Relay Exceptions


Relay Exceptions

Tom Tucker


I am struggling with a configuration that might be impossible.  Hopefully the list can help guide me.  

I want to allow internal systems the ability to relay emails to my domains even though they might get caught with 'reject_unknown_reverse_client_hostname'.  Possible?   If yes, I am unsure how to configure smtpd_sender_restrictions and smtpd_recipient_restrictions to support such.


Current non-working configuration for this scenario
------------------------------------------------------------------------
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, reject_non_fqdn_sender

smtpd_recipient_restrictions =  reject_unknown_reverse_client_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unverified_recipient

Thank you in advance,

Re: Relay Exceptions

Stan Hoeppner
On 1/22/2013 8:52 PM, Tom Tucker wrote:

> I am struggling with a configuration that might be impossible.  Hopefully
> the list can help guide me.
>
> I want to allow internal systems the ability to relay emails to my domains
> even though they might get caught with
> 'reject_unknown_reverse_client_hostname'.  Possible?   If yes, I am unsure
> how to configure smtpd_sender_restrictions and smtpd_recipient_restrictions
> to support such.
>
>
> Current non-working configuration for this scenario
> ------------------------------------------------------------------------
> smtpd_sender_restrictions = permit_mynetworks,
> reject_unknown_sender_domain, reject_non_fqdn_sender
>
> smtpd_recipient_restrictions =  reject_unknown_reverse_client_hostname,
> reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname,
> reject_unauth_destination, reject_non_fqdn_recipient,
> reject_unknown_recipient_domain, reject_unverified_recipient

Don't specify the separate restriction classes.  Put everything under
smtpd_recipient_restrictions.  This way you can manipulate the precise
order of your restrictions.  Remember, "first match wins".  If you
specify them separately you must put all permit actions at the start of
each class section.  Ergo each would need to start with
"permit_mynetworks".  Here's an example of the EURR method.  There is no
client, sender, or helo restriction section, only this:

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_unknown_reverse_client_hostname
        reject_non_fqdn_sender
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname
        reject_unlisted_recipient
        ...

Using this method, permit_mynetworks will match your local hosts before
reject_unknown_reverse_client_hostname matches.  First match wins, and
you only have one class, so this solves your problem.

--
Stan





Re: Relay Exceptions

Tom Tucker

Stan,
Thanks for the response.  This does work, however these clients are also able to send to domains outside my environment.  Let me try to clarify my scenario.

Client: With PTR record = Full relay (internal & external domains)
Client: No PTR record   = Relay for internal domains only

Is it possible to configure Postfix to support this type of configuration?


Re: Relay Exceptions

Tom Tucker

I think I got it.  The ordering is critical.  Thanks


smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/relay_domains  # This will allow clients missing PTR records the ability to relay locally
        reject_unknown_reverse_client_hostname   # Reject all other clients missing PTR records from sending externally
        reject_unknown_recipient_domain
        reject_non_fqdn_sender
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname
        reject_unlisted_recipient
        permit_mynetworks  # Permit all other mail traffic both internally and externally
        reject_unauth_destination


/etc/postfix/relay_domains
mydomain.com        OK




Re: Relay Exceptions

Noel Jones-2
In reply to this post by Tom Tucker
On 1/23/2013 10:21 AM, Tom Tucker wrote:

>
> Stan,
> Thanks for the response.  This does work, however these clients are
> also able to send to domains outside my environment.  Let me try to
> clarify my scenario.
>
> Client: With PTR record = Full relay (internal & external domains)
> Client: No PTR record   = Relay for internal domains only
>
> Is it possible to configure Postfix to support this type of configuration?
>
>


Apparently you want to use the existence of PTR in your local
networks to determine if the client can relay.

If the authorized clients with PTR also have a matching A record so
that postfix logs them eg. "host.example.com", you can use something
like:

# client_relay
example.com  OK


# main.cf
1 smtpd_recipient_restrictions =
2   check_client_access hash:/etc/postfix/client_relay
3   reject_unauth_destination
4   permit_mynetworks
    ... other UCE controls ...


Line 2 grants relay access to clients that have FCrDNS in your
domain "example.com"

Line 3 denies relay access to anyone else

Line 4 allows all clients in $mynetworks to send local mail prior to
your UCE restrictions.






Re: Relay Exceptions

Noel Jones-2
In reply to this post by Tom Tucker
On 1/23/2013 12:30 PM, Tom Tucker wrote:

>
> I think I got it.  The ordering is critical.  Thanks
>
>
> smtpd_recipient_restrictions =
>         check_recipient_access hash:/etc/postfix/relay_domains  #
> This will allow clients missing PTR records the ability to relay locally
>         reject_unknown_reverse_client_hostname   # Reject all other
> clients missing PTR records from sending externally
>         reject_unknown_recipient_domain
>         reject_non_fqdn_sender
>         reject_non_fqdn_helo_hostname
>         reject_invalid_helo_hostname
>         reject_unknown_helo_hostname
>         reject_unlisted_recipient
>         permit_mynetworks  # Permit all other mail traffic both
> internally and externally
>         reject_unauth_destination
>
>
> /etc/postfix/relay_domains
> mydomain.com <http://mydomain.com>        OK
> myotherdomain.com <http://myotherdomain.com> OK



The above disables all your UCE controls.






  -- Noel Jones

Re: Relay Exceptions

Tom Tucker
In reply to this post by Noel Jones-2


On Wed, Jan 23, 2013 at 1:31 PM, Noel Jones <[hidden email]> wrote:
> On 1/23/2013 10:21 AM, Tom Tucker wrote:
> >
> > Stan,
> > Thanks for the response.  This does work, however these clients are
> > also able to send to domains outside my environment.  Let me try to
> > clarify my scenario.
> >
> > Client: With PTR record = Full relay (internal & external domains)
> > Client: No PTR record   = Relay for internal domains only
> >
> > Is it possible to configure Postfix to support this type of configuration?
> >
> >
>
>
> Apparently you want to use the existence of PTR in your local
> networks to determine if the client can relay.
>
> If the authorized clients with PTR also have a matching A record so
> that postfix logs them eg. "host.example.com", you can use something
> like:

Not exactly, clients with a valid PTR should be allowed to relay regardless of the destination.  Clients without a PTR will be restricted to internal delivery only.   I guess I should have mentioned earlier.  These Postfix relays do NOT receive emails from the Internet.  The majority of the mail traffic they process is from the web environment  to our various external customers.


You mentioned that...."The above disables all your UCE controls."  You say this because of the order of the rules, right?

I'm still wrapping my head around this, but this config seems to be working.  Again, I welcome any comments you might have.

smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/relay_domains
        reject_unknown_reverse_client_hostname
        reject_unknown_recipient_domain
        reject_non_fqdn_sender
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname
        reject_unlisted_recipient
        check_relay_domains


Re: Relay Exceptions

Noel Jones-2
On 1/23/2013 1:19 PM, Tom Tucker wrote:
> You mentioned that...."The above disables all your UCE controls."
>  You say this because of the order of the rules, right?

Your first rule is equivalent to permit_auth_destination.

After that, the only mail left is either mail from unauthorized
clients that you will reject anyway, or mail from authorized clients
that you shouldn't reject.

>
> I'm still wrapping my head around this, but this config seems to be
> working.  Again, I welcome any comments you might have.

If your postfix host doesn't receive mail from the internet, then
UCE controls are irrelevant, and you don't have to worry about
spoofed rDNS since all the clients are in mynetworks.  So your
previous config is acceptable.

It's lots harder when we get details one at a time.




  -- Noel Jones

Re: Relay Exceptions

James Griffin
In reply to this post by Noel Jones-2
* Noel Jones <[hidden email]> [2013-01-23 12:37:28 -0600]:

> On 1/23/2013 12:30 PM, Tom Tucker wrote:
> >
> > I think I got it.  The ordering is critical.  Thanks
> >
> >
> > smtpd_recipient_restrictions =
> >         check_recipient_access hash:/etc/postfix/relay_domains  #
> > This will allow clients missing PTR records the ability to relay locally
> >         reject_unknown_reverse_client_hostname   # Reject all other
> > clients missing PTR records from sending externally
> >         reject_unknown_recipient_domain
> >         reject_non_fqdn_sender
> >         reject_non_fqdn_helo_hostname
> >         reject_invalid_helo_hostname
> >         reject_unknown_helo_hostname
> >         reject_unlisted_recipient
> >         permit_mynetworks  # Permit all other mail traffic both
> > internally and externally
> >         reject_unauth_destination
> >
> >
> > /etc/postfix/relay_domains
> > mydomain.com <http://mydomain.com>        OK
> > myotherdomain.com <http://myotherdomain.com> OK
>
>
>
> The above disables all your UCE controls.

Wouldn't it be better to put $reject_unauth_destination closer to
the top of the restriction class: i.e. after $check_recipient_access?
and then $permit_mynetworks after that?

Like so:

smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/relay_domains,
        reject_unauth_destination,
        permit_mynetworks,
        ...

Jamie

Re: Relay Exceptions

Noel Jones-2
On 1/25/2013 4:29 AM, Jamie Paul Griffin wrote:

> * Noel Jones <[hidden email]> [2013-01-23 12:37:28 -0600]:
>
>> On 1/23/2013 12:30 PM, Tom Tucker wrote:
>>>
>>> I think I got it.  The ordering is critical.  Thanks
>>>
>>>
>>> smtpd_recipient_restrictions =
>>>         check_recipient_access hash:/etc/postfix/relay_domains  #
>>> This will allow clients missing PTR records the ability to relay locally
>>>         reject_unknown_reverse_client_hostname   # Reject all other
>>> clients missing PTR records from sending externally
>>>         reject_unknown_recipient_domain
>>>         reject_non_fqdn_sender
>>>         reject_non_fqdn_helo_hostname
>>>         reject_invalid_helo_hostname
>>>         reject_unknown_helo_hostname
>>>         reject_unlisted_recipient
>>>         permit_mynetworks  # Permit all other mail traffic both
>>> internally and externally
>>>         reject_unauth_destination
>>>
>>>
>>> /etc/postfix/relay_domains
>>> mydomain.com <http://mydomain.com>        OK
>>> myotherdomain.com <http://myotherdomain.com> OK
>>
>>
>>
>> The above disables all your UCE controls.
>
> Wouldn't it be better to put $reject_unauth_destination closer to
> the top of the restriction class: i.e. after $check_recipient_access?
> and then $permit_mynetworks after that?
>
> Like so:
>
> smtpd_recipient_restrictions =
> check_recipient_access hash:/etc/postfix/relay_domains,
> reject_unauth_destination,
> permit_mynetworks,
> ...
>
> Jamie
>


Generally yes.

In this particular case -- a host not connected to the internet with
very unusual requirements -- no, it works as intended already and
that change would "break" it.

This particular case could be simplified to:
   permit_auth_destination
   reject_unknown_reverse_client_hostname
   permit_mynetworks
   reject

This is not a useful example for 99%+ of users, except maybe as an
exercise in the importance of restriction order to meet specific
requirements.



  -- Noel Jones
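As an added example (not code from the thread or from Postfix itself), here is a small Python model of the "first match wins" evaluation Stan describes, applied to Tom's working order, Noel's four-line simplification and Jamie's suggested reordering; the domain names and the client attributes are constructed assumptions, and the helo/sender checks are omitted because the modelled clients would not trip them. It shows that the first two orderings agree for every client/destination combination, while Jamie's order stops the PTR-bearing clients from relaying externally, which is what Noel means by "break".

```python
# Added example (not Postfix code): a toy "first match wins" evaluator for the
# smtpd_recipient_restrictions orderings in this thread. Each restriction is
# reduced to the single attribute the thread cares about; the helo/sender UCE
# checks are left out because none of the modelled clients would trip them.

# Constructed sample: the domains listed with "OK" in /etc/postfix/relay_domains,
# which are also assumed to be the Postfix authorized (relay/local) destinations.
INTERNAL_DOMAINS = {"mydomain.com", "myotherdomain.com"}

def domain(rcpt):
    return rcpt.rsplit("@", 1)[1].lower()

# Each restriction returns "OK", "REJECT", or None (DUNNO: try the next one).
# Arguments: client is in $mynetworks?, client IP has a PTR record?, recipient.
def permit_mynetworks(in_mynets, has_ptr, rcpt):
    return "OK" if in_mynets else None

def permit_auth_destination(in_mynets, has_ptr, rcpt):
    return "OK" if domain(rcpt) in INTERNAL_DOMAINS else None

def reject_unauth_destination(in_mynets, has_ptr, rcpt):
    return None if domain(rcpt) in INTERNAL_DOMAINS else "REJECT"

def reject_unknown_reverse_client_hostname(in_mynets, has_ptr, rcpt):
    return None if has_ptr else "REJECT"

def check_recipient_access_relay_domains(in_mynets, has_ptr, rcpt):
    # hash:/etc/postfix/relay_domains returning OK for each internal domain
    return "OK" if domain(rcpt) in INTERNAL_DOMAINS else None

def reject(in_mynets, has_ptr, rcpt):
    return "REJECT"

def evaluate(restrictions, in_mynets, has_ptr, rcpt):
    for restriction in restrictions:
        verdict = restriction(in_mynets, has_ptr, rcpt)
        if verdict is not None:
            return verdict          # first match wins
    return "OK"                     # Postfix permits when the list runs out

# The three orderings under discussion (UCE checks omitted, see above).
TOM = [check_recipient_access_relay_domains, reject_unknown_reverse_client_hostname,
       permit_mynetworks, reject_unauth_destination]
NOEL_SIMPLIFIED = [permit_auth_destination, reject_unknown_reverse_client_hostname,
                   permit_mynetworks, reject]
JAMIE = [check_recipient_access_relay_domains, reject_unauth_destination,
         permit_mynetworks]

def matrix(restrictions):
    """Verdict for every (in_mynetworks, has_ptr, destination) combination."""
    return {(m, p, d): evaluate(restrictions, m, p, "user@" + d)
            for m in (True, False) for p in (True, False)
            for d in ("mydomain.com", "customer.example")}
```

Call `matrix(TOM)`, `matrix(NOEL_SIMPLIFIED)` and `matrix(JAMIE)` and compare the entries for an in-network client with a PTR sending to customer.example.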