postfix : how to prevent open relay?

Postfix by default installation allows emails can be sent without authentication. So anyone can send email with any email address using postfix server with default settings. This will allow spammers to use your servers to send emails and even malware /virus. Receiver will see your server as the MTA and will result ip in spam list.

There are three main curtial settings in /etc/postfix/main.cf:

smtpd_sender_restrictions: Restrict sender for sending email only if given criteria matched. Best two options are reject_unknown_sender_domain and permit_sasl_autheticated. Which only allows domains in your servers are allowed to send emails and authentication is required to send email. You can also add more options as below:

smtpd_sender_restrictions =
        reject_sender_login_mismatch,
        reject_non_fqdn_sender,
        reject_unlisted_sender,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_unknown_sender_domain,
    reject_unauth_pipelining

smtpd_recipient_restrictions: This options allow to filter incoming emails based on criteria which will help to minimize spam emails: Some of the important options are: reject_non_fqdn_recipient, reject_unlisted_reciepient, permit_sasl_authenticated and reject_invalid_hostname. More options can be added as follows.

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unlisted_recipient
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_invalid_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining

smtpd_relay_restrictions: Prevent others to use your server to send emails. Most important setting is permit_sasl_authenticated. More options can be added as follows:

 smtpd_relay_restrictions = permit_mynetworks, 
        permit_sasl_authenticated,
        reject_unauth_destination

You can also force authentication by uncometing following option in /etc/postfix/master.cf

-o smtpd_relay_restrictions=permit_sasl_authenticated,reject

For more information visit: http://www.postfix.org/SMTPD_ACCESS_README.html

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s