postfix : how to prevent open relay?

Ananda Raj Pandey

Postfix by default installation allows emails can be sent without authentication. So anyone can send email with any email address using postfix server with default settings. This will allow spammers to use your servers to send emails and even malware /virus. Receiver will see your server as the MTA and will result ip in spam list.

There are three main curtial settings in /etc/postfix/main.cf:

smtpd_sender_restrictions: Restrict sender for sending email only if given criteria matched. Best two options are reject_unknown_sender_domain and permit_sasl_autheticated. Which only allows domains in your servers are allowed to send emails and authentication is required to send email. You can also add more options as below:

smtpd_sender_restrictions =
        reject_sender_login_mismatch,
        reject_non_fqdn_sender,
        reject_unlisted_sender,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_unknown_sender_domain,
    reject_unauth_pipelining

smtpd_recipient_restrictions: This options allow to filter incoming emails based on criteria which will help to minimize spam emails: Some of the important options are: reject_non_fqdn_recipient, reject_unlisted_reciepient, permit_sasl_authenticated and reject_invalid_hostname. More options can be added as follows.

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unlisted_recipient
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_invalid_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining

smtpd_relay_restrictions: Prevent others to use your server to send emails. Most important setting is permit_sasl_authenticated. More options can be added as follows: 

 smtpd_relay_restrictions = permit_mynetworks, 
        permit_sasl_authenticated,
        reject_unauth_destination

You can also force authentication by uncometing following option in /etc/postfix/master.cf

-o smtpd_relay_restrictions=permit_sasl_authenticated,reject

For more information visit: http://www.postfix.org/SMTPD_ACCESS_README.html

Leave a comment