Reject unknown users, even when sent from 'mydomain'

durwin
I have a LAN behind a firewall with port 25 forwarded to machine running postfix.  That machine sends email on to
a Domino server.  However, I am using a VM for testing and I cannot change the forwarded port.  So I am doing it
all from the postfix machine.  I use the command below to send an email to an unknown user (from command line).
But it delivers it to Domino anyway.  I have only one user defined in /etc/postfix/aliases file.  Do I have the right
configuration to reject unknown users?  If not, what am I missing?

Thank you,

Durwin

=== command ===
cat email.txt | nc postfix 25
=== end ===

=== email.txt ===
helo postfix.mydomain.com
mail from: [hidden email]
rcpt to: [hidden email]
data
From: [hidden email]
To: [hidden email]
Subject: Test
Test
.
quit
=== end email.txt ===


=== main.cf ===
compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = postfix.mydomain.com
mydomain = mydomain.com
myorigin = $myhostname
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost
local_recipient_maps = $alias_maps
unknown_local_recipient_reject_code = 550
mynetworks = 172.23.93.0/24
relay_domains = $mydestination
relayhost = $mydomain
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/aliases


smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix/samples
readme_directory = /usr/share/doc/postfix/README_FILES
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix
=== end main.cf ===


This email message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary and/or confidential information which may be privileged or otherwise protected from disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s), please contact the sender by reply email and destroy the original message and any copies of the message as well as any attachments to the original message.

Re: Reject unknown users, even when sent from 'mydomain'

Bill Cole-3
On 28 Jun 2018, at 15:35, [hidden email] wrote:

> I have a LAN behind a firewall with port 25 forwarded to machine running
> postfix.  That machine sends email on to a Domino server.  However, I am
> using a VM for testing and I cannot change the forwarded port.  So I am
> doing it all from the postfix machine.  I use the command below to send an
> email to an unknown user (from command line).  But it delivers it to Domino
> anyway.  I have only one user defined in /etc/postfix/aliases file.  Do I
> have the right configuration to reject unknown users?

No.

> If not, what am I missing?

smtpd_recipient_restrictions and/or smtpd_relay_restrictions.

See the postconf(5) man page, the SMTPD_ACCESS_README file, and the
ADDRESS_VERIFICATION_README file for the mechanisms available for
determining whether a specific recipient address in a relay domain is
valid. For your circumstance you probably need to use recipient
verification but if Domino provides an LDAP interface that could also be
an option.




Re: Reject unknown users, even when sent from 'mydomain'

Matus UHLAR - fantomas
In reply to this post by durwin
On 28.06.18 13:35, [hidden email] wrote:
>=== command ===
>cat email.txt | nc postfix 25
>=== end ===

does this work? you should use SMTP client like 'msmtp' instead.
(you can configure authentication and encryption with it).

>This email message and any attachments are for the sole use of the
>intended recipient(s) and may contain proprietary and/or confidential
>information which may be privileged or otherwise protected from
>disclosure. Any unauthorized review, use, disclosure or distribution is
>prohibited. If you are not the intended recipient(s), please contact the
>sender by reply email and destroy the original message and any copies of
>the message as well as any attachments to the original message.

funny for a list mail.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".

Re: Reject unknown users, even when sent from 'mydomain'

durwin
In reply to this post by Bill Cole-3
Still delivers unknown user.  I've attached the main.cf and the log.

@Matus
Thank you for suggesting msmtp.  It is handy.  As for the text the server appends to all outgoing email, it is impractical to disable it for each email going to a list, sorry. :)




Durwin F. De La Rue
Management Sciences, Inc.
6022 Constitution Ave. NE
Albuquerque, NM  87110
Phone (505) 255-8611




From:        "Bill Cole" <[hidden email]>
To:        "Postfix users" <[hidden email]>
Date:        06/28/2018 05:41 PM
Subject:        Re: Reject unknown users, even when sent from 'mydomain'
Sent by:        [hidden email]




On 28 Jun 2018, at 15:35, [hidden email] wrote:

> I have a LAN behind a firewall with port 25 forwarded to machine running
> postfix.  That machine sends email on to a Domino server.  However, I am
> using a VM for testing and I cannot change the forwarded port.  So I am
> doing it all from the postfix machine.  I use the command below to send an
> email to an unknown user (from command line).  But it delivers it to Domino
> anyway.  I have only one user defined in /etc/postfix/aliases file.  Do I
> have the right configuration to reject unknown users?

No.

> If not, what am I missing?

smtpd_recipient_restrictions and/or smtpd_relay_restrictions.

See the postconf(5) man page, the SMTPD_ACCESS_README file, and the
ADDRESS_VERIFICATION_README file for the mechanisms available for
determining whether a specific recipient address in a relay domain is
valid. For your circumstance you probably need to use recipient
verification but if Domino provides an LDAP interface that could also be
an option.








Re: Reject unknown users, even when sent from 'mydomain'

Bill Cole-3
On 29 Jun 2018, at 16:55 (-0400), [hidden email] wrote:

> Still delivers unknown user.  I've attached the main.cf and the log.

For future reference: please read the last section of the Postfix
DEBUG_README file and note that it does not recommend debug-level
logging or whole main.cf files.

But the reason your test permitted you to submit a message to a bogus
user is obvious despite the clutter: when  'permit_mynetworks' occurs
first in a restriction list, connections from IPs in $mynetworks are
exempted from all other restrictions in that list.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole
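
The ordering effect described in the message above, as an added illustration that is not taken from the poster's attached main.cf. The restriction names are standard Postfix ones; the use of reject_unverified_recipient, the "before" list and the table name /etc/postfix/verify_domains are assumptions made for this sketch.

```ini
# /etc/postfix/main.cf (constructed example, not the poster's file)

# Before: a client inside $mynetworks (172.23.93.0/24 in this thread)
# matches permit_mynetworks first. Evaluation of this list stops there,
# so reject_unverified_recipient never runs for a test sent from the LAN.
#smtpd_recipient_restrictions =
#    permit_mynetworks,
#    reject_unauth_destination,
#    reject_unverified_recipient

# After: recipients in the relayed domain are verified before
# permit_mynetworks can end the list, so LAN clients are checked too.
# Limiting the check to one domain avoids probing remote servers for
# outbound mail sent by LAN clients.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/verify_domains,
    permit_mynetworks,
    reject_unauth_destination

# The default reply for a failed probe is a temporary 450.
# Switch to 550 only once verification results are trusted.
#unverified_recipient_reject_code = 550

# /etc/postfix/verify_domains (hypothetical table, run "postmap" on it)
#   mydomain.com    reject_unverified_recipient
```

A test that connects from inside $mynetworks exercises the LAN path only; repeating it from an address outside $mynetworks shows what Internet senders get.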

Re: Reject unknown users, even when sent from 'mydomain'

durwin
[hidden email] wrote on 06/29/2018 09:12:34 PM:

> From: "Bill Cole" <[hidden email]>

> To: "Postfix users" <[hidden email]>
> Date: 06/29/2018 09:13 PM
> Subject: Re: Reject unknown users, even when sent from 'mydomain'
> Sent by: [hidden email]
>
> On 29 Jun 2018, at 16:55 (-0400), [hidden email] wrote:
>
> > Still delivers unknown user.  I've attached the main.cf and the log.
>
> For future reference: please read the last section of the Postfix
> DEBUG_README file and note that it does not recommend debug-level
> logging or whole main.cf files.
>
> But the reason your test permitted you to submit a message to a bogus
> user is obvious despite the clutter: when  'permit_mynetworks' occurs
> first in a restriction list, connections from IPs in $mynetworks are
> exempted from all other restrictions in that list.


Thank you.  I agree, it is obvious.  I was looking for a bigger problem
when it was a small one.

Could I expect xclient to work for testing?  If so, does the NAME and ADDR
need to be resolvable? Can I define them to be anything except my LAN?

XCLIENT NAME= ADDR=

>
>
> --
> Bill Cole
> [hidden email] or [hidden email]
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Currently Seeking Steadier Work: https://linkedin.com/in/billcole




Re: Reject unknown users, even when sent from 'mydomain'

Matus UHLAR - fantomas
>[hidden email] wrote on 06/29/2018 09:12:34 PM:
>
>> From: "Bill Cole" <[hidden email]>
>> To: "Postfix users" <[hidden email]>
>> Date: 06/29/2018 09:13 PM
>> Subject: Re: Reject unknown users, even when sent from 'mydomain'
>> Sent by: [hidden email]
>>
>> On 29 Jun 2018, at 16:55 (-0400), [hidden email] wrote:
>>
>> > Still delivers unknown user.  I've attached the main.cf and the log.
>>
>> For future reference: please read the last section of the Postfix
>> DEBUG_README file and note that it does not recommend debug-level
>> logging or whole main.cf files.
>>
>> But the reason your test permitted you to submit a message to a bogus
>> user is obvious despite the clutter: when  'permit_mynetworks' occurs
>> first in a restriction list, connections from IPs in $mynetworks are
>> exempted from all other restrictions in that list.

On 02.07.18 07:52, [hidden email] wrote:
>Thank you.  I agree, it it is obvious.  I has looking for a bigger problem
>when is was a small one.
>
>Could I expect xclient to work for testing?  If so, does the NAME and ADDR
>need to be resolvable? Can I define them to be anything except my LAN?
>
>XCLIENT NAME= ADDR=

configure smtpd_authorized_xclient_hosts

http://www.postfix.org/postconf.5.html#smtpd_authorized_xclient_hosts



--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]

Re: Reject unknown users, even when sent from 'mydomain'

durwin
[hidden email] wrote on 07/02/2018 07:59:35 AM:

> From: Matus UHLAR - fantomas <[hidden email]>

> To: [hidden email], [hidden email]
> Date: 07/02/2018 08:00 AM
> Subject: Re: Reject unknown users, even when sent from 'mydomain'
> Sent by: [hidden email]
>
> >[hidden email] wrote on 06/29/2018 09:12:34 PM:
> >
> >> From: "Bill Cole" <[hidden email]>
> >> To: "Postfix users" <[hidden email]>
> >> Date: 06/29/2018 09:13 PM
> >> Subject: Re: Reject unknown users, even when sent from 'mydomain'
> >> Sent by: [hidden email]
> >>
> >> On 29 Jun 2018, at 16:55 (-0400), [hidden email] wrote:
> >>
> >> > Still delivers unknown user.  I've attached the main.cf and the log.
> >>
> >> For future reference: please read the last section of the Postfix
> >> DEBUG_README file and note that it does not recommend debug-level
> >> logging or whole main.cf files.
> >>
> >> But the reason your test permitted you to submit a message to a bogus
> >> user is obvious despite the clutter: when  'permit_mynetworks' occurs
> >> first in a restriction list, connections from IPs in $mynetworks are
> >> exempted from all other restrictions in that list.
>
> On 02.07.18 07:52, [hidden email] wrote:
> >Thank you.  I agree, it it is obvious.  I has looking for a bigger problem
> >when is was a small one.
> >
> >Could I expect xclient to work for testing?  If so, does the NAME and ADDR
> >need to be resolvable? Can I define them to be anything except my LAN?
> >
> >XCLIENT NAME= ADDR=
>
> configure smtpd_authorized_xclient_hosts
>
> http://www.postfix.org/postconf.5.html#smtpd_authorized_xclient_hosts

I have smtpd_authorized_xclient_hosts defined.  I then used this.

EHLO <some valid FQDN>
XCLIENT NAME=<some valid FQDN> ADDR=<Address>
EHLO <some valid FQDN>
MAIL FROM:<user@domain>
RCPT TO:<[hidden email]>

I get 'Relay access denied'.  However, I am not trying to relay, I am trying
to deliver *to* this postfix server.  'Mydomain' *is* this server.  Does it
make a difference that it is to forward to another server (Domino) in same LAN?


>
>
>
> --
> Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> "Where do you want to go to die?" [Microsoft]




Re: Reject unknown users, even when sent from 'mydomain'

Wietse Venema
[hidden email]:

> I have smtpd_authorized_xclient_hosts defined.  I then used this.
>
> EHLO <some valid FQDN>
> XCLIENT NAME=<some valid FQDN> ADDR=<Address>
> EHLO <some valid FQDN>
> MAIL FROM:<user@domain>
> RCPT TO:<[hidden email]>
>
> I get 'Relay access denied'.  However, I am not trying to relay, I am trying
> to deliver *to* this postfix server.  'Mydomain' *is* this server.  Does it
> make a difference that it is to forward to another server (Domino) in same
> LAN?

Mail is not delivered to this server.

Mail is forwarded to another server.

That *IS* the definition of relaying.

        Wietse

Re: Reject unknown users, even when sent from 'mydomain'

durwin
[hidden email] wrote on 07/02/2018 09:14:06 AM:

> From: Wietse Venema <[hidden email]>

> To: Postfix users <[hidden email]>
> Date: 07/02/2018 09:14 AM
> Subject: Re: Reject unknown users, even when sent from 'mydomain'
> Sent by: [hidden email]
>
> [hidden email]:
> > I have smtpd_authorized_xclient_hosts defined.  I then used this.
> >
> > EHLO <some valid FQDN>
> > XCLIENT NAME=<some valid FQDN> ADDR=<Address>
> > EHLO <some valid FQDN>
> > MAIL FROM:<user@domain>
> > RCPT TO:<[hidden email]>
> >
> > I get 'Relay access denied'.  However, I am not trying to relay, I am trying
> > to deliver *to* this postfix server.  'Mydomain' *is* this server.  Does it
> > make a difference that it is to forward to another server (Domino) in same
> > LAN?
>
> Mail is not delivered to this server.
>
> Mail is forwarded to another server.
>
> That *IS* the definition of relaying.
>
>    Wietse

If my postfix server is 172.23.93.188, and my Domino server is 172.23.93.10.
The router forwards all mail to 188.  The postfix server must send it to 10
for delivery.  What is needed to allow this 'relaying' from 188 to 10 without
becoming an open relay?

Durwin



Re: Reject unknown users, even when sent from 'mydomain'

Noel Jones-2
On 7/2/2018 10:20 AM, [hidden email] wrote:

> If my postfix server is 172.23.93.188, and my Domino server is 172.23.93.10.
> The router forwards all mail to 188.  The postfix server must send it to 10
> for delivery.  What is needed to allow this 'relaying' from 188 to 10 without
> becoming an open relay?
>
> Durwin
>

This is what we refer to as an email firewall or gateway.

A basic, annotated example of this can be found here:
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

The key parts are that the internal domain should be listed in
relay_domains (not mydestination), and valid recipients should be
listed in relay_recipient_maps.

It's also possible for postfix to build a list of valid recipients
automatically *if* the internal server rejects unknown recipients
during the SMTP transaction.

Other relevant links:
http://www.postfix.org/ADDRESS_CLASS_README.html
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
http://www.postfix.org/documentation.html



  -- Noel Jones
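
A sketch of the gateway layout described in the message above, using the addresses and domain named in this thread. It is an added example modeled on the linked STANDARD_CONFIGURATION_README section, not a configuration posted by anyone here; the two table paths and the recipient address are assumptions.

```ini
# /etc/postfix/main.cf on the gateway, 172.23.93.188 (constructed example)

# Nothing is delivered to local mailboxes on the gateway itself.
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled

# mydomain.com is a relay domain: accepted here, then handed to Domino.
# Listing it in mydestination instead would make Postfix treat it as local.
relay_domains = mydomain.com
transport_maps = hash:/etc/postfix/transport

# Valid recipients in the relay domain. Addresses missing from this
# table are refused during the SMTP transaction instead of being
# queued and bounced later.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# LAN clients may relay anywhere. Everyone else may only send to
# domains this server is responsible for, which keeps it from being
# an open relay.
mynetworks = 172.23.93.0/24
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# /etc/postfix/transport (run "postmap /etc/postfix/transport")
#   mydomain.com    relay:[172.23.93.10]
#
# /etc/postfix/relay_recipients (hypothetical entry, run "postmap" on it)
#   someuser@mydomain.com    x
```

The square brackets around the Domino address in the transport table suppress the MX lookup, so mail goes straight to that host.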

Re: Reject unknown users, even when sent from 'mydomain'

durwin
[hidden email] wrote on 07/02/2018 09:58:57 AM:

> From: Noel Jones <[hidden email]>

> To: [hidden email]
> Date: 07/02/2018 09:59 AM
> Subject: Re: Reject unknown users, even when sent from 'mydomain'
> Sent by: [hidden email]
>
> On 7/2/2018 10:20 AM, [hidden email] wrote:
> > If my postfix server is 172.23.93.188, and my Domino server is 172.23.93.10.
> > The router forwards all mail to 188.  The postfix server must send it to 10
> > for delivery.  What is needed to allow this 'relaying' from 188 to 10 without
> > becoming an open relay?
> >
> > Durwin
> >
>
> This is what we refer to as an email firewall or gateway.
>
> A basic, annotated example of this can be found here:
> http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
>
> The key parts are that the internal domain should be listed in
> relay_domains (not mydestination), and valid recipients should be
> listed in relay_recipient_maps.


I guess I still got it wrong.  I looked closer at what you said about
relay_domains.  I will try that.

Thank you.
>
> It's also possible for postfix to build a list of valid recipients
> automatically *if* the internal server rejects unknown recipients
> during the SMTP transaction.
>
> Other relevant links:
> http://www.postfix.org/ADDRESS_CLASS_README.html
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
> http://www.postfix.org/documentation.html
>
>
>
>   -- Noel Jones


