OK, you have a small Postfix deployment, and you need fast but effective protection against third parties using your server as a spam-delivering rocket.
The first thing to do is to configure the mynetworks parameter so that only certain netblocks are allowed to use Postfix to send email all over the world:
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 X.X.X.X/XX
Look out: the IPs must be in CIDR notation, so you will probably need to apt-get install ipcalc.
Using ipcalc is straightforward. For example, suppose our servers are located in the netblock from 220.127.116.11 to 18.104.22.168:
$ ipcalc 22.214.171.124 - 126.96.36.199
deaggregate 188.8.131.52 - 184.108.40.206
Here it is.
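To double-check the blocks before they go into mynetworks, here is an added Python example (not part of the original post) that does the same deaggregation with the standard ipaddress module and then tests which client addresses the resulting mynetworks value would let relay. The function names and the sample range (RFC 5737 documentation addresses) are made up for the illustration.

```python
import ipaddress

# Loopback entries exactly as in the mynetworks line above.
LOOPBACK = "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"

def deaggregate(first, last):
    """Smallest set of CIDR blocks covering exactly first..last,
    the same job as ipcalc's deaggregate."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def build_mynetworks(blocks):
    """mynetworks value: loopback entries plus the given IPv4 blocks."""
    return " ".join([LOOPBACK] + [str(b) for b in blocks])

def parse_mynetworks(value):
    """Parse plain CIDR entries; Postfix writes IPv6 as [addr]/len, so the
    brackets are dropped. Assumption: the value holds no '!' exclusions,
    file names or lookup tables. Entries with host bits set raise ValueError."""
    entries = value.replace(",", " ").split()
    return [ipaddress.ip_network(e.replace("[", "").replace("]", ""))
            for e in entries]

def may_relay(client, nets):
    """True if the client address falls inside one of the listed networks."""
    ip = ipaddress.ip_address(client)
    return any(ip.version == n.version and ip in n for n in nets)

if __name__ == "__main__":
    # Constructed sample range, not the netblock from the post.
    blocks = deaggregate("192.0.2.10", "192.0.2.20")
    line = build_mynetworks(blocks)
    print("mynetworks =", line)
    nets = parse_mynetworks(line)
    for client in ("127.0.0.1", "::1", "192.0.2.15",
                   "192.0.2.21", "198.51.100.7"):
        verdict = "in mynetworks" if may_relay(client, nets) else "not in mynetworks"
        print(f"{client:15} {verdict}")
```

Rounding the same range up to a single /24 would also trust 192.0.2.21 and every other address in that block, which is why the exact deaggregated blocks are worth the extra entries.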
The next level is to configure SMTP login, if you don’t have a subnet for your clients.
aptitude install sasl2-bin libsasl2-modules libsasl2-2
Now enable the daemon and configure it so that Postfix can access it, by editing /etc/default/saslauthd:
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Now tell Postfix to use saslauthd in /etc/postfix/sasl/smtpd.conf:
mech_list: PLAIN LOGIN
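PLAIN and LOGIN carry the password only base64-encoded, not hashed, so these logins should travel over TLS. Then enable SASL in /etc/postfix/main.cf: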
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
If you see this in the log:
postfix/smtpd: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Hint: add the postfix user to the sasl group:
$ adduser postfix sasl