Reject mynetworks and permit relay domains


Alejandro Facultad
Dear all,  need your help on this scenario:

- Postfix public mail server
- 1.com and 2.com are supported virtual domains and R.com is  a relay domain
- I want to deny mails from 1.com and 2.com to R.com AND I want to
accept mails coming from Internet to R.com

In other words, something like this: "reject mynetworks, permit relay domain".

How can I implement what I need with Postfix access restrictions ???

Special thanks,

Alejandro

Re: Reject mynetworks and permit relay domains

Noel Jones-2
Alejandro Facultad wrote:

> Dear all,  need your help on this scenario:
>
> - Postfix public mail server
> - 1.com and 2.com are supported virtual domains and R.com is  a relay domain
> - I want to deny mails from 1.com and 2.com to R.com AND I want to
> accept mails coming from Internet to R.com
>
> In other words, something like this: "reject mynetworks, permit relay domain".
>
> How can I implement what I need with Postfix access restrictions ???
>
> Special thanks,
>
> Alejandro


Postfix doesn't have a "reject_mynetworks" directive (few
people have asked for it), but you can use a
check_client_access map to do that.  You will need to maintain
two lists of your local networks (or use a Makefile to build
your lists from a common source file).

If this is to apply to only one of your domains, you can
define a smtpd_restriction_classes and call it for the
restricted domain.

Something like:

# reject_mynetworks_access file
# this list duplicates all addresses listed in mynetworks
192.168  REJECT  local access not permitted
11.22.33.44  REJECT local access not permitted

# check_domain
r.com  reject_mynetworks, permit_auth_destination


# main.cf
smtpd_restriction_classes =
    reject_mynetworks

reject_mynetworks =
    check_client_access hash:/etc/postfix/reject_mynetworks_access

#this is a default setting
smtpd_delay_reject = yes

# do this in smtpd_sender_restrictions so a mistake won't
# create an open relay
# http://www.postfix.org/SMTPD_ACCESS_README.html#danger
smtpd_sender_restrictions =
    check_recipient_access hash:/etc/postfix/check_domain


The above is a very basic setup describing one way to do what
you seem to be asking for.  There are other ways.  If you need
more specific instructions, you will need to post specific
information about your current settings and what you want.

--
Noel Jones
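
The reply above notes that the REJECT list must duplicate mynetworks; a hash: access map also matches only on octet boundaries (192.168), not CIDR masks. As an added example, not part of the original thread: one way to generate the second list from the mynetworks value, in cidr_table(5) format so entries such as 127.0.0.0/8 carry over unchanged. The function names and the output file name are assumptions.

```shell
#!/bin/sh
# Added example: derive the REJECT list from the mynetworks value so the
# two lists cannot drift apart. Output is in cidr_table(5) format.

REJECT_TEXT="local access not permitted"   # same reply text as in the post

# True only for a dotted quad with four octets in the range 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*.*.*.*.*) return 1 ;;   # stray characters, too many dots
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# True only for a prefix length between 0 and 32.
is_mask() {
    case "$1" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$1" -le 32 ]
}

# mynetworks_to_cidr "<mynetworks value>"
# Prints one "network/mask REJECT text" line per IPv4 entry. Anything else
# (file names, type:table lookups, "!" exclusions, IPv6) is reported on
# stderr and skipped, so nothing is silently guessed.
mynetworks_to_cidr() {
    # mynetworks entries are separated by commas and/or whitespace
    printf '%s\n' "$1" | tr ', \t' '\n\n\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case "$entry" in
            */*) addr=${entry%/*}; mask=${entry#*/} ;;
            *)   addr=$entry;      mask=32 ;;          # bare host address
        esac
        if is_ipv4 "$addr" && is_mask "$mask"; then
            printf '%s/%s\tREJECT %s\n' "$addr" "$mask" "$REJECT_TEXT"
        else
            printf 'skipped (handle by hand): %s\n' "$entry" >&2
        fi
    done
}

# Demo with the mynetworks value quoted later in this thread.
mynetworks_to_cidr "127.0.0.0/8, 172.0.0.0/8"
```

Feed it `"$(postconf -h mynetworks)"`, write the output to a file such as /etc/postfix/reject_mynetworks.cidr (hypothetical path), and reference it as `check_client_access cidr:/etc/postfix/reject_mynetworks.cidr` in place of the hash: map. A cidr table is read directly and needs no postmap run.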

Re: Reject mynetworks and permit relay domains

Alejandro Facultad
Thanks Noel, now I'm in a better way.

Read above please:

Noel Jones wrote:

> Postfix doesn't have a "reject_mynetworks" directive (few people have
> asked for it), but you can use a check_client_access map to do that.  
> You will need to maintain two lists of your local networks (or use a
> Makefile to build your lists from a common source file).
>
> If this is to apply to only one of your domains, you can define a
> smtpd_restriction_classes and call it for the restricted domain.
>
> Something like:
>
> # reject_mynetworks_access file
> # this list duplicates all addresses listed in mynetworks
> 192.168  REJECT  local access not permitted
> 11.22.33.44  REJECT local access not permitted
> # check_domain
> r.com  reject_mynetworks, permit_auth_destination
>
>
> # main.cf
> smtpd_restriction_classes =
>    reject_mynetworks
>
> reject_mynetworks =
>    check_client_access hash:/etc/postfix/reject_mynetworks_access
>
> #this is a default setting
> smtpd_delay_reject = yes
>
> # do this in smtpd_sender_restrictions so a mistake won't
> # create an open relay
> # http://www.postfix.org/SMTPD_ACCESS_README.html#danger
> smtpd_sender_restrictions =
>    check_recipient_access hash:/etc/postfix/check_domain
>
>
> The above is a very basic setup describing one way to do what you seem
> to be asking for.  There are other ways.  If you need more specific
> instructions, you will need to post specific information about your
> current settings and what you want.
>
Thanks Noel for your important support...I read all you write time after
time, but it's difficult to me by now. I tell you some data from my main.cf:

mynetworks = 127.0.0.0/8, 172.0.0.0/8

relay_domains = R.com

# 1.com and 2.com are defined as virtual domains here
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf

I repeat again: 1.com and 2.com can't send messages to R.com AND people
from Internet can send messages to R.com

You said: "you can define a smtpd_restriction_classes and call it for
the restricted domain"....but where are defined my 1.com and 2.com
domains in the main.cf in order to call the restrictions you suggest ???

Thanks Noel, regards !!!

Alejandro


Re: Reject mynetworks and permit relay domains

Noel Jones-2
Alejandro Facultad wrote:

> Thanks Noel, now I'm in a better way.
>
> Read above please:
>
> Thanks Noel for your important support...I read all you write time after
> time, but it's difficult to me by now. I tell you some data from my
> main.cf:
>
> mynetworks = 127.0.0.0/8, 172.0.0.0/8
>
> relay_domains = R.com
>
> # 1.com and 2.com are defined as virtual domains here
> virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
>
> I repeat again: 1.com and 2.com can't send messages to R.com AND people
> from Internet can send messages to R.com
>
> You said: "you can define a smtpd_restriction_classes and call it for
> the restricted domain"....but where are defined my 1.com and 2.com
> domains in the main.cf in order to call the restrictions you suggest ???
>
> Thanks Noel, regards !!!
>
> Alejandro
>

The example above prevents clients in mynetworks from sending
mail to r.com.  This may be sufficient for what you attempt to
describe.

If you additionally want to restrict any sender address of
1.com or 2.com from sending mail to r.com, you can define an
additional smtpd_restriction_classes entry similar to the
examples in
http://www.postfix.org/RESTRICTION_CLASS_README.html

--
Noel Jones


Re: Reject mynetworks and permit relay domains

Alejandro Facultad
Noel Jones wrote:

> The example above prevents clients in mynetworks from sending mail to
> r.com.  This may be sufficient for what you attempt to describe.
>
> If you additionally want to restrict any sender address of 1.com or
> 2.com from sending mail to r.com, you can define an additional
> smtpd_restriction_classes entry similar to the examples in
> http://www.postfix.org/RESTRICTION_CLASS_README.html
>
Thanks again Noel !!! Just one more short question. If my restrictions
lists are the following, where can I put a check_client_access line ???

smtpd_sender_restrictions =
                check_sender_access hash:/etc/postfix/restricted_senders
                check_recipient_access hash:/etc/postfix/restricted_recipients

smtpd_recipient_restrictions =
                permit_mynetworks
                permit_sasl_authenticated
                reject_unknown_sender_domain

Or maybe do I have to add a smtpd_client_restrictions list ????

Thanks and greetings,

Alejandro


Re: Reject mynetworks and permit relay domains

Noel Jones-2
Alejandro Facultad wrote:

> Thanks again Noel !!! Just one more short question. If my restrictions
> lists are the following, where can I put a check_client_access line ???
>
> smtpd_sender_restrictions =
>                check_sender_access hash:/etc/postfix/restricted_senders
>                check_recipient_access hash:/etc/postfix/restricted_recipients
>
> smtpd_recipient_restrictions =
>                permit_mynetworks
>                permit_sasl_authenticated
>                reject_unknown_sender_domain
>
> Or maybe do I have to add a smtpd_client_restrictions list ????
>
> Thanks and greetings,
>
> Alejandro
>

Insert it as the first restriction under
smtpd_sender_restrictions.

--
Noel Jones