Hello there, and thanks so much for your help
I've got a web+mail server in the same machine. PHP's mail function is disabled, but other 3rd party functions such as PHPMailer can use sendmail to potentially send emails, as if I was invoking it from a shell:

    echo hello | sendmail [hidden email]

where email.com is an outside domain.

I've been browsing through the postfix docs and googling around all morning looking for an answer to prevent sending unauthenticated email to OUTSIDE DESTINATIONS ONLY, and pretty much all I found is removing 'permit_mynetworks' all over main.cf. However, since I'm not an expert at all, I'm still not sure that's the correct way to act. Could anybody please confirm that, or offer a better suggestion?

Thanks so much in advance,
Ignacio

This is my postconf -n output:

address_verify_negative_refresh_time = 60s
address_verify_sender_ttl = 15686s
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
compatibility_level = 2
default_extra_recipient_limit = 50
dovecot_destination_recipient_limit = 1
duplicate_filter_limit = 50
enable_original_recipient = no
greylisting = check_policy_service inet:127.0.0.1:10023
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
in_flow_delay = ${stress?{3}:{1}}s
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
message_size_limit = 53687091200
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = s0.cibernetik.net, localhost, localhost.localdomain
myhostname = s0.cibernetik.net
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
non_smtpd_milters = inet:localhost:11332
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions
readme_directory = /usr/share/doc/postfix
recipient_canonical_classes = envelope_recipient,header_recipient
recipient_canonical_maps = tcp:localhost:10002
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
sender_canonical_classes = envelope_sender
sender_canonical_maps = tcp:localhost:10001
smtp_bind_address = 1.2.3.4
smtp_connect_timeout = ${stress?{10}:{30}}s
smtp_destination_concurrency_limit = 2
smtp_destination_rate_delay = 3s
smtp_dns_support_level = dnssec
smtp_extra_recipient_limit = 2
smtp_helo_timeout = ${stress?{10}:{60}}s
smtp_mail_timeout = ${stress?{10}:{60}}s
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 100
smtpd_client_recipient_rate_limit = 50
smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining, permit
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_error_sleep_time = ${stress?{1}:{2}}s
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
smtpd_hard_error_limit = ${stress?{1}:{10}}
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
smtpd_milters = inet:localhost:11332
smtpd_recipient_limit = 50
smtpd_recipient_overshoot_limit = ${stress?{60}:{600}}
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10040, permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
smtpd_reject_footer = \c. For assistance, email postmaster from a non-blocked server (i.e. gmail). Please provide information such as time ($localtime), client ($client_address) and server ($server_name).
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_restriction_classes = greylisting
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_soft_error_limit = ${stress?{2}:{5}}
smtpd_timeout = ${stress?{10}:{60}}s
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
On 2020-12-29 12:36 GMT, Ignacio García wrote:
> finding an answer to prevent sending unauthenticated email to OUTSIDE
> DESTINATIONS ONLY and pretty much all I found is removing

Try including permit_mynetworks in smtpd_helo_restrictions and in smtpd_sender_restrictions, but omit permit_mynetworks from the other smtpd_*_restrictions.

HTH,
--
Nick
In reply to this post by Ignacio García
Ignacio García:
> Hello there, and thanks so much for your help
>
> I've got a web+mail server in the same machine. PHP's mail function is
> disabled, but other 3rd party functions such as PHPMailer can use
> sendmail to potentially send emails, as if I was invoking it from a shell
>
> echo hello | sendmail [hidden email]

Unlike submission with SMTP, Postfix has no destination access controls for email that is submitted with the Postfix sendmail command.

However, you can disable Postfix sendmail submission from web applications. There is a documented example:

http://www.postfix.org/postconf.5.html#authorized_submit_users

Wietse
El 29/12/20 a las 16:30, Wietse Venema escribió:
> Ignacio García:
>> Hello there, and thanks so much for your help
>>
>> I've got a web+mail server in the same machine. PHP's mail function is
>> disabled, but other 3rd party functions such as PHPMailer can use
>> sendmail to potentially send emails, as if I was invoking it from a shell
>>
>> echo hello | sendmail [hidden email]
> Unlike submission with SMTP, Postfix has no destination access
> controls for email that is submitted with the Postfix sendmail
> command.
>
> However, you can disable Postfix sendmail submission from web
> applications. There is a documented example:
>
> http://www.postfix.org/postconf.5.html#authorized_submit_users
>
> Wietse

Thanks Wietse. authorized_submit_users along with a script to generate a file did the trick.

Cheers,
Ignacio
In reply to this post by Ignacio García
Ignacio García:
> Hi Wietse and thanks for your reply
>
> Since I just want to block all users with a web site, and all my web
> users are web1, web2 ... webn, can I use a wildcard such as this
> for the (non-)authorized users?

Use regexp: or pcre:.

http://www.postfix.org/postconf.5.html#authorized_submit_users

    Specify a list of user names, "/file/name" or "type:table" patterns,
    separated by commas and/or whitespace. The list is matched left to
    right, and the search stops on the first match. A "/file/name"
    pattern is replaced by its contents; a "type:table" lookup table is
    matched when a name matches a lookup key (the lookup result is
    ignored).

Example:

/etc/postfix/main.cf:
    authorized_submit_users = !pcre:/etc/postfix/authorized-users, ...

/etc/postfix/authorized-users:
    # See postconf.5.html#authorized_submit_users
    # A "type:table" lookup table is matched when a name matches a
    # lookup key (the lookup result is ignored).
    /^web.+/ whatever

Wietse
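As an added example (not code from this thread or from Postfix itself), the script below automates the approach Ignacio mentions: it generates a lookup table of the web1, web2 ... webN accounts that must not be allowed to use the sendmail command, negates it in authorized_submit_users, and spot-checks the table with postmap when a Postfix install is present. The passwd lines are a constructed sample so the script runs offline; the output path under /tmp is likewise an assumption, and "static:anyone" as the trailing catch-all comes from the postconf(5) example for this parameter. The anchored pattern ^web[0-9]+$ is deliberately stricter than the /^web.+/ regex above so that an account such as "webmaster" is not blocked by accident.

```shell
#!/bin/sh
# Added example: build the table behind a negated authorized_submit_users
# entry from the system account list. Not from the original thread.

# Constructed sample of /etc/passwd content (on a real host read /etc/passwd).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
web1:x:1001:1001::/var/www/clients/client1/web1:/bin/false
web2:x:1002:1002::/var/www/clients/client1/web2:/bin/false
ignacio:x:1003:1003::/home/ignacio:/bin/bash
webmaster:x:1004:1004::/home/webmaster:/bin/bash
web10:x:1010:1010::/var/www/clients/client2/web10:/bin/false'

# Print one "user deny" line per account whose name is web<digits>.
# authorized_submit_users only checks whether a lookup key matches; the
# right-hand value is ignored by Postfix, so "deny" is documentation only.
gen_blocked_users() {
    printf '%s\n' "$1" | awk -F: '$1 ~ /^web[0-9]+$/ { print $1 " deny" }'
}

# Number of entries the table would contain (used by the self-check).
count_blocked_users() {
    gen_blocked_users "$1" | awk 'END { print NR }'
}

# Exit 0 if user $2 would be refused by the generated table, 1 otherwise.
is_blocked() {
    gen_blocked_users "$1" | awk -v u="$2" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

main() {
    # Assumed output location; in production write /etc/postfix/authorized-users.
    out="${TMPDIR:-/tmp}/authorized-users.$$"
    gen_blocked_users "$SAMPLE_PASSWD" > "$out"

    # With a real Postfix install, build the indexed map and spot-check a key.
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$out"
        postmap -q web1 "hash:$out" >/dev/null && echo "web1 is in the table"
    fi

    # The leading "!" negates the match: a name found in the table is
    # refused; "static:anyone" then permits every other local user.
    echo 'Add to /etc/postfix/main.cf:'
    echo "authorized_submit_users = !hash:$out, static:anyone"
    rm -f "$out" "$out.db"
}

main
```

Regenerate the table (and rerun postmap) whenever a web account is added; a new webN user created after the last run is not in the hash table and would still be permitted, which is the one place where Wietse's regex form is simpler to keep correct.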