How can I block outside mail FROM postmaster@mydomain.com?

sventechie asked:

A security firm has been testing my mail server and claims my Postfix daemon is an open relay. The evidence is as follows (valid public IP for mail.mydomain.com has been changed to 10.1.1.1 for security):

Relay User: postmaster Relay Domain: 10.1.1.1
Transaction Log: EHLO elk_scan_137 250-mail.mydomain.com 250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME
250 DSN
MAIL FROM: postmaster@[10.1.1.1]
250 2.1.0 Ok
RCPT TO: postmaster@[10.1.1.1]
250 2.1.5 Ok

I’ve already blocked mail to root, but clearly I should not block postmaster. I feel that the ability to send mail from a server to itself does not make an open relay. But how can I safely block a spoofed postmaster@mail.mydomain.com sender?

[N.B. I’ve scanned myself using mxtoolbox.com and they say it is secure and not an open relay]

My answer:


The fact that someone can send you mail addressed to your own mail server’s IP address has absolutely no bearing on whether the mail server is an open relay.

Open relays accept mail for any and all systems outside their administrative domain and forward them onward. This clearly is not what’s demonstrated here.

Ask the security firm to share whatever it is they’ve been smoking, since clearly it’s really good stuff.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.