For my tests I only allowed connections to my SMTP server from my private network 192.168.0.0, so as not to get connections from spam servers on the Internet.
Here is our config:
more main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = LO NOSPAM ALLOWED
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = nimportekoi
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =
relayhost = smtp.orange.fr
mynetworks = 192.168.0.0/24
#mynetworks = 0.0.0.0/0
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = 192.168.0.10
#sasl config
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
permit_sasl_authenticated = yes
smtp_sasl_application_name = smtpd
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous, noplaintext, mutual_auth
#smtpd_sender_restrictions = reject_unauthenticated_sender
#smtpd_reject_unlisted_sender = yes
#smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unverified_sender
    check_helo_access hash:/etc/postfix/helo_access,
    reject_unknown_helo_hostname
mydomain = machinbidule
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client list.dsbl.org, reject_rbl_client relays.ordb.org,
    reject_rbl_client opm.blitzed.org, reject_rbl_client dsn.rfc-ignorant.org, permit
File smtpd.conf:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
I telnet to port 25 on the server, and here is what I do in SMTP commands:
220 LO NOSPAM ALLOWED
HELO robert
250 nimportekoi
MAIL FROM:test@yahoo.fr
250 OK
RCPT TO:robert@wanadoo.fr
DATA
354 Start mail input; end with .
Subject: test
test
.
250 ok queued as D0F4857FA9
I don't understand why it doesn't work; it should have sent me packing.
What's odd is that with Thunderbird I can't send a message without entering the SASL login/password.
So SASL authentication works, but apparently only for mail clients.
If I put my server on the Internet (without the network restriction on 192.168.0.0) I'll get flooded, as you pointed out, by every spam server out there.
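Added example, not part of the post above and not Postfix code: a small model of how Postfix walks a restriction list. Postfix evaluates each list left to right and stops at the first restriction that says PERMIT or REJECT; `permit_mynetworks` matches any client whose address is inside `mynetworks`, whether or not it authenticated with SASL. The client list below is copied from the posted main.cf; the two relay policies are assumptions (the post sets no `smtpd_recipient_restrictions`, so the first one is only the shape of the Postfix default, and the second is a hardened variant that never trusts the source address). The client IPs, recipient domain and DNSBL hits are constructed, and no DNS lookup is made.

```python
import ipaddress

# Values copied from the main.cf quoted in the post.
MYNETWORKS = ["192.168.0.0/24"]
MYDESTINATION = []            # "mydestination =" is empty in the post
RELAY_DOMAINS = []            # not set in the post; assumed empty

SMTPD_CLIENT_RESTRICTIONS = [
    "permit_mynetworks",
    "reject_rbl_client cbl.abuseat.org",
    "reject_rbl_client dul.dnsbl.sorbs.net",
    "reject_rbl_client sbl.spamhaus.org",
    "reject_rbl_client list.dsbl.org",
    "reject_rbl_client relays.ordb.org",
    "reject_rbl_client opm.blitzed.org",
    "reject_rbl_client dsn.rfc-ignorant.org",
    "permit",
]

# Assumption: shape of the default relay policy when the admin sets none.
RELAY_POLICY_AS_POSTED = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_unauth_destination",
]

# Hardened variant (assumption): trust the SASL login, never the source address.
RELAY_POLICY_HARDENED = [
    "permit_sasl_authenticated",
    "reject_unauth_destination",
]


def in_mynetworks(client_ip):
    """True if client_ip falls inside any mynetworks prefix."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in MYNETWORKS)


def evaluate(restrictions, client_ip, sasl_user=None, rcpt_domain=None,
             rbl_hits=frozenset()):
    """Walk one restriction list left to right, Postfix style.

    Returns (decision, restriction) for the first entry that decides.
    Entries that do not match are skipped (Postfix "DUNNO"); reaching the
    end of the list without a decision lets the command through.
    rbl_hits is the constructed set of DNSBL zones that list client_ip.
    """
    for entry in restrictions:
        name, *args = entry.split()
        if name == "permit_mynetworks" and in_mynetworks(client_ip):
            return "PERMIT", entry
        if name == "permit_sasl_authenticated" and sasl_user:
            return "PERMIT", entry
        if name == "reject_rbl_client" and args and args[0] in rbl_hits:
            return "REJECT", entry
        if name == "reject_unauth_destination" and \
                rcpt_domain not in MYDESTINATION + RELAY_DOMAINS:
            return "REJECT", entry
        if name == "permit":
            return "PERMIT", entry
        if name == "reject":
            return "REJECT", entry
    return "PERMIT", "end of list"


def relay_decision(relay_policy, client_ip, rcpt_domain, sasl_user=None,
                   rbl_hits=frozenset()):
    """Client stage first, then the relay stage.

    A REJECT at either stage ends the attempt; a PERMIT in the client
    list only ends that list, the relay list is still evaluated.
    """
    client = evaluate(SMTPD_CLIENT_RESTRICTIONS, client_ip, sasl_user,
                      rcpt_domain, rbl_hits)
    if client[0] == "REJECT":
        return client
    return evaluate(relay_policy, client_ip, sasl_user, rcpt_domain, rbl_hits)


if __name__ == "__main__":
    # The telnet session from the post: LAN client, no AUTH, outside recipient.
    print(relay_decision(RELAY_POLICY_AS_POSTED, "192.168.0.20", "wanadoo.fr"))
    # Same session against the hardened relay policy.
    print(relay_decision(RELAY_POLICY_HARDENED, "192.168.0.20", "wanadoo.fr"))
    # Same session, but after a successful AUTH.
    print(relay_decision(RELAY_POLICY_HARDENED, "192.168.0.20", "wanadoo.fr",
                         sasl_user="robert"))
    # Constructed Internet client (documentation range) with and without a DNSBL hit.
    print(relay_decision(RELAY_POLICY_AS_POSTED, "203.0.113.5", "wanadoo.fr",
                         rbl_hits=frozenset({"sbl.spamhaus.org"})))
    print(relay_decision(RELAY_POLICY_AS_POSTED, "203.0.113.5", "wanadoo.fr"))
```

Run as a script, the first line shows the posted configuration permitting the unauthenticated LAN session at `permit_mynetworks` before any SASL check is reached, while the hardened policy rejects the same session with `reject_unauth_destination` until AUTH succeeds. The last two lines show that outside clients are already stopped, either by a DNSBL or by `reject_unauth_destination`, so the trusted-network entry is the only thing separating the two behaviours.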