Postfix configuration and spam relaying

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Hi, I am using Postfix on Ubuntu Linux. I have tried without success to set  
up postfix not to allow relaying of spam; however I had to use the "sudo  
postfix stop" command as relaying was once again taking place, and then  
clear the spool.

I have tried authenticating users; it works well enough in my own network  
but I cannot send or receive from outside addresses unless I set  
mynetworks= which of course includes all possible IPv4 addresses.  
This allows the server to work just fine for authorised users, but of course  
it also works for anyone else. Hence the relaying issue.

My network uses private addresses (192.168.0.X), so I should be setting  
to I know.
The network uses a NAT router (public addresses are dynamically assigned  
unfortunately) with port 25 forwarded for SMTP.

Dovecot is used for POP3 and IMAP delivery; these ports are forwarded for  
mobile connections from external addresses.

Can anyone give me some guidance as to how best I can configure postfix to  
avoid relaying spam for miscreants? I have administered other servers before  
but this is my first time managing mail servers.

My configuration file is below (with actual hostname changed).

Many thanks in advance, David


# See /usr/share/postfix/ for a commented, more complete version

home_mailbox = Maildir/

# Debian specific:  Specifying a file name will cause the first # line of  
that file to be used as the name.  The Debian default # is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings  
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
#smtpd_tls_session_cache_database = btree:$/smtpd_scache
#smtp_tls_session_cache_database = btree:$/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for #  
information on enabling SSL in the smtp client.

myhostname =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =,,,  
localhost #relayhost = #Temporary fix until I get  
authentication sorted out. Not secure.
mynetworks = [::ffff:]/104 [::1]/128  
mailbox_command = #Max size supported by
message_size_limit = 20971520
mailbox_size_limit = 1024000000
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
smtpd_sas1_local_domain =,  
smtpd_sas1_auth_enable = yes smtpd_sas1_security_options = noanomymous  
broken_sas1_auth_clients = yes smtpd_helo_required = yes smtpd_delay_reject  
= no disable_vrfy_command = yes

#Pass realm (ready for sasldb use).

smtpd_sas1_local_domain = $

#The following line is testing use of RBL block lists. Hopefully to make  
spam relaying more difficult. 16/10/2013.

smtpd_helo_restrictions = reject_invalid_hostname, reject_rbl_client, reject_rbl_client,  permit_mynetworks,  
reject_unknown_hostname, reject_non_fqdn_hostname

#! /bin/sh
smtpd_recipient_restrictions = reject_invalid_hostname,  
reject_unknown_recipient_domain, permit_mynetworks, reject_non_fqdn_sender,  
reject_unknown_sender_domain, reject_unauth_destination, reject_rbl_client, reject_rbl_client, permit

#Block harmful message attatchments.
#mime_header_checks = regexp:/etc/postfix/mime_header_checks

#Block known bad IP addresses.
route = add -host reject
route = add -host reject

#Configuration to use

relayhost = []
smtp_fallback_relay = [] smtp_sasl_auth_enable = yes  
smtp_sasl_password_maps = hash:/etc/postfix/relay_password  
smtp_sasl_security_options =

Re: Postfix configuration and spam relaying

Quoted text here. Click to load it

That is of course a silly thing to do.

You do not need that to recieve from outside. And why do you want to
"send" from outside? If you want to send from that machine, use ssh to
log onto that machine.  

And where are pop3 and imap coming in to the equation? I thought your
system was supposed to be the mail host, not someone else?
What do you want from your machine?

Quoted text here. Click to load it

Which means that as far as the outside world is concerned you r address
is that of your NAT router, NOT 192.168.0.X

Quoted text here. Click to load it

Re: Postfix configuration and spam relaying

Quoted text here. Click to load it

Trouble is the public address is dynamic. It is a mail host for the local
network - want mobile users to be able to fetch mail from outside the
network as well as inside.  

Site Timeline