SMTP Authentication for Local Domain in Postfix

Shahab_Vahabzadeh · August 15, 2013, 10:45am

Dear friends,
I have problem with my postfix configuration, I have enable SASL for
postfix and now authentication works well for my clients but right now
anyboy can send email from my local domain to local domain without
authentication and cause of that I have lots of attacks.
How can I force that if sender is my localdomain it must authenticate?!
Here is my postfix configuration:

main.cf:

smtpd_sasl_auth_enable = yes

smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org,
smtpd_helo_restrictions =
    permit_mynetworks,
    #reject_non_fqdn_hostname,
    reject_invalid_hostname
smtpd_sender_restriction =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access_table
    reject_unknown_sender_domain,
    reject_non_fqdn_sender
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unverified_recipient,
    reject_unauth_destination,
    check_policy_service unix:private/policy-spf,
    permit

master.cf:

smtp inet n - - - - smtpd

  -o content_filter=spamassassin
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o content_filter=spamassassin
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
spamassassin
          unix - n n - - pipe
   user=nobody argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender}
${recipient}
policy-spf unix - n n - - spawn
    user=nobody argv=/usr/bin/perl /usr/sbin/postfix-policyd-spf-perl

access_table:

mydomain.com REJECT You're not me!

Thanks

Daniel_W_Crompton · August 15, 2013, 12:46pm

Hi Shahab,

Your mistake is highlighted below, the order of *smtpd_sender_restriction* is
such that you are permitting local delivery to your network before sasl
authentication. In my config I removed it and only have it in *
smtpd_recipient_restrictions* and then only after sasl authentication has
been confirmed.

D.