How to: POSTFIX disable relay / forwarding (mail security) redhat 5.1
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
How to: POSTFIX disable relay / forwarding (mail security) redhat 5.1
Thanks in advance! (Redhat Enterprise 5.1, new installation.)
I am seeking the full sequence of edits to main.cf and/or other files to disable the relay of all mail through my postfix installation. Please consider me a rank novice in need of all the details, except that I have no trouble editing files in emacs or vi.
I am also seeking pointers to software that will allow me to test for security holes in the mail service, specifically spam forwarding.
I work in an environment that is generally hostile to unix, but I prefer to work under unix as long as possible. Understandably our systems people are VERY concerned that spam will be routed through my box. I am faced with either shutting down mail service and losing all the mail from around the world to email addresses I have used for ten years+, or getting the security problems solved.
I want to get simple mail to and from the outside world and my local box for a small set of local users. Every other feature should be disabled.
Unfortunately, it seems I may not have been able to stop the routing of email to the local subnet, and I am not even certain if this is what I want to do, or all that I need to do.
Postfix was installed FOR me (I believe "straight out of the box"), and I have only used sendmail before. Now after it was installed, I am getting complaints that...
"Your server is mis-configured to allow anyone from within [our subnet] to use you as an open relay and freely send e-mail messages (the number one reason we do not allow users to run their own mail server). Please close this and allow only the localhost to do so as this can greatly facilitate spamming and other security issues."
Among other things, here is what I have attempted...
In main.cf I have set the following, then reloaded postfix, and also stopped/started postfix:
I've just gone through this process on my own Postfix server and locked it down (hopefully) to require TLS or SSL (depending on the email client) for sending and receiving emails. I'm using Dovecot IMAP server (IMAPS only) so maybe some of my settings aren't what you need (Dovecot is the default for RHEL 5.1 so it should be OK).
Anyway, here's what I did.
Generate a certificate (if you don't already have one) for Dovecot and Postfix to share. Go to /etc/pki/tls/certs and run "make" to create your certificate. Visit http://wiki.dovecot.org/SSL to learn how to create your own cerificate.
You'll see here changes to smtpd_client_restrictions which permit local and sasl authenticated users, and reject spam using several dsbl servers. Using saslauthd for authentication requires you to create the sasl user database and contents using "saslpasswd2". Other readers may have better alternatives to this.
Commands to start saslauthd and make sure it starts at boot time are:-
Code:
chkconfig saslauthd on
service saslauthd start
Changes to master.cf (added after the existing smtp line):-
Code:
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_security_options=noanonymous
This opens port 465 for Outlook & Outlook Express users to use, because these email clients prefer wrapped SSL rather than TLS. It also removes the noplaintext limitation imposed on port 25 in main.cf.
I hope I've not left anything out, but I can confirm that my server is working well using secure connections. I've tested it using Outlook, Outlook Express and Thunderbird email clients (Win & Linux). Outlook needs to use port 465 for sending emails, because it refused to play by the "noplaintext" rules I set for port 25. This was the whole reason for the changes to master.cf and running smtps without the noplaintext setting. Thunderbird seems happy to use either port.
The key setting for you is "mynetworks". Out of the box, postfix should only allow clients on these IPs to relay through it. You probably have it set to relay from any machine on the subnets that your NIC(s) is/are on.
That certainly fits with the quote you posted (although that's hardly an open relay - at least you know who's sending internal "spam").
The "mynetworks" fix seems to have made the network security people happy, although I still do not have the test they run in hand. For some reason I seem to have had the syntax wrong before in copying the main.cf commented-out example with two ip addresses. Note that on my system, the "mynetworks_style = host" ultimately seems to be producing at least similar results, now, as well.
So, excellent!
The TLS/SSL example is something that I will play with at my own pace now that basic mail service is established, and I very much look forward to "getting" it fully because this will have other benefits as well.
Please accept my gratitude for getting me safely back in contact with the world.
-MS
Note: in case anyone has two-cents' worth to add, given the hyper-sensitivity about security and spam in our current environment, I wonder what the merit is of having relay enabled by default? I am not clear on why my mail program should take on the responsibility of relaying mail?
Postfix isn't an open relay by default - typically it will only allow relaying from your subnet. Since this would typically be a private address, and you firewall should stop any traffic from the big bad world perporting to have a private class address, the only relaying should be by internal machines. If they are sending spam, you've got a bigger problem than your postfix server.
That's my 1c
Edit
I note that the default for mynetwork_style is subnet, so even if you had a public IP, only 253 other machines could spam through you.
Last edited by billymayday; 05-20-2008 at 10:26 PM.
I believe that the local subnet is what they were complaining about. But, I know, for example, that at least one of the unix machines has about 19,000 users, so unless I am missing something, I can see that subnet spam is still a problem.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.