On Thu, Oct 05, 2006 at 10:21:03AM +0700, beast wrote:
> >> check_recipient_access hash:/etc/postfix/local_domains,
> > This likely permits the domain(s) in question. See
> > access(5).
> Correct, it contains all (acceptable) local domains as well as:
> example.com OK
access(5) by default does parent domain matching, but you have a much
> Do I need to remove smtpd_access_maps from
> parent_domain_matches_subdomains? What would be the effect, other than that I
> need to explicitly put a dot in front to match the subdomains?
No, you need to stop allowing relay access by sender address on an
MTA reachable via the public Internet. Your server is an open relay.
> >> check_sender_access ldap:outbound_restriction,
> > This MUST not contain any "OK" rules, or you are an open relay,
> > but since it is pointless (given the "reject" below) unless
> > it does contain "OK" rules, it is wrong either way. Fix this
> > ASAP.
> root# postmap -q 'beast@...' ldap:outbound_restriction
Anyone forging the unobfuscated address is able to relay through your
> This was an internal server, which only accepts mail submission using SMTP
> auth. Any user who has RELAY access will have permission to send email
> to the Internet; otherwise it will be rejected.
> Does this still open a hole for open relay?
Yes, because your server is also connected to the public Internet.
> On the external interface, I have this config (master.cf):
> 192.168.0.2:smtp inet n - n - - smtpd
>     -o smtpd_use_tls=no
>     -o smtpd_sasl_auth_enable=no
>     -o content_filter=viruswall:127.0.0.1:2500
>     -o smtpd_client_restrictions=
>     -o smtpd_sender_restrictions=
These don't repair the inappropriate recipient rules. You need
provided that on the external interface there are no clients that
may legitimately submit outbound email.
>     -o disable_dns_lookups=yes
>     -o syslog_facility=local5
>     -o syslog_name=postext
These have no effect and should be removed.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
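The relay hole discussed in the message above, worked through as an added example that is not part of the original thread or of Postfix itself. The script is a toy model of how smtpd walks a restriction list (first non-DUNNO verdict wins, an exhausted list permits) and of the access(5) lookup order (full address, then domain and parent domains, then "user@"). The map contents, client addresses and domain names are constructed for the demonstration; the table names stand in for the hash:/etc/postfix/local_domains and ldap:outbound_restriction maps from the thread. The example also shows the parent-domain matching difference the poster asked about (bare "example.com" versus ".example.com" keys).

```python
# Added example: toy model of Postfix smtpd restriction evaluation and
# access(5) lookups. Not Postfix code; all names and table contents are
# constructed for the demonstration.
import ipaddress

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"


def access_lookup(table, address, parent_matches_subdomains=True):
    """Look up an email address in an access(5)-style table (a dict).

    Order modelled on access(5): the full address, then the domain and its
    parent domains, then the bare local part as "user@". When
    smtpd_access_maps is listed in parent_domain_matches_subdomains a bare
    'example.com' key also matches subdomains; otherwise the key must be
    written as '.example.com' to match them.
    """
    address = address.lower()
    local, _, domain = address.partition("@")
    if address in table:
        return table[address]
    labels = domain.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        key = parent if (i == 0 or parent_matches_subdomains) else "." + parent
        if key in table:
            return table[key]
    return table.get(local + "@")


def _to_verdict(action):
    """Map an access table action (OK, REJECT, 5xx text, DUNNO) to a verdict."""
    if action is None:
        return DUNNO
    word = action.split()[0].upper()
    if word == "OK":
        return PERMIT
    if word == "REJECT" or word[:1] in "45":
        return REJECT
    return DUNNO


# Restrictions take the session context and return PERMIT, REJECT or DUNNO.
def permit_mynetworks(ctx):
    client = ipaddress.ip_address(ctx["client"])
    return PERMIT if any(client in net for net in ctx["mynetworks"]) else DUNNO


def permit_sasl_authenticated(ctx):
    return PERMIT if ctx["sasl_user"] else DUNNO


def check_sender_access(table):
    return lambda ctx: _to_verdict(access_lookup(table, ctx["sender"]))


def check_recipient_access(table):
    return lambda ctx: _to_verdict(access_lookup(table, ctx["recipient"]))


def reject_unauth_destination(ctx):
    rcpt_domain = ctx["recipient"].partition("@")[2].lower()
    return DUNNO if rcpt_domain in ctx["local_domains"] else REJECT


def evaluate(restrictions, ctx):
    """First restriction that does not answer DUNNO decides; if the list is
    exhausted the result is PERMIT, which is what smtpd does."""
    for restriction in restrictions:
        verdict = restriction(ctx)
        if verdict != DUNNO:
            return verdict
    return PERMIT


# Constructed stand-ins for the thread's hash:/etc/postfix/local_domains
# and ldap:outbound_restriction maps.
LOCAL_DOMAINS_MAP = {"example.com": "OK"}
OUTBOUND_MAP = {"beast@example.com": "OK"}   # "users with RELAY access"


def broken_restrictions():
    """smtpd_recipient_restrictions as described in the thread."""
    return [permit_mynetworks, permit_sasl_authenticated,
            check_recipient_access(LOCAL_DOMAINS_MAP),
            check_sender_access(OUTBOUND_MAP),
            reject_unauth_destination]


def fixed_restrictions():
    """No sender-address OK: relaying requires mynetworks or SASL auth."""
    return [permit_mynetworks, permit_sasl_authenticated,
            check_recipient_access(LOCAL_DOMAINS_MAP),
            reject_unauth_destination]


def session(client="203.0.113.7", sasl_user=None, sender="beast@example.com",
            recipient="victim@elsewhere.example"):
    """Constructed session: by default an Internet client forging a
    privileged sender and asking to relay to a non-local recipient."""
    return {"client": client, "mynetworks": [ipaddress.ip_network("192.168.0.0/24")],
            "sasl_user": sasl_user, "sender": sender, "recipient": recipient,
            "local_domains": {"example.com"}}


if __name__ == "__main__":
    print("broken config, forged sender:", evaluate(broken_restrictions(), session()))  # PERMIT
    print("fixed config, forged sender: ", evaluate(fixed_restrictions(), session()))   # REJECT
    print("fixed config, SASL user:     ", evaluate(fixed_restrictions(), session(sasl_user="beast")))  # PERMIT
```

The forged-sender case is the one the reply calls out: nothing in MAIL FROM is authenticated, so an "OK" keyed on the sender address hands out relay permission to anyone who types that address. Dropping the sender map from the recipient restrictions leaves relaying to permit_mynetworks and permit_sasl_authenticated, and the external listener in master.cf (with smtpd_sasl_auth_enable=no) then has no path to PERMIT for a non-local recipient.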