I have postfix installed and configured so that only authenticated users can relay. If I test it with telnet, this seems to work:
root@mx3:/var/log# telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mx3.xxx.ch ESMTP Postfix (Debian/GNU)
ehlo xxx.ch
250-mx3.zoee.ch
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:test@xxx.ch
250 2.1.0 Ok
rcpt to:chris@sanc.ch
554 5.7.1 <chris@sanc.ch>: Relay access denied
But I can still use mailx without authentication. Also with PHP's mail:
echo "test" | mailx -s test chris@sanc.ch
May 16 10:58:21 mx3 postfix/pickup[10232]: D9634C00B1: uid=0 from=<root>
May 16 10:58:21 mx3 postfix/cleanup[10273]: D9634C00B1: message-id=<20130516085821.D9634C00B1@mx3.xxx.ch>
May 16 10:58:21 mx3 postfix/qmgr[10233]: D9634C00B1: from=<root@xxx.ch>, size=275, nrcpt=1 (queue active)
May 16 10:58:22 mx3 postfix/smtp[10274]: D9634C00B1: to=<chris@sanc.ch>, relay=mx.sanc.ch[80.219.217.116]:25, delay=0.68, delays=0.11/0.01/0.48/0.08, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BCA917F9A7)
May 16 10:58:22 mx3 postfix/qmgr[10233]: D9634C00B1: removed
This is my config:
myhostname = mx3.xxx.ch
mydomain = xxx.ch
myorigin = $mydomain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mx3.xxx.ch, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination,check_relay_domains
Any idea how I can prevent people sending email without authenticating?
Best Answer
You've set your server up to require authentication when the mail is sent using SMTP. However, when you're using mailx, you're bypassing SMTP and injecting the mail directly. The same goes for the php script - it's not using SMTP, it's using the local mail agent on the local machine. Usually you do want that agent to be able to send mail, since it's the program used by e.g. cron to send information about problems occurring on the server.
As far as I know you can't require authentication from mails sent using sendmail/postdrop/mailx, but you can restrict who is allowed to use it, using authorized_submit_users. The default there is "anyone"; you can replace it with a list of usernames or a lookup. So if you want root to be able to send mails (which is certainly recommended!), but nobody else, the line would be
There's more information at the postfix docs
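A log audit that follows from the answer above, added here as an example and not part of the original answer: it correlates postfix/pickup entries (local sendmail/mailx/PHP mail() submissions, which carry a uid) with later outbound postfix/smtp deliveries, so you can see which local accounts actually inject mail before restricting authorized_submit_users. The log lines are constructed in the format shown in the question (example domains and addresses), and short hexadecimal queue IDs are assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the question.
SAMPLE_LOG = """\
May 16 10:58:21 mx3 postfix/pickup[10232]: D9634C00B1: uid=0 from=<root>
May 16 10:58:21 mx3 postfix/cleanup[10273]: D9634C00B1: message-id=<20130516085821.D9634C00B1@mx3.example.org>
May 16 10:58:21 mx3 postfix/qmgr[10233]: D9634C00B1: from=<root@example.org>, size=275, nrcpt=1 (queue active)
May 16 10:58:22 mx3 postfix/smtp[10274]: D9634C00B1: to=<chris@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=0.68, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BCA917F9A7)
May 16 11:02:03 mx3 postfix/smtpd[10301]: E1A2B3C4D5: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
May 16 11:02:04 mx3 postfix/smtp[10274]: E1A2B3C4D5: to=<bob@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
May 16 11:05:40 mx3 postfix/pickup[10232]: F00DCAFE01: uid=33 from=<www-data>
May 16 11:05:41 mx3 postfix/smtp[10274]: F00DCAFE01: to=<x@example.com>, relay=mx.example.com[203.0.113.9]:25, delay=0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
May 16 11:05:41 mx3 postfix/local[10290]: F00DCAFE01: to=<root@mx3.example.org>, relay=local, delay=0.1, dsn=2.0.0, status=sent (delivered to mailbox)
"""

# Assumes short (hexadecimal) queue IDs, as in the question's log.
LINE = re.compile(r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
UID = re.compile(r"\buid=(\d+)")
RCPT = re.compile(r"\bto=<([^>]*)>.*\bstatus=(\w+)")

def local_submissions(log_text):
    """Return {uid: [(queue_id, recipient, status), ...]} for mail that entered
    through pickup (sendmail/mailx/PHP mail()) and left through the smtp client."""
    uid_of = {}                       # queue id -> uid that submitted it locally
    report = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.group("daemon", "qid", "rest")
        if daemon == "pickup":        # local injection, never passes smtpd restrictions
            u = UID.search(rest)
            if u:
                uid_of[qid] = int(u.group(1))
        elif daemon == "smtp" and qid in uid_of:   # outbound delivery of a local submission
            r = RCPT.search(rest)
            if r:
                report[uid_of[qid]].append((qid, r.group(1), r.group(2)))
    return dict(report)

if __name__ == "__main__":
    for uid, sent in sorted(local_submissions(SAMPLE_LOG).items()):
        for qid, rcpt, status in sent:
            print(f"uid={uid} queue={qid} to={rcpt} status={status}")
```

Mail that arrived over SMTP with SASL (the smtpd entry for alice in the sample) is deliberately left out, since it already went through smtpd_recipient_restrictions; only uids that show up here are affected by authorized_submit_users.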