Block outsiders from sending mail to inside user.

Diego83
Hello.
I'm trying to block a user of our mail server from receiving mail from other domains except ours.
Right now I'm trying to use the header_checks parameter to do that, but the user can't receive mail from inside (the message is also rejected).
The regular expression I'm using is:
if /^to: user1@our_domain.*/
!/^from: .*+our_domain.*/ REJECT This user is not allowed to recieve mail from the outside
endif

What I'm trying to say with the above expression is: if the recipient is user1@our_domain, then check if the sender's domain is not the same as user1's. If so, reject the message.


At main.cf:
header_checks = regexp:/etc/postfix/header_checks


Any help is greatly appreciated.
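
Why the rule in the post above also rejects internal mail, as an added Python model (not code from the thread or from Postfix): header_checks(5) applies patterns to one logical header at a time, and rules inside if/endif are tested against the same line that matched the `if`. The sample messages are constructed, and the post's `.*+` is simplified to `.*`.

```python
import re

# Postfix regexp tables match case-insensitively by default.
IF_PATTERN = re.compile(r"^to: user1@our_domain.*", re.I)
# Negated rule from the post (".*+" simplified to ".*" for this model).
NOT_PATTERN = re.compile(r"^from: .*our_domain.*", re.I)


def header_checks(headers):
    """Model of the posted if / !pattern / endif block.

    Every header line is examined on its own. A rule nested inside
    if..endif is applied to the very line that satisfied the `if`,
    never to a different header of the same message.
    """
    for line in headers:
        if IF_PATTERN.search(line):
            # `line` is the To: header here, so it can never start with
            # "from:"; the negated pattern therefore always fires.
            if not NOT_PATTERN.search(line):
                return "REJECT", line
    return "DUNNO", None


# Constructed sample messages (headers only).
INTERNAL = ["From: alice@our_domain", "To: user1@our_domain", "Subject: hi"]
EXTERNAL = ["From: bob@elsewhere.test", "To: user1@our_domain", "Subject: hi"]
OTHER_RCPT = ["From: bob@elsewhere.test", "To: user2@our_domain", "Subject: hi"]

if __name__ == "__main__":
    for name, msg in [("internal", INTERNAL), ("external", EXTERNAL),
                      ("other recipient", OTHER_RCPT)]:
        print(name, header_checks(msg))
```

Because the decision is made on the To: line alone, the sender never influences it. Header checks also see message headers rather than the SMTP envelope, which is why an envelope-based access check fits this task better.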



 

Re: Block outsiders from sending mail to inside user.

Sahil Tandon
Diego Ledesma <[hidden email]> wrote:

> I'm trying to block a user of our mail server from receiving mail from other
> domains except ours.
> Right now I'm trying to use header_checks parameter to do that

[...]

IMHO restriction classes are more suitable for this task.
http://www.postfix.com/RESTRICTION_CLASS_README.html

--
Sahil Tandon <[hidden email]>

Re: Block outsiders from sending mail to inside user.

Diego83
Thank you for the tip!

I'm trying to implement the restriction for some users not to be able to send mail to the Internet, the same way as
http://www.postfix.com/RESTRICTION_CLASS_README.html#internal

The problem I'm having is that the users that are not in the restriction list get "Relay access denied" when they try to send mail to the Internet.

Also, I couldn't only set check_sender_access in smtpd_recipient_restrictions. Doing so I get an error message in Postfix's error log saying
 " postfix/smtpd[8141]: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains,
reject_unauth_destination, reject, defer or defer_if_permit

Tried using check_relay_domains or reject_unauth_destination and with both I get the Relay ...  error mentioned above.

Any help is greatly appreciated.



On Wed, Jul 2, 2008 at 9:47 PM, Sahil Tandon <[hidden email]> wrote:

Re: Block outsiders from sending mail to inside user.

mouss-2
Diego Ledesma wrote:

> Thank you for the tip!
>
> I'm trying to implement the restriction for some users not to be able to
> send mail to the Internet, the same way as
> http://www.postfix.com/RESTRICTION_CLASS_README.html#internal
>
> The problem I'm having is that the users that are not in the restriction
> list get "Relay access denied" when they try to send mail to the Internet.
>
> Also, I couldn't only set check_sender_access in
> smtpd_recipient_restrictions. Doing so I get an error message in Postfix's
> error log saying
>  " postfix/smtpd[8141]: fatal: parameter "smtpd_recipient_restrictions":
> specify at least one working instance of: check_relay_domains,
> reject_unauth_destination, reject, defer or defer_if_permit
>

this protects you from becoming an open relay.

> Tried using check_relay_domains or reject_unauth_destination and with both I
> get the Relay ...  error mentioned above.
>
> Any help is greatly appreciated.
>

you forgot to show your configuration ('postconf -n' output)

Re: Block outsiders from sending mail to inside user.

Diego83
Oh. Sorry for that.
Here I post my Postfix's configuration.
------

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_bcc = [hidden email]
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
home_mailbox = Maildir/
inet_interfaces = all
mailbox_size_limit = 0
maximal_queue_lifetime = 0
mydestination = mydomain.com, mailserver, localhost.localdomain, localhost
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8, 192.168.1.0/24
myorigin = /etc/mailname
receive_override_options = no_address_mappings
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
recipient_delimiter = +
relayhost =
sender_bcc_maps = hash:/etc/postfix/sender_bcc
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes

-----

On Fri, Jul 4, 2008 at 3:46 AM, mouss <[hidden email]> wrote:

Re: Block outsiders from sending mail to inside user.

mouss-2
Diego Ledesma wrote:

> Oh. Sorry for that.
> Here I post my Postfix's configuration.
> ------
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> always_bcc = [hidden email]
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> content_filter = amavis:[127.0.0.1]:10024
> home_mailbox = Maildir/
> inet_interfaces = all
> mailbox_size_limit = 0
> maximal_queue_lifetime = 0
> mydestination = mydomain.com, mailserver, localhost.localdomain, localhost
> myhostname = mail.mydomain.com
> mynetworks = 127.0.0.0/8, 192.168.1.0/24
> myorigin = /etc/mailname
> receive_override_options = no_address_mappings
> recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
> recipient_delimiter = +
> relayhost =
> sender_bcc_maps = hash:/etc/postfix/sender_bcc
> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> smtpd_use_tls = yes
>  

so you don't have any restrictions. here is one way to implement your
goal. note that it uses smtpd_sender_restrictions (so you don't have to
care about reject_unauth_destination and don't risk becoming an open
relay). do not use this in smtpd_recipient_restrictions unless you have
a very good understanding of restrictions (The OK below will cause
postfix to skip further checks in the same restriction stage).

smtpd_restriction_classes = restricted_recipient

smtpd_sender_restrictions =
    check_recipient_access hash:/etc/postfix/recipient_acl

restricted_recipient =
    check_sender_access hash:/etc/postfix/send_to_restricted
    reject

== recipient_acl:
[hidden email]      restricted_recipient

== send_to_restricted
example.com            OK
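
How the configuration above is evaluated for one SMTP transaction, as an added Python model (not code from the thread or from Postfix). The address user1@example.com stands in for the hidden recipient, and the lookup is a simplified version of the access(5) search order that ignores address extensions.

```python
# Constructed table contents mirroring the two map files in the post.
RECIPIENT_ACL = {"user1@example.com": "restricted_recipient"}  # placeholder address
SEND_TO_RESTRICTED = {"example.com": "OK"}


def access_lookup(table, address):
    """Simplified access(5) search: full address, then the domain and
    each parent domain (default parent_domain_matches_subdomains),
    then localpart@."""
    local, _, domain = address.lower().rpartition("@")
    labels = domain.split(".")
    keys = [f"{local}@{domain}"]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(f"{local}@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def restricted_recipient(sender):
    """The restriction class: check_sender_access ..., then reject."""
    if access_lookup(SEND_TO_RESTRICTED, sender) == "OK":
        return "permit"   # OK ends this restriction list with a permit
    return "reject"       # the trailing "reject" catches everyone else


CLASSES = {"restricted_recipient": restricted_recipient}


def smtpd_sender_restrictions(sender, recipient):
    """check_recipient_access hash:/etc/postfix/recipient_acl.

    With smtpd_delay_reject = yes the list runs at RCPT TO, so the
    recipient is already known when the sender stage is evaluated.
    """
    result = access_lookup(RECIPIENT_ACL, recipient)
    if result in CLASSES:
        return CLASSES[result](sender)
    return "dunno"        # unlisted recipient: later stages decide


if __name__ == "__main__":
    for s, r in [("alice@example.com", "user1@example.com"),
                 ("bob@elsewhere.test", "user1@example.com"),
                 ("bob@elsewhere.test", "user2@example.com")]:
        print(s, "->", r, ":", smtpd_sender_restrictions(s, r))
```

A "dunno" result leaves the message to the remaining restriction stages, so reject_unauth_destination in smtpd_recipient_restrictions still guards against relaying.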





Re: Block outsiders from sending mail to inside user.

Diego83
Thanks very much for that!
I'll try next Monday when I get back to the office.
One last question...
If I would also want to do the opposite (i.e. block an inside user from sending mail to the Internet), would I need to use smtpd_recipient_restrictions or could it be done using smtpd_sender_restrictions?

Thanks.

On Fri, Jul 4, 2008 at 3:38 PM, mouss <[hidden email]> wrote:

Re: Block outsiders from sending mail to inside user.

mouss-2
Diego Ledesma wrote:
> Thanks very much for that!
> I'll try next Monday when I get back to the office.
> One last question...
> If I would also want to do the opposite (i.e. block an inside user from sending
> mail to the Internet), would I need to use smtpd_recipient_restrictions or
> could it be done using smtpd_sender_restrictions?
>  

I may have been unclear. I used smtpd_sender_restrictions just to avoid
you becoming an open relay if you play wrong with
smtpd_recipient_restrictions.

so to stay on the safe side, use smtpd_sender_restrictions,
smtpd_client_restrictions or smtpd_helo_restrictions (whichever you want).


of course, all this assumes the default setup of smtpd_delay_reject =
yes. if you set this to "no", you are supposed to know what you are
doing, and then you're on your own.