[wplug] figuring out where mail sent from your box came from
Duncan Hutty
dhutty+wplug at ece.cmu.edu
Fri Nov 18 14:45:09 EST 2005
On 11/18/2005 11:14 AM, Bill Moran wrote:
> Russ Schneider <russ at sugapablo.com> wrote:
>>
>>As for an open relay, I thought I had prevented this with the following
>>line in the main.cf file:
>>
>>relay_domains = sugapablo.net, www.sugapablo.net, sony.sugapablo.net
>>
>>and out of these three, I didn't have any uncommented, so I'm not sure
>>what it was defaulting to:
>>
>>#mynetworks_style = class
>>#mynetworks_style = subnet
>>#mynetworks_style = host
>
>
> Host makes the most sense, and I believe it's the default.
>
> However, none of these will be used unless your restrictions are set up
> to use them. What do config options of the form *_restrictions = say
> in your configuration?

mynetworks = 127.0.0.0/8, 192.168.0.0/16
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

are the two settings that I usually use.

From the docs (http://www.postfix.org/postconf.5.html):
mynetworks 'The list of "trusted" SMTP clients that have more privileges
than "strangers". In particular, "trusted" SMTP clients are allowed to
relay mail through Postfix.'

mynetworks overrules a mynetworks_style parameter so you don't have to
worry about it. Instead, you're explicitly stating for which networks
postfix will relay mail, in this case localhost (127.) and the entire
(private) /16, 192.168. which is useful for a typical, NAT'ed behind a
router local network where the router forwards port 25 connections from
the internet to the mail server.

If the mail server itself is on a public IP address and hidden on a
private network, you will want to include instead the (apparent) IP
address(es) for any of your own machines that generate outgoing mail
that you want to send through this mail server.

Between these 2 lines, I have told postfix to deliver mail that is
either a) generated "locally" (i.e. as defined by mynetworks) or b)
destined "locally" (i.e. as defined by "match $inet_interfaces or
$proxy_interfaces, $mydestination, $virtual_alias_domains, or
$virtual_mailbox_domains."). relay_domains will allow you to accept and
deliver mail for certain other remote domains.

Once you get the hang of this, and you've done it a few times, it seems
a lot easier - at least until you need a complex setup.

>
> It's fairly easy to accidentally set up your restrictions so it doesn't
> do what you think. Once you've got it set up, you should always use
> some sort of external test to ensure that it's actually working as you
> want.
>

Here's an automatic tester: http://www.abuse.net/relay.html

> You'll need to check the logs to ensure that there aren't any web forms
> being abused. It's fairly easy to misprogram a web form and allow people
> to relay mail via your web server.
>
--
Duncan Hutty
System Administrator, ECE
Carnegie Mellon University
Please use informative subject lines