Forcing local users to use submission for all outbound email

Forcing local users to use submission for all outbound email

Ignacio Garcia
Hi there!

I've been reading the documentation as well as googling around, but I've been unable to figure this out:

I have several hosting servers. I'd like all web sites hosted on those servers not to be able to send outbound mail without authenticating first. Same thing for shell users. What I'm really trying to achieve is that everybody (local accounts and PHP scripts running under www-data) will be forced to use the submission service (SMTP AUTH, TLS enabled) for all outbound email, keeping non-authenticated connections just for internal email (usually from services to the system administrator).

Any guru willing to point me into the right direction? TIA!!

Ignacio
Re: Forcing local users to use submission for all outbound email

Noel Jones-2
On 10/8/2018 6:17 AM, Ignacio Garcia wrote:

> Hi there!
>
> I've been reading the documentation as well as googling around but
> I've been unable to figure this out:
>
> I have several hosting servers. I'd like all web sites hosted in
> those servers not to be able to send outbound mail without
> authenticating first. Same thing for shell users.  What I'm really
> trying to achieve is that everybody (local accounts and php scripts
> running under www-data) will be forced to use the submission service
> (smtp-auth, tls activated) for all outbound emails, keeping
> non-authenticated connections just for internal emails (usually from
> services to the system administrator)
>
> Any guru willing to point me into the right direction? TIA!!
>
> Ignacio

http://www.postfix.org/postconf.5.html#authorized_submit_users

Probably something like

# main.cf
authorized_submit_users = root, cron
(add any other service owners that need to send mail)

and also remove "permit_mynetworks" from
smtpd_recipient_restrictions and from smtpd_relay_restrictions.




  -- Noel Jones
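Noel's two settings close the two unauthenticated paths a local process has: authorized_submit_users restricts who may hand mail to sendmail(1)/postdrop, and dropping permit_mynetworks from the relay/recipient restrictions stops a script from simply opening 127.0.0.1:25 instead. The script below is an added example written for this thread; it is not Noel's or the Postfix project's code. It writes the main.cf and master.cf fragments his advice implies and audits a main.cf for the two weak spots, joining Postfix continuation lines first so a permit_mynetworks hidden on its own line of a multi-line list is still caught. The account list (root, cron, dovecot), the table name and the paths under $WORKDIR are assumptions.

```shell
#!/bin/sh
# Added example for the postfix-users thread; not Noel's or Postfix's code.
# Writes the main.cf / master.cf fragments the advice implies and audits a
# main.cf for: permit_mynetworks still in the relay/recipient restrictions,
# and authorized_submit_users left at its default (every local user).
# Account names and the files under $WORKDIR are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Hardened main.cf fragment. Which service owners belong in
# authorized_submit_users is site-specific; 'dovecot' is an assumption
# (covers e.g. quota-warning scripts that call sendmail).
write_hardened_main_cf() {
  cat > "$1" <<'EOF'
# Only these local accounts may hand mail to sendmail(1)/postdrop.
# www-data and shell users are deliberately absent: they must
# authenticate on port 587 instead.
authorized_submit_users = root, cron, dovecot

# No permit_mynetworks: being on the box (or in the LAN) is no longer a
# relay credential. Inbound MX mail still works because
# reject_unauth_destination accepts mail for our own domains.
smtpd_relay_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination
EOF
}

# master.cf submission entry: TLS mandatory, SASL on, and the listener's
# own restrictions overridden so it never relays an unauthenticated client.
write_submission_master_cf() {
  cat > "$1" <<'EOF'
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
EOF
}

# flatten_main_cf FILE: drop comment lines and join Postfix continuation
# lines (lines starting with whitespace) onto their parameter line.
flatten_main_cf() {
  awk '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]/   { cur = cur " " $0; next }
    { if (cur != "") print cur; cur = $0 }
    END { if (cur != "") print cur }
  ' "$1"
}

# audit_main_cf FILE: one finding per line on stdout; returns 1 if any.
audit_main_cf() {
  findings=0
  flat=$(flatten_main_cf "$1")
  for param in smtpd_relay_restrictions smtpd_recipient_restrictions; do
    if printf '%s\n' "$flat" | grep -E "^[[:space:]]*$param[[:space:]]*=.*permit_mynetworks" >/dev/null; then
      echo "WEAK: $param still contains permit_mynetworks"
      findings=$((findings + 1))
    fi
  done
  if ! printf '%s\n' "$flat" | grep -E '^[[:space:]]*authorized_submit_users[[:space:]]*=' >/dev/null; then
    echo "WEAK: authorized_submit_users not set (default lets any local user submit)"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

write_hardened_main_cf "$WORKDIR/main.cf"
write_submission_master_cf "$WORKDIR/master.cf.submission"
audit_main_cf "$WORKDIR/main.cf" && echo "OK: $WORKDIR/main.cf passes the audit"
```

On a live box, run the audit against the output of `postconf -n` rather than a hand-edited file, since that reflects what Postfix actually loaded; and remember that authorized_submit_users only governs the local pickup path, so the restriction change on port 25 is what keeps PHP from bypassing it over TCP.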
Re: Forcing local users to use submission for all outbound email

Ignacio Garcia
On Mon, 8 Oct 2018 at 16:51, Noel Jones (<[hidden email]>) wrote:

> http://www.postfix.org/postconf.5.html#authorized_submit_users
>
> Probably something like
>
> # main.cf
> authorized_submit_users = root, cron
> (add any other service owners that need to send mail)
>
> and also remove "permit_mynetworks" from
> smtpd_recipient_restrictions and from smtpd_relay_restrictions.
>
>   -- Noel Jones

Noel, thank you so much. You saved my day! This is more restrictive than I wanted, but it'll do. Initial tests show it works OK. Now I have to find out all the service accounts that send email periodically.

For those of you who might be running ispconfig and want to restrict the use of sendmail to the email accounts created in ispconfig and to service users only:

authorized_submit_users = root, cron, serviceuser1, serviceuser2, ... , proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf

Again, thanks so much

Ignacio
Re: Forcing local users to use submission for all outbound email

Christos Chatzaras

On 8 Oct 2018, at 18:23, Ignacio Garcia <[hidden email]> wrote:

> Noel, thank you so much. You saved my day! This is more restrictive than I wanted, but it'll do. Initial tests show it works OK. Now I have to find out all the service accounts that send email periodically.
>
> For those of you who might be running ispconfig and want to restrict the use of sendmail to the email accounts created in ispconfig and to service users only:
>
> authorized_submit_users = root, cron, serviceuser1, serviceuser2, ... , proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf


Keep in mind that, depending on your setup, using authorized_submit_users may not allow system messages to be sent, for example if you use "quota warning" with Dovecot.

If you only do PHP hosting, try to disable mail() in php.ini and use a firewall to block direct outgoing connections to port 25 for users, allowing them only for root, postfix and maybe some other system accounts.

This will take care of most of the spam sent from hacked hosting accounts.
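Christos's two measures work at a different layer from Noel's: one takes away the PHP function, the other takes away the socket. The script below is an added example for this post; it is not Christos's code and not part of the thread. php_ini_disables_mail checks a php.ini the way PHP reads it (disable_functions is a comma-separated list, ';' starts a comment, and a later disable_functions line replaces an earlier one), and smtp_egress_ruleset emits an nftables ruleset that lets only the named accounts open outbound port 25, loopback included, so a script running as www-data can neither call mail() nor talk to 127.0.0.1:25 and has to use port 587 with credentials. The table name smtp_egress, the account names and the constructed php.ini are assumptions.

```shell
#!/bin/sh
# Added example for Christos's suggestion; not his code and not from the
# thread. Audits php.ini for a disabled mail() and emits an nftables
# ruleset restricting outbound port 25 to listed accounts. The table name,
# account names and the sample php.ini are assumptions.
set -eu

# php_ini_disables_mail FILE -> exit 0 if mail() ends up disabled
php_ini_disables_mail() {
  awk -F= '
    /^[[:space:]]*;/ { next }                          # comment line
    $1 ~ /^[[:space:]]*disable_functions[[:space:]]*$/ {
      val = $2; sub(/;.*/, "", val)                    # trailing comment
      n = split(val, f, ",")
      found = 0
      for (i = 1; i <= n; i++) {
        gsub(/[[:space:]]/, "", f[i])
        if (f[i] == "mail") found = 1
      }
      last = found                                     # later directive wins
    }
    END { exit (last ? 0 : 1) }
  ' "$1"
}

# smtp_egress_ruleset USER... -> nftables ruleset on stdout (load with
# `nft -f`). nft resolves the user names via /etc/passwd at load time;
# 'postfix' is the uid the Postfix smtp client runs as, so it must be
# listed or the server itself cannot deliver.
smtp_egress_ruleset() {
  [ $# -gt 0 ] || { echo "usage: smtp_egress_ruleset USER..." >&2; return 2; }
  allowed=$(printf '%s, ' "$@"); allowed=${allowed%, }
  cat <<EOF
table inet smtp_egress {
    chain output {
        type filter hook output priority 0; policy accept;
        # Postfix itself (and root, for debugging) may reach port 25
        meta skuid { $allowed } tcp dport 25 accept
        # everyone else is cut off, loopback included: a script running
        # as www-data cannot even talk to 127.0.0.1:25 and has to use
        # port 587 with credentials. Ports 587/465 are untouched.
        tcp dport 25 reject with tcp reset
    }
}
EOF
}

# Demo on constructed input: a php.ini whose second disable_functions
# line (the one PHP keeps) disables mail(); the commented-out line and
# the trailing comment on the first line must not count.
DEMO_INI=$(mktemp)
printf '%s\n' \
  '; disable_functions = mail      <- commented out, does not count' \
  'disable_functions = exec,system ; first attempt, no mail here' \
  'disable_functions = exec,system, mail' > "$DEMO_INI"
if php_ini_disables_mail "$DEMO_INI"; then
  echo "mail() is disabled in $DEMO_INI"
else
  echo "mail() is still callable in $DEMO_INI"
fi
smtp_egress_ruleset root postfix
```

Note that blocking port 25 for www-data does not stop a compromised site from relaying through port 587 with credentials it has stolen from a config file; that path is what the SASL logs and per-user rate limits are for, and it is the reason the thread's authorized_submit_users list should stay as short as the service accounts actually require.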
Re: Forcing local users to use submission for all outbound email

Ignacio Garcia


On Mon, 8 Oct 2018 at 17:58, Christos Chatzaras (<[hidden email]>) wrote:

> Keep in mind that, depending on your setup, using authorized_submit_users may not allow system messages to be sent, for example if you use "quota warning" with Dovecot.
>
> If you only do PHP hosting, try to disable mail() in php.ini and use a firewall to block direct outgoing connections to port 25 for users, allowing them only for root, postfix and maybe some other system accounts.
>
> This will take care of most of the spam sent from hacked hosting accounts.

Hmm, you're right. However, some of my servers host many shell accounts, and for us it's more convenient to whitelist all system users rather than blacklisting all shell users one after another. Nevertheless, this is something I still have to investigate and test in more depth. Thanks so much for your feedback.

Best regards,

Ignacio