Blocking mail from all but one domain

Blocking mail from all but one domain

Alex Regan
Hi,
I have a postfix-3.1.4 installation and have been given a request to
block all incoming mail from all but a single specific domain and
block all outgoing mail with the exception of only that same single
specific domain.

Mail is received by a relay server, mail01.example.com, then forwarded
to a pop/imap server, host1.example.com on the same network. We wish
to reject all inbound mail with the exception of host2.example.com
from being received by host1.example.com. We also wish to reject all
outbound mail on host2.example.com from being sent unless it is
destined for host1.example.com.

host2.example.com is also using postfix-3.1.4.

How would I go about doing that? I thought I could configure a
check_sender_access restriction, list host2.example.com as "ok" then
reject everything else:

host2.example.com           OK
*                           554 REJECT

For host2.example.com, users send mail using either submission or
webmail which talks to postfix on localhost/25. I believe this would
be a smtpd recipient restriction?
Re: Blocking mail from all but one domain

Dominic Raferd


On 11 April 2018 at 03:27, Alex <[hidden email]> wrote:
> Hi,
> I have a postfix-3.1.4 installation and have been given a request to
> block all incoming mail from all but a single specific domain and
> block all outgoing mail with the exception of only that same single
> specific domain.
>
> Mail is received by a relay server, mail01.example.com, then forwarded
> to a pop/imap server, host1.example.com on the same network. We wish
> to reject all inbound mail with the exception of host2.example.com
> from being received by host1.example.com. We also wish to reject all
> outbound mail on host2.example.com from being sent unless it is
> destined for host1.example.com.
>
> host2.example.com is also using postfix-3.1.4.
>
> How would I go about doing that? I thought I could configure a
> check_sender_access restriction, list host2.example.com as "ok" then
> reject everything else:
>
> host2.example.com           OK
> *                           554 REJECT
>
> For host2.example.com, users send mail using either submission or
> webmail which talks to postfix on localhost/25. I believe this would
> be a smtpd recipient restriction?

Put these entries in a client-based, not sender-based, restriction e.g.

check_client_access hash:/etc/postfix/client_access

This could appear in any of the restriction lists, including smtpd_recipient_restrictions. The first restriction list processed, I believe, is smtpd_client_restrictions.

Re: Blocking mail from all but one domain

Viktor Dukhovni


> On Apr 11, 2018, at 1:49 AM, Dominic Raferd <[hidden email]> wrote:
>
>> How would I go about doing that? I thought I could configure a
>> check_sender_access restriction, list host2.example.com as "ok" then
>> reject everything else:
>>
>> host2.example.com           OK
>> *                           554 REJECT

See the documentation:

        http://www.postfix.org/access.5.html

where you'll find that "*" is not a documented lookup key for access(5) tables.

>> For host2.example.com, users send mail using either submission or
>> webmail which talks to postfix on localhost/25. I believe this would
>> be a smtpd recipient restriction?
>
> Put these entries in a client-based, not sender-based, restriction e.g.
>
> check_client_access hash:/etc/postfix/client_access

The OP has not been at all clear about whether the policy applies to the
envelope sender address, or the connecting client hostname.

Whitelist policies based on the connecting client hostname are fragile;
DNS lookups can tempfail, and so one needs to make sure that any resulting
rejection is also a temporary failure.

> This could appear in any of the restriction lists, including smtpd_recipient_restrictions.

This is also nuanced, as one must take care to not become an open relay
for forgeries of the envelope sender address, or even for a particular
host that is authorized to send inbound email, but should not as a result
be also allowed to send outbound email to remote domains.

If the intent is to limit mail to a single client hostname (not envelope
sender domain) and refuse everyone else then the correct configuration is:

        # Postfix >= 2.10
        # No relay service
        #
        smtpd_relay_restrictions = reject_unauth_destination

        smtpd_client_restrictions =
                #
                # softfail when DNS resolution tempfails,
                # hardfail for clients with no FcrDNS
                #
                reject_unknown_client_hostname,
                #
                # Postfix >= 3.0, use another table type with older versions
                # permit just the whitelisted host
                #
                check_client_access inline:{smtp.example.com = OK}
                #
                #  Reject everyone else
                #
                reject

--
        Viktor.
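To make the lookup order behind the check_client_access line above concrete, here is a small Python model of how Postfix walks that three-step smtpd_client_restrictions list (reject_unknown_client_hostname, check_client_access, reject). It is an added illustration, not Postfix source code and not configuration from this thread. It assumes the Postfix defaults that parent_domain_matches_subdomains includes smtpd_access_maps and that unknown_client_reject_code is 450, and it models IPv4 clients only; the whitelist table and the client records are constructed samples.

```python
"""Model of Postfix's evaluation of:

    smtpd_client_restrictions =
        reject_unknown_client_hostname,
        check_client_access inline:{host2.example.com = OK},
        reject

Added illustration only (not Postfix code). Assumptions: default
parent_domain_matches_subdomains (includes smtpd_access_maps), default
unknown_client_reject_code = 450, IPv4 clients only.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample table, equivalent to inline:{host2.example.com = OK}.
WHITELIST = {"host2.example.com": "OK"}


@dataclass
class Client:
    address: str
    hostname: Optional[str]      # None when forward-confirmed rDNS failed
    dns_tempfail: bool = False   # True when that failure was a DNS timeout


def client_lookup_keys(hostname, address):
    """Keys Postfix tries, in order, for a check_client_access lookup:
    the full client hostname, then each parent domain down to the TLD
    (because smtpd_access_maps is in parent_domain_matches_subdomains),
    then the full IPv4 address, then shorter network prefixes."""
    keys = []
    if hostname:
        labels = hostname.lower().rstrip(".").split(".")
        keys.extend(".".join(labels[i:]) for i in range(len(labels)))
    octets = address.split(".")
    keys.extend(".".join(octets[:n]) for n in range(len(octets), 0, -1))
    return keys


def check_client_access(client, table):
    """Return the first matching table action, or None when nothing matches.
    A "*" key is never among the keys tried, so it is not a catch-all."""
    for key in client_lookup_keys(client.hostname, client.address):
        if key in table:
            return table[key]
    return None


def evaluate(client, table, unknown_client_reject_code=450):
    """Walk the restriction list and return the SMTP reply ("250 OK" on permit)."""
    # reject_unknown_client_hostname: a temporary DNS failure must yield a
    # temporary (4xx) rejection, regardless of unknown_client_reject_code.
    if client.hostname is None:
        code = 450 if client.dns_tempfail else unknown_client_reject_code
        return "%d Client host rejected: cannot find your hostname" % code
    # check_client_access inline:{host2.example.com = OK}
    action = check_client_access(client, table)
    if action == "OK":
        return "250 OK"
    if action is not None:
        # REJECT, or an explicit "5xx text" / "4xx text" action from the table
        return "554 Access denied" if action == "REJECT" else action
    # final "reject": everyone who did not match the whitelist
    return "554 Client host rejected: Access denied"


if __name__ == "__main__":
    samples = [
        Client("192.0.2.10", "host2.example.com"),
        Client("192.0.2.11", "relay2.host2.example.com"),
        Client("198.51.100.7", "mail.other.example"),
        Client("198.51.100.8", None, dns_tempfail=True),
        Client("198.51.100.9", None),
    ]
    for c in samples:
        print("%-16s %-28s -> %s" % (c.address, c.hostname, evaluate(c, WHITELIST)))
```

Two things the model makes visible that the config alone does not: a client whose forward-confirmed hostname sits under host2.example.com (say relay2.host2.example.com) is also whitelisted, because the parent domain is among the keys tried; if that is not wanted, remove smtpd_access_maps from parent_domain_matches_subdomains, after which only exact keys match and subdomains need an explicit ".host2.example.com" entry. And a DNS tempfail during the FcrDNS check yields 450 even if unknown_client_reject_code is raised to 550, which is the softfail behaviour the comment in the config relies on.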