I am trying to wrap my head around the following. Is it possible to have a Postfix "receive-only" server? E.g. mx.example.com should only receive mail to a specific list of domains; it should not be possible to send mail through it. I can't seem to find any articles addressing this. I know I can disable SASL, but that does not prevent sending without authentication. Is it even possible to disable this completely?
2 Answers
By default, Postfix allows unlimited relay from trusted networks:
mynetworks (default: see "postconf -d" output)
The list of "trusted" remote SMTP clients that have more privileges than "strangers".
In particular, "trusted" SMTP clients are allowed to relay mail through Postfix. See the smtpd_relay_restrictions parameter description.
The default value could be something like the following, with at least local loop-back networks:
mynetworks = 127.0.0.0/8 198.51.100.100/24 [::1]/128 [fe80::]/64
The smtpd_relay_restrictions defaults to:
permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
permit_mynetworks
Permit the request when the client IP address matches any network or network address listed in $mynetworks.
Therefore, the easiest way would be to remove permit_mynetworks from this list. (Alternatively one could set mynetworks not to include 127.0.0.0/8, but that may cause other problems.)
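A check for the setting this answer discusses, as an added example that is not part of the answer: a POSIX shell audit that reads a main.cf fragment and flags a smtpd_relay_restrictions value that still lets clients relay. It assumes single-line "name = value" settings and that an unset parameter takes the built-in default quoted above; the sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not from the answer: audit the relay policy in a main.cf
# fragment. Assumes single-line "name = value" settings and that an unset
# smtpd_relay_restrictions takes Postfix's built-in default quoted above.
DEFAULT_RELAY='permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination'

# get_param CONFIG NAME FALLBACK: print the value of NAME from the config
# text in $1; the last definition wins, like Postfix; FALLBACK if unset.
get_param() {
    v=$(printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# audit_relay_restrictions CONFIG: return 0 when smtpd will not relay for
# anyone (no permit_* rule, and unauthorised destinations are rejected or
# deferred); otherwise print why and return 1.
audit_relay_restrictions() {
    r=$(get_param "$1" smtpd_relay_restrictions "$DEFAULT_RELAY")
    case ",$(printf '%s' "$r" | tr -d ' ')," in
        *,permit_mynetworks,*)
            echo "relays for every client in \$mynetworks: $r"; return 1 ;;
        *,permit_sasl_authenticated,*)
            echo "relays for SASL-authenticated clients: $r"; return 1 ;;
    esac
    case "$r" in
        *reject_unauth_destination*|*defer_unauth_destination*) return 0 ;;
    esac
    echo "no rule blocks unauthorised destinations: $r"; return 1
}

# Constructed sample configs: the stock defaults, which relay for
# $mynetworks, and the receive-only variant the answer describes.
WEAK='mydestination = example.com
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination'
RECEIVE_ONLY='mydestination = example.com
smtpd_sasl_auth_enable = no
smtpd_relay_restrictions = reject_unauth_destination'

for cfg in "$WEAK" "$RECEIVE_ONLY"; do
    if audit_relay_restrictions "$cfg"; then echo "receive-only: OK"; fi
done
```

On a live system, `postconf smtpd_relay_restrictions` shows the effective value and `postconf -d smtpd_relay_restrictions` the built-in default. Mail injected locally through the sendmail command enters via pickup, not smtpd, so these restrictions do not cover it.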
The first and the easiest method:
Create an iptables rule that will block all outgoing mail. Example:
iptables -A OUTPUT -p tcp --dport 25 -j DROP
But you need to drop all other outbound traffic too. You can do this with the default policy:
iptables -P OUTPUT DROP
Or (better) set the default policy to accept everything and put the drop rule at the end of the chain. You also need to accept all established and related traffic. A bunch of rules will look something like this:
iptables -P OUTPUT ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j DROP
iptables -A OUTPUT -s <type_host_ip> -j DROP
This is only part of the rule set! You need to allow all outbound IMAP and POP3 traffic and other traffic such as SSH!
The second method:
Create a transport map:
> /etc/postfix/transport
Add the following into this file:
your_domain    local:some_local_user
One line per domain.
In /etc/aliases add this line:
some_local_user: /dev/null
In main.cf:
luser_relay = some_local_user@your_domain.tld
transport_maps = hash:/etc/postfix/transport
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
Run one by one:
postmap /etc/postfix/transport
postalias /etc/aliases
service postfix reload
You can use a REJECT action map to send a reject message back to users.
Replace the transport map with:
your_domain    error: not allowed!