DevHeads.net

Forcing local users to use submission for all outbound email

Hi there!

I've been reading the documentation as well as googling around but I've
been unable to figure this out:

I have several hosting servers. I'd like all web sites hosted in those
servers not to be able to send outbound mail without authenticating first.
Same thing for shell users. What I'm really trying to achieve is that
everybody (local accounts and php scripts running under www-data) will be
forced to use the submission service (smtp-auth, tls activated) for all
outbound emails, keeping non-authenticated connections just for internal
emails (usually from services to the system administrator).

Any guru willing to point me into the right direction? TIA!!

Ignacio

Comments

Re: Forcing local users to use submission for all outbound email

By Noel Jones at 10/08/2018 - 09:50

On 10/8/2018 6:17 AM, Ignacio Garcia wrote:
http://www.postfix.org/postconf.5.html#authorized_submit_users

Probably something like

# main.cf
authorized_submit_users = root, cron
(add any other service owners that need to send mail)

and also remove "permit_mynetworks" from
smtpd_recipient_restrictions and from smtpd_relay_restrictions.

-- Noel Jones
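
A check for the change suggested above, as an added example that is not part of the original thread or of Postfix: it parses a main.cf and reports where permit_mynetworks is still listed or authorized_submit_users is unset. The sample configuration and the function names are constructed for illustration; on a live host, `postconf -n` shows the effective values.

```python
import re

# Constructed sample main.cf (not taken from the thread): a continuation line,
# a comment inside a multi-line value, and a leftover permit_mynetworks.
SAMPLE_MAIN_CF = """\
authorized_submit_users = root, cron
smtpd_relay_restrictions = permit_sasl_authenticated,
    defer_unauth_destination
smtpd_recipient_restrictions =
    permit_mynetworks,
  # comment lines may sit inside a multi-line value
    permit_sasl_authenticated, reject_unauth_destination
"""

RESTRICTION_LISTS = ("smtpd_recipient_restrictions", "smtpd_relay_restrictions")

def parse_main_cf(text):
    """Return {name: value}; indented lines continue the previous parameter,
    '#' lines and blank lines are skipped, and a later definition wins."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                  # continuation line
            if current is not None:
                params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def audit(text):
    """List findings that contradict the setup suggested in the thread."""
    params, findings = parse_main_cf(text), []
    if "authorized_submit_users" not in params:
        findings.append("authorized_submit_users is not set, so the Postfix "
                        "default (static:anyone) lets every local user submit")
    for name in RESTRICTION_LISTS:
        if name not in params:
            findings.append(name + " is not set here; check its built-in default")
        elif "permit_mynetworks" in re.split(r"[,\s]+", params[name]):
            findings.append(name + " still contains permit_mynetworks")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MAIN_CF):
        print("FINDING:", finding)
```

The audit reads main.cf only; per-service `-o` overrides in master.cf are outside what it checks.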

Re: Forcing local users to use submission for all outbound email

By Ignacio Garcia at 10/08/2018 - 10:23

On Mon, Oct 8, 2018 at 16:51, Noel Jones (< ... at megan dot vbhcs.org>)
wrote:

Noel, thank you so much. You saved my day! This is more restrictive than I
wanted but it'll do. Initial testing shows it works OK. Now I have to find
out all service accounts that send email periodically.

For those of you who might be running ispconfig and want to restrict the
use of sendmail to created email accounts in ispconfig and service users
only:

authorized_submit_users = root, cron, serviceuser1, serviceuser2, ... ,
proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf

Again, thanks so much

Ignacio

Re: Forcing local users to use submission for all outbound email

By Christos Chatzaras at 10/08/2018 - 10:58

Keep in mind that, depending on your setup, using authorized_submit_users may not allow system messages to be sent, for example if you use "quota warning" with dovecot.

If you only do PHP hosting try to disable mail() from php.ini and use a firewall to not allow direct outgoing connections to port 25 for users but only for root, postfix, and maybe some other system accounts.

This will take care of most of the spam sent from hacked hosting accounts.

Re: Forcing local users to use submission for all outbound email

By Ignacio Garcia at 10/08/2018 - 12:08

On Mon, Oct 8, 2018 at 17:58, Christos Chatzaras (< ... at cretaforce dot gr>)
wrote:

Hmm, you're right. However, some of my servers host many shell accounts,
and for us it's more convenient to whitelist all system users rather than
blacklisting all shell users one after another. Nevertheless this is
something I still have to investigate and test in more depth. Thanks so
much for your feedback.

Best regards,

Ignacio