Postfix Relay per host ACLs


Postfix Relay per host ACLs

Stuart Archer

Morning All,

Apologies if this is trivial but I can't see it documented anywhere (although a few possible hints). I don't think this should be an odd requirement but who knows.

So: a group of cloud machines all running various parts of an application for us. Let's call them server0 - server99.cloud.com. All mail goes via a Postfix MTA mta.cloud.com. Now, all these servers should be able to send email to us internally @example.com.

Except for some servers, say email0 and email1.cloud.com, which send email out to customers, so need to relay everywhere.

And chuck in a SAN san.cloud.com that needs to email its support address for failed disks etc: [hidden email]


I can't figure this out. I can see some restrictions based on sender address or recipient address but that's too refined. Possibly we can do this with my_networks and access lists but not clear. Basically, I need to get email from everything but only specific servers should be able to send email to domains outside our remit.

Any pointers to what I'm missing would be massively appreciated.

Stu



Re: Postfix Relay per host ACLs

Wietse Venema
Stuart Archer:
> Morning All,
>
> Apologies if this is trivial but I can't see it documented anywhere
> (although a few possible hints). I don't think this should be an odd
> requirement but who knows.

Simplest is to eliminate some hosts or network ranges from mynetworks,
so they won't be allowed to send off-site email.

    mynetworks = !1.2.3.0/24, 1.2.0.0/16, ...

Setting up an email firewall based on client, sender, recipient,
etc.  needs something like www.postfwd.org.

        Wietse

Re: Postfix Relay per host ACLs

Stuart Archer
OK, thanks Wietse.

I do need all machines to be able to send outside the network, since our
email domain is separate (physically and logically/namespace); it's just
that some should be able to email everywhere.

I had assumed this would be a built-in function of Postfix but sounds
like anything will be a hack of sorts. Will take a look at postfwd.
Thanks for the help.

Stu



On 08/01/2018 17:56, Wietse Venema wrote:

> Stuart Archer:
>> Morning All,
>>
>> Apologies if this is trivial but I can't see it documented anywhere
>> (although a few possible hints). I don't think this should be an odd
>> requirement but who knows.
> Simplest is to eliminate some hosts or network ranges from mynetworks,
> so they won't be allowed to send off-site email.
>
>      mynetworks = !1.2.3.0/24, 1.2.0.0/16, ...
>
> Setting up an email firewall based on client, sender, recipient,
> etc.  needs something like www.postfwd.org.
>
> Wietse


Re: Postfix Relay per host ACLs

Viktor Dukhovni


> On Jan 9, 2018, at 7:30 AM, Stuart Archer <[hidden email]> wrote:
>
> I had assumed this would be a built in function to Postfix but sounds like anything will be a hack of sorts. will take a look at postfwd. thanks for the help.

Wietse's answer is correct and sufficient.  Put the machines that
can send to everyone in "mynetworks".  Exclude the rest.  Then
add any destination domains or addresses that everyone can send
to in a recipient access table before "reject_unauth_destination".

   indexed = ${default_database_type}:${config_directory}/
   smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_recipient_access ${indexed}global-recipients,
        reject_unauth_destination

The global-recipients table can just be:

        [hidden email] OK

if your MTA port 25 is not reachable via the public Internet, or
else can be:

        [hidden email] allow-internal

where "allow-internal" is a suitable "restriction class" that
permits more machines from your network than does "mynetworks".
See RESTRICTION_CLASS_README and cidr_table(5).

--
        Viktor.


Re: Postfix Relay per host ACLs

Stuart Archer
Thanks Viktor.

OK. I had to read this about ten times but see what you are saying :)

Can I use a wildcard in global-recipients?

Stu


On 09/01/2018 14:34, Viktor Dukhovni wrote:

>
>> On Jan 9, 2018, at 7:30 AM, Stuart Archer <[hidden email]> wrote:
>>
>> I had assumed this would be a built in function to Postfix but sounds like anything will be a hack of sorts. will take a look at postfwd. thanks for the help.
> Wietse's answer is correct and sufficient.  Put the machines that
> can send to everyone in "mynetworks".  Exclude the rest.  Then
> add any destination domains or addresses that everyone can send
> to in a recipient access table before "reject_unauth_destination".
>
>     indexed = ${default_database_type}:${config_directory}/
>     smtpd_relay_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> check_recipient_access ${indexed}global-recipients,
> reject_unauth_destination
>
> The global-recipients table can just be:
>
> [hidden email] OK
>
> if your MTA port 25 is not reachable via the public Internet, or
> else can be:
>
> [hidden email] allow-internal
>
> where "allow-internal" is a suitable "restriction class" that
> permits more machines from your network than does "mynetworks".
> See RESTRICTION_CLASS_README and cidr_table(5).
>


Re: Postfix Relay per host ACLs

Viktor Dukhovni


> On Jan 10, 2018, at 12:07 PM, Stuart Archer <[hidden email]> wrote:
>
> Can i use a wildcard in global-recipients ?

The lookup keys for access(5) tables with check_recipient_access are:

  http://www.postfix.org/access.5.html

  EMAIL ADDRESS PATTERNS

       With lookups from indexed files such as DB or DBM,  or  from  networked
       tables  such  as  NIS,  LDAP or SQL, patterns are tried in the order as
       listed below:

       user@domain
              Matches the specified mail address.

       domain.tld
              Matches domain.tld as the domain part of an email address.

              The pattern domain.tld also matches subdomains, but only when
              the string smtpd_access_maps is listed in the Postfix
              parent_domain_matches_subdomains configuration setting.

       .domain.tld
              Matches subdomains of domain.tld, but only when the string
              smtpd_access_maps is not listed in the Postfix
              parent_domain_matches_subdomains configuration setting.

       user@  Matches all mail addresses with the specified user part.

       Note: lookup of the null sender address is not possible with some types
       of lookup table. By default, Postfix uses <> as the lookup key for such
       addresses. The value is specified with the smtpd_null_access_lookup_key
       parameter in the Postfix main.cf file.

--
        Viktor.


Re: Postfix Relay per host ACLs

Wietse Venema
Viktor Dukhovni:

>
>
> > On Jan 10, 2018, at 12:07 PM, Stuart Archer <[hidden email]> wrote:
> >
> > Can i use a wildcard in global-recipients ?
>
>   http://www.postfix.org/access.5.html
>
>   EMAIL ADDRESS PATTERNS
>        user@domain ...
>        domain.tld ...
>        .domain.tld ...
>        user@ ...

However, you can specify arbitrary patterns in regexp: or pcre: tables.
In this case Postfix will query only with the full email address
user@domain, not the partial forms domain.tld, .domain.tld, user@.

        Wietse
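A small Python model, added here and not taken from the thread or from Postfix itself, of how the pieces in Viktor's and Wietse's replies fit together: first-match negation in mynetworks, the access(5) key order for an indexed global-recipients table versus full-address matching for a pcre: table, and the top-to-bottom evaluation of smtpd_relay_restrictions with an "allow-internal" restriction class. The network ranges, the SAN vendor's support address and the example.com relay domain are constructed placeholders, and reject_unauth_destination is reduced to a relay_domains check.

```python
import ipaddress
import re

# Constructed sample policy (not from the thread); 1.2.0.0/16 echoes Wietse's placeholder.
MYNETWORKS = ["!1.2.3.0/24", "1.2.0.0/16", "127.0.0.0/8"]  # clients that may relay anywhere
INTERNAL = ["1.2.0.0/16"]                       # wider set behind the allow-internal class
RELAY_DOMAINS = {"example.com"}                 # stands in for reject_unauth_destination's list
GLOBAL_RECIPIENTS = {"support@san-vendor.example": "allow-internal"}  # indexed access(5) table
PCRE_RULES = [(r"^.*@san-vendor\.example$", "allow-internal")]      # same rule as a pcre: table

def in_networks(client_ip, patterns):
    """First-match walk over a mynetworks-style list; a leading '!' excludes."""
    ip = ipaddress.ip_address(client_ip)
    for pat in patterns:
        if ip in ipaddress.ip_network(pat.lstrip("!"), strict=False):
            return not pat.startswith("!")
    return False

def access_lookup(table, recipient, parent_matches_subdomains=False):
    """Indexed-table key order from access(5): user@domain, domain.tld, then each
    parent domain (bare if smtpd_access_maps is in parent_domain_matches_subdomains,
    otherwise dot-prefixed), and finally user@."""
    user, _, domain = recipient.rpartition("@")
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    keys = [recipient, domain]
    keys += parents if parent_matches_subdomains else ["." + p for p in parents]
    keys.append(user + "@")
    return next((table[k] for k in keys if k in table), None)

def pcre_lookup(rules, recipient):
    """regexp:/pcre: tables are queried with the full address only, as Wietse notes."""
    return next((act for pat, act in rules if re.search(pat, recipient, re.I)), None)

def relay_decision(client_ip, recipient, sasl=False):
    """Viktor's smtpd_relay_restrictions evaluated top to bottom; 'allow-internal' is
    modelled as a class holding permit_mynetworks over INTERNAL that falls through."""
    if in_networks(client_ip, MYNETWORKS):
        return "permit_mynetworks"
    if sasl:
        return "permit_sasl_authenticated"
    action = access_lookup(GLOBAL_RECIPIENTS, recipient)
    if action == "OK":
        return "check_recipient_access:OK"
    if action == "allow-internal" and in_networks(client_ip, INTERNAL):
        return "check_recipient_access:allow-internal"
    if recipient.rpartition("@")[2] in RELAY_DOMAINS:
        return "relay_domains"
    return "reject_unauth_destination"
```

Against a live Postfix the same questions are answered by `postmap -q 'support@san-vendor.example' hash:/etc/postfix/global-recipients` and `postconf -n smtpd_relay_restrictions mynetworks`.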