How to restrict sending to certain local addresses except when sent from mail server


How to restrict sending to certain local addresses except when sent from mail server

Omniver
I have a mail server receiving internet mail for my primary domain and for a
few virtual domains.  I'm having some spam issues with internet mail coming
in for address@mydomain for addresses intended for use by local
tools/scripts which are listed in /etc/aliases.  Any ideas on how I can make
it so that postfix accepts mail for these addresses *only* if they were sent
by my mail server?  




Re: How to restrict sending to certain local addresses except when sent from mail server

Wietse Venema
Omniver:
> I have a mail server receiving internet mail for my primary domain and for a
> few virtual domains.  I'm having some spam issues with internet mail coming
> in for address@mydomain for addresses intended for use by local
> tools/scripts which are listed in /etc/aliases.  Any ideas on how can I make
> it that postfix accepts mail for these addresses *only* if they were sent
> by my mail server?  

A crude but simple solution:

- Add the server's IP address to Postfix mynetworks.

- Block some recipients if mail does not come from mynetworks:

    /etc/postfix/main.cf:
        smtpd_recipient_restrictions =
            permit_mynetworks
            check_recipient_access hash:/etc/postfix/recipient_access
            ...
            reject_unauth_destination
            ...

    /etc/postfix/recipient_access
        [hidden email] reject
        [hidden email] reject

Crude because it adds the server to mynetworks.

        Wietse
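
The restriction walk Wietse describes, as an added example (mine, not Postfix source and not the poster's configuration): a small Python model of smtpd(8) evaluating that smtpd_recipient_restrictions list, with the access(5) lookup order for address keys. The networks, domains and addresses in it are assumed sample values, since the real ones are hidden on this page. It shows the four outcomes the list produces for different clients and recipients, and what happens if check_recipient_access is placed before permit_mynetworks.

```python
"""Model of how smtpd(8) walks the smtpd_recipient_restrictions list from
Wietse's reply.  Added illustration, not Postfix source: it implements only
the three restrictions the thread uses and the access(5) lookup order for
e-mail address keys (full address, then domain, then localpart@).  All
networks, domains and addresses below are constructed sample data."""
import ipaddress

# Assumed main.cf settings (hypothetical; the poster's real values are not on the page).
MYNETWORKS = ["127.0.0.0/8", "203.0.113.25/32"]      # loopback plus the server's own IP
MYDESTINATION = {"example.org", "mail.example.org"}  # domains handed to local(8)
VIRTUAL_DOMAINS = {"virtual.example"}               # virtual_alias_domains

# /etc/postfix/recipient_access as postmap(1) would key it (keys case-folded).
RECIPIENT_ACCESS = {
    "root@example.org": "REJECT",   # addresses only local scripts should reach
    "cron@example.org": "REJECT",
}

# The order Wietse gave, and the same entries with the first two swapped.
RECOMMENDED = ["permit_mynetworks",
               "check_recipient_access",
               "reject_unauth_destination"]
MISORDERED = ["check_recipient_access",
              "permit_mynetworks",
              "reject_unauth_destination"]


def in_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in MYNETWORKS)


def access_lookup(table, address):
    """access(5) lookup order for an address key: user@domain, domain, user@.
    Parent-domain matching is left out to keep the model small."""
    address = address.lower()
    local, _, domain = address.rpartition("@")
    for key in (address, domain, local + "@"):
        if key in table:
            return table[key]
    return None


def evaluate(restrictions, client_ip, recipient):
    """Walk the list left to right; the first PERMIT or REJECT ends it.
    Returns (verdict, deciding restriction).  The address checked is the
    envelope RCPT TO address: smtpd runs before local(8) expands aliases."""
    domain = recipient.rpartition("@")[2].lower()
    for name in restrictions:
        if name == "permit_mynetworks":
            if in_mynetworks(client_ip):
                return ("PERMIT", name)
        elif name == "check_recipient_access":
            if access_lookup(RECIPIENT_ACCESS, recipient) == "REJECT":
                return ("REJECT", name)
        elif name == "reject_unauth_destination":
            if domain not in MYDESTINATION | VIRTUAL_DOMAINS:
                return ("REJECT", name)
        else:
            raise ValueError("restriction not modelled: " + name)
    # Reaching the end of smtpd_recipient_restrictions without a verdict permits.
    return ("PERMIT", "end of list")


if __name__ == "__main__":
    cases = [
        (RECOMMENDED, "203.0.113.25", "root@example.org"),   # local script via the server's IP
        (RECOMMENDED, "198.51.100.7", "root@example.org"),   # internet sender to the alias
        (RECOMMENDED, "198.51.100.7", "alice@example.org"),  # ordinary local user
        (RECOMMENDED, "198.51.100.7", "bob@other.test"),     # relay attempt
        (MISORDERED, "203.0.113.25", "root@example.org"),    # swapped order locks out the script
    ]
    for rules, ip, rcpt in cases:
        print(f"{ip:>14} -> {rcpt:<18} {evaluate(rules, ip, rcpt)}")
```

The address smtpd checks is the RCPT TO address as the client presents it; /etc/aliases is consulted only later, by local(8), so every alias name that should be unreachable from the internet needs its own entry in the map. On a real server the equivalent check of the map is `postmap -q root@example.org hash:/etc/postfix/recipient_access`, run after `postmap /etc/postfix/recipient_access`. The part Wietse calls crude shows in the first case: anything that can open an SMTP connection from an IP in mynetworks, not just the intended scripts, gets past every later restriction, relay control included.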

Re: How to restrict sending to certain local addresses except when sent from mail server

Omniver

Thanks for the reply; unfortunately the approach doesn't seem to work for me.  It appears that, regardless of the smtpd_recipient_restrictions setting, any addresses listed in /etc/aliases addressed to $mydomain are bypassing any blocking/filtering.  Is this expected behavior?



Re: How to restrict sending to certain local addresses except when sent from mail server

Wietse Venema
Justin Peavey:
>
> Thanks for the reply; unfortunately the approach doesn't seem to work for me.  It appears that, regardless of the smtpd_recipient_restrictions setting, any addresses listed in /etc/aliases addressed to $mydomain are bypassing any blocking/filtering.  Is this expected behavior?
>

Your observation is flawed, or you made a mistake. The filter below
does not distinguish between recipient domains.

        Wietse

> >
> >> On Dec 10, 2017, at 4:22 PM, Wietse Venema <[hidden email]> wrote:
> >>
> >> Omniver:
> >>> I have a mail server receiving internet mail for my primary domain and for a
> >>> few virtual domains.  I'm having some spam issues with internet mail coming
> >>> in for address@mydomain for addresses intended for use by local
> >>> tools/scripts which are listed in /etc/aliases.  Any ideas on how can I make
> >>> it that postfix accepts mail for these addresses *only* if they were sent
> >>> by my mail server?  
> >>
> >> A crude but simple solution:
> >>
> >> - Add the server's IP address to Postfix mynetworks.
> >>
> >> - Block some recipients if mail does not come from mynetworks:
> >>
> >>   /etc/postfix/main.cf:
> >>       smtpd_recipient_restrictions =
> >>    permit_mynetworks
> >>    check_recipient_access hash:/etc/postfix/recipient_access
> >>    ...
> >>    reject_unauth_destination
> >>    ...
> >>
> >>   /etc/postfix/recipient_access
> >>       [hidden email] reject
> >>       [hidden email] reject
> >>
> >> Crude because it adds the server to mynetworks.
> >>
> >> Wietse
> >
>
>

Re: How to restrict sending to certain local addresses except when sent from mail server

Omniver
I appreciate that the filter does not distinguish between domains.  Nonetheless, I see different filtering behavior for email destined for the domain listed in mydomain that also has entries in /etc/aliases vs. the domains listed as virtual domains.  

Sent from my TI-99/4A


Re: How to restrict sending to certain local addresses except when sent from mail server

anvartay
In reply to this post by Omniver
Haven't you tried Postfix SPF verification for your mail server, with a proper -all DNS configuration for your domain?

Anvar Kuchkartaev 
[hidden email]

Re: How to restrict sending to certain local addresses except when sent from mail server

Wietse Venema
In reply to this post by Omniver
Justin Peavey:
> I appreciate that the filter does not distinguish between domains.  Nonetheless, I see different filtering behavior for email destined for the domain listed in mydomain that also has entries in /etc/aliases vs. the domains listed as virtual domains.  
>
> Sent from my TI-99/4A

Well, then the conclusion is that you made a mistake. What mistake?
I won't try to guess.

        Wietse

Re: How to restrict sending to certain local addresses except when sent from mail server

Omniver
In reply to this post by Wietse Venema
I’ve spent more time reviewing and, while my observations may be flawed, they do seem to be consistent.  What I continue to observe is that when an address is matched in /etc/aliases, the smtpd_recipient_restrictions are not processed and therefore the suggested restrictions are not having any effect.

Here are excerpts from the logs (-v on for smtpd, cleanup, and trivial-rewrite); the two addresses tested are both marked as REJECT in recipient_access.  [hidden email] is not in /etc/aliases, [hidden email] is in /etc/aliases.  

With [hidden email], note the third line from the bottom, where Recipient address restrictions are being processed.

Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: match_list_match: trashcan.org: no match
Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: `' -> `[hidden email]' -> (`local' `vip.trashcan.org' `[hidden email]' `256')
Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: send attr flags = 0
Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: send attr transport = local
Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: send attr nexthop = vip.trashcan.org
Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: send attr recipient = [hidden email]
Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: send attr flags = 256
Dec 23 16:06:34 ip-172-31-54-95 postfix/trivial-rewrite[13474]: master_notify: status 1
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: private/rewrite socket: wanted attribute: flags
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute name: flags
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute value: 0
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: private/rewrite socket: wanted attribute: transport
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute name: transport
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute value: local
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: private/rewrite socket: wanted attribute: nexthop
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute name: nexthop
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute value: vip.trashcan.org
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: private/rewrite socket: wanted attribute: recipient
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute name: recipient
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute value: [hidden email]
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: private/rewrite socket: wanted attribute: flags
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute name: flags
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute value: 256
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: private/rewrite socket: wanted attribute: (list terminator)
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: input attribute name: (end)
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: resolve_clnt: `' -> `[hidden email]' -> transp=`local' host=`vip.trashcan.org' [hidden email]' flags= class=local
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: ctable_locate: install entry key [hidden email]
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: extract_addr: in: <[hidden email]>, result: [hidden email]
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: >>> START Recipient address RESTRICTIONS <<<
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: generic_checks: name=permit_mynetworks
Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: permit_mynetworks: mail-qt0-f171.google.com 209

With [hidden email] at the same point in the delivery logs, it is clearly taking a different path and Recipient address restrictions are never launched. 

Dec 23 14:32:40 ip-172-31-54-95 postfix/trivial-rewrite[12902]: `' -> `[hidden email]' -> (`local' `vip.trashcan.org' `[hidden email]' `256')
Dec 23 14:32:40 ip-172-31-54-95 postfix/trivial-rewrite[12902]: send attr flags = 0
Dec 23 14:32:40 ip-172-31-54-95 postfix/trivial-rewrite[12902]: send attr transport = local
Dec 23 14:32:40 ip-172-31-54-95 postfix/trivial-rewrite[12902]: send attr nexthop = vip.trashcan.org
Dec 23 14:32:40 ip-172-31-54-95 postfix/trivial-rewrite[12902]: send attr recipient = [hidden email]
Dec 23 14:32:40 ip-172-31-54-95 postfix/trivial-rewrite[12902]: send attr flags = 256
Dec 23 14:32:40 ip-172-31-54-95 postfix/trivial-rewrite[12902]: master_notify: status 1
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: connection established
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: master_notify: status 0
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: mail_flow_get: 1 1
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: open incoming/5455260C59
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: cleanup_open: open incoming/5455260C59
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: send attr queue_id = 5455260C59
Dec 23 14:32:41 ip-172-31-54-95 postfix/smtpd[12898]: 5455260C59: client=mail-qt0-f178.google.com[209.85.216.178]
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: cleanup socket: wanted attribute: flags
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: input attribute name: flags
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: input attribute value: 178
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: cleanup socket: wanted attribute: (list terminator)
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: input attribute name: (end)
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: cleanup flags = enable_header_body_filter enable_automatic_bcc enable_address_mapping enable_smtp_reply
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: initial envelope T 1514039560 571966
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: initial envelope L spamassassin
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: initial envelope A log_ident=5455260C59
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: initial envelope A rewrite_context=remote
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: initial envelope S xxx@addresshidden
Dec 23 14:32:41 ip-172-31-54-95 postfix/trivial-rewrite[12902]: connection established fd 129
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: connect to subsystem private/rewrite
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: send attr request = rewrite
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: send attr rule = local
Dec 23 14:32:41 ip-172-31-54-95 postfix/cleanup[12904]: send attr address = xxx@addresshidden
Dec 23 14:32:41 ip-172-31-54-95 postfix/trivial-rewrite[12902]: master_notify: status 0
Dec 23 14:32:41 ip-172-31-54-95 postfix/trivial-rewrite[12902]: rewrite socket: wanted attribute: request

I’ll re-ask: are addresses listed in /etc/aliases expected to bypass smtpd_recipient_restrictions? 

If so, I’ll give up on this particular approach.  If not, I’ll keep trying to debug.

Thanks,
Justin



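Wietse's request is for the complete set of smtpd[pid] records per session, START through END. As an added example (not from the thread), this Python script sorts -v smtpd log lines by process ID and reports, for each smtpd process, the recipients it extracted, which restriction names it evaluated, and whether both the START and END markers are present, so an excerpt can be checked for completeness before anything is concluded from it. The log lines embedded in it are constructed to resemble the ones in the thread, with made-up addresses, queue IDs and host name.

```python
"""Group -v smtpd(8) log lines by process and report, per smtpd process,
which envelope recipients were seen and whether the START/END Recipient
address RESTRICTIONS markers bracket them.  Added example, not part of the
thread: it checks an excerpt the way Wietse asked for it to be checked.
SAMPLE_LOG is constructed to look like the thread's logs; the addresses,
queue IDs and host name are invented."""
import re
from collections import OrderedDict

LINE_RE = re.compile(r"postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RCPT_RE = re.compile(r"extract_addr: in: <(?P<addr>[^>]*)>")
CLIENT_RE = re.compile(r"^(?P<qid>[0-9A-F]+): client=(?P<client>\S+)")
CHECK_RE = re.compile(r"generic_checks: name=(?P<name>\S+)")
START = ">>> START Recipient address RESTRICTIONS <<<"
END = ">>> END Recipient address RESTRICTIONS <<<"

SAMPLE_LOG = """\
Dec 23 16:06:34 mx postfix/smtpd[13472]: extract_addr: in: <alice@example.org>, result: alice@example.org
Dec 23 16:06:34 mx postfix/smtpd[13472]: >>> START Recipient address RESTRICTIONS <<<
Dec 23 16:06:34 mx postfix/smtpd[13472]: generic_checks: name=permit_mynetworks
Dec 23 16:06:34 mx postfix/smtpd[13472]: permit_mynetworks: mail-qt0-f171.google.com 209.85.216.171
Dec 23 16:06:34 mx postfix/smtpd[13472]: generic_checks: name=check_recipient_access
Dec 23 16:06:34 mx postfix/smtpd[13472]: >>> END Recipient address RESTRICTIONS <<<
Dec 23 16:06:34 mx postfix/smtpd[13472]: 2B3C4D5E6F: client=mail-qt0-f171.google.com[209.85.216.171]
Dec 23 14:32:40 mx postfix/trivial-rewrite[12902]: send attr transport = local
Dec 23 14:32:40 mx postfix/smtpd[12898]: extract_addr: in: <root@example.org>, result: root@example.org
Dec 23 14:32:41 mx postfix/cleanup[12904]: open incoming/5455260C59
Dec 23 14:32:41 mx postfix/smtpd[12898]: 5455260C59: client=mail-qt0-f178.google.com[209.85.216.178]
"""


def summarize(log_text):
    """Return {pid: session-dict} for every smtpd process in the excerpt."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("prog") != "smtpd":
            continue  # cleanup/trivial-rewrite lines say nothing about restrictions
        s = sessions.setdefault(m.group("pid"), {
            "recipients": [], "checks": [], "client": None,
            "started": False, "ended": False})
        msg = m.group("msg")
        rcpt = RCPT_RE.search(msg)
        check = CHECK_RE.search(msg)
        client = CLIENT_RE.match(msg)
        if rcpt:
            s["recipients"].append(rcpt.group("addr"))
        elif msg == START:
            s["started"] = True
        elif msg == END:
            s["ended"] = True
        elif check:
            s["checks"].append(check.group("name"))
        elif client:
            s["client"] = client.group("client")
    return sessions


def unchecked(sessions):
    """(pid, recipient) pairs where a recipient was extracted but the excerpt
    holds no START marker for that process: either evaluation really did not
    happen or the excerpt is incomplete.  The reader has to decide which."""
    return [(pid, a) for pid, s in sessions.items()
            for a in s["recipients"] if not s["started"]]


def incomplete(sessions):
    """pids whose excerpt has a START record but no matching END record."""
    return [pid for pid, s in sessions.items() if s["started"] and not s["ended"]]


if __name__ == "__main__":
    found = summarize(SAMPLE_LOG)
    for pid, s in found.items():
        print(pid, s["client"], s["recipients"], s["checks"],
              "START" if s["started"] else "no START",
              "END" if s["ended"] else "no END")
    print("no restriction evaluation in excerpt:", unchecked(found))
    print("START without END:", incomplete(found))
```

Run it over a real excerpt by replacing SAMPLE_LOG with the contents of the mail log. A pid in the `unchecked` list is the one to paste in full, every smtpd[pid] line from connect to disconnect, because the script cannot tell a missing evaluation from a truncated excerpt.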
Re: How to restrict sending to certain local addresses except when sent from mail server

Wietse Venema

Here is the start of evaluating smtpd_recipient_restrictions:

> Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: extract_addr: in: <[hidden email]>, result: [hidden email]
> Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: >>> START Recipient address RESTRICTIONS <<<
> Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: generic_checks: name=permit_mynetworks
> Dec 23 16:06:34 ip-172-31-54-95 postfix/smtpd[13472]: permit_mynetworks: mail-qt0-f171.google.com 209
>
> With [hidden email] at the same point

You forgot to include the remaining postfix/smtpd[13472]:
records, including the record that marks the end of evaluating
smtpd_recipient_restrictions:

>>> END Recipient address RESTRICTIONS <<<

You forgot to include the smtpd logging for [hidden email], to
demonstrate the difference, if any.

        Wietse

Re: How to restrict sending to certain local addresses except when sent from mail server

Omniver
Hi Wietse,

The noted difference is for [hidden email]: smtpd_recipient_restrictions is never evaluated at all.  For [hidden email] there is no ‘START Recipient address RESTRICTIONS’ or any of the related logs for smtpd_recipient_restrictions.    For [hidden email], smtpd_recipient_restrictions is processing properly, as noted in the log excerpt.  

The same behavior of smtpd_recipient_restrictions not processing occurs for any address that appears in /etc/aliases.  I’m happy to include more logs, but the key difference in behavior is as noted.  

My question is: is this expected behavior?  Is it expected that addresses which appear in /etc/aliases for the mydestination domain bypass smtpd_recipient_restrictions?

Thanks,
Justin



Re: How to restrict sending to certain local addresses except when sent from mail server

Wietse Venema
Justin Peavey:
> Hi Wietse,
>
> The noted difference is for  [hidden email],
> smtpd_recipient_restrictions is never evaluated at all.  For

Show the smtpd logging.

        Wietse