Postfix 3.1.0: how to prevent anonymous users from sending mail

dovecot postfix

  • OS: Linux Ubuntu 16.04
  • Postfix version 3.1.0
  • Dovecot version 2.2.22

The situation

We have a mail system based on Postfix + Dovecot on a server running Ubuntu 16.04.
The system is almost well configured and provides the following features without any problems:

  • Delivering mail (from any location)
  • Sending mail (to any location)
  • Provides TLS encryption for mail
  • Provides SASL user auth over port 465 with SSL (postfix smtpd_sasl_type = dovecot)

'To/from any location' means we can send/receive mail to/from senders like gmail.com, etc.

We are also using smtpd_sender_login_maps with reject_sender_login_mismatch for smtpd_sender_restrictions.

But there's a 'little' problem: users can connect to our server with any modern mail app over port 25 without auth and send mail to anyone using a non-existent address as the 'sender address'.

We want to permit sending mail through our server for authenticated users only and reject outgoing mail from anonymous users. Is it possible?

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
default_process_limit = 100
disable_vrfy_command = yes
header_size_limit = 51200
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
message_size_limit = 10485760
mydestination = $myhostname, localhost.$mydomain $mydomain
myhostname = ourdomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = ourdomain.com
queue_minfree = 20971520
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = AL Mail Service
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
smtpd_command_filter = pcre:/usr/local/etc/postfix/command_filter
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_relay_restrictions = permit_sasl_authenticated permit_mynetworks defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/mailsbase
smtpd_sender_restrictions = reject_unauth_destination reject_unknown_sender_domain reject_sender_login_mismatch
smtpd_tls_cert_file = /etc/postfix/certs/cert.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

Best Answer

Solution

Problem solved by adding compatibility_level = 2 to main.cf. So this parameter, together with a couple of others (see the postconf -n output from my question above), got this task completely done. Additionally, I made some small changes to main.cf, e.g. the smtpd_sender_restrictions sequence, but that is just reject_sender_login_mismatch calibration.
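
A simplified Python model of the reject_sender_login_mismatch check used in the configuration above, added here as an illustration (not code from the original post or from Postfix); it shows which MAIL FROM addresses the check lets an unauthenticated session use. The map entries and the login names alice, bob and postmaster are constructed, and the lookup covers only the full address and the @domain key, not the bare-user form.

```python
# Simplified model of Postfix's reject_sender_login_mismatch (added example).
# LOGIN_MAP_TEXT is constructed sample data in the "address  owner[, owner]"
# text format that a hash: table such as /etc/postfix/mailsbase is built from.
LOGIN_MAP_TEXT = """\
# sender address        SASL login(s) allowed to use it
alice@ourdomain.com     alice
sales@ourdomain.com     alice, bob
@ourdomain.com          postmaster
"""

def parse_login_map(text):
    """Return {lookup key: set of owner logins}, skipping comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, owners = line.split(None, 1)
        table[key.lower()] = set(owners.replace(",", " ").split())
    return table

def owners_of(table, sender):
    """Look up the full address first, then the @domain catch-all key."""
    sender = sender.lower()
    domain_key = "@" + sender.rpartition("@")[2]
    return table.get(sender) or table.get(domain_key) or set()

def sender_login_check(table, sender, sasl_login=None):
    """Return (verdict, reason); sasl_login=None means an anonymous session."""
    owners = owners_of(table, sender)
    if sasl_login is None:
        # Unauthenticated half: only addresses that HAVE an owner are protected.
        if owners:
            return "reject", "not logged in"
        return "pass", "address has no owner in the map"
    # Authenticated half: the login must be listed as an owner of the address.
    if sasl_login in owners:
        return "pass", "login owns the address"
    return "reject", "not owned by user"

if __name__ == "__main__":
    table = parse_login_map(LOGIN_MAP_TEXT)
    cases = [("alice@ourdomain.com", None), ("ghost@ourdomain.com", None),
             ("ghost@example.net", None), ("sales@ourdomain.com", "bob"),
             ("alice@ourdomain.com", "bob")]
    for sender, login in cases:
        print(sender, login or "(anonymous)", sender_login_check(table, sender, login))
```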
