Hi, I am hosting just under fifty domains on my virtualmin server. ALL their email is sent via ANOTHER server (that I call trimmail) that runs a pretty savage and effective spam/virus/junk filter - then the email is sent over to my Virtualmin server where users pop off the mail. This has worked really well for quite a few years, but recently, my users (including myself) are getting a ton of junk and crap mail - which is actually coming from my virtualmin server. Spammers are spoofing from our server - so I was wondering if it was possible to setup Postfix so it ONLY ever answers my 'trimmail' server on port 25 and rejects everyone else that tries? I have googled high and low, but can't find the answer - which I think must be pretty easy - but I can't work it out and don't want to stuff up my server!
Are you able to help me on this please? Here is my current main.cf regards steve
command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix myorigin = itginternet.net.au mynetworks = 127.0.0.0/8, 202.60.0.0/16 mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain local_recipient_maps = unknown_local_recipient_reject_code = 550 virtual_alias_maps = hash:/etc/postfix/virtual readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES message_size_limit = 10485760 relay_recipient_maps = hash:/etc/postfix/relay_recipients transport_maps = hash:/etc/postfix/transport smtpd_helo_required = yes smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access,reject_non_fqdn_sender,reject_unknown_sender_domain smtpd_data_restrictions = reject_unauth_pipelining header_checks = pcre:/etc/postfix/header_checks body_checks = pcre:/etc/postfix/body_checks
content_filter = smtp-amavis:[127.0.0.1]:10024unverified_recipient_reject_code = 550 smtpd_recipient_restrictions = reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unauth_pipelining, permit_mynetworks,reject_unauth_destination, maps_rbl_domains = zen.spamhaus.org, relays.ordb.org, opm.blitzed.org, dun.dnsrbl.net, spam.dnsrbl.net smtpd_banner = Welcome to ITG Internet Trimmail Spam Filtering System home_mailbox = Maildir/ swap_bangpath = no append_dot_mydomain = no sample_directory = /usr/share/doc/postfix-2.3.3/samples sendmail_path = /usr/sbin/sendmail html_directory = no setgid_group = postdrop manpage_directory = /usr/share/man newaliases_path = /usr/bin/newaliases mailq_path = /usr/bin/mailq mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME masquerade_domains = $mydomain ; append_at_myorigin = no queue_directory = /var/spool/postfix mail_owner = postfix default_destination_concurrency_limit = 200 #check_client_access regexp:/etc/postfix/white_list #check_client_access regexp:/etc/postfix/rejections smtp_connect_timeout = 300s smtp_helo_timeout = 30s smtp_data_xfer_timeout = 120s smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem smtpd_tls_key_file = /etc/postfix/postfix.key.pem smtpd_tls_security_level = may smtpd_recipient_limit = 100 alias_maps = hash:/etc/aliases smtpd_client_restrictions = check_client_access cidr:/etc/postfix/sinokorea.cidr
Comments
Submitted by andreychek on Fri, 08/20/2010 - 12:18 Comment #1
Howdy -- so what you'd like to do is prevent anyone from contacting port 25 on your Virtualmin server, except for the trimmail server?
The simplest way to set that up would probably be to firewall off all access to port 25, and then setup an allow rule for your trimmail server. Note that if you do that, desktop clients such as Outlook would not be able to access port 25 on your server, which is used by default for allowing clients to send email. You can configure them to use an alternative port such as 465 and 587 for sending email.
You can setup firewall rules either from the command line, or by going into Webmin -> Networking -> Linux Firewall.
Submitted by steve@itgroup.net.au on Fri, 08/20/2010 - 16:40 Pro Licensee Comment #2
thank you for the reply - yes, that sounds about right I think - I have checked it out and it looks a little confusing :).. sorry, but I am a bit of a newbie dummy with linux firewalls. Also, I forgot to mention, that a lot of my clients use WEBMAIL off my virtualmin server, so I guess that sort of messes up that idea - or would they still be able to do that please?