
Re: virtual_alias_domains accept mail for unknown domain

  • Victor Duchovni
    Message 1 of 8, Oct 5, 2006
      On Thu, Oct 05, 2006 at 10:21:03AM +0700, beast wrote:

      > >> check_recipient_access hash:/etc/postfix/local_domains,
      > >>
      > >
      > > This likely permits the domain(s) in question. See
      > > access(5).
      >
      > Correct, it contains all (acceptable) local domains as well as :
      > example.com OK

      access(5) by default does parent domain matching, but you have a much
      deeper problem.

      > Do I need to remove smtpd_access_maps from
      > parent_domain_matches_subdomains, what would be the effect other than I
      > need to explicitly put a dot to match the subdomains?

      No, you need to stop allowing relay access by sender address on an
      MTA reachable via the public Internet. Your server is an open relay.

      > >> check_sender_access ldap:outbound_restriction,
      > >>
      > >
      > > This MUST not contain any "OK" rules, or you are an open relay,
      > > but since it is pointless (given the "reject" below) unless
      > > it does contain "OK" rules, it is wrong either way. Fix this
      > > ASAP.
      > >
      > root# postmap -q 'beast@...' ldap:outbound_restriction
      > RELAY

      Anyone forging the unobfuscated address is able to relay through your
      server.

      > This was an internal server, which only accepts mail submission using smtp
      > auth. Any user which has RELAY access will have permission to send email
      > to the internet, otherwise it will reject.
      > Did this still open a hole for open relay?

      Yes, because your server is also connected to the public Internet.

      > On the external interface, I have these config (master.cf) :
      >
      > 192.168.0.2:smtp inet n - n - - smtpd
      > -o smtpd_use_tls=no
      > -o smtpd_sasl_auth_enable=no
      > -o content_filter=viruswall:127.0.0.1:2500
      > -o smtpd_client_restrictions=
      > -o smtpd_sender_restrictions=

      These don't repair the inappropriate recipient rules. You need
      something like:

      "-o smtpd_recipient_restrictions=reject_unauth_destination"

      provided that on the external interface there are no clients that
      may legitimately submit outbound email.


      > -o disable_dns_lookups=yes
      > -o syslog_facility=local5
      > -o syslog_name=postext

      These have no effect and should be removed.

      --
      Viktor.

      Disclaimer: off-list followups get on-list replies or get ignored.
      Please do not ignore the "Reply-To" header.

      To unsubscribe from the postfix-users list, visit
      http://www.postfix.org/lists.html or click the link below:
      <mailto:majordomo@...?body=unsubscribe%20postfix-users>

      If my response solves your problem, the best way to thank me is to not
      send an "it worked, thanks" follow-up. If you must respond, please put
      "It worked, thanks" in the "Subject" so I can delete these quickly.
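The following is an added illustration, not code from the thread and not Postfix itself: a simplified Python model of how smtpd walks a restriction list (first restriction that returns a decision wins) and how access(5) does parent-domain matching. The tables, the destination set and the address `beast@example.com` (standing in for the obfuscated one above) are constructed assumptions. It shows why the chain discussed in the thread relays for anyone who forges the RELAY-listed sender, and why `reject_unauth_destination` closes that while still accepting inbound mail for the server's own domains.

```python
# Added example (not from the thread, not Postfix code): a simplified model
# of smtpd restriction evaluation and access(5) parent-domain matching.
# All tables and addresses below are constructed.

PERMIT, REJECT = "PERMIT", "REJECT"

# check_recipient_access hash:/etc/postfix/local_domains (constructed)
LOCAL_DOMAINS = {"example.com": "OK"}
# check_sender_access ldap:outbound_restriction (constructed, the risky entry)
OUTBOUND_RESTRICTION = {"beast@example.com": "RELAY"}
# Domains this MTA is final destination for (constructed)
MY_DESTINATIONS = {"example.com"}


def access_lookup(table, address, parent_matches_subdomains=True):
    """access(5) lookup order for user@domain, simplified: full address,
    then the domain and each parent domain, then user@.  When
    smtpd_access_maps is listed in parent_domain_matches_subdomains a bare
    'example.com' key also matches subdomains; otherwise subdomains need a
    '.example.com' key."""
    user, _, domain = address.rpartition("@")
    if address in table:
        return table[address]
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if i == 0 or parent_matches_subdomains:
            if candidate in table:
                return table[candidate]
        elif "." + candidate in table:
            return table["." + candidate]
    return table.get(user + "@")


def _decide(action):
    """Map an access(5) result to an outcome; None means 'no decision yet'."""
    if action is None or action.upper() == "DUNNO":
        return None
    if action.upper() in ("OK", "RELAY"):
        return PERMIT
    return REJECT  # REJECT or an explicit 4xx/5xx reply


def check_recipient_access(table):
    return lambda authenticated, sender, recipient: _decide(access_lookup(table, recipient))


def check_sender_access(table):
    return lambda authenticated, sender, recipient: _decide(access_lookup(table, sender))


def reject(authenticated, sender, recipient):
    return REJECT


def permit_sasl_authenticated(authenticated, sender, recipient):
    return PERMIT if authenticated else None


def reject_unauth_destination(authenticated, sender, recipient):
    # Relay only to domains this server is responsible for (simplified).
    return None if recipient.rpartition("@")[2] in MY_DESTINATIONS else REJECT


def evaluate(restrictions, authenticated, sender, recipient):
    """First restriction returning a decision wins; an exhausted list permits."""
    for restriction in restrictions:
        outcome = restriction(authenticated, sender, recipient)
        if outcome is not None:
            return outcome
    return PERMIT


# The chain described in the thread: relay is granted by a forgeable sender.
THREAD_CHAIN = [check_recipient_access(LOCAL_DOMAINS),
                check_sender_access(OUTBOUND_RESTRICTION),
                reject]
# The recommendation for an interface with no legitimate submitters.
EXTERNAL_CHAIN = [reject_unauth_destination]
# A submission-style chain: only authenticated clients may relay.
SUBMISSION_CHAIN = [permit_sasl_authenticated, reject_unauth_destination]

if __name__ == "__main__":
    forged = (False, "beast@example.com", "victim@other.example")
    print("thread chain, forged sender  :", evaluate(THREAD_CHAIN, *forged))
    print("external chain, forged sender:", evaluate(EXTERNAL_CHAIN, *forged))
    print("external chain, inbound mail :",
          evaluate(EXTERNAL_CHAIN, False, "anyone@remote.example", "user@example.com"))
```

The model deliberately ignores everything Postfix does beyond the lookups discussed here (relay_domains, permit_mynetworks, the full access(5) key set), so treat it as a reading aid for the thread rather than a validator for a real configuration.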