Limit email relaying to one user
Q We currently have an email server running Postfix, and users either use Outlook Express or the web-based SquirrelMail (running on the server). This works fine at the moment, and only clients on the internal network can relay email to the outside world. We recently appointed someone who needs access 'on the road' via a smartphone. This is fine, as we've got IMAP open externally for his folders, and he can use our Postfix SMTP server to send email - but only to local recipients (to prevent us being a spam relay). We'd ideally like for said person to be able to sendemail to anywhere. What part of Postfix would I go about changing to allow only him to relay email to other domains and from outside of $my_networks, without affecting the current rules allowed by webmail or internal clients?
A The answer lies with SMTP authentication, which will allow users to authenticate themselves before sending mail. Postfix can be configured to relay only mail from authenticated users. Postfix uses Cyrus-SASL for authentication, so make sure this is installed and that the saslauthd service is started when you boot. To configure Postfix to use Cyrus-SASL, edit /etc/postfix/main.cf and make sure that mydomain, myhostname and mynetworks are correctly set. Now add the following lines to the end of the file:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
The fourth line is optional, it is required with some versions of Outlook Express and Microsoft Exchange. If your user is only using his smartphone, try without this line. Restart Postfix, or force it to reload its configuration and any valid user on your system should be able to use your SMTP server from anywhere, provided they set their mail program to use SMTP authentication. Users on your network will still be able to send mail without altering their mailer configuration. There is a detailed HOWTO on this subject at http://postfix.state-of-mind.de/patrick.koetter/smtpauth. It also covers using TLS to encrypt communication between your user and the server. This should be considered essential, otherwise your users could be sending passwords as clear text. You can also use SASL for authentication from inside your network. For example, you could configure Postfix on a school network so that all users can send mail within the network but only teachers can send mail outside.
Follow us on Identi.ca or Twitter