Synology Inc. Online Community Forum

[vaya_putada]

Hi,

Today I tried to set up Mail Station. I'm doing some test but I can't avoid this behaviour. I have an Open Relay and everyone can send every mail from my box.

What's the procedure for avoid this??

If I telnet to the 25 port I can send a mail with any user/domain, examples:

mail from:iso@prueba.es
250 2.1.0 Ok

mail from:loquequiera@loquequiera.es
250 2.1.0 Ok

Can I set a SPF check or similar on my Mail Station???

Another issue is that I can check my internal users vía SMTP. If I use a non existant user I have a 550 error, but if the user exists I have a 250 - OK. Is possible to avoid this and return the same code for all users/querys??? If not, this is a very un-secure application for use on Internet.

Thanks!

[svar]

In Mail Station settings, have you checked on the "SMTP Authorization is required" button?

[vaya_putada]

yes, is checked, but I'm trying to telnet the box to the 25 port and I can send mails from anybody to any account. No restrictions...

Is it because I'm in a LAN environment and I am in the "my_networks" of the postfix?

I don't want to "open" this to the Internet and be a spam source...

Regards!

[vaya_putada]

ok, I was doing some modifications on the main.cf file and now I don't be an OpenRelay. If you try to send a mail to any domain with my box, you will get a error message.

I must learn much about postfix before publish this on Internet.

I don't know how synology set's this package with any security and give it to the users. Many people will convert their boxes in Openrelays without the knowledge of this behaviour.

Regards!

[svar]

Im not an expert here and I hope someone else comes along and answer here too, but I kinda don't get it.
You say you can send emails to any domain then you're logged on the SMTP server on you're Synology?

Isn't that the point?

The SMTP authorization does so people that don't have an username/password to you're SMTP can't use it to sent mail with from the outside (aka internet), but the people that have can use the server to send mail to any domain.

And, then you telnet inside, its like you're on the server, and once you're inside you can send to anyone.
An good idea wil be to not allow telnet from the internet, I find that as an security hole.

If you need for some reason to be able to telnet thn you're outside, make an VPN tunnel first.

[vaya_putada]

Hi svar,

You can telnet every SMTP server on the internet if you do a telnet to the 25 port.

The SMTP protocol works by sending commands from one server to another, commands like "mail from:" "rcpt to:", etc. You must open your 25 port to the internet if you want to send and receive anything...

Now, I have my server better configured, buy if I try my domain in chekor.com, I get this error:



Anyone knows what's the procedure for deny mails from mydomain coming from the Internet¿?

I set a SPF record too, for mark this mails as spam, but I think that probably are any mechanism in postfix for deny the mail from:<xxx@xxxx.com> from any ip outside "mynetworks".

Thanks!!

Regards.

[svar]

hmmm thats true, I see what you mean now...

What kind of change did you do to the config file?
If you find an solution to this, please share it

I found some info that maybe can be useful:
http://www.linuxquestions.org/questions/linux-server-73/postfix-how-to-restrict-access-by-telnet-to-postfix-700848/

[vaya_putada]

Hi svar,

I made a lot of changes in my "main.cf" file of postfix. For example this lines for check RBL's or deny bad senders. But I don't know the command for avoid this behaviour.

Some examples:

# HELO restrictions

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit

# Sender and Receiver restrictions


smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit

I don't know if everything is correct, I'm now learning some tips of postfix, I never used this software before...

Regards!!