I have a little problem. I am offering some clients access to my server in order to execute their own scripts (of course in their own chroot environment, etc.). The problem which occurred today: some people gain telnet access to localhost on port 25 and are sending emails out into the world, which is nearly an open relay 🙁
I am using postfix and it also requires authentication:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
But local scripts obviously do not need to be SASL authenticated. If I remove localhost from permit_mynetworks, some antispam routines are not working anymore…
So how do I configure postfix in order to allow localhost to deliver mail locally but not externally without authentication?
Any suggestions?
Best Answer
So your antispam routines are using localhost, and bad people are using localhost, and postfix can't tell the difference.
Ban bad people or remove localhost from the trusted network (permit_mynetworks) and configure your antispam to use something else. Or allow your antispam with smtpd_client_restrictions check_ccert_access.
Back to your question. You are asking for something like this:
But probably it won't work, because your antispam reinjects mail with external recipients. But it depends.
Give us more info about your antispam tools and maybe we will be able to help.
UPD:
Can't explain restriction classes better than the official docs.
We define our restriction class local_only with smtpd_restriction_classes = local_only. And the class definition says "whenever this class is checked, check check_recipient_access (Search the specified access(5) database for the resolved RCPT TO address, domain, parent domains, or localpart@, and execute the corresponding action.) first and reject mail otherwise". And the local_domains file says "if it's this.domain pass the check, if it's that.domain pass the check". But we do not want to apply this restriction class to ALL emails. We want to apply it when the sending host is localhost and remove the permit_mynetworks rule. To do so we add check_client_access hash:/etc/postfix/client_access (Search the specified access database for the client hostname, parent domains, client IP address, or networks obtained by stripping least significant octets. See the access(5) manual page for details.) to smtpd_recipient_restrictions. It says to check the /etc/postfix/client_access file and if it's localhost apply the local_only restriction. It is exactly what we want to do. Hope it helps.
The mail flow is: localhost (apply local_only restriction class)
UPD2: I just found another option for smtpd_recipient_restrictions (and other self-defined classes) you may be interested in
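As an added example (not the answer's own code), here is the set of files the answer describes, written by a small script into a directory of your choosing so they can be inspected before copying into /etc/postfix; the domain names, the 127.0.0.1 entry and the target directory are assumptions. With permit_mynetworks gone, an antispam tool that reinjects mail for external recipients over localhost without SASL will hit the class's trailing reject, which is the caveat the answer raises.

```shell
#!/bin/sh
# Added example, not the answer's own code: lay out the local_only restriction
# class from the answer above. Everything is written under $1 so it can be
# inspected before copying into /etc/postfix. The domains and 127.0.0.1 are
# assumed sample values.
set -eu

write_local_only_config() {
    dir="$1"
    mkdir -p "$dir"

    # Clients matched here get the local_only class instead of blanket trust.
    cat > "$dir/client_access" <<'EOF'
127.0.0.1    local_only
EOF

    # Recipient domains an unauthenticated localhost client may send to.
    cat > "$dir/local_domains" <<'EOF'
this.domain    OK
that.domain    OK
EOF

    # main.cf fragment. permit_mynetworks is deliberately absent: localhost only
    # gets the class, and the class ends in "reject", so external recipients
    # from an unauthenticated localhost session are refused.
    cat > "$dir/main.cf.fragment" <<EOF
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:$dir/local_domains, reject

smtpd_recipient_restrictions =
    check_client_access hash:$dir/client_access,
    permit_sasl_authenticated,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_destination
EOF

    # Compile the lookup tables when postmap is present (optional for a dry run).
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$dir/client_access" "hash:$dir/local_domains"
    fi
}

# Dry-run check against the plain-text map: exit 0 when the recipient domain
# would pass local_only, 1 when the trailing "reject" would apply.
local_only_allows() {
    awk -v d="$2" '$1 == d && $2 == "OK" { found = 1 } END { exit !found }' \
        "$1/local_domains"
}
```

Run `write_local_only_config /tmp/postfix-local-only`, review the three files, then copy the maps into /etc/postfix, merge the fragment into main.cf (adjusting the hash: paths) and reload postfix.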