[CentOS-es] Detail in Postfix

David González Romero dgrvedado at gmail.com
Mon Sep 1 21:02:04 UTC 2014


Hello everyone:

After being rather busy with some programming matters,
I am back at administration.

Through a friend I have discovered a possible flaw in Postfix. The
issue is the following.

If I telnet to port 25 of my server from a PC with a real, verifiable
FQDN resolved in DNS and try to send to an internal account on my
server, telling it that I am a given user, my Postfix sends it
perfectly.

E.g.:
[root en infernus postfix]# telnet algun.mail.com 25
Trying 201.217.51.105...
Connected to algun.mail.com.
Escape character is '^]'.
220 algun.mail.com ESMTP Postfix
helo mail.otrofqdn.com
250 algun.mail.com
mail from:user en mail.com
250 2.1.0 Ok
rcpt to: user en mail.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
.
250 2.0.0 Ok: queued as 8BD741CE0164
quit
221 2.0.0 Bye
Connection closed by foreign host.

As you can see in the conversation, the mail was queued, despite the
server supposedly having authentication.

Now my question is whether this can be stopped.
Here is my config.

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
myhostname = server.mail.com.py
mydomain = mail.com.py
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.30.0/24, 127.0.0.0/8
relay_domains = $mydestination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
recipient_delimiter = +
smtpd_banner = $myhostname ESMTP $mail_name
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 20
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES

smtpd_tls_security_level = may
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_key_file = /etc/pki/tls/private/timbo.key
smtpd_tls_cert_file = /etc/pki/tls/certs/timbo.crt
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unknown_sender_domain,
        reject_unauth_pipelining

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

mailbox_size_limit = 0
message_size_limit = 0

content_filter=amavisfeed:[127.0.0.1]:10024
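
Added example, not part of the original post: a simplified Python model of how Postfix walks the posted smtpd_sender_restrictions and smtpd_recipient_restrictions, showing why the session above is accepted and how one possible change (permit_sasl_authenticated followed by a check_sender_access table that rejects the local domain) refuses it. The client IP, mailbox names and access-table contents are constructed assumptions, and only the restriction names that matter for this session are modelled.

```python
LOCAL_DOMAINS = {"mail.com.py"}              # $mydomain in the posted main.cf
MYNETWORKS = ("192.168.30.", "127.")         # prefix match standing in for mynetworks
SENDER_ACCESS = {"mail.com.py": "REJECT"}    # assumed check_sender_access table

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def evaluate(restrictions, s):
    """First restriction that matches decides; falling off the end is DUNNO."""
    for r in restrictions:
        if r == "permit":
            return "PERMIT"
        if r == "permit_mynetworks" and s["client_ip"].startswith(MYNETWORKS):
            return "PERMIT"
        if r == "permit_sasl_authenticated" and s["sasl_user"]:
            return "PERMIT"
        if r == "reject_unauth_destination" and domain(s["rcpt"]) not in LOCAL_DOMAINS:
            return "REJECT"
        if r == "check_sender_access" and SENDER_ACCESS.get(domain(s["sender"])) == "REJECT":
            return "REJECT"
        # Syntax and DNS checks (reject_non_fqdn_*, reject_unknown_*_domain, ...)
        # are treated as passing: the sessions below use valid, resolvable names.
    return "DUNNO"

def smtp_decision(sender_list, rcpt_list, s):
    """A REJECT in any list refuses the mail; PERMIT only ends that one list."""
    for lst in (sender_list, rcpt_list):
        if evaluate(lst, s) == "REJECT":
            return "REJECT"
    return "ACCEPT"

# Lists as posted.
SENDER_POSTED = ["permit_mynetworks", "reject_non_fqdn_sender",
                 "reject_unknown_sender_domain", "permit"]
RCPT_POSTED = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
               "reject_invalid_hostname", "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
               "reject_unknown_recipient_domain", "reject_unknown_sender_domain",
               "reject_unauth_pipelining"]
# Assumed fix: exempt trusted and authenticated clients, then refuse local senders.
SENDER_HARDENED = ["permit_mynetworks", "permit_sasl_authenticated",
                   "check_sender_access"] + SENDER_POSTED[1:]

# Constructed sessions (documentation IP range, made-up mailboxes).
spoofed = {"client_ip": "203.0.113.10", "sasl_user": None,
           "sender": "user@mail.com.py", "rcpt": "user@mail.com.py"}
authed = dict(spoofed, sasl_user="user")

if __name__ == "__main__":
    print("posted  :", smtp_decision(SENDER_POSTED, RCPT_POSTED, spoofed))
    print("hardened:", smtp_decision(SENDER_HARDENED, RCPT_POSTED, spoofed))
```

These restrictions look only at the envelope sender given in MAIL FROM; the From: header inside DATA is not examined by them.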

