Postfix operates with two main components: the Mail Submission Agent (MSA) and the Mail Transfer Agent (MTA). The MSA handles outgoing mail submission, while the MTA manages incoming mail delivery. To achieve our goal, we need to configure these components separately.
The main configuration file for Postfix is /etc/postfix/main.cf. We'll need to modify this file to implement our restrictions:
# Basic security settings
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
To limit outgoing mail to localhost only, we need to modify the mynetworks parameter:
# Only allow localhost to send mail
mynetworks = 127.0.0.0/8 [::1]/128
For the MTA to receive mail from anywhere, we need to ensure these settings:
# Allow connections from any host
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
Here's a complete configuration that implements our requirements:
# Network restrictions
mynetworks = 127.0.0.0/8 [::1]/128
# Incoming mail settings: relay only for mynetworks, accept mail for our own domains from anyone
# (continuation lines of a main.cf value must start with whitespace)
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit
# Client-level checks on inbound connections (smtpd_client_restrictions applies to
# SMTP clients connecting to us, not to mail we send out).
# reject_unknown_client_hostname is strict: it rejects any client whose IP lacks
# matching forward and reverse DNS.
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unknown_client_hostname,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
# Submission port for authenticated clients. This service entry belongs in
# /etc/postfix/master.cf, not in main.cf; the -o override lines must be indented.
submission inet n - y - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
After making changes, always test your configuration:
# Check configuration syntax
postfix check
# Reload Postfix
systemctl reload postfix
# Test local submission
echo "Test message" | mail -s "Test" user@example.com
# Verify restrictions
telnet your.server.ip 25
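As an added example (not from the page or from the Postfix project), a small Python lint that parses main.cf syntax and checks the relay policy the configuration above is meant to enforce: mynetworks limited to loopback, reject_unauth_destination present before any unconditional permit, and no main.cf-wide client reject that would also close port 25. The sample configuration text is constructed for the example.

```python
import ipaddress
import re
# Constructed sample modelled on the page's configuration; not a real server's file.
GOOD_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    permit
"""

def parse_main_cf(text):
    """main.cf syntax: 'name = value'; a line starting with whitespace continues the value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name is not None:
            params[name] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def tokens(value):
    """Restriction lists may be separated by commas, whitespace or both."""
    return [t for t in re.split(r"[,\s]+", value) if t]

def lint_relay_policy(text):
    """Return findings that break 'relay only from localhost, receive from anywhere'."""
    cf, findings = parse_main_cf(text), []
    for net in tokens(cf.get("mynetworks", "")):
        try:  # IPv6 entries are written in brackets, e.g. [::1]/128
            if not ipaddress.ip_network(net.replace("[", "").replace("]", ""), strict=False).is_loopback:
                findings.append(f"mynetworks grants relay to non-loopback network {net}")
        except ValueError:
            findings.append(f"mynetworks entry {net} is not a literal network; check it by hand")
    # Postfix >= 2.10 decides relaying in smtpd_relay_restrictions (its default blocks relaying):
    # lint that list when it is set explicitly, otherwise the recipient restrictions carry the policy.
    rules = tokens(cf.get("smtpd_relay_restrictions") or cf.get("smtpd_recipient_restrictions", ""))
    guard = [i for i, r in enumerate(rules) if r in ("reject_unauth_destination", "defer_unauth_destination")]
    if not guard:
        findings.append("no reject_unauth_destination: the server is an open relay")
    elif "permit" in rules[:guard[0]]:
        findings.append("unconditional permit precedes reject_unauth_destination: open relay")
    client = tokens(cf.get("smtpd_client_restrictions", ""))
    if client[-1:] == ["reject"]:  # main.cf applies to port 25 as well as to submission
        findings.append("smtpd_client_restrictions ends in reject: port 25 refuses all inbound mail")
    return findings
```

Feed it the output of `postconf -n` to lint a live server; an empty list means the three checks pass.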
For enhanced security, consider implementing these measures:
# Enable TLS. The snakeoil files are Debian's self-signed placeholder certificate;
# use a real certificate in production. smtpd_use_tls is the pre-2.3 spelling,
# equivalent to smtpd_tls_security_level = may on current releases.
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
# Rate limiting (anvil). By default clients in $mynetworks are exempt from these limits.
anvil_rate_time_unit = 60s
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
Postfix operates with multiple components: the Mail Submission Agent (MSA) for outgoing mail and the Mail Transfer Agent (MTA) for incoming mail. The key distinction is that the MSA handles locally generated mail while the MTA processes external connections.
Edit /etc/postfix/main.cf with these critical parameters:
# Restrict relaying to localhost only; inbound mail on port 25 is still accepted from anywhere
mynetworks = 127.0.0.0/8
inet_interfaces = all
# Do not set "smtpd_client_restrictions = permit_mynetworks, reject" here: main.cf applies
# to port 25 as well, so it would refuse every external connection and no inbound mail
# would arrive. The relay decision is made by reject_unauth_destination in
# smtpd_recipient_restrictions; the client-level "permit_sasl_authenticated, reject"
# belongs on the submission service in master.cf only.
Add these directives to control mail flow precisely:
# Relay only for localhost; mail addressed to our own domains is accepted from anywhere
# (continuation lines must be indented)
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
# Submission port with stricter rules. This service entry goes in /etc/postfix/master.cf,
# and permit_sasl_authenticated only matches once SASL is enabled (see the
# authenticated-submission settings below).
submission inet n - - - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
After making changes, verify with:
postfix check
systemctl reload postfix
Test locally and remotely:
# Local test (should work): relaying to an outside domain is accepted from 127.0.0.1
telnet localhost 25
EHLO localhost
MAIL FROM:<test@localhost>
RCPT TO:<someone@example.org>
QUIT
# Remote test: the connection and EHLO succeed (inbound mail must still arrive), but the
# relay attempt to an outside domain is rejected at RCPT TO by reject_unauth_destination
telnet your.server.ip 25
EHLO remote.host
MAIL FROM:<test@remote.host>
RCPT TO:<someone@example.org>
QUIT
Check logs for configuration errors:
tail -f /var/log/mail.log
grep 'reject' /var/log/mail.log
If encountering permission issues, verify:
postconf -n | grep mynetworks
# there is no parameter named smtpd_restrictions; match the smtpd_*_restrictions family
postconf -n | grep -E 'smtpd_.*_restrictions'
For systems requiring authenticated submissions:
# Requires a SASL backend (Cyrus or Dovecot) selected with smtpd_sasl_type / smtpd_sasl_path;
# offer AUTH only on the TLS-protected submission service so credentials never cross in clear.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination