Is there a way to make the outgoing (SMTP) server require authentication before sending email, so that only users on my server have access to it?
Wed, 08/01/2012 - 14:47
Here are the correct lines to have in your /etc/postfix/main.cf to limit SMTP traffic to authenticated hosts:
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
### Checks to remove badly formed email
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/var/lib/pop-before-smtp/hosts, reject_unauth_destination
The last line (smtpd_recipient_restrictions) is incomplete but I have several custom routines that I add after the reject_unauth_destination field that don't need to be shared. You can Google for a more "standard" complete listing of fields for this function.
After adding these lines and reloading postfix, go to mxtoolbox.com and have it run the mail server tests on your IP/domain. It will confirm whether you are still an open relay (you have missed something) or whether your server is secure (SMTP Auth is working).
Hope this helps.
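An offline check of the relay-related settings from the answer above, as an added example that is not part of the original post or of Postfix itself. It assumes relaying is controlled only through smtpd_recipient_restrictions, as in the answer, and does not consider smtpd_relay_restrictions (Postfix 2.10 and later); the function names and the GOOD/BAD samples are constructed for illustration.

```python
import re

def parse_main_cf(text):
    """Parse main.cf text into {name: value}; a later setting overrides an earlier one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank and comment lines are skipped
        if raw[0].isspace():              # leading whitespace continues the previous line
            if current:
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def audit_relay(text):
    """Return a list of findings; an empty list means every check below passed."""
    p, findings = parse_main_cf(text), []
    if p.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes: clients cannot authenticate")
    # Postfix defaults smtpd_sasl_security_options to noanonymous when it is unset.
    if "noanonymous" not in p.get("smtpd_sasl_security_options", "noanonymous"):
        findings.append("smtpd_sasl_security_options lacks noanonymous")
    rules = [t for t in re.split(r"[,\s]+", p.get("smtpd_recipient_restrictions", "")) if t]
    if "reject_unauth_destination" not in rules:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
        return findings
    before = rules[:rules.index("reject_unauth_destination")]
    if "permit" in before:
        findings.append("bare permit comes first: reject_unauth_destination is never reached")
    if "permit_sasl_authenticated" not in before:
        findings.append("permit_sasl_authenticated must precede reject_unauth_destination")
    return findings

# Constructed samples: GOOD mirrors the settings in the answer, BAD is a broken variant.
GOOD = """smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_client_access hash:/var/lib/pop-before-smtp/hosts, reject_unauth_destination
"""
BAD = """smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_relay(sample) or "no findings")
```

To check a live server, pass the file contents in, for example audit_relay(open("/etc/postfix/main.cf").read()); an external relay test is still needed to confirm the running behaviour.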
Copyright © 2020, Easy Hosting Control Panel