Thanks in advance! (Redhat Enterprise 5.1, new installation.)

I am seeking the full sequence of edits to main.cf and/or other files to disable the relay of all mail through my postfix installation. Please consider me a rank novice in need of all the details, except that I have no trouble editing files in emacs or vi.

I am also seeking pointers to software that will allow me to test for security holes in the mail service, specifically spam forwarding.

I work in an environment that is generally hostile to unix, but I prefer to work under unix as long as possible. Understandably our systems people are VERY concerned that spam will be routed through my box. I am faced with either shutting down mail service and losing all the mail from around the world to email addresses I have used for ten years+, or getting the security problems solved.

I want to get simple mail to and from the outside world and my local box for a small set of local users. Every other feature should be disabled.

Unfortunately, it seems I may not have been able to stop the routing of email to the local subnet, and I am not even certain if this is what I want to do, or all that I need to do.

Postfix was installed FOR me (I believe "straight out of the box"), and I have only used sendmail before. Now after it was installed, I am getting complaints that...

"Your server is mis-configured to allow anyone from within [our subnet] to use you as an open relay and freely send e-mail messages (the number one reason we do not allow users to run their own mail server). Please close this and allow only the localhost to do so as this can greatly facilitate spamming and other security issues."



Among other things, here is what I have attempted...

In main.cf I have set the following, then reloaded postfix, and also stopped/started postfix:

mynetworks_style = host

The change seems to have taken hold:

> /usr/sbin/postconf | grep style
/usr/sbin/postconf | grep style
mynetworks_style = host
>

I am not whether this is what I am after, however.

Any step-by-step tips to locking down this mail service will be most appreciated!

-MS



Notes:

Here are other settings that might be relevant:

inet_interfaces = all
proxy_interfaces =
mydestination = $myhostname, localhost.$mydomain, localhost
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = $virtual_maps
(No listing for virtual_maps)
virtual_mailbox_domains = $virtual_mailbox_maps
virtual_mailbox_maps =

Hi,

I've just gone through this process on my own Postfix server and locked it down (hopefully) to require TLS or SSL (depending on the email client) for sending and receiving emails. I'm using Dovecot IMAP server (IMAPS only) so maybe some of my settings aren't what you need (Dovecot is the default for RHEL 5.1 so it should be OK).

Anyway, here's what I did.

Generate a certificate (if you don't already have one) for Dovecot and Postfix to share. Go to /etc/pki/tls/certs and run "make" to create your certificate. Visit http://wiki.dovecot.org/SSL to learn how to create your own cerificate.

Changes to main.cf:-You'll see here changes to smtpd_client_restrictions which permit local and sasl authenticated users, and reject spam using several dsbl servers. Using saslauthd for authentication requires you to create the sasl user database and contents using "saslpasswd2". Other readers may have better alternatives to this.

Commands to start saslauthd and make sure it starts at boot time are:-Changes to master.cf (added after the existing smtp line):-This opens port 465 for Outlook & Outlook Express users to use, because these email clients prefer wrapped SSL rather than TLS. It also removes the noplaintext limitation imposed on port 25 in main.cf.

I hope I've not left anything out, but I can confirm that my server is working well using secure connections. I've tested it using Outlook, Outlook Express and Thunderbird email clients (Win & Linux). Outlook needs to use port 465 for sending emails, because it refused to play by the "noplaintext" rules I set for port 25. This was the whole reason for the changes to master.cf and running smtps without the noplaintext setting. Thunderbird seems happy to use either port.

The key setting for you is "mynetworks". Out of the box, postfix should only allow clients on these IPs to relay through it. You probably have it set to relay from any machine on the subnets that your NIC(s) is/are on.

That certainly fits with the quote you posted (although that's hardly an open relay - at least you know who's sending internal "spam").

See http://www.postfix.org/postconf.5.html#mynetworks

To restrict to local machine only

mynetworks = 127.0.0.0/8

Thanks very much to blacky5251 and billmayday.

The "mynetworks" fix seems to have made the network security people happy, although I still do not have the test they run in hand. For some reason I seem to have had the syntax wrong before in copying the main.cf commented-out example with two ip addresses. Note that on my system, the "mynetworks_style = host" ultimately seems to be producing at least similar results, now, as well.

So, excellent!

The TLS/SSL example is something that I will play with at my own pace now that basic mail service is established, and I very much look forward to "getting" it fully because this will have other benefits as well.

Please accept my gratitude for getting me safely back in contact with the world.

-MS

Note: in case anyone has two-cents' worth to add, given the hyper-sensitivity about security and spam in our current environment, I wonder what the merit is of having relay enabled by default? I am not clear on why my mail program should take on the responsibility of relaying mail?

Postfix isn't an open relay by default - typically it will only allow relaying from your subnet. Since this would typically be a private address, and you firewall should stop any traffic from the big bad world perporting to have a private class address, the only relaying should be by internal machines. If they are sending spam, you've got a bigger problem than your postfix server.

That's my 1c

Edit

I note that the default for mynetwork_style is subnet, so even if you had a public IP, only 253 other machines could spam through you.

I believe that the local subnet is what they were complaining about. But, I know, for example, that at least one of the unix machines has about 19,000 users, so unless I am missing something, I can see that subnet spam is still a problem.

Thanks again!