Ok, you have a small postfix deployed, and you need a fast but effective protection from third people using your server as a rocket-delivering-spam.

The first thing to do, is to configure the variable mynetworks to allow only certain netblocks to use postfix to send email all over the world: mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 X.X.X.X/XX Look out: the ips should be in CIDR notation, so you probably need to apt-get install ipcalc.

Using ipcalc is straight-forward. For example, think our servers are located on the netblock from 188.57.33.80 to 188.57.33.87: $ ipcalc 188.57.33.80 - 188.57.33.87 deaggregate 188.57.33.80 - 188.57.33.87 188.57.33.80/29 Here it is.

Next level is to configure smtp login, if you don’t have a subnet for your clients. aptitude install sasl2-bin libsasl2-modules libsasl2-2 Now enable daemon and configure it for being accessed by postfix, editing /etc/default/saslauthd: START=yes OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Now tell to postfix to use saslauth in /etc/postfix/sasl/smtpd.conf: pwcheck_method: saslauthd mech_list: PLAIN LOGIN

And enable it in /etc/postfix/main.cf: smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

In case of:

postfix/smtpd[638]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied

Hint: add postfix to sasl group: $ adduser postfix sasl