Postfix and Hylafax faxmail - part 2

Postfix and Hylafax faxmail - part 2

Michael Hallager
What I want to achieve now is to ONLY allow authenticated clients (via SASL)
to send to the fax email address...

How can this be achieved?

---------------------------------------------------
In my master.cf I have the following-

fax       unix  -       n       n       -       1       pipe
        flags= user=uucp argv=/usr/local/bin/faxmail -d -n ${user}

In my main.cf I have the following-

smtpd_recipient_restrictions =
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unauth_pipelining,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        permit

I did also have-

       reject_unknown_recipient_domain,

however this conflicted with messages to the 'fax' handler.

How can I reinstate 'reject_unknown_recipient_domain' for all mail except the
fax handler?

Re: Postfix and Hylafax faxmail - part 2

Noel Jones-2
Michael wrote:
> What I want to achieve now is to ONLY allow authenticated clients (via SASL)
> to send to the fax email address...
>
> How can this be achieved?


In your recipients table, rather than:
faxdomain  OK

use instead:
faxdomain  permit_sasl_authenticated

If you want to also allow unauthenticated clients in
$mynetworks, you can use:
faxdomain  permit_mynetworks, permit_sasl_authenticated


--
Noel Jones
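
Added example, not part of the original thread or of Postfix: a simplified Python model of how the three table entries discussed above are evaluated for a recipient in the fax domain. It assumes the table is consulted before reject_unauth_destination and that the fax domain is not otherwise an authorized destination; the client profiles, example.com and the function names are constructed for illustration, and only domain-key lookups are modelled.

```python
import re

FAX_DOMAIN = "fax.domain.tld"   # placeholder domain used in the thread
AUTHORIZED = {"example.com"}    # constructed: domains the server accepts mail for
# Assumed ordering: the recipients table is checked before reject_unauth_destination.
RESTRICTIONS = ["check_recipient_access", "reject_unauth_destination", "permit"]

# Constructed client profiles
LAN = {"in_mynetworks": True, "sasl": False}
ROAMING = {"in_mynetworks": False, "sasl": True}
OUTSIDER = {"in_mynetworks": False, "sasl": False}

def evaluate(restrictions, client, rcpt_domain, table):
    """Return OK, REJECT or DUNNO; the first OK/REJECT ends evaluation."""
    for name in restrictions:
        if name in ("permit", "OK"):
            return "OK"
        if name in ("reject", "REJECT"):
            return "REJECT"
        if name == "permit_mynetworks":
            if client["in_mynetworks"]:
                return "OK"
        elif name == "permit_sasl_authenticated":
            if client["sasl"]:
                return "OK"
        elif name == "reject_unauth_destination":
            if rcpt_domain not in AUTHORIZED:
                return "REJECT"
        elif name == "check_recipient_access":
            # The table's right-hand side is itself a list of restrictions.
            rhs = table.get(rcpt_domain, "")
            verdict = evaluate(re.findall(r"[^\s,]+", rhs), client, rcpt_domain, table)
            if verdict != "DUNNO":
                return verdict
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return "DUNNO"  # no decision: the caller moves on to its next restriction

def fax_verdicts(table_value):
    """Verdict per client for mail to the fax domain with this table entry."""
    table = {FAX_DOMAIN: table_value}
    clients = (("lan", LAN), ("roaming", ROAMING), ("outsider", OUTSIDER))
    return {label: evaluate(RESTRICTIONS, c, FAX_DOMAIN, table) for label, c in clients}

if __name__ == "__main__":
    for entry in ("OK", "permit_sasl_authenticated",
                  "permit_mynetworks, permit_sasl_authenticated"):
        print(f"{entry!r:50} {fax_verdicts(entry)}")
```

In this model a table entry that returns no decision for a client only blocks that client because a later restriction rejects; if the fax domain were an authorized destination, the outsider would fall through to the final permit.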

Re: Postfix and Hylafax faxmail - part 2

Michael Hallager
On Wed, 20 Aug 2008 02:20:23 Noel Jones wrote:

> Michael wrote:
> > What I want to achieve now is to ONLY allow authenticated clients (via
> > SASL) to send to the fax email address...
> >
> > How can this be achieved?
>
> In your recipients table, rather than:
> faxdomain  OK
>
> use instead:
> faxdomain  permit_sasl_authenticated
>
> If you want to also allow unauthenticated clients in
> $mynetworks, you can use:
> faxdomain  permit_mynetworks, permit_sasl_authenticated

Thanks. Is there any way I can skip the recipients table and just add this in
to main.cf under smtpd_recipient_restrictions ?

RE: Postfix and Hylafax faxmail - part 2

Noel Jones-2
In reply to this post by Michael Hallager
-----Original Message-----
From: Michael <[hidden email]>
Sent: Tuesday, August 19, 2008 6:19 PM
To: postfix users list <[hidden email]>
Subject: Re: Postfix and Hylafax faxmail - part 2

On Wed, 20 Aug 2008 02:20:23 Noel Jones wrote:

> Michael wrote:
> > What I want to achieve now is to ONLY allow authenticated clients (via
> > SASL) to send to the fax email address...
> >
> > How can this be achieved?
>
> In your recipients table, rather than:
> faxdomain  OK
>
> use instead:
> faxdomain  permit_sasl_authenticated
>
> If you want to also allow unauthenticated clients in
> $mynetworks, you can use:
> faxdomain  permit_mynetworks, permit_sasl_authenticated

Thanks. Is there any way I can skip the recipients table and just add this in
to main.cf under smtpd_recipient_restrictions ?

------------------

No.

--
Noel Jones

Re: Postfix and Hylafax faxmail

Michael Hallager
In reply to this post by Michael Hallager
On Thu, 21 Aug 2008 02:12:02 Dave wrote:
> Hi,
> Do you have any notes on this setup? I'd like to get pointed on the right
> path.
> Thanks.
> Dave.

http://www.postfix.org/faq.html#fax

For reference here are my files:

master.cf

fax       unix  -       n       n       -       1       pipe
        flags=X user=uucp argv=/usr/local/bin/faxmail -d -n -N -T ${user}

I added in the -N and -T switches to prevent the generation of an extra
covering page with sender's details.
'user=' is whoever runs the hfaxd process. Make sure that faxmail is chmod 755
and owned by this user/group.

transport (use 'postconf transport' after making any changes)
fax.domain.tld fax:localhost

main.cf
smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/recipient_access

recipient_access (use 'postconf recipient_access' after making any changes)

recipient_access =
        fax.domain.tld     permit_mynetworks, permit_sasl_authenticated

This permits only clients who are on the local network *or* SASL authenticated
to use the fax service. This is good insurance against outsiders (having
discovered or guessed at the email address) using your fax service.
Note that SASL is not standard with source builds (or any binary package) of
Postfix. You will need to check that yours has this enabled.

Other notes:
fax.domain.tld does NOT need to be in DNS, and probably shouldn't be, unless
you need to access this service using mail originating from another mail
server.

Re: Postfix and Hylafax faxmail - small addition

Michael Hallager
In reply to this post by Michael Hallager
On Thu, 21 Aug 2008 02:12:02 Dave wrote:
> Hi,
> Do you have any notes on this setup? I'd like to get pointed on the right
> path.
> Thanks.
> Dave.

http://www.postfix.org/faq.html#fax

For reference here are my files:

master.cf

fax       unix  -       n       n       -       1       pipe
        flags=X user=uucp argv=/usr/local/bin/faxmail -d -n -N -T ${user}

I added in the -N and -T switches to prevent the generation of an extra
covering page with sender's details.
'user=' is whoever runs the hfaxd process. Make sure that faxmail is chmod 755
and owned by this user/group.

transport (use 'postconf transport' after making any changes)
fax.domain.tld fax:localhost

main.cf

transport_maps = hash:/etc/postfix/transport
fax_destination_recipient_limit = 1

smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/recipient_access

recipient_access (use 'postconf recipient_access' after making any changes)

recipient_access =
        fax.domain.tld     permit_mynetworks, permit_sasl_authenticated

This permits only clients who are on the local network *or* SASL authenticated
to use the fax service. This is good insurance against outsiders (having
discovered or guessed at the email address) using your fax service.
Note that SASL is not standard with source builds (or any binary package) of
Postfix. You will need to check that yours has this enabled.

Other notes:
fax.domain.tld does NOT need to be in DNS, and probably shouldn't be, unless
you need to access this service using mail originating from another mail
server.