I want to configure postfix with inbound authentication.
For example, if this is my list of clients:
user | password
alice@alice.com | 1234
bob@bob.com | 5678
I want to serve only them and accept connections only from them.
The use-case is: Alice wants to send a mail to someone@gmail.com and pass through my MTA.
Alice opens a connection to my postfix (MAIL FROM: alice@alice.com, RCPT TO: someone@gmail.com),
and somewhere in the middle I want Alice to identify with her password 1234.
How can I force it using postfix configurations?
You need to define smtpd_recipient_restrictions.
master.cf:
smtpd pass - - - - - smtpd
  -o smtpd_recipient_restrictions=auth
main.cf:
smtpd_restriction_classes = auth
auth = permit_sasl_authenticated,reject
These snippets are just very basic examples. Please read the Postfix documentation to get an idea of how the authentication works.
Related
I have postfix and opendkim working on my server (Ubuntu 16.04), but postfix does not sign all mails with DKIM.
If I send a mail from the server with:
echo "test email" | sendmail check-auth@verifier.port25.com
I get a response that says DKIM check: pass, because the mail has a DKIM-Signature. I tried sending mails to my gmail account by this method and those mails have a DKIM-Signature too.
But when I try to send mails using Thunderbird or something similar, the mails have no DKIM-Signature.
The server only has one domain and the following configuration:
/etc/postfix/main.cf:
[...]
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
/etc/opendkim.conf:
[...]
SOCKET inet:8891@localhost
UserID opendkim
KeyTable /etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
/etc/opendkim/key.table:
example.com example.com:default:/etc/dkimkeys/dkim.key
/etc/opendkim/signing.table:
*@example.com example.com
I looked in mail.log, mail.err and syslog but I don't see anything related, nor any errors.
I'm checking different configurations. I can send DKIM-signed mails from the server with sendmail using different configurations, but I still can't send mails signed with DKIM with Thunderbird... :(
Any idea? Any place to look?
Ok, I found the problem.
Some sites say that it's necessary to put the following line in /etc/postfix/master.cf to avoid problems:
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
But that's wrong; that line prevents the mails from being signed.
In /etc/postfix/master.cf we can uncomment the following line to get port 587 working:
submission inet n - y - - smtpd
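As an added example (not code from the original post), this Python sketch parses master.cf, joins continuation lines, and lists the smtpd services whose -o overrides include no_milters, the setting identified above as stopping DKIM signing. The sample master.cf is constructed, and attaching the override to the submission service is an assumption.

```python
# Constructed sample master.cf (not from the original post).
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  y  -   -  smtpd
submission inet  n  -  y  -   -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
pickup     unix  n  -  y  60  1  pickup
"""

def parse_master_cf(text):
    """Return (service, type, command, {override: value}) per logical line."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank line or comment
        if raw[0].isspace() and logical:      # leading whitespace = continuation
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    entries = []
    for line in logical:
        fields = line.split()
        if len(fields) < 8:                   # not a complete service entry
            continue
        name, stype, command, args = fields[0], fields[1], fields[7], fields[8:]
        overrides = {}
        it = iter(args)
        for tok in it:
            if tok == "-o":                   # "-o name=value" override
                key, _, value = next(it, "").partition("=")
                overrides[key] = value
        entries.append((name, stype, command, overrides))
    return entries

def services_skipping_milters(text):
    """Names of smtpd services whose -o overrides disable milters."""
    hits = []
    for name, stype, command, overrides in parse_master_cf(text):
        opts = overrides.get("receive_override_options", "").split(",")
        if command == "smtpd" and "no_milters" in [o.strip() for o in opts]:
            hits.append(f"{name}/{stype}")
    return hits

if __name__ == "__main__":
    print(services_skipping_milters(SAMPLE_MASTER_CF))
```

Mail accepted by any service it lists never reaches the opendkim milter, so it leaves unsigned even though smtpd_milters is set in main.cf.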
We are running sendmail-8.13.4 on AIX.
I need to update the configuration and make sendmail act as a relay client only, meaning it will only be used to send mail out of the host and NOT accept mail.
Here is my client.mc config:
include(`/usr/samples/tcpip/sendmail/m4/cf.m4')
VERSIONID(`sendmail config for aix7')
OSTYPE(`aixsample')dnl
MASQUERADE_AS(`myserver.com')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`accept_unresolvable_domains')
FEATURE(`accept_unqualified_senders')
FEATURE(always_add_domain)dnl
FEATURE(`nullclient',`mail-relay.xxxx.myserver.com')dnl
define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`MAIL_HUB', `myserver.com.')dnl
define(`LOCAL_RELAY', `myserver.com.')dnl
We have an MS Exchange server, so we are basically using sendmail on a particular AIX host to forward all email to the Exchange server and let Exchange handle everything.
The above configuration works fine for sending email to recipients:
mail user@myserver.com
What I also need to do is be able to send the email by specifying only the alias part and not the domain, so if I do:
mail user (omitting the @myserver.com recipient domain part)
I want sendmail to append the @myserver.com in this situation where a domain is not given. Is this possible without maintaining some sort of alias/list file for every possible userid > userid@mydomain.com?
Thanks.
You can use the approach mentioned in sendmail FAQ 4.22: make sendmail accept SMTP connections only on the (local) loopback IP interface.
Sendmail FAQ 4.22: Why can't I receive external mail?
This can be achieved with the following lines in the sendmail.mc file used to generate the sendmail.cf file:
dnl Do not listen on msa(587) port
FEATURE(`no_default_msa')dnl
dnl Listen on IPv6 loopback address
dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
dnl Listen on IPv4 loopback address
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
My postfix server is working on a particular domain name through a relay, so it's like that:
Client sends to abs@subdomain.domain.com -> domain.com production mail server -> internal mail server on subdomain.
All messages for subdomain.domain.com are being forwarded. But the thing is, the application that I'm supporting uses the mailing system for some internal stuff, and many addresses that are CC'd when a client sends an e-mail don't exist on the subdomain mail server; they serve another purpose. When the app on the subdomain receives an e-mail, it parses the headers and uses all CC addresses in its algorithms.
Here comes the problem. When a client sends an e-mail, he'll receive as many error responses as there are fake addresses in CC.
There is only one real address that is listed in /etc/aliases and it's just piping incoming mails to stdin for some script.
Question. How do I prevent sending error responses to the client and just /dev/null all fake addresses? I need only 1 address, that is listed in aliases.
Thanks in advance.
Ok, I figured it out.
This can be achieved through virtual_alias_maps.
Add a virtual alias for the domain and for the address. Redirect the domain to /dev/null and the address to the local alias.
virtual_alias_maps file:
target_addr@subdomain target@localhost
@subdomain devnull@localhost
/etc/aliases:
target: "| /path/to/script"
devnull: /dev/null
I purchased a domain name a few weeks ago, and then I registered my domain with Windows Live Admin (domain.live.com), because from Windows Live I could manage several email accounts. And I did. Now every time I want to write or receive email I just go to mail.live.com and log in with one of the email accounts I made there.
Then I tried to install Opera Mail, and even Thunderbird, on my computer (laptop).
There are several configuration settings that confuse me.
What should I type for the incoming and outgoing servers? IMAP / POP? Which port?
I don't know... Confused.
Because when I try to use these details:
IMAP Server: imap.charter.net
SMTP Server: smpt.charter.net
it doesn't work.
Then I tried to use
mail.mydomain.com
for both the incoming & outgoing server.
And that also doesn't work.
Any ideas?
You have to use the outlook.com server, not your own domain:
Incoming mail server - imap-mail.outlook.com
Incoming mail server port - 993 (SSL)
Outgoing (SMTP) mail server - smtp-mail.outlook.com
Outgoing (SMTP) mail server port - 587 (SSL/TLS)
Outgoing server (SMTP) authentication - same settings as your incoming mail server
I'm trying to work out how to have postfix only allow emails through to certain email addresses.
I had it working using the following config:
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/access, reject
and then access contains
example1.com OK
example2.com OK
miles@example3.com OK
This worked - mail to anything that wasn't in the whitelist was rejected by the mailserver.
I then wanted to route all my outgoing mail via gmail, so added
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes
It now seems that postfix is ignoring the whitelist, and sending everything through to the gmail servers.
Can anyone explain why this is happening, and what I might need to do to resolve this?
In short - I'd like all my mail sent via a gmail account, but only if the recipient address is in a whitelist.
Show some logs please.
I suspect that you are sending emails via /usr/bin/sendmail or postdrop. Both these commands bypass smtpd, and so the smtpd_recipient_restrictions, as they deliver the mail locally to postfix, not via the network.
If the sent email arrived via network (and so via smtpd) then show the config too (postconf -n) as you may have other configs that are changing the final result for those emails.
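To check the suspicion above against a mail.log, this added example (not part of the original answer) traces each queue ID to its entry point and lists deliveries that came in through pickup, and so never passed smtpd_recipient_restrictions, to recipients outside the question's whitelist. The log lines are constructed, and the address-or-domain match is a simplification of Postfix's access table lookup.

```python
import re

# Constructed mail.log excerpt (not from the original thread).
SAMPLE_LOG = """\
Jan 10 10:00:01 mx postfix/pickup[2101]: 4A1B2C3D4E: uid=1000 from=<app@example1.com>
Jan 10 10:00:02 mx postfix/smtp[2103]: 4A1B2C3D4E: to=<stranger@example.net>, relay=smtp.gmail.com[192.0.2.10]:587, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 10 10:05:00 mx postfix/smtpd[2110]: 5F6A7B8C9D: client=host.example.org[198.51.100.7]
Jan 10 10:05:01 mx postfix/smtp[2111]: 5F6A7B8C9D: to=<miles@example3.com>, relay=smtp.gmail.com[192.0.2.10]:587, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 10 10:06:00 mx postfix/smtpd[2110]: NOQUEUE: reject: RCPT from host.example.org[198.51.100.7]: 554 5.7.1 <stranger@example.net>: Recipient address rejected: Access denied
Jan 10 10:07:00 mx postfix/pickup[2120]: 6B7C8D9E0F: uid=33 from=<www-data>
Jan 10 10:07:01 mx postfix/smtp[2121]: 6B7C8D9E0F: to=<ops@example2.com>, relay=smtp.gmail.com[192.0.2.10]:587, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Whitelist entries from the question's /etc/postfix/access.
WHITELIST = {"example1.com", "example2.com", "miles@example3.com"}

LINE = re.compile(r"postfix/(?:[\w-]+/)*(?P<daemon>\w+)\[\d+\]: "
                  r"(?P<qid>[0-9A-Za-z]+): (?P<rest>.*)")
RCPT = re.compile(r"to=<([^>]+)>.*status=sent")

def whitelisted(rcpt):
    # Simplified lookup: full address first, then the bare domain.
    rcpt = rcpt.lower()
    return rcpt in WHITELIST or rcpt.rpartition("@")[2] in WHITELIST

def records(log_text):
    """Yield (daemon, queue_id, rest) for each Postfix line with a queue ID."""
    for m in map(LINE.search, log_text.splitlines()):
        if m:
            yield m.group("daemon", "qid", "rest")

def entry_points(log_text):
    """Map queue ID -> 'smtpd' (network) or 'pickup' (local sendmail/postdrop)."""
    first = {"smtpd": "client=", "pickup": "uid="}
    return {qid: d for d, qid, rest in records(log_text)
            if rest.startswith(first.get(d, "\0"))}

def bypassed_deliveries(log_text):
    """(queue ID, recipient) sent for pickup-submitted mail outside the whitelist."""
    entry = entry_points(log_text)
    hits = []
    for daemon, qid, rest in records(log_text):
        sent = RCPT.search(rest) if daemon == "smtp" else None
        if sent and entry.get(qid) == "pickup" and not whitelisted(sent.group(1)):
            hits.append((qid, sent.group(1)))
    return hits

if __name__ == "__main__":
    print(bypassed_deliveries(SAMPLE_LOG))
```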