I'm new to the world of mail servers and have been working on setting up my own via Postfix on Ubuntu 11.10. So far, I have SASL authentication working over TLS, so that's good; I'm worrying about security now.
In short: I want Postfix to accept all unauthenticated incoming mail, but only allow authenticated outgoing mail. This also makes me wonder if I have STARTTLS and TLS support on ports 465 and 587, do I still need to listen on port 25? Will mail servers try to deliver mail on port 587 if 25 is closed?
But back to allowing unauthenticated incoming but only authenticated outgoing: I tried adding

    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

to the smtp line in my master.cf file, but then that blocks unauthenticated incoming mail. Is there a way to only allow incoming on port 25, and leave ports 465/587 for outgoing only?
I'm not sure what good it would do, but I can post the rest of my config if necessary. Any help is greatly appreciated since I'm new to all this and it's still confusing. Thank you!
Best Answer
As you have understood, you apply options in master.cf to override options in main.cf on a per-port basis. To achieve your goal you want to place the restriction as smtpd_recipient_restrictions rather than smtpd_client_restrictions. The key is to reject_unauth_destination instead of just reject:

This prevents an unauthenticated client from sending to any domain you're not responsible for. In this context, the domains you're responsible for are more than just mydestination. See reject_unauth_destination in the manual.
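The following master.cf fragment is an added illustration (not the answerer's configuration) of the per-port split described above; the service names smtp, submission and smtps are the standard entries Postfix ships, and the TLS and SASL backend settings are assumed to already be configured in main.cf, as the question states.

```text
# Port 25: MTA-to-MTA delivery. Unauthenticated senders may deliver only to
# domains this server is responsible for (reject_unauth_destination);
# authenticated users may relay anywhere. This is the setting whose absence
# made the question's smtpd_client_restrictions=...,reject block inbound mail.
smtp       inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

# Port 587: submission only. Require STARTTLS before AUTH is offered, then
# accept mail from authenticated users only; every other client is rejected.
submission inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# Port 465: same policy as 587, but TLS wraps the whole session (implicit TLS)
# instead of being negotiated with STARTTLS.
smtps      inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

Port 25 must stay open: other mail servers deliver only to port 25 and do not fall back to 587 or 465, which exist for client submission. Note that a -o value in master.cf must not contain whitespace, so the comma-separated restriction lists are written without spaces.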