How can I disable sending mail through postfix smtp without auth
I just setup a mail server with postfix 2.6.6 and dovecot.
I have the auth related config in main.cf like below:
smtpd_tls_cert_file=/etc/httpd/ssl/mail.crt
smtpd_tls_key_file=/etc/httpd/ssl/mail.key
smtpd_use_tls=yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
Now I can send and receive emails from my domain and outside normally which is good.
However, I found that I can easily send a mail without auth from remote using telnet like below, which means someone else could easily send spam mails to my domain.
Myhost:~/ z$ telnet mail.example.com 25
Trying 232.96.23.130...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
ehlo mail.example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:[email protected]
250 2.1.0 Ok
rcpt to: [email protected]
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject:how much dust?
fdhjaklf
fdsahjk;
fdajshk
.
250 2.0.0 Ok: queued as 08B2C5883481
How can I secure postfix and disable that someone else can send mails without authentication?
Usually a mail server has two purposes:
- Allowing its users to send mail out to other mail servers on the internet. This part you have done just as you should.
- Receiving mails for the users whose domains it is supposed to serve.
If you only want your server to be used to send outgoing mails, but not to receive incoming mails, you need to change the mydestination parameter in your main.cf and remove $mydomain from it. That way it will not accept any emails addressed to your domains. There is more information at the postfix documentation site.