How to ensure that either FROM or TO is local

How to ensure that either FROM or TO is local

Serge Fonville
Hi,

I'm trying to install a postfix server and everything seemed to work ok.
Until I tried to mail from a remote domain to a remote domain, but
from 'telnet localhost 25'
I understand (suspect) this works because 127.0.0.0/8 is in mynetworks.

How do I ensure that my mail server can only send mails either to or
from mydomains?

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_transport = zarafa
mydestination = mydomainformail.org, mailserver.mydomainformail.org
mydomain = mydomainformail.org
myhostname = mailserver.mydomainformail.org
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = Infracom Mail Server
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf

Thanks in advance.

Regards,

Serge Fonville

--
http://www.sergefonville.nl

Convince Google!!
They need to support Adsense over SSL
https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528
http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923&hl=en
Re: How to ensure that either FROM or TO is local

Brian Evans - Postfix List
On 12/30/2009 11:21 AM, Serge Fonville wrote:

> Hi,
>
> I'm trying to install a postfix server and everything seemed to work ok.
> Until I tried to mail from a remote domain to a remote domain, but
> from 'telnet localhost 25'
> I understand (suspect) this works because 127.0.0.0/8 is in mynetworks.
>
> How do I ensure that my mail server can only send mails either to or
> from mydomains?
>  

Postfix, by default, only queues mail that is destined for that system
(mydestination or virtual settings), included in mynetworks, or listed
in relay_domains
This only changes if *you* tell Postfix not to.  The config below does
not follow this.
There are "open relay" test websites you can verify this at.

> postconf -n
>
> smtpd_banner = Infracom Mail Server
>  

Don't change this unless you have a really good reason.
Some functionality can be lost by those connecting to you and the
current line breaks the SMTP standard.

> smtpd_use_tls = yes
>  

This is deprecated.  Newer versions of Postfix should use
"smtpd_tls_security_level = may"
Re: How to ensure that either FROM or TO is local

Brian Evans - Postfix List
On 12/30/2009 1:45 PM, Brian Evans - Postfix List wrote:
> This only changes if *you* tell Postfix not to. The config below does
> not follow this.

Should read:
This only changes if *you* tell Postfix not to. The config below does
not show any such weakness.

Re: How to ensure that either FROM or TO is local

Serge Fonville
Thx for the reply.

>> postconf -n
>>
>> smtpd_banner = Infracom Mail Server
>>
> Don't change this unless you have a really good reason.
> Some functionality can be lost by those connecting to you and the
> current line breaks the SMTP standard.
Ok, thx I'll revert this to the default then ;-)

> There are "open relay" test websites you can verify this at.
The mail server isn't public currently, but thx for the reminder :-)

> Postfix, by default, only queues mail that is destined for that system
> (mydestination or virtual settings), included in mynetworks, or listed
> in relay_domains
> This only changes if *you* tell Postfix not to. The config below does
> not show any such weakness.
Hmmm, so basically there is no way to enforce that mail sent through
the mail server will always be either from or to one of my domains :-(

Not really what I was hoping for, but thx for clarifying this Brian!

Regards,

Serge Fonville

Re: How to ensure that either FROM or TO is local

Serge Fonville
I was wondering...

>>> smtpd_banner = Infracom Mail Server
>>>
>> Don't change this unless you have a really good reason.
>> Some functionality can be lost by those connecting to you and the
>> current line breaks the SMTP standard.
> Ok, thx I'll revert this to the default then ;-)
>
>> There are "open relay" test websites you can verify this at.
> The mail server isn't public currently, but thx for the reminder :-)
>
>> Postfix, by default, only queues mail that is destined for that system
>> (mydestination or virtual settings), included in mynetworks, or listed
>> in relay_domains
>> This only changes if *you* tell Postfix not to. The config below does
>> not show any such weakness.
> Hmmm, so basically there is no way to enforce that mail sent through
> the mail server will always be either from or to one of my domains :-(

Would it be possible to use sender verification to match negatively?
That way I could run two instances of postfix and have one check
sender and the other recipient
If it comes from the internal interface at least sender should be local
if it comes from the external interface at least recipient should be local

Not sure if this is possible, but it would definitely solve it, at least I think

Regards,

Serge Fonville

Re: How to ensure that either FROM or TO is local

Serge Fonville
>>> Postfix, by default, only queues mail that is destined for that system
>>> (mydestination or virtual settings), included in mynetworks, or listed
>>> in relay_domains
>>> This only changes if *you* tell Postfix not to. The config below does
>>> not show any such weakness.
>> Hmmm, so basically there is no way to enforce that mail sent through
>> the mail server will always be either from or to one of my domains :-(
>
> Would it be possible to use sender verification to match negatively?
> That way I could run two instances of postfix and have one check
> sender and the other recipient
> If it comes from the internal interface at lease sender should be local
> if it comes from the external interface at least recipient should be local
>
> Not sure if this is possible, but it would definitely solve it, at least I think

I believe I have the solution.
Unfortunately no way to implement it :-(

When I add the following to main.cf, this should perform the check, so
only people I know are allowed to send through postfix and they can
send anywhere. This should also prevent anyone to send mail from an
address that isn't one of mine.

smtpd_reject_unlisted_recipient = no
smtpd_reject_unlisted_sender = yes
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions =

Unfortunately, it does not work.

The output of postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination =
myhostname = server01.fonville-it.nl
mynetworks = 0.0.0.0
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_mailbox_domains = mail.fonville-it.nl, fonville-it.nl
virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailbox-maps.cf
virtual_transport = zarafa

What have I done wrong?

Regards,

Serge Fonville

Re: How to ensure that either FROM or TO is local

Barney Desmond
Questions similar to yours come up fairly often, I'm not sure why
no one's jumped in yet with a rough solution that will do what you
want. What you've mentioned you want:

> How do I ensure that my mail server can only send mails either to or
> from mydomains?

Consider that there are three situations you want to worry about:
1. Postfix receiving a mail for final delivery as the destination
(local delivery)
2. Postfix receiving a mail for delivery to "somewhere else" on the
internet (relaying)
3. Postfix receiving a mail submitted locally, destined for "somewhere
else" on the internet (this is a special case of (2) because "local"
is usually privileged)

* Assume we ignore (2) because Postfix will not act as an anonymous
relay by default.
* Postfix will only accept mail for local domains, so (1) works as you
expect. Accepting mail for remote domains would be considered relaying
* Postfix (by default) *will* accept mail and relay it to remote
domains, if the client is local. That covers case (3)

I *think* the short, correct answer is to use a policy server:
http://www.postfix.org/SMTPD_POLICY_README.html

Another alternative may be restriction classes, but that can get a bit
messy. I personally wouldn't trust myself to get this right, so I have
no examples of my own to offer.
http://www.postfix.org/RESTRICTION_CLASS_README.html


> When I add the following to main.cf, this should perform the check, so
> only people I know are allowed to send through postfix and they can
> send anywhere. This should also prevent anyone to send mail from an
> address that isn't one of mine.
>
> smtpd_reject_unlisted_recipient = no
> smtpd_reject_unlisted_sender = yes
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
> smtpd_sender_restrictions =

I've not used the smtpd_reject_unlisted_* options before myself, but I
suspect that won't work as you expect.

> Unfortunately, it does not work.

When you report that something doesn't work, it's best to provide log
entries that support what you're saying. Basically, it's most helpful
if you:
1. Describe what you expected to happen
2. Describe what you saw actually happened.
3. Show the log entries so we can see what happened.

> The output of postconf -n
<snip>

> mydestination =
This is likely to be wrong. I can see you're using virtual mailboxes,
but not having any local domains at all is odd.

> mynetworks = 0.0.0.0
This is *definitely* very wrong! smtpd_recipient_restrictions will
allow ANY client in mynetworks to relay mail to any destination. I
don't know if using smtpd_reject_unlisted_sender would prevent
anything going wrong here, but this is likely to make you an open
relay.
Re: How to ensure that either FROM or TO is local

Serge Fonville
Thx for the reply

> Questions similar to yours come up fairly often, I'm not sure why
> noone's jumped in yet with a rough solution that will do what you
> want. What you've mentioned you want:
>
>> How do I ensure that my mail server can only send mails either to or
>> from mydomains?
>
> I *think* the short, correct answer is to use a policy server:
> http://www.postfix.org/SMTPD_POLICY_README.html
I will look into those then

>> When I add the following to main.cf, this should perform the check, so
>> only people I know are allowed to send through postfix and they can
>> send anywhere. This should also prevent anyone to send mail from an
>> address that isn't one of mine.
>>
>> smtpd_reject_unlisted_recipient = no
>> smtpd_reject_unlisted_sender = yes
>> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
>> smtpd_sender_restrictions =
>> Unfortunately, it does not work.
>
> When you report that something doesn't work, it's best to provide log
> entries that support what you're saying. Basically, it's most helpful
> if you:
> 1. Describe what you expected to happen
> 2. Describe what you saw actually happened.
> 3. Show the log entries so we can see what happened.
With the current configuration I'd expect some sort of 'denied'
message for MAIL FROM: when it is not in mydomains
instead I get '250 2.1.0 Ok' when specifying a MAIL FROM that is not
in mydomains

For example:
Config:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination =
myhostname = server01.fonville-it.nl
mynetworks = 0.0.0.0
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = no
smtpd_reject_unlisted_sender = yes
smtpd_sender_restrictions =
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_mailbox_domains = mail.fonville-it.nl, fonville-it.nl
virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailbox-maps.cf
virtual_transport = zarafa

Telnet session:
220 server01.fonville-it.nl ESMTP Postfix (Ubuntu)
ehlo fonville-it.nl
250-server01.fonville-it.nl
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: <serge[DOT]fonville[AT]gmail[DOT]com>
250 2.1.0 Ok
RCPT TO: <sergefonville[AT]fonville-it[DOT]nl>
250 2.1.5 Ok
RSET
250 2.0.0 Ok
MAIL FROM: <sergefonville[AT]fonville-it[DOT]nl>
250 2.1.0 Ok
RCPT TO: <serge[DOT]fonville[AT]gmail[DOT]com>
554 5.7.1 <<serge[DOT]fonville[AT]gmail[DOT]com>: Relay access denied
QUIT
221 2.0.0 Bye

Log:
Jan  3 14:36:10 server01 postfix/smtpd[9110]: connect from localhost[127.0.0.1]
Jan  3 14:36:38 server01 postfix/smtpd[9110]: DF06F5302F:
client=localhost[127.0.0.1]
Jan  3 14:37:08 server01 postfix/smtpd[9110]: NOQUEUE: reject: RCPT
from localhost[127.0.0.1]: 554 5.7.1 <[hidden email]>: Relay
access denied; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<fonville-it.nl>
Jan  3 14:37:13 server01 postfix/smtpd[9110]: disconnect from
localhost[127.0.0.1]

No particular logging is present, /var/log/mail.log only shows what is
also visible in the telnet session

>> mydestination =
> This is likely to be wrong. I can see you're using virtual mailboxes,
> but not having any local domains at all is odd.
I removed these in the many attempts

>> mynetworks = 0.0.0.0
> This is *definitely* very wrong! smtpd_recipient_restrictions will
> allow ANY client in mynetworks to relay mail to any destination. I
> don't know if using smtpd_reject_unlisted_sender would prevent
> anything going wrong here, but this is likely to make you an open
> relay.
I am aware of open relay, that's why it is no longer internet accessible


Thanks a lot for all the help so far

Regards,

Serge Fonville
Re: How to ensure that either FROM or TO is local

Serge Fonville
>> I *think* the short, correct answer is to use a policy server:
>> http://www.postfix.org/SMTPD_POLICY_README.html
> I will look into those then
I read into http://www.postfix.org/SMTPD_POLICY_README.html, but I do
not see how I can use this to solve my problem.
Perhaps I am missing something...

Any help is greatly appreciated

Regards,

Serge Fonville

Re: How to ensure that either FROM or TO is local

Wietse Venema
Serge Fonville:
> >> I *think* the short, correct answer is to use a policy server:
> >> http://www.postfix.org/SMTPD_POLICY_README.html
> > I will look into those then
> I read into http://www.postfix.org/SMTPD_POLICY_README.html, but I do
> not see how I can use this to solve my problem.
> Perhaps I am missing something...
>
> Any help is greatly appreciated

The policy server can reject mail from a remote network with a
local sender address.

Isn't that what you want?

As an added bonus, it can also reject mail from a local network
with a remote sender address. This can help to stop outbound spam
from zombie-infested PCs.

        Wietse
Re: How to ensure that either FROM or TO is local

Serge Fonville
Wietse,

Thx for the reply

> The policy server can reject mail from a remote network with a
> local sender address.
>
> Isn't that what you want?
>
> As an added bonus, it can also reject mail from a local network
> with a remote sender address. This can help to stop outbound spam
> from zombie-infested PCs.

Yes exactly.

I read into the page again and it seems to be suitable for my purpose.
Unfortunately it also seems to mean I have to write my own policy server..
At least I have a starting point from now on.

Thanks a lot for the help!

Regards,

Serge Fonville
Re: How to ensure that either FROM or TO is local

/dev/rob0
In reply to this post by Barney Desmond
On Sun, Jan 03, 2010 at 09:58:15PM +1100, Barney Desmond wrote:
> > mynetworks = 0.0.0.0
> This is *definitely* very wrong! smtpd_recipient_restrictions will
> allow ANY client in mynetworks to relay mail to any destination. I

While it was intended, no doubt, to be very wrong, it failed. Lacking
a valid CIDR expression, that only matches the single IPv4 address of
0.0.0.0, which, having special meaning in networking, is unroutable.
A setting of equivalent functionality is "mynetworks =".

The OP would be well advised to review the BASIC_CONFIGURATION_README,
listing in $mynetworks the client networks which should be allowed to
relay.

If the OP does not wish to allow any to relay on the basis of IP
address unless using a "local sender", as the $SUBJECT suggests, the
solution is pretty simple.

main.cf :
mynetworks = real.IP.add.ress/CIDR[, ...]
smtpd_recipient_restrictions = reject_unlisted_sender,
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination[, ...]

> don't know if using smtpd_reject_unlisted_sender would prevent
> anything going wrong here, but this is likely to make you an open
> relay.

If the wrong thing had been done correctly ;) I think this would have
worked too, that is, if I understood the OP's goal correctly.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
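The policy service Wietse describes (reject a local sender address from a client outside mynetworks, and a remote sender address from a client inside it), together with the mynetworks matching /dev/rob0 explains (an entry without a CIDR suffix matches a single host), as an added Python example that is not code from the thread or from Postfix. The MYNETWORKS list, the listening port 10040 and every address used are constructed assumptions; the local domains are the thread's virtual_mailbox_domains.

```python
# Added example, not code from the thread or from Postfix: a minimal SMTPD policy
# service for the rule Wietse describes (reject a local sender from outside
# mynetworks and, the "added bonus", a remote sender from inside it).
# MYNETWORKS and the addresses used below are constructed sample values.
import ipaddress
import socketserver

MYNETWORKS = ["127.0.0.0/8", "[::1]/128", "192.0.2.0/24"]  # constructed
LOCAL_DOMAINS = {"fonville-it.nl", "mail.fonville-it.nl"}  # thread's virtual_mailbox_domains

def parse_mynetworks(entries):
    # Postfix brackets IPv6 entries; an entry with no CIDR suffix (e.g. "0.0.0.0")
    # matches only that single host, which is the point /dev/rob0 makes.
    return [ipaddress.ip_network(e.replace("[", "").replace("]", ""), strict=False)
            for e in entries]

def client_in_mynetworks(client_address, nets):
    try:
        ip = ipaddress.ip_address(client_address)
    except ValueError:  # missing or unparsable client_address: treat as remote
        return False
    return any(ip in net for net in nets)  # v4 vs v6 mismatch compares False

def sender_is_local(sender, local_domains=LOCAL_DOMAINS):
    # The null sender (bounces) has no domain and is never "local".
    return "@" in sender and sender.rsplit("@", 1)[1].lower() in local_domains

def parse_request(text):
    # Policy requests are name=value lines terminated by an empty line.
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs, nets=None, local_domains=LOCAL_DOMAINS):
    nets = parse_mynetworks(MYNETWORKS) if nets is None else nets
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    inside = client_in_mynetworks(attrs.get("client_address", ""), nets)
    sender = attrs.get("sender", "")
    local = sender_is_local(sender, local_domains)
    if local and not inside:
        return "REJECT Local sender address from outside mynetworks"
    if sender and inside and not local:
        return "REJECT Remote sender address from inside mynetworks"
    return "DUNNO"  # leave the rest of smtpd_recipient_restrictions to decide

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        while True:  # Postfix may send several requests per connection
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            action = decide(parse_request("\n".join(lines)))
            self.wfile.write(("action=%s\n\n" % action).encode())

if __name__ == "__main__":
    # main.cf (assumed port): smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10040, ...
    socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever()
```

Because the service returns DUNNO for anything it does not reject, it belongs in front of permit_mynetworks and reject_unauth_destination rather than replacing them.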
Re: How to ensure that either FROM or TO is local

Serge Fonville
Thx for the reply.

> While it was intended, no doubt, to be very wrong, it failed. Lacking
> a valid CIDR expression, that only matches the single IPv4 address of
> 0.0.0.0, which, having special meaning in networking, is unroutable.
> A setting of equivalent functionality is "mynetworks =".
>
> The OP would be well advised to review the BASIC_CONFIGURATION_README,
> listing in $mynetworks the client networks which should be allowed to
> relay.
I read all the postfix docs I could find...

> If the OP does not wish to allow any to relay on the basis of IP
> address unless using a "local sender", as the $SUBJECT suggests, the
> solution is pretty simple.
>
> main.cf :
> mynetworks = real.IP.add.ress/CIDR[, ...]
> smtpd_recipient_restrictions = reject_unlisted_sender,
>    permit_mynetworks, permit_sasl_authenticated,
>    reject_unauth_destination[, ...]
This did not seem to work as expected.

>> don't know if using smtpd_reject_unlisted_sender would prevent
>> anything going wrong here, but this is likely to make you an open
>> relay.
>
> If the wrong thing had been done correctly ;) I think this would have
> worked too, that is, if I understood the OP's goal correctly.

I'm using a virtual transport for all my mail.
With local mail I meant all mail that goes through this transport.
To verify the 'local' users I use LDAP. It contains all my users and
their email addresses.

So basically, what my 'ideal' configuration would offer

If someone from a non-private IP (or localhost) tries to send a mail
it is required to have a recipient that is part of the service that
offers the virtual transport (this way internal people can send to
each other and to people outside the internal environment).
When someone from a public IP tries to send a mail it is required that
the sender is an unknown address and the recipient is known.

This (I believe) can be resolved by using either two instances, or
some sort of policy daemon.

What I currently don't know is how I would go about and resolve this.

I hope I have clarified any euhh... unclarities

Thanks a lot!

Regards,

Serge Fonville