kvaps / docker-kolab

Kolab image with nginx, ssl, opendkim, amavis and fail2ban
MIT License

Postfix spam / relay #19

Open danbo opened 8 years ago

danbo commented 8 years ago

I gave this image a test drive in the wild and I can see that it's accepting relaying to other domains. My theory, based on the postfix config file, is that this is due to any emails that pass the spam filter, because it is then localhost that sends it from there and anything is accepted from localhost.

I think, in main.cf, the restrictions need to be modified to put permit_mynetworks below reject_unauth_destination for smtpd_recipient_restrictions and to be safe, probably also add smtpd_relay_restrictions with the same.

This should ensure that before trusting localhost to do anything, it must be a valid destination, i.e. the domain(s) Kolab is set up to use.

After making this change, I can see a lot of relay reject messages instead of sent (as expected) for domains that don't match my Kolab domain.

I do however now also see a lot of "connect to milter service: inet:localhost:8891: connection refused" and am not sure if it is a result of this policy change, and not sure how to confirm it without reverting postfix to a semi-open relay.

Here are my restrictions for reference, maybe you can validate?

main.cf

submission_sender_restrictions = reject_non_fqdn_sender, check_policy_service unix:private/submission_policy, permit_sasl_authenticated, reject

submission_recipient_restrictions = check_policy_service unix:private/submission_policy, permit_sasl_authenticated, reject

submission_data_restrictions = check_policy_service unix:private/submission_policy

smtpd_recipient_restrictions = reject_unauth_destination, reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org, reject_non_fqdn_recipient, reject_invalid_helo_hostname, reject_unknown_recipient_domain, check_policy_service unix:private/recipient_policy_incoming, permit_mynetworks, reject

smtpd_sender_restrictions = permit_mynetworks, check_policy_service unix:private/sender_policy_incoming

smtpd_relay_restrictions = reject_unauth_destination, permit_mynetworks, permit_sasl_authenticated
# defer_unauth_destination
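The ordering problem described in this report (a permit_* entry evaluated before reject_unauth_destination, so every client matching the permit may relay anywhere) can be checked mechanically. The following is an added example, not code from the docker-kolab image or from the poster: a small Python lint that parses main.cf-style text (comment lines, continuation lines) and flags smtpd_recipient_restrictions / smtpd_relay_restrictions lists where a permit_* entry precedes reject_unauth_destination or defer_unauth_destination, or where no such guard exists at all. The two embedded configurations are constructed for illustration; the function names are my own.

```python
"""Lint Postfix restriction lists for permit-before-reject_unauth_destination.

Added example with constructed main.cf fragments; not part of the docker-kolab
project. Only the ordering rule is checked; postconf -n remains the authority
for what Postfix actually uses.
"""
import re

# Parameters that decide whether a client may relay to non-local destinations.
RELAY_PARAMS = ("smtpd_recipient_restrictions", "smtpd_relay_restrictions")
# Entries that stop unauthorised relaying; one must appear before any permit_*.
RELAY_GUARDS = ("reject_unauth_destination", "defer_unauth_destination")

# Constructed "before" config: permit_mynetworks is tested first, so mail
# re-injected from 127.0.0.1 (e.g. by a content filter) is relayed anywhere.
OPEN_RELAY_CF = """
# constructed example, not a real deployment
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    reject
"""

# Constructed "after" config: the guard is evaluated before the permits.
FIXED_CF = """
smtpd_recipient_restrictions = reject_unauth_destination, reject_unauth_pipelining,
    permit_mynetworks, reject
smtpd_relay_restrictions = reject_unauth_destination, permit_mynetworks,
    permit_sasl_authenticated
"""


def parse_main_cf(text):
    """Parse main.cf text into {parameter: value}.

    Lines starting with '#' in column 0 are comments; lines starting with
    whitespace continue the previous parameter's value (Postfix semantics).
    """
    params = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()
            continue
        if "=" not in raw:
            continue  # not an assignment; ignore
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def restriction_list(value):
    """Split a restriction list on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def find_relay_issues(params):
    """Return human-readable findings for relay-control parameters."""
    issues = []
    for name in RELAY_PARAMS:
        if name not in params:
            continue
        tokens = restriction_list(params[name])
        guard_idx = next((i for i, t in enumerate(tokens) if t in RELAY_GUARDS), None)
        permits = [i for i, t in enumerate(tokens) if t.startswith("permit_")]
        if guard_idx is None and permits:
            issues.append(f"{name}: permit_* present but no reject/defer_unauth_destination")
            continue
        for i in permits:
            if guard_idx is not None and i < guard_idx:
                issues.append(
                    f"{name}: {tokens[i]} evaluated before {tokens[guard_idx]} "
                    "(open relay for matching clients)"
                )
    return issues


if __name__ == "__main__":
    for label, cf in (("before", OPEN_RELAY_CF), ("after", FIXED_CF)):
        findings = find_relay_issues(parse_main_cf(cf))
        print(label, "->", findings or "no relay ordering issues")
```

Feed it the output of `postconf -n` (which already has comments and defaults resolved) rather than the raw file when in doubt; the parser is tolerant of both. The lint does not model reject_unauth_destination's own logic (relay_domains, mydestination, and friends), only the position of the guard relative to the permits.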

kvaps commented 8 years ago

Hi, thanks for the issue, I will fix this in the next v16 release. I am currently working on it, please understand and wait some more.

danbo commented 7 years ago

I finally got to the bottom of my "milter service: inet:localhost:8891" issues, which were specific to a change I made that was NOT related to this issue.