
Re: trying to restrict postfix use of port



Adam Hardy put forth on 1/24/2010 7:15 PM:
> Adam Hardy on 21/01/10 17:36, wrote:
>> Camaleón on 21/01/10 16:27, wrote:
>>>>>> The point is that I don't want to have port 25 open to the world,
>>>>>> since I don't want to receive any emails on this system, I just want
>>>>>> to send.
>>> [snipped]
>>> That is the standard setup for Postfix. But that does not mean your
>>> host is acting as an "open relay". Anyway, you can also tweak that
>>> behaviour.
>>>> All I'm saying is that I don't need this, and I'd like to find a way to
>>>> shut it down whilst leaving the outbound mail delivery intact.
>>>
>>> mynetworks_style = host
>>>
>>> or
>>> mynetworks = 127.0.0.0/8
>>
>> I am using mynetworks_style already but it doesn't stop SMTP listening
>> on port 25.
>>
>> I guess this is just a relatively new situation coming with the advent
>> of vservers that just isn't possible.
>>
>> I have set smtp_client_restrictions = reject so at least postfix
>> responds to external SMTP requests with an aggressive sounding "Client
>> host rejected: access denied" message.
> 
> One small problem having postfix listen unnecessarily to the whole world
> is that syslog logs all spam merchants' attempts to abuse my postfix as
> an open relay. I guess I can ignore them but I wish I didn't even get them.

Sorry I missed this thread earlier.  Open /etc/postfix/master.cf and comment out
the following line with a leading #:

smtp      inet  n       -       -       -       -       smtpd

Save the file, then execute /etc/init.d/postfix restart

You are now no longer listening for smtp connections on TCP 25, but can still
send mail generated on the local machine out through the Postfix smtp client
using the Postfix sendmail command.

If you need to be able to relay email from internal clients outbound to the net,
uncomment the following line in /etc/postfix/master.cf to enable the secure
smtpd submission listener on TCP 587:

#587      inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

Again, execute /etc/init.d/postfix restart to enable the listener daemon.
Configure the client MUA as you would a home PC with ISP mail.  Tell it to
submit to TCP 587 on the server's IP address, enter a proper local username and
password.  Your Postfix should now be relaying submission mail outbound to the
world whilst not listening on the standard smtp port, TCP 25.

Let me know if you need further assistance.

-- 
Stan
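
A way to check the result of the master.cf edit described in the message above, added here as an example and not part of the original post: the function lists every uncommented inet service that runs smtpd, treating lines that start with whitespace as continuations of the previous entry. The sample master.cf is constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Print the service name of every active (uncommented) inet entry in a
# Postfix master.cf whose command is smtpd, i.e. every network SMTP listener.
# Usage: smtpd_inet_listeners /etc/postfix/master.cf
smtpd_inet_listeners() {
    awk '
        function emit(   f, n) {
            if (line == "") return
            n = split(line, f, /[ \t]+/)
            # Fields: service type private unpriv chroot wakeup maxproc command
            if (n >= 8 && f[2] == "inet" && f[8] == "smtpd") print f[1]
            line = ""
        }
        /^[ \t]*#/ { next }     # comment lines are ignored
        /^[ \t]*$/ { next }     # blank lines are ignored
        /^[ \t]/   {            # leading whitespace continues the previous entry
            sub(/^[ \t]+/, "")
            line = line " " $0
            next
        }
        { emit(); line = $0 }   # a new logical line starts here
        END { emit() }
    ' "$1"
}

# Constructed sample: port 25 listener commented out, the 587 listener from
# the message enabled (options split over continuation lines), and the
# outbound smtp client left untouched.
sample_master_cf() {
    cat <<'EOF'
#smtp      inet  n       -       -       -       -       smtpd
587       inet  n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       -       60      1       pickup
smtp      unix  -       -       -       -       -       smtp
EOF
}

# Demo: only the 587 listener is reported for the sample above.
demo_file=$(mktemp)
sample_master_cf > "$demo_file"
smtpd_inet_listeners "$demo_file"
rm -f "$demo_file"
```

An empty result means no smtpd is configured to accept network connections; the `smtp unix` entry is the outbound client and is never reported.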

