How to allow relaying per domain?

How to allow relaying per domain?

Hans van Zijst
Is it possible to let Postfix decide which hosts to relay mail for,
based on the domain from which that mail is sent?

I'm building a relayhost that should accept e-mail from a whole bunch of
internal mailservers, and relay it to the Internet, after scanning,
DKIM-signing and rate limiting.

But I don't want to give Postfix one list of all hosts that are allowed
to relay mail through it, because that would allow users of all internal
servers to send mail from all domains. I'm looking for a way to let
Postfix check if the host is allowed to send mail for the domain involved.

I'm using an LDAP backend and what I thought I wanted to do under
"smtpd_relay_restrictions" is a "check_client_access" query for the
domain, and return the attribute which contains the host(s) that are
allowed, with "PERMIT", like this:

smtpd_relay_restrictions =  check_client_access ldap:relay_access

Where the file relay_access contains something like:

query_filter = domainName=%d
result_attribute = allowedHost
result_format = %s PERMIT

But the input key here is not the domain name, but the address of the
smtpserver sending the message.

How do I match a domain name with an IP-address or FQDN? Or am I looking
in the wrong direction here?

Kind regards,

Hans

Re: How to allow relaying per domain?

Nick Tait

Hi Hans.

I'm not sure if there is an easier way, but one way to achieve this is with a restriction class per server. (BTW I don't know much about LDAP so the example below is based on files...)

main.cf:
	indexed = ${default_database_type}:${config_directory}/
	smtpd_restriction_classes = server1_sender_restrictions, server2_sender_restrictions, server3_sender_restrictions
	smtpd_relay_restrictions =
		check_client_access ${indexed}allservers_client_access,
		reject_unauth_destination
	server1_sender_restrictions = check_sender_access ${indexed}server1_sender_access, reject
	server2_sender_restrictions = check_sender_access ${indexed}server2_sender_access, reject
	server3_sender_restrictions = check_sender_access ${indexed}server3_sender_access, reject

allservers_client_access:
	server1.internal.example.com	server1_sender_restrictions
	server2.internal.example.com	server2_sender_restrictions
	server3.internal.example.com	server3_sender_restrictions

server1_sender_access:
	example.com	ok
	<>	ok

server2_sender_access:
	example.org	ok
	<>	ok

server3_sender_access:
	example.net	ok
	<>	ok

I use something like this myself and it works well if the number of servers is small and doesn't change often.

Nick.


On 25/09/20 2:42 am, Hans van Zijst wrote:
> Is it possible to let Postfix decide which hosts to relay mail for,
> based on the domain from which that mail is sent?
>
> I'm building a relayhost that should accept e-mail from a whole bunch of
> internal mailservers, and relay it to the Internet, after scanning,
> DKIM-signing and rate limiting.
>
> But I don't want to give Postfix one list of all hosts that are allowed
> to relay mail through it, because that would allow users of all internal
> servers to send mail from all domains. I'm looking for a way to let
> Postfix check if the host is allowed to send mail for the domain involved.
>
> I'm using an LDAP backend and what I thought I wanted to do under
> "smtpd_relay_restrictions" is a "check_client_access" query for the
> domain, and return the attribute which contains the host(s) that are
> allowed, with "PERMIT", like this:
>
> smtpd_relay_restrictions =  check_client_access ldap:relay_access
>
> Where the file relay_access contains something like:
>
> query_filter = domainName=%d
> result_attribute = allowedHost
> result_format = %s PERMIT
>
> But the input key here is not the domain name, but the address of the
> smtpserver sending the message.
>
> How do I match a domain name with an IP-address or FQDN? Or am I looking
> in the wrong direction here?
>
> Kind regards,
>
> Hans

Re: How to allow relaying per domain?

Hans van Zijst
Hi Nick,

Thanks for your reaction, it gave me some food for thought.

I can see how this works for a limited number of servers, but
unfortunately (?) our environment is a lot bigger than that.

I think my solution is to write a policy service:

http://www.postfix.org/SMTPD_POLICY_README.html

That would give me all the variables I need, at the disadvantage of
having to write and maintain some separate code.

Kind regards,

Hans


On 27-09-2020 08:32, Nick Tait wrote:

> Hi Hans.
>
> I'm not sure if there is an easier way, but one way to achieve this is
> with a restriction class per server. (BTW I don't know much about LDAP
> so the example below is based on files...)
>
> main.cf:
> indexed = ${default_database_type}:${config_directory}/
> smtpd_restriction_classes = server1_sender_restrictions, server2_sender_restrictions, server3_sender_restrictions
> smtpd_relay_restrictions =
> check_client_access ${indexed}allservers_client_access,
> reject_unauth_destination
> server1_sender_restrictions = check_sender_access ${indexed}server1_sender_access, reject
> server2_sender_restrictions = check_sender_access ${indexed}server2_sender_access, reject
> server3_sender_restrictions = check_sender_access ${indexed}server3_sender_access, reject
>
> allservers_client_access:
> server1.internal.example.com server1_sender_restrictions
> server2.internal.example.com server2_sender_restrictions
> server3.internal.example.com server3_sender_restrictions
>
> server1_sender_access:
> example.com ok
> <> ok
>
> server2_sender_access:
> example.org ok
> <> ok
>
> server3_sender_access:
> example.net ok
> <> ok
>
> I use something like this myself and it works well if the number of
> servers is small and doesn't change often.
>
> Nick.
>
>
> On 25/09/20 2:42 am, Hans van Zijst wrote:
>> Is it possible to let Postfix decide which hosts to relay mail for,
>> based on the domain from which that mail is sent?
>>
>> I'm building a relayhost that should accept e-mail from a whole bunch of
>> internal mailservers, and relay it to the Internet, after scanning,
>> DKIM-signing and rate limiting.
>>
>> But I don't want to give Postfix one list of all hosts that are allowed
>> to relay mail through it, because that would allow users of all internal
>> servers to send mail from all domains. I'm looking for a way to let
>> Postfix check if the host is allowed to send mail for the domain involved.
>>
>> I'm using an LDAP backend and what I thought I wanted to do under
>> "smtpd_relay_restrictions" is a "check_client_access" query for the
>> domain, and return the attribute which contains the host(s) that are
>> allowed, with "PERMIT", like this:
>>
>> smtpd_relay_restrictions =  check_client_access ldap:relay_access
>>
>> Where the file relay_access contains something like:
>>
>> query_filter = domainName=%d
>> result_attribute = allowedHost
>> result_format = %s PERMIT
>>
>> But the input key here is not the domain name, but the address of the
>> smtpserver sending the message.
>>
>> How do I match a domain name with an IP-address or FQDN? Or am I looking
>> in the wrong direction here?
>>
>> Kind regards,
>>
>> Hans
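
One way to write the policy service mentioned in the message above, as an added example that is not part of the original thread: it speaks the name=value request/reply protocol described in SMTPD_POLICY_README over stdin/stdout (as when started by spawn(8) and referenced with check_policy_service) and permits relaying only when the client address is listed for the envelope sender's domain. The addresses, the ALLOWED_HOSTS table and the function names are constructed for illustration; a real deployment would take the domain-to-host mapping from LDAP.

```python
"""Postfix policy delegate: per-sender-domain relay check (added example)."""
import sys

# Constructed sample data: sender domain -> client addresses allowed to relay
# for it. Mirrors the domainName/allowedHost attributes from the question; a
# real deployment would look this up in LDAP instead of a literal dict.
ALLOWED_HOSTS = {
    "example.com": {"192.0.2.11"},
    "example.org": {"192.0.2.12"},
    "example.net": {"192.0.2.12", "192.0.2.13"},
}
KNOWN_HOSTS = set().union(*ALLOWED_HOSTS.values())

def parse_request(lines):
    """Turn the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return the access(5) action for one request."""
    client = attrs.get("client_address", "")
    sender = attrs.get("sender", "")
    if sender == "":
        # Null sender (bounces, DSNs): any known internal host may relay it.
        return "OK" if client in KNOWN_HOSTS else "REJECT relay access denied"
    domain = sender.rpartition("@")[2].lower()
    if client in ALLOWED_HOSTS.get(domain, ()):
        return "OK"
    return "REJECT client not authorized to relay for this sender domain"

def serve(infile=sys.stdin, outfile=sys.stdout):
    """Answer requests until Postfix closes the connection."""
    request = []
    for raw in infile:
        line = raw.rstrip("\r\n")
        if line:
            request.append(line)
        else:
            # An empty line ends the request; reply with action= and an empty line.
            outfile.write(f"action={decide(parse_request(request))}\n\n")
            outfile.flush()
            request = []

if __name__ == "__main__":
    serve()
```

With this table, a message that 192.0.2.11 forwards under an envelope sender in example.org is rejected even though the host is a known internal server.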

Re: How to allow relaying per domain?

Dominic Raferd
What about having multiple different smtpd services on different
ports; then set up the LAN mail agents to send to whichever port is
appropriate for their access, and you can have entirely bespoke
settings for each one.

On Mon, 28 Sep 2020 at 10:02, Hans van Zijst <[hidden email]> wrote:

>
> Hi Nick,
>
> Thanks for your reaction, it gave me some food for thought.
>
> I can see how this works for a limited number of servers, but
> unfortunately (?) our environment is a lot bigger than that.
>
> I think my solution is to write a policy service:
>
> http://www.postfix.org/SMTPD_POLICY_README.html
>
> That would give me all the variables I need, at the disadvantage of
> having to write and maintain some separate code.
>
> On 27-09-2020 08:32, Nick Tait wrote:
> > Hi Hans.
> >
> > I'm not sure if there is an easier way, but one way to achieve this is
> > with a restriction class per server. (BTW I don't know much about LDAP
> > so the example below is based on files...)
> > ...
> >
> > Nick.
> >
> >
> > On 25/09/20 2:42 am, Hans van Zijst wrote:
> >> Is it possible to let Postfix decide which hosts to relay mail for,
> >> based on the domain from which that mail is sent?
> >>
> >> I'm building a relayhost that should accept e-mail from a whole bunch of
> >> internal mailservers, and relay it to the Internet, after scanning,
> >> DKIM-signing and rate limiting.
> >>
> >> But I don't want to give Postfix one list of all hosts that are allowed
> >> to relay mail through it, because that would allow users of all internal
> >> servers to send mail from all domains. I'm looking for a way to let
> >> Postfix check if the host is allowed to send mail for the domain involved.
> >>
> >> I'm using an LDAP backend and what I thought I wanted to do under
> >> "smtpd_relay_restrictions" is a "check_client_access" query for the
> >> domain, and return the attribute which contains the host(s) that are
> >> allowed, with "PERMIT", like this:
> >>
> >> smtpd_relay_restrictions =  check_client_access ldap:relay_access
> >>
> >> Where the file relay_access contains something like:
> >>
> >> query_filter = domainName=%d
> >> result_attribute = allowedHost
> >> result_format = %s PERMIT
> >>
> >> But the input key here is not the domain name, but the address of the
> >> smtpserver sending the message.
> >>
> >> How do I match a domain name with an IP-address or FQDN? Or am I looking
> >> in the wrong direction here?
> >>
> >> Kind regards,
> >>
> >> Hans

Re: How to allow relaying per domain?

Viktor Dukhovni
In reply to this post by Hans van Zijst
On Thu, Sep 24, 2020 at 04:42:22PM +0200, Hans van Zijst wrote:

> I'm building a relayhost that should accept e-mail from a whole bunch of
> internal mailservers, and relay it to the Internet, after scanning,
> DKIM-signing and rate limiting.
>
> But I don't want to give Postfix one list of all hosts that are allowed
> to relay mail through it, because that would allow users of all internal
> servers to send mail from all domains. I'm looking for a way to let
> Postfix check if the host is allowed to send mail for the domain involved.

While this is possible, it is not a good idea to do this.  So the right
answer to "HOW" is probably "DON'T".

The reason for this is that email routing is more complicated
in general than just a linear delivery chain from a single author
or sender to the originally addressed mailboxes.

Email from a sender in domain A may be addressed to a "distribution
list" at domain B, that contains some recipients there, but also
forwards the mail to domains C, and D and maybe even some mailboxes
on the Internet.  The envelope sender may or may not change en-route,
the message may be redirected by a recipient who adds "Resent-From"
headers, but leaves "From:" unchanged...

If you erect walls between the domains, you do violence to legitimate
email delivery use-cases.

--
    Viktor.