Hi,
I use an Active Directory configuration and NethSecurity as the firewall. I forward the ports required from the internet to the NethServer 8 cluster (i.e. port 25). Using the `runagent -m mail1 podman exec postfix sqlite3 /srv/pcdb.sqlite 'INSERT INTO mynetworks (network) VALUES("192.168.1.0/24");'` command opens up the local network to allow devices to send insecure email, but also allows forwarded external IPs to send email through the relay. I had to remove the above (even when I specified only the IP for the internal application, spammers could still send emails using @mydomain).
Port forwarding should not change the source address of a packet, so the mynetworks rule should not apply on packets coming in from external through port forwarding. I do not know Nethsecurity, since I use opnsense, but did you enable something like SNAT (source network address translation) on the forwarding rule?
No, nothing like that. In the logs it shows the external IP connecting to port 25 and not requiring authentication to send mail out. It had me confused as well, as I'd expect external IPs to be blocked by postfix.
Do you mean the WAN IP of NethSecurity or the real source IP from the external mail client?
Sorry, I should have been more specific.
In the logs it shows the real source IP address of the bot net mail client, not my public WAN address.
Did you migrate the mail server from NS7 to NS8?
No, a new install on a fresh Debian system in January 2024. Tried installing on Rocky Linux at the time but got an error during install (towards the end of the script) which stopped the GUI from working (tried a couple of times with a fresh Rocky Linux each time) and didn't have time to diagnose, as I was trying to get the old NS8 operational again after it crashed on a live system.
So it might be a Debian-specific bug… I haven't a spare server at present to try reinstalling.
It seems to be a bug. I tested on Debian and had the same issue. It's NOT a NethSecurity issue.
After adding an address/network to mynetworks the server is an open relay even if the added address/network doesn't exist. cc @davidep
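A quick way for an administrator to confirm from the mail log whether the relay has opened up in the way described in this thread is to correlate each Postfix queue ID's `smtpd` `client=` line (which carries `sasl_username=` only for authenticated sessions) with a later `smtp` `relay=... status=sent` line for an outside destination. The following is an added example, not code from the thread or from the NethServer project: it assumes standard Postfix syslog output, the trusted networks are an assumption (192.168.1.0/24 from the thread plus loopback), and the log lines are constructed for the demonstration.

```python
"""Flag Postfix deliveries that look like unauthenticated relaying from outside.

Heuristic: a queue ID whose smtpd client= line has no sasl_username= and whose
client IP is outside the trusted networks, later handed to an external relay
(postfix/smtp ... status=sent), is a candidate open-relay abuse.
"""
import ipaddress
import re

# Constructed sample log lines (not taken from the thread): a LAN client, an
# authenticated external client, an unauthenticated external client relaying
# outward, and an unauthenticated external client delivering to a local mailbox.
SAMPLE_LOG = """\
Jan 20 10:00:01 mail1 postfix/smtpd[2101]: 7A1B2C3D4E: client=pc1.lan[192.168.1.50]
Jan 20 10:00:02 mail1 postfix/smtp[2105]: 7A1B2C3D4E: to=<someone@example.net>, relay=mx.example.net[203.0.113.10]:25, delay=0.5, status=sent (250 OK)
Jan 20 10:01:01 mail1 postfix/smtpd[2110]: 8B2C3D4E5F: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=alice@mydomain
Jan 20 10:01:02 mail1 postfix/smtp[2112]: 8B2C3D4E5F: to=<friend@example.org>, relay=mx.example.org[203.0.113.20]:25, delay=0.4, status=sent (250 OK)
Jan 20 10:02:01 mail1 postfix/smtpd[2120]: 9C3D4E5F60: client=unknown[198.51.100.77]
Jan 20 10:02:02 mail1 postfix/smtp[2122]: 9C3D4E5F60: to=<victim@example.com>, relay=mx.example.com[203.0.113.30]:25, delay=0.6, status=sent (250 OK)
Jan 20 10:03:01 mail1 postfix/smtpd[2130]: A4E5F60718: client=unknown[198.51.100.88]
Jan 20 10:03:02 mail1 postfix/lmtp[2133]: A4E5F60718: to=<bob@mydomain>, relay=dovecot, delay=0.1, status=sent (250 2.0.0 Ok)
"""

# Assumed trusted ranges: the LAN from the thread plus loopback.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# smtpd accept line: queue id, client IP in brackets, and any SASL attributes.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=\S+?\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)
# Outbound SMTP delivery line (postfix/smtp, not smtpd/lmtp) that was accepted.
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), .*status=sent"
)


def is_trusted(ip, networks=TRUSTED_NETWORKS):
    """True if the client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_suspicious_relays(log_text, networks=TRUSTED_NETWORKS):
    """Return a list of outbound deliveries from untrusted, unauthenticated clients."""
    origin = {}  # queue id -> (client ip, authenticated?)
    hits = []
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            origin[m["qid"]] = (m["ip"], "sasl_username=" in m["rest"])
            continue
        m = SMTP_RE.search(line)
        if m and m["qid"] in origin:
            ip, authed = origin[m["qid"]]
            if not authed and not is_trusted(ip, networks):
                hits.append({"qid": m["qid"], "client": ip,
                             "rcpt": m["rcpt"], "relay": m["relay"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_relays(SAMPLE_LOG):
        print(f"{hit['qid']}: unauthenticated relay from {hit['client']} "
              f"to <{hit['rcpt']}> via {hit['relay']}")
```

Run against the real `postfix/smtpd` and `postfix/smtp` lines (for example `journalctl` output from the mail container) with the trusted list set to what `mynetworks` is supposed to contain; any hit means a client outside those networks relayed outbound without SASL, which is exactly the condition described above. Local deliveries (`lmtp`, `virtual`) are deliberately ignored, since accepting mail for your own domain from the outside is normal MX behaviour.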
You were right, let’s close this discussion and continue here: