Web Hosting Talk






PDA

View Full Version : Securing postfix / relaying

gandmasti.com
03-19-2001, 07:56 AM
Hi,

Any ideas on how I can secure postfix so that people who have logged in via POP can send their mail using my server?

Shri
webfors
03-25-2001, 07:08 PM
Directly from http://postfix.org/faq.html:

--------------------------
Relaying mail for mobile users
I have Postfix setup on a machine but I'd like to have a select group of Internet users be able to relay mail through it. I'd either like to base the relaying on IP address (e.g., a 256-block for dynamic IP people) or on hostname (whatever.dialup.isp.com)
The most preferable way is to have users submit mail via some authenticated protocol instead of plain old SMTP.

The next best way is to use plain old SMTP and to authenticate the user first, for example, with a "please login via POP before using SMTP" scheme. In that case, some software maintains a Postfix-compatible access table with client IP address information. In order to make this work you need Postfix version 19991231 or later.


/etc/postfix/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks
check_client_access hash:/etc/postfix/client_access
check_relay_domains

/etc/postfix/client_access:
4.3.2.1 OK
5.4.3.2 987654321

Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what map types Postfix supports, use the command postconf -m.

N.B. Some non-Postfix software such as DRAC uses btree files instead of hash files. In that case, you will have to adjust the above check_client_access restriction accordingly.

A less preferable way is based on client IP address (for example, a 256-block) or DNS hostname (for example, whatever.pop.isp.com). This scheme does not authenticate the user. If you use IP/DNS-based relay access control, pray that no customer with that same ISP points their spam software at your machine, or else you may end up on internet-wide black lists.

The least preferable way is based on the sender address. It is trivially easy to spoof by anyone who ever received mail from your site. If you use sender address access control, pray that no spammer ever finds out the address of your users.


/etc/postfix/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks
check_client_access hash:/etc/postfix/client_access
check_sender_access hash:/etc/postfix/sender_access
check_relay_domains

/etc/postfix/client_access:
11.22.33 OK
dialup.isp.com OK

/etc/postfix/sender_access:
joe@my.domain OK
blow@my.domain OK


--------------------------------------------------------------------------------

:)