Posted by: Eric Hansen
authentication, Postfix, SMTP
Basically every guide you see online or read about on how to set up a SMTP server says you need to have SMTP authentication enabled to be safe (and to avoid open relay attacks). While yes, you do need this if you’re running an enterprise-level system that requires remote connections from smart phones, laptops/PCs at home, etc…, what about those that do not run into this issue?
The thought process is easy and clear for both sides. While SMTP authentication does give you security with your mail server, if its just you (or everyone you know) who are using the server, and its behind a LAN-only, why put that extra overhead in place?
Here’s an eample: My business’ server is behind my LAN. My mail server is listening on 0.0.0.0:25. I do not have SMTP authentication enabled. However, my mail server is still not an open relay. How does this work? I’ll show you (in Postfix).
All it takes in Postfix is one line to allow security without overhead:
mynetworks = 192.168.1.0/24, 127.0.0.0/8
What this does is tell Postfix that the specified networks (separated with a comma) are allowed to send e-mail. For example, if my computer’s IP is 192.168.1.40, then I will be able to send e-mail even without authenticating. However, if I was at Star Bucks and tried to send e-mail, the IP address would be outside of the allowed list, and thus not able to send e-mail. This small trick will eliminate the open relay risk without causing overhead due to encryption/decryption using TLS/SSL.
This solution is not “secure”, however, as anyone in the network can send e-mails, which is why I do not suggest using this for more than single-user networks. In any other case, SMTP authentication is highly advisable. But, say you’re running a development virtual machine to test some new PHP code, and you want to test the e-mail ability. You can just install Postfix, edit this line, make a user’s mailbox and send some test e-mails.
If you’re wondering, also, how can you send e-mail if you are at a Star Bucks, Panera, etc… the trick is to use a proxy to your network. My favorite method in this is to use SSH with public key authentication, but anything can be usable (VPN, for example).