Need this rule: Everybody may receive from specific address / a few may receive from any address or domain

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Need this rule: Everybody may receive from specific address / a few may receive from any address or domain

rdquiterio
This post was updated on .
Hi;

I've been using postfix for several years as a relay but never used it to
restrict inbound mail, since it is done by an anti-spam appliance.

But now, we need to implement an inbound rule like this:

 1. Everybody on our domain should be allowed to (only) receive email form a
specific sender (abc@xyz.com) - i.e. notifications
 2. A few users should be allowed to both send and receive email from/to any sender or
domain.

It seems to me that it is possible to achieve with smtpd restrictions, but I
cannot figure out how to assemble senders and recipients parameters in
main.cf.

Any help would be appreciated.

Thanks for your time.



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Reply | Threaded
Open this post in threaded view
|

Re: Need this rule: Everybody may receive from specific address / a few may receive from any address or domain

Wietse Venema
rdquiterio:

> Hi;
>
> I've been using postfix for several years as a relay but never used it to
> restrict inbound mail, since it is done by an anti-spam appliance.
>
> But now, we need to implement an inbound rule like this:
>
>  1. Everybody on our domain should be allowed to receive email form a
> specific sender ([hidden email]) - i.e. notifications
>  2. A few users should be allowed to receive email from any sender or
> domain.
>
> It seems to me that it is possible to achieve with smtpd restrictions, but I
> cannot figure out how to assemble senders and recipients parameters in
> main.cf.

Short answer: see the examples in
http://www.postfix.org/RESTRICTION_CLASS_README.html

Long answer: sorry, that would take more time than I have.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Need this rule: Everybody may receive from specific address / a few may receive from any address or domain

rdquiterio
I already did it, but I will try once more.

Thanks anyway. :)



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Reply | Threaded
Open this post in threaded view
|

Re: Need this rule: Everybody may receive from specific address / a few may receive from any address or domain

Bob Proulx
In reply to this post by rdquiterio
rdquiterio wrote:
> I've been using postfix for several years as a relay but never used it to
> restrict inbound mail, since it is done by an anti-spam appliance.
>
> But now, we need to implement an inbound rule like this:

If inbound mail is already restricted by an anti-spam appliance then
isn't this going to need to configure the anti-spam appliance for it
and not your Postfix configuration?  Because otherwise nothing you do
in Postfix will have any effect.  Right?

And then if you open up the anti-spam appliance then do you need any
configuration change for Postfix?  If the defense was there then
wouldn't adjusting the rules in the anti-spam appliance be enough?

If you are thinking of removing the anti-spam appliance then setting
up Postfix is almost like a fresh configuration question of how should
you set up the full anti-spam in Postfix, right?

>  1. Everybody on our domain should be allowed to receive email form a
> specific sender ([hidden email]) - i.e. notifications
>  2. A few users should be allowed to receive email from any sender or
> domain.

I am not really a Postfix expert.  I myself come here for help.  I am
but a simple and grateful user of Postfix.  But if it were me I would
have this following abbreviated configuration.  I'll trim it from mine
somewhat and then let the actually knowledgeable folks correct my poor
and feeble attempt at helping.

Please do not use "abc at xyz.com" as an example email address as that
is a valid domain name!  Use example.com when needing an example name.
That way it will not collide with a real live in use valid name.

In recipient-access file, add your all-spam-to users here:

    abuse@ OK
    postmaster@ OK

In sender-access file, add your approved sending domains:
I do NOT approve of this but it is exactly what you asked for!

    example.com OK

Use 'postmap' to update the two map files above to db names.

    postmap recipient-access
    postmap sender-access

In main.cf file:

    smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination,
        check_sender_access hash:/etc/postfix/sender-access,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        check_recipient_access hash:/etc/postfix/recipient-access,
        reject_rbl_client zen.spamhaus.org

If you are using /etc/postfix elsewhere such as /usr/local/etc/postfix
then adjust all paths accordingly.

This does not have all of the configuration I would recommend.  But
perhaps the minimum amount that I would tolerate.  Perhaps a starting
place at best.

> It seems to me that it is possible to achieve with smtpd restrictions, but I
> cannot figure out how to assemble senders and recipients parameters in
> main.cf.
>
> Any help would be appreciated.
>
> Thanks for your time.

Hope this helps!
Bob
Reply | Threaded
Open this post in threaded view
|

Re: Need this rule: Everybody may receive from specific address / a few may receive from any address or domain

rdquiterio
Hi Bob;

You are right. The problem is that I cannot implement both conditions in my
antisspam proxy (ASSP). I can do the second condition but not both. So,
currently, the appliance is allowing any mail to and from our recipients.

Your suggestions will almost surely solve my problem.

I just forgot to mention that I want those who are allowed to receive to be
also allowed to send to anybody. For that, I think will I need something
like:    

   smtpd_sender_restrictions
    …
    check_sender_access hash:/etc/postfix/sender-access
   …
   any other prameters??

Thank you very much. You gave me a big help.
Rafael



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html