New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Nullmailer - Possible to disable open relay?
Is there any configuration setting in nullmailer that would enable the user to disable it working as an open relay? I have one set up using the Sparkpost API, within 3 days my dashboard was shown as made 1.5MM API requests which was mostly denied anyways (the originating IP was some AWS IP which I don't have any service with), and I could not send the legitimate emails because I was exceeding the quota.
Comments
No experience with nullmailer but I imagine you could do several things not related to it's config. One might be tunnel/VPN + bind to 127.0.0.1 instead of 0.0.0.0 (or public IP). Another might be firewall off the port to all but the servers you intend to send mail to it from.
I don't see any relay controls in nullmailer...never heard of it until this thread, but docs are very sparse: https://untroubled.org/nullmailer/HOWTO
An alternative would be to configure postfix...you could probably take all its default configs and just modify mynetworks in main.cf. I believe out of the box, postfix will only accept mail (without authentication) if the IP is in mynetworks or the recipient is local.
Though practically speaking, if you can limit by IP, you can also leave port 587 open and firewall access.
nullmailer is yet another 'drank the djb design koolaid' tool. Documentation will be sparse and it probably doesn't even allow further configuration.
The fact that he's using the API with is key shouldn't be all that hard to wedge into Posfix, Exim, or anything half-sane. You could also write a simple wrapper for msmtp (that acts like a direct sendmail localized plugin) with the header after you auth/etc that traffic, so you don't just blindly pass it on to your services.
Of course, this means maintaining different config files if you want it to do anything beyond pass it off to Sparkpost, but it's still a hell of a lot easier than feeding an MTA which just relays local shit anyhow.
Postfix has a whole page of examples, including use as a null client.