Setting up a postfix email server
When I set up an email server using postfix on ubuntu server, how do I make sure that it won't be an open relay??
Being an open relay means that you are accepting mail from unauthenticated users for domains that are not the domains you manage.
Postfix has some very simple config options to help: mynetworks and mynetworks_style between them dictate from which network addresses messages to any destination will be accepted. mydestination is used to specify which domains are domains that you manage (ie that you should accept messages for because they're yours).
So the very simplest setup looks like:
mydomain = yourexampledomain.com
mydestination = $myhostname, $mydomain
mynetworks = 127.0.0.1/32
smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination
This will accept mail only:
- for myexampledomain.com and for the hostname of the host itself, from any machine that can reach your mail server
- from any client on the mail server (127.0.0.1/32), for any host, anywhere.
and will reject anything else.
That is the most basic setup I can come up with. You need to read the entries for mydomain, mydestination, mynetworks{_style} in postconf(5).
If you need to be able to accept mail from clients by any other criterion than network, such as say username and password or kerberos ticket, you need to read about SMTP_AUTH.
I believe you'll need to set the mynetworks_style
, mynetworks
, and relay_domains
settings in the Postfix configuration file. Basically the first two control which servers Postfix will accept mail from, and the last one controls which servers it will forward mail to. The exact settings depend on how you want your mail server configured (i.e. who is authorized to send emails through the server), but in general relay_domains
should be set to only the hostnames of the mail server itself (same as mydestinations
) and mynetworks_style
can be set to host
which means only accept emails from the local host itself.
There are some tests listed at http://articles.slicehost.com/2008/8/7/postfix-checking-for-an-open-relay that you can use to check whether your server is running an open relay. (Some of the links may be dead but I'm pretty sure at least one still works... don't remember which though)
Here's an excerpt from my server's Postfix config:
luser_relay = mydestination = $myhostname, $mydomain, localhost, localhost.$mydomain mynetworks = 127.0.0.1/32 [server's IP address]/32 mynetworks_style = host myorigin = $mydomain relay_domains = $mydestination smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/postgrey, check_policy_service unix:private/policyd-spf, reject_rbl_client sbl-xbl.spamhaus.org
Give this website this website a try. It will allow you to check that you've configured your mail server properly
Updated as the first website no longer works