Web Hosting Talk







Disable foreign transport in Postfix


tlsuess
06-18-2009, 08:14 PM
Hey all,

I'm just sending a message out asking if there's a way to disable any foreign (coming from outside of my server) SMTP access and restrict it to local access only? So, for example, people could use webmail and PHP for SMTP access because they are both on the server; however, any program or e-mail client can't access it.

Is there a way to do this or even have SMTP authentication? I can't seem to find it in the Postfix docs.

Thanks,
Todd

mwatkins
06-19-2009, 02:19 AM
Are you saying that your Postfix server never receives mail from the outside world? That it isn't the MX for any domain at all? Please confirm.

Re auth... Google: postfix auth

And the following link is #2: http://www.postfix.org/SASL_README.html

Personally I prefer Dovecot for pop/imap and auth. Run the following to see what choices you have:

% postconf -a
dovecot

And then follow the instructions for that auth type. In my case:

http://www.postfix.org/SASL_README.html#server_dovecot

tlsuess
06-19-2009, 12:07 PM
No, Postfix is set up to receive outside e-mail but I was wondering if there's a way to disable SMTP access to prevent spamming with my server.

mwatkins
06-19-2009, 12:24 PM
No, Postfix is set up to receive outside e-mail but I was wondering if there's a way to disable SMTP access to prevent spamming with my server.

No, you can't. The outside world *only* gets its messages to you - legitimate and Spam - via SMTP.

Messages from the outside world come to your Postfix server via the Simple Mail Transfer Protocol. SMTP. Example:

Your-user@yourdomain.com mails Becky in England (who is not one of your users).

Becky replies. That reply requires Becky's ISP's mail server to:
a) look up yourdomain.com via DNS to find out what its mail exchanger (MX) record is
b) make a connection, an SMTP connection, to your MX
c) make it past any anti-spam defences you have set up in Postfix and if successful transmit the message payload.
d) Your Postfix server completes the delivery of the message to the user's Maildir (more than likely) or hands it off to another process (such as Dovecot) to complete the delivery (not uncommon either)

Note step B. If you shut off SMTP from the outside world, you shut off all mail from the outside world, good, bad or indifferent.

I'm assuming that you aren't managing a ton of domains and a truck load of users. If this is the case I have good news for you - in that environment it is easily possible to configure Postfix so that the vast majority of Spam connections to your SMTP server (Postfix) are blocked. Shunned. Door-slammed on them.

I'm not suggesting the solution I have in mind for you is designed only for small environments - far from it. An experienced mail admin would find it possible to extend the same protection to a very large and diverse group of users; the key difference is that with a large, diverse group of users, needs are often quite different and you have to implement more user-driven choice in your solutions. In a smaller environment often you get to make all the choices for all, and that frequently makes things "easier".

Install and configure policyd-weight.

http://www.policyd-weight.org/

It is a single file Perl daemon plus a configuration file. The defaults will immediately improve your anti-spam defences. You can tune it, add more - whatever - but just get the basics in. It isn't hard to configure Postfix to use this and if you get stuck you can raise a thread here or reply to this one.

I run a number of mail servers - all Postfix - and policyd-weight is a key feature on all of them. In fact, on one server recently I disabled my spam content filters while doing an upgrade; the content filter is only used to file spam into a "Junk" folder, not for blocking, because I don't need to block spam, we get so little thanks to a well configured Postfix and policyd-weight.

In addition to policyd-weight you'll want to fine tune your Postfix setup to reject senders under certain conditions. I think that should be step two - deal with policyd-weight first. Your users, and your server, will thank you.

tlsuess
06-19-2009, 01:00 PM
Thanks very much mwatkins! I think I understand more about how Postfix works in that respect to SMTP. I thought it was more of an add-on to procmail or sendmail. ;)

I wasn't sure if this would shut off SMTP access or limit certain users since there were people who used a POP client and just typed in my SMTP address to use it for sending out spam. I firewalled their IPs. I'll check out policyd-weight and see how it works.

mwatkins
06-19-2009, 02:13 PM
Thanks very much mwatkins! I think I understand more about how Postfix works in that respect to SMTP. I thought it was more of an add-on to procmail or sendmail. ;)

Postfix is a complete replacement for sendmail, and a very good one at that. Configuring it properly does require some research and self-education to be sure, but then again, so does sendmail and Postfix is certainly easier to configure to do advanced things than sendmail is.

I wasn't sure if this would shut off SMTP access or limit certain users since there were people who used a POP client and just typed in my SMTP address to use it for sending out spam. I firewalled their IPs. I'll check out policyd-weight and see how it works.

I'm sure you are on something of a learning curve here; what you need to do is get familiar with how the pieces fit together and avoid jumping to conclusions about how one piece affects the other, particularly as it can lead those who might offer advice and support down the wrong path. Better to list symptoms and provide log snippets than offer a conclusion. There are a lot of pieces to be sure but in time you'll be a master I'm sure.

The authentication issue you hint at - are you saying that even a failed POP session grants them access? i.e. some spammer attempts a pop connect, it fails, but that opens the door to your postfix for them to send spam? Maybe you could provide some sanitized log snippets showing the relevant connections and subsequent spam sessions.

Regardless, there certainly are better auth methods than pop before smtp - do check out the Postfix docs on this.
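
Added example, not part of any post in this thread and not either poster's configuration: a Postfix main.cf fragment that keeps inbound SMTP open for mail addressed to your own domains while allowing relay only from the server itself or from SASL-authenticated clients, and that hands remaining inbound mail to policyd-weight. The loopback networks, the Dovecot socket path private/auth, and the policyd-weight listener on 127.0.0.1:12525 are assumptions; adjust them to your installation.

```conf
# /etc/postfix/main.cf (fragment; values below are assumptions, see lead-in)

# Clients trusted to relay without authenticating: this host only, so
# webmail and PHP running on the server can still submit mail.
# Weak alternative to avoid on shared networks: "mynetworks_style = subnet"
# (the default before Postfix 3.0) trusts every host on the server's subnet.
mynetworks = 127.0.0.0/8 [::1]/128

# SMTP AUTH backed by Dovecot (SASL_README, section "server_dovecot").
# Dovecot must expose its auth socket at $queue_directory/private/auth.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

# Offer AUTH only inside TLS so passwords never cross the wire in clear.
# Requires smtpd_tls_cert_file and smtpd_tls_key_file to be configured;
# without them AUTH is not offered at all.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

# Evaluated left to right for every RCPT TO; the first match decides.
#   1. local processes (webmail, PHP) may send anywhere
#   2. authenticated mail clients may send anywhere
#   3. everyone else may only deliver to domains this server is final
#      destination or configured relay for; this is what stops strangers
#      from using the server to send spam to third parties
#   4. mail that survives step 3 is scored by policyd-weight
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:12525
```

After editing, `postconf -n` shows the non-default settings actually in effect and `postfix check` reports configuration problems before you reload.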