Postfix restriction


Postfix restriction

Dan

Dear all,
I would like to restrict some internal mailboxes so that only a list of domains can send mail to these mailboxes.

Users should be able to get outside mails normally.

 

I’ve found this on postfix.org:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        ...
        check_recipient_access hash:/etc/postfix/protected_destinations
        ...the usual stuff...
 
    smtpd_restriction_classes = insiders_only
    insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
 
/etc/postfix/protected_destinations:
    [hidden email]   insiders_only
    [hidden email] insiders_only
 
/etc/postfix/insiders:
    my.domain       OK  matches my.domain and subdomains
    another.domain  OK  matches another.domain and subdomains

 

 

 

Which is working, but after creating the hash tables like in this example, other users won’t get new mails from outside.

All other mails are rejected in the logs with “server configuration error”

 

For the users and domains I use these settings with cyrus-imapd:

 

virtual_transport = lmtp:unix:/local/socket/lmtp

virtual_alias_maps = hash:/etc/postfix/virtual_recipients

virtual_mailbox_domains = /etc/postfix/virtual_mailbox_domains

 

virtual_mailbox_domains contains our domains in a table like “company01.de OK”

 

If I set these settings

 

#   smtpd_restriction_classes = insiders_only

#   insiders_only = check_sender_access hash:/etc/postfix/insiders, reject

#   check_recipient_access hash:/etc/postfix/protected_destinations

 

Cat protected_destinations

[hidden email]        insiders_only

 

Cat insiders

Domain.com OK

 

Is it possible to restrict only 2 mailboxes without cutting off the normal mail flow?

 

Best Regards

David

 


Re: Postfix restriction

Viktor Dukhovni
On Sat, Feb 13, 2021 at 08:49:56PM +0100, Dan wrote:

> /etc/postfix/main.cf:
>     smtpd_recipient_restrictions =
>         ...
>         check_recipient_access hash:/etc/postfix/protected_destinations
>         ...the usual stuff...
>  
>     smtpd_restriction_classes = insiders_only
>     insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
>  
> /etc/postfix/protected_destinations:
>     [hidden email]   insiders_only
>     [hidden email] insiders_only
>  
> /etc/postfix/insiders:
>     my.domain       OK  matches my.domain and subdomains
>     another.domain  OK  matches another.domain and subdomains

> Which is working, but after creating the hash tables like in this example, other users won’t get new mails from outside.
>
> All other mails are rejected in the logs with “server configuration error”

Fix the "server configuration error" detailed in your logs.

--
    Viktor.

Re: Postfix restriction

Dan
Okay how to solve this?
Here the logs attached.
It looks like that postfix don't know to handle other users.
If I send from allowed domains which I entered in the protected_destinations it works.
If I send a mail from gmail:

Feb 13 21:44:06 CGSG postfix/smtpd[8296]: Anonymous TLS connection established from mail-wr1-f49.google.com[209.85.221.49]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Feb 13 21:44:06 CGSG postfix/smtpd[8296]: warning: unknown smtpd restriction: "smtpd_restriction_classes"
Feb 13 21:44:06 CGSG postfix/smtpd[8296]: NOQUEUE: reject: RCPT from mail-wr1-f49.google.com[209.85.221.49]: 451 4.3.5 Server configuration error; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mail-wr1-f49.google.com>


From allowed side it looks like:

Feb 13 21:43:21 CGSG postfix/qmgr[8269]: 667C17E0061: from=<[hidden email]>, size=2441, nrcpt=1 (queue active)
Feb 13 21:43:21 CGSG cyrus/lmtpchroot[8287]: Delivered: <[hidden email]> to mailbox: domain.net!user.test

Any ideas?
Best Regards
David Faller

On 13.02.21, 21:40, "Viktor Dukhovni" <[hidden email] on behalf of [hidden email]> wrote:

    On Sat, Feb 13, 2021 at 08:49:56PM +0100, Dan wrote:

    > /etc/postfix/main.cf:
    >     smtpd_recipient_restrictions =
    >         ...
    >         check_recipient_access hash:/etc/postfix/protected_destinations
    >         ...the usual stuff...
    >  
    >     smtpd_restriction_classes = insiders_only
    >     insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
    >  
    > /etc/postfix/protected_destinations:
    >     [hidden email]   insiders_only
    >     [hidden email] insiders_only
    >  
    > /etc/postfix/insiders:
    >     my.domain       OK  matches my.domain and subdomains
    >     another.domain  OK  matches another.domain and subdomains

    > Which is working, but after creating the hash tables like in this example, other users won’t get new mails from outside.
    >
    > All other mails are rejected in the logs with “server configuration error”

    Fix the "server configuration error" detailed in your logs.

    --
        Viktor.



Re: Postfix restriction

Viktor Dukhovni
On Sat, Feb 13, 2021 at 09:56:52PM +0100, Dan wrote:

> It looks like that postfix don't know to handle other users.

No, rather you have a syntax error in your main.cf file.

> Okay how to solve this?

Fix the syntax error.

> Here the logs attached.

> If I send a mail from gmail:
>
> Feb 13 21:44:06 CGSG postfix/smtpd[8296]: warning: unknown smtpd restriction: "smtpd_restriction_classes"
> Feb 13 21:44:06 CGSG postfix/smtpd[8296]: NOQUEUE: reject: RCPT from mail-wr1-f49.google.com[209.85.221.49]: 451 4.3.5 Server configuration error; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mail-wr1-f49.google.com>

You have "smtpd_restriction_classes" in the wrong place.

>
>     > /etc/postfix/main.cf:
>     >     smtpd_recipient_restrictions =
>     >         ...
>     >         check_recipient_access hash:/etc/postfix/protected_destinations
>     >         ...the usual stuff...
>     >  
>     >     smtpd_restriction_classes = insiders_only
>     >     insiders_only = check_sender_access hash:/etc/postfix/insiders, reject

There must be leading whitespace in front of "smtpd_restriction_classes", as
you would see if you use "postconf -nf", rather than just pasting the file
content.  You can see just the problem settings with:

    # postconf -n | grep smtpd_restriction_classes

--
    Viktor.
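
Added example (not part of the original thread and not Postfix project code): in main.cf a line that begins with whitespace continues the previous logical line, and blank or comment lines do not end that continuation, so an indented "smtpd_restriction_classes = ..." becomes part of the smtpd_recipient_restrictions value and smtpd logs it as an unknown restriction. The helper names find_swallowed_params and write_sample are hypothetical, and the sample file is constructed to mirror the layout diagnosed above.

```shell
#!/bin/sh
# find_swallowed_params FILE  (added example; hypothetical helper name)
# Lists indented "name = value" lines. Postfix reads these as continuations
# of the previous logical line, not as new parameter definitions.
find_swallowed_params() {
    awk '
        # Blank and comment lines are ignored and do NOT end a continuation.
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        # Text in column one starts a new logical line; remember its name.
        /^[^ \t]/ { parent = $0; sub(/[ \t]*=.*/, "", parent); next }
        # Indented "name =" is a continuation that looks like a parameter.
        /^[ \t]+[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            name = $0
            sub(/^[ \t]+/, "", name)
            sub(/[ \t]*=.*/, "", name)
            printf "%d: \"%s\" is part of the value of \"%s\"\n", NR, name, parent
        }
    ' "$1"
}

# Constructed sample: the example config pasted with its indentation intact.
write_sample() {
    cat > "$1" <<'EOF'
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/protected_destinations
    reject_unauth_destination

    smtpd_restriction_classes = insiders_only
    insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
virtual_transport = lmtp:unix:/local/socket/lmtp
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp)
write_sample "$tmp"
find_swallowed_params "$tmp"
rm -f "$tmp"
```

Run the function against /etc/postfix/main.cf; no output means no indented assignment was found. Moving each flagged line to column one makes it a parameter of its own.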

Re: Postfix restriction

Dan
Thank you, this solves the issue.
Have a nice evening

On 13.02.21, 22:12, "Viktor Dukhovni" <[hidden email] on behalf of [hidden email]> wrote:

    On Sat, Feb 13, 2021 at 09:56:52PM +0100, Dan wrote:

    > It looks like that postfix don't know to handle other users.

    No, rather you have a syntax error in your main.cf file.

    > Okay how to solve this?

    Fix the syntax error.

    > Here the logs attached.

    > If I send a mail from gmail:
    >
    > Feb 13 21:44:06 CGSG postfix/smtpd[8296]: warning: unknown smtpd restriction: "smtpd_restriction_classes"
    > Feb 13 21:44:06 CGSG postfix/smtpd[8296]: NOQUEUE: reject: RCPT from mail-wr1-f49.google.com[209.85.221.49]: 451 4.3.5 Server configuration error; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mail-wr1-f49.google.com>

    You have "smtpd_restriction_classes" in the wrong place.

    >
    >     > /etc/postfix/main.cf:
    >     >     smtpd_recipient_restrictions =
    >     >         ...
    >     >         check_recipient_access hash:/etc/postfix/protected_destinations
    >     >         ...the usual stuff...
    >     >  
    >     >     smtpd_restriction_classes = insiders_only
    >     >     insiders_only = check_sender_access hash:/etc/postfix/insiders, reject

    There must be leading whitespace in front of "smtpd_restriction_classes", as
    you would see if you use "postconf -nf", rather than just pasting the file
    content.  You can see just the problem settings with:

        # postconf -n | grep smtpd_restriction_classes

    --
        Viktor.