Otdfbt

Good day to you all.
Today, I was setting up postfix on my CentOS 7 vps.

What I want

I would like my server/postfix act according to the following rules:

1. Everyone on the planet should be able to mail foo@server.com




2. Postfix must forward this mail to bar@externalmail.com



3. Nothing else may get sent to any domain

For simplicity, I call my domain server.com.

What I have

Right now,
I can send mails to foo@server.com, which do get forwarded to bar@externalmail.com (tested via telnet like this). All DNS records are set correctly, SSL certificates are working well.

My problem

I noticed I can send mails to any domains I want by connecting through telnet.

Sadly, spambots noticed this too, as I got a number of unknown connections, according to my /var/log/maillog. I checked some ip adresses via an online blacklist checker and all were blacklisted.

I am experienced (enough) in Linux systems, but very new to setting up postfix servers according to my wishes. Right now, I just blocked port 25 in ufw to stop the bots, until the problem is solved.

Question

How can one setup postfix to forward only mails with specific receivers (foo@server.com) to specific forward adresses (bar@externalmail.com)?

Secondly, how can one block ip adresses which are blocked on lists as spamhaus and CBL?

Configs

Here is my /etc/postfix/main.cf (adapted to question, excluding comments):

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
###################################
# My stuff
###################################
# Host and site name.
myhostname = server.com
mydomain = server.com
myorigin = server.com
# Virtual aliases.
virtual_alias_domains = server.com
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/server.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/server.com/privkey.pem
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_cert_file = /etc/letsencrypt/live/server.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/server.com/privkey.pem

And here is my /etc/postfix/master.cf:

smtp inet n - n - - smtpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache

The last file which I think could be important is /etc/postfix/virtual:

foo@server.com bar@externalmail.com

A last word

The configs I have are all assembled from whatever I could find on the internet I thought was useful to achieve what I want postfix to do. I am very new in this postfix-setup-world, and must say it is one tough nut to crack. If you find anything wrong in my configs, please post a comment!

Edit

Today, I configured Postfix with some restrictions. These restrictions seem to fix my problem and enforce the behaviour I want. Here are the new relevant parts in /etc/postfix/main.cf:

###################################
smtpd_client_restrictions =
 reject_invalid_hostname,
 reject_rbl_client zen.spamhaus.org,
 reject_unknown_client

###################################
smtpd_helo_restrictions =
 reject_unauth_pipelining,
 reject_non_fqdn_hostname,
 reject_invalid_hostname,
 reject_unknown_hostname

###################################
smtpd_sender_restrictions =
 reject_non_fqdn_sender,
 reject_unknown_sender_domain,
 reject_unknown_address,
 reject_unknown_reverse_client_hostname,
 reject_unknown_client_hostname

###################################
smtpd_recipient_restrictions = 
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,
 reject_unauth_destination

After finding more information about blocking, I created a new configuration.
This one is made to block all unknown[ipv4] connections from sending mail.

Also, it blocks attempts to send mail outside my domain, server.com.

I tested with mxtoolbox open relay tool to see if it works, and it did.

For relay control, use smtpd_relay_restrictions, such as:

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Use smtpd_recipient_restrictions for spam control, for example:

smtpd_recipient_restrictions = reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_non_fqdn_recipient, reject_rbl_client zen.spamhaus.org

Required reading:

http://www.postfix.org/SMTPD_ACCESS_README.html

http://www.postfix.org/postconf.5.html