Question on restriction class

chteh
Dear all postfix users,

Good day to everyone.
Is it possible to restrict a user or alias email account to receive
email only from a certain email address?
For example:
[hidden email] can receive email only from [hidden email], and the
rest of the email sent to this [hidden email] will be blocked.

Thanks.


--

Best regards,

Simon Teh

Network and System Administrator
National Advanced IPv6
Centre of Excellence,
School of Computer Science,
Universiti Sains Malaysia

Re: Question on restriction class

mouss-2
chteh wrote:
> Dear all postfix users,
>
> Good day to everyone.
> Is it possible to restrict a user or alias email account to receive
> email only from a certain email address?
> For example:
> [hidden email] can receive email only from [hidden email], and the
> rest of the email sent to this [hidden email] will be blocked.

smtpd_restriction_classes = restricted_recipient

# note: this is in smtpd_SENDER_restrictions to avoid becoming an open
# relay because of the "OK" below.
smtpd_sender_restrictions =
    check_recipient_access hash:/etc/postfix/restricted_recipient


restricted_recipient =
    check_sender_access hash:/etc/postfix/privileged_sender
    reject

== restricted_recipient:
[hidden email]         restricted_recipient

== privileged_sender
[hidden email]         OK



Re: Question on restriction class

chteh
Dear Mouss,

Thanks for your reply.
Actually, before I sent the first email, I did a similar configuration
on my mail server (main.cf), but the result showed that the email
will only be blocked if the domain is different. The email sent from the
local user is still not blocked by the mail server.
For example:
== restricted_recipient:
[hidden email]         restricted_recipient

== privileged_sender
[hidden email]         OK


The outcome:
Email from gmail.com or other domains to [hidden email] will be
blocked. (expected result)
Email from [hidden email] to [hidden email] is allowed. (expected result)
Email from [hidden email] to [hidden email] is allowed too. (unexpected
result)

Below is my mail server configuration; please correct me if I am making any
mistake. Thanks.
--------------------------------------------------------------------------------------------
smtpd_restriction_classes= insiders_only
insiders_only=
        check_sender_access hash:/etc/postfix/insiders
        reject

smtpd_recipient_restrictions=
        permit_sasl_authenticated
        permit_mynetworks
        reject_unauth_destination
        check_policy_service unix:/var/spool/postfix/postgrey/socket
        reject_unknown_recipient_domain
        check_recipient_access hash:/etc/postfix/recipient_access
        permit

smtpd_sender_restrictions =
        permit_sasl_authenticated
        permit_mynetworks
        reject_unauth_destination
        check_recipient_access hash:/etc/postfix/sender_access
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        permit
-----------------------------------------------------------------------------------------------------------
==insiders==
[hidden email]  OK

==sender_access==
[hidden email]  insiders_only


Thanks again.

--

Best regards,

Simon Teh

Network and System Administrator
National Advanced IPv6
Centre of Excellence,
School of Computer Science,
Universiti Sains Malaysia



Re: Question on restriction class

mouss-2
chteh wrote:

> Dear Mouss,
>
> Thanks for your reply.
> Actually, before I sent the first email, I did a similar
> configuration on my mail server (main.cf), but the result showed
> that the email will only be blocked if the domain is different. The
> email sent from the local user is still not blocked by the mail server.
> For example:
> == restricted_recipient:
> [hidden email]         restricted_recipient
>
> == privileged_sender
> [hidden email]         OK
>
>
> The outcome:
> Email from gmail.com or other domains to [hidden email] will be
> blocked. (expected result)
> Email from [hidden email] to [hidden email] is allowed. (expected result)
> Email from [hidden email] to [hidden email] is allowed too.
> (unexpected result)

If you put permit_mynetworks before, do not be surprised if mail passes.


>
> Below is my mail server configuration; please correct me if I am making
> any mistake. Thanks.

Please use the config that I posted and see if it does what you want.
The config I posted does not contain much stuff under
smtpd_sender_restrictions (and it does not involve
smtpd_recipient_restrictions).

> --------------------------------------------------------------------------------------------
>
> smtpd_restriction_classes= insiders_only
> insiders_only=
>        check_sender_access hash:/etc/postfix/insiders
>        reject
>
> smtpd_recipient_restrictions=
>        permit_sasl_authenticated
>        permit_mynetworks
>        reject_unauth_destination
>        check_policy_service unix:/var/spool/postfix/postgrey/socket
>        reject_unknown_recipient_domain

This is useless as it will check your own domains
(reject_unauth_destination has already rejected other domains).


>        check_recipient_access hash:/etc/postfix/recipient_access
>        permit
>
> smtpd_sender_restrictions =
>        permit_sasl_authenticated
>        permit_mynetworks


Your permit_* here will pass mail to the restricted domain from any user
if authenticated or if the mail comes from mynetworks.


>        reject_unauth_destination
>        check_recipient_access hash:/etc/postfix/sender_access


Calling a recipient map "sender_access" is calling for trouble... It's
not a problem, but it may become one some day.


>        reject_non_fqdn_sender
>        reject_unknown_sender_domain
>        permit
> -----------------------------------------------------------------------------------------------------------
>
> ==insiders==
> [hidden email]  OK
>
> ==sender_access==
> [hidden email]  insiders_only
>
>
> Thanks again.
>
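
A simplified model of the first-match evaluation that the two replies above rely on, added here as an illustration (not code from the thread or from Postfix). The example.com addresses, map contents and the `client_in_mynetworks` flag are constructed; `permit_sasl_authenticated` is left out because it short-circuits the list the same way `permit_mynetworks` does.

```python
# Simplified model of a Postfix smtpd restriction list (not Postfix code).
# Addresses, map contents and the client flag are constructed for illustration.
RESTRICTED_RECIPIENT = {"boss@example.com": "restricted_recipient"}  # recipient map
PRIVILEGED_SENDER = {"secretary@example.com": "OK"}                  # sender map

# Restriction class from the first reply: allow listed senders, reject the rest.
CLASSES = {
    "restricted_recipient": [("check_sender_access", PRIVILEGED_SENDER), "reject"],
}

def evaluate(rules, mail):
    """Return 'permit', 'reject' or 'dunno'; the first decisive rule wins."""
    for rule in rules:
        if rule in ("reject", "permit"):
            return rule
        if rule == "permit_mynetworks":
            if mail["client_in_mynetworks"]:
                return "permit"
            continue
        kind, table = rule
        key = mail["rcpt"] if kind == "check_recipient_access" else mail["sender"]
        action = table.get(key, "DUNNO")   # no match: keep going down the list
        if action == "OK":
            return "permit"
        if action in CLASSES:              # map result names a restriction class
            result = evaluate(CLASSES[action], mail)
            if result != "dunno":
                return result
    return "dunno"

def sender_stage(rules, mail):
    # Only an explicit reject stops the mail; anything else moves on.
    return "reject" if evaluate(rules, mail) == "reject" else "pass"

# Second post's order, reduced to the rules that matter here.
PERMIT_FIRST = ["permit_mynetworks",
                ("check_recipient_access", RESTRICTED_RECIPIENT), "permit"]
# First reply's order: the recipient lookup is the only rule.
LOOKUP_ONLY = [("check_recipient_access", RESTRICTED_RECIPIENT)]

def mail(sender, local):
    return {"sender": sender, "rcpt": "boss@example.com",
            "client_in_mynetworks": local}

if __name__ == "__main__":
    for name, rules in (("permit first", PERMIT_FIRST), ("lookup only", LOOKUP_ONLY)):
        for sender in ("colleague@example.com", "secretary@example.com"):
            print(name, sender, sender_stage(rules, mail(sender, True)))
```

With `permit_mynetworks` ahead of the lookup, a local client never reaches the restriction class, which matches the "unexpected result" reported in the second post.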

Re: Question on restriction class[solved]

chteh
Dear Mouss,

Thanks again for your help.
Yes, you have pointed out my mistake. It is now working!
Long live postfix :-)

--

Best regards,

Simon Teh

Network and System Administrator
National Advanced IPv6
Centre of Excellence,
School of Computer Science,
Universiti Sains Malaysia


