I have an SMTP relay that relays to our email forwarding server but currently it's accepting mail from all sorts of nasty spammers and our email forwarding host have (rightly) suspended the forwarding until we can lock things down a bit more. I'd therefore like to lock down this relay so that only emails with a specific 'from' value are accepted as a good start.
As per the Q-A in Rejecting unlisted senders in Postfix, I've tried setting this in main.cf:
smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/acl_unknown_permited
reject_unlisted_sender
..and making a new file /etc/postfix/acl_unknown_permited with the following content:
[email protected] permit
…with the appropriate server name.
This doesn't appear to be rejecting email though as setting the sender address to something outside of [email protected] like [email protected] is not rejected.
Is there another setting that could be overriding what I've set here?
The only thing I can think might be going awry at this point is the target of our relay is currently deferring email send attempts. Could that be masking the issue (I was expecting the rejection to happen before we hit the following error and I'm wary to open up the next stage until we've fully tied down the relay)?
Apr 25 22:13:37 smtp-relay postfix/smtp[447151]: BE0FB4247C: to=<[email protected]>, relay=email.forwarder.com [X.X.X.X]:587, delay=0.29, delays=0.09/0.02/0.17/0, dsn=4.0.0, status=deferred (SASL authentication failed; server email.forwarder.com [X.X.X.X] said: 535 Too many failed login requests from Y.Y.Y.Y. Try again later. #MS-ST-D)
Best Answer
Sounds like the beginning of a larger reevaluation, so lets start with two items:
Postfix SMTPd restrictions are enforced in the SMTP daemon: once, while choosing whether to accept submitted mail and queue it, or whether to reject it. After placing additional restrictions on newly accepted mail, you still have to manually sort out unwanted mail already accepted to your queue. Run
postqueue -pto produce a listing of what the queue currently looks like. If you cannot easily determine that each and every queue item is unauthorized, you will find ways to separate the wheat from the chaff by looking uppostsuperinstructions.Just placing restrictions on acceptable envelope senders may have little or no impact on how much spam you relay - spammers could likely still send mail using any header from address and any content. You likely want to enforce substantial additional restrictions, such as requiring sender to authenticate, or requiring mail to originate from specific networks (IPv4/IPv6) under your control (often done via setting
mynetworks).