I've got a Postfix/Courier mail server (Authenticated with SASL/MySQL) all according to this tutorial. I'm currently running my server on Debian 6, it is a VPS. It works well as far as I can see but I can't seem to require authentication for inbound email sending. If I send an email from Outlook with SMTP authentication disabled to myself, everything happens and I'm not rejected, the log on the server tells me this:
Dec 19 09:39:33 new postfix/smtpd[20439]: connect from unknown[****]
Dec 19 09:39:33 new postfix/smtpd[20439]: 7FF1E469840: client=unknown[****]
Dec 19 09:39:33 new postfix/cleanup[20444]: 7FF1E469840: message-id=<000c01cefc31$41319a90$c394cfb0$@email@mydomain>
Dec 19 09:39:33 new postfix/qmgr[20429]: 7FF1E469840: from=<email@mydomain>, size=2730, nrcpt=1 (queue active)
Dec 19 09:39:33 new postfix/virtual[20445]: 7FF1E469840: to=<email@mydomain>, relay=virtual, delay=0.49, delays=0.4/0.08/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Dec 19 09:39:33 new postfix/qmgr[20429]: 7FF1E469840: removed
Dec 19 09:39:36 new postfix/smtpd[20439]: disconnect from unknown[****]
**** indicates the IP address of the email client
But if I try to send an email to an external domain, for example a gmail address, the email, as expected, is rejected and bounces back:
Your message did not reach some or all of the intended recipients.
Subject:
Sent: 19/12/2013 9:49 a.m.
The following recipient(s) cannot be reached:
'email@external.domain' on 19/12/2013 9:49 a.m.
Server error: '554 5.7.1 <email@external.domain>: Relay access denied'
The log spews out some stuff about rejected authentication as well (which is to be expected)
Dec 19 09:48:34 new postfix/smtpd[20449]: connect from unknown[****]
Dec 19 09:48:34 new postfix/smtpd[20449]: NOQUEUE: reject: RCPT from unknown[****]: 554 5.7.1 <email@external.domain>: Relay access denied; from=<email@mydomain> to=<email@external.domain> proto=ESMTP helo=<MyPC>
Dec 19 09:48:36 new postfix/smtpd[20449]: disconnect from unknown[****]
If I enable SMTP authentication on my email client (Outlook), everything works as expected.
Is there actually some authentication going on that I'm not seeing or is this acting as an open relay for internal emails? How do I force authentication for all email if this is the case?
My main.cf is:
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
broken_sasl_auth_clients = yes
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
Best Answer
Your server is not an open relay. It is set up to allow three different types of mail:
If the mail doesn't match one of the above, then the mailserver will reject it, even if the spammer puts some fake address in your domain as the sender address.