emails from being presented to the server for delivery.

Another thing you could do is block port 25 using iptables:

/sbin/iptables -A INPUT -p tcp --destination-port 25 -j DROP

Hope that helps!
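Two checks that go with the answer above, as an added example that is not part of the original question or answer: a tally of which recipient domains are still being presented to the server (the "checking up on what email addresses are arriving" step, read from Postfix's mail.log), and an audit of main.cf for the settings Postfix's own STANDARD_CONFIGURATION_README uses for an outgoing-only "null client" (`inet_interfaces = loopback-only`, an empty `mydestination`, and `local_transport = error:...`, which is the "disable local delivery" step). The log lines, the two main.cf fragments, and every hostname and IP in them are constructed samples.

```python
"""Added example (not from the original Q&A): two defender-side checks for
turning a Postfix host into an outgoing-only (null client) relay.

1. Tally recipient domains of mail presented TO this host, from mail.log,
   so you know which domains still need their MX record fixed or removed.
2. Audit main.cf for the null-client settings described in Postfix's
   STANDARD_CONFIGURATION_README.

All log lines and config fragments are constructed samples.
"""
import re
from collections import Counter

# Constructed sample of /var/log/mail.log.  example.org and example.net have no
# mailboxes here but still receive attempts because their MX points at this
# host; the last line is legitimate outbound mail relayed by postfix/smtp.
SAMPLE_MAIL_LOG = """\
Nov 12 10:22:01 host postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <info@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.invalid> to=<info@example.org> proto=ESMTP helo=<mx.example.invalid>
Nov 12 10:22:07 host postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <sales@example.org>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.invalid> to=<sales@example.org> proto=ESMTP helo=<mx.example.invalid>
Nov 12 10:23:44 host postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <admin@example.net>: Recipient address rejected: User unknown in local recipient table; from=<x@example.invalid> to=<admin@example.net> proto=ESMTP helo=<example.invalid>
Nov 12 10:30:02 host postfix/local[1301]: 7A1B2C3D4E: to=<jesse@example.net>, relay=local, delay=0.1, delays=0.05/0/0/0.05, dsn=5.1.1, status=bounced (unknown user: "jesse")
Nov 12 10:31:15 host postfix/smtp[1310]: 9F8E7D6C5B: to=<alerts@example.com>, relay=aspmx.l.google.com[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Daemon name and the first to=<addr> field of a Postfix log line.
LOG_RE = re.compile(r"postfix/(?P<proc>\w+)\[\d+\]:.*?\bto=<(?P<to>[^>]+)>")

# Daemons that handle mail arriving AT this host: smtpd takes it from the
# network, local tries to put it in a local mailbox.  postfix/smtp is the
# outbound client and is deliberately excluded from the tally.
INBOUND_PROCS = {"smtpd", "local"}


def inbound_recipient_domains(log_text):
    """Return a Counter of recipient domains for mail presented to this host."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("proc") in INBOUND_PROCS:
            counts[m.group("to").rpartition("@")[2].lower()] += 1
    return counts


def parse_main_cf(text):
    """Minimal main.cf parser: 'key = value' lines, indented continuation
    lines appended to the previous key, comments and blank lines skipped."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:  # continuation line
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


# Postfix defaults that apply when the parameter is absent from main.cf.
DEFAULTS = {
    "inet_interfaces": "all",
    "mydestination": "$myhostname, localhost.$mydomain, localhost",
    "local_transport": "local:$myhostname",
}


def audit_outgoing_only(main_cf_text):
    """Return findings; an empty list means Postfix neither listens for inbound
    SMTP nor treats any domain as local (null client)."""
    p = parse_main_cf(main_cf_text)
    get = lambda k: p.get(k, DEFAULTS[k])
    findings = []
    if get("inet_interfaces") not in ("loopback-only", "127.0.0.1", "localhost"):
        findings.append(f"inet_interfaces = {get('inet_interfaces')}: smtpd "
                        "accepts network connections; set loopback-only")
    if get("mydestination"):
        findings.append(f"mydestination = {get('mydestination')}: these names "
                        "are treated as local mail domains; leave it empty")
    if not get("local_transport").startswith("error:"):
        findings.append("local_transport does not refuse local delivery; set "
                        "local_transport = error:local delivery is disabled")
    return findings


# Constructed Ubuntu-style default main.cf (listens everywhere, delivers locally).
WEAK_MAIN_CF = """\
myhostname = host.example.com
mydestination = host.example.com, localhost.example.com, localhost
inet_interfaces = all
mynetworks = 127.0.0.0/8
"""

# Constructed null-client main.cf after the changes from the answer above.
HARDENED_MAIN_CF = """\
myhostname = host.example.com
myorigin = $mydomain
# listen on loopback only: nothing on the network can hand us mail
inet_interfaces = loopback-only
# accept mail for no domain at all, so jesse@host.example.com is never "local"
mydestination =
local_transport = error:local delivery is disabled
mynetworks = 127.0.0.0/8
"""

if __name__ == "__main__":
    for domain, n in inbound_recipient_domains(SAMPLE_MAIL_LOG).most_common():
        print(f"{n:4d}  {domain}")
    for label, cf in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"{label}: {audit_outgoing_only(cf) or ['ok']}")
```

Removing the MX record (or the iptables DROP) stops mail before Postfix ever sees it; the main.cf changes stop Postfix from listening at all, so the log entries disappear either way. Note that a change to `inet_interfaces` needs a full `postfix stop` and `postfix start`, not just `postfix reload`, and that with `local_transport` set to `error:` the cron and web mail must be addressed to a real external mailbox, since nothing can be delivered locally any more.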