Relaying for internal servers

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Relaying for internal servers

Martin Terp Jensen
Hi guys.

I have some postfix servers running as a relay/gateway for internal mails, when they want to go to the world wide web.

These internal servers i trust, but sometimes mails from CRON gets send to me, i know, the best solution would be to disable cron mails but that is more for the long term solution.

So, for now i want to simply discard mails going through.

My header_checks:
/To: [^@]*@.*\.internal\.domain\.com/ DISCARD

And this seems to work fine if i run the postmap -q command:
postmap -q "To: [hidden email]" pcre:header_checks
DISCARD

But, sometimes i get this kind of email:

original_recipient: [hidden email]
recipient: [hidden email]
From: "User" <[hidden email]>
Date: Fri, 26 Jun 2020 16:54:01 +0200
To: root

So i guess(?) that my header_check would test against "To: root" in this case.
What would be the best way for me to discard these mails? 
Note, i cant do it on sender because that would block everything.

Thanks in advance

Reply | Threaded
Open this post in threaded view
|

Re: Relaying for internal servers

@lbutlr
On 26 Jun 2020, at 09:13, Martin Terp Jensen <[hidden email]> wrote:
> These internal servers i trust, but sometimes mails from CRON gets send to me, i know, the best solution would be to disable cron mails

Uh… since cron send mails when action result in errors this seems like a bad idea.

> So, for now i want to simply discard mails going through.
>
> My header_checks:
> /To: [^@]*@.*\.internal\.domain\.com/ DISCARD
>
> And this seems to work fine if i run the postmap -q command:
> postmap -q "To: [hidden email]" pcre:header_checks
> DISCARD
>
> But, sometimes i get this kind of email:
>
> original_recipient: [hidden email]
> recipient: [hidden email]
> From: "User" <[hidden email]>
> Date: Fri, 26 Jun 2020 16:54:01 +0200
> To: root
>
> So i guess(?) that my header_check would test against "To: root" in this case.
> What would be the best way for me to discard these mails?

root mail should be aliased to a real user that checks mail.

Discarding all mail to root and all cron errors seems like a bad idea to me.

I suppose you can try matching for To: root but it might be better to filter the mail after delivery.

For example, my root user is aliased to [hidden email] and that gets delivered into a 'root' mailbox on my admin IMAP store. I look in this periodically for issues, and mostly just delete the mail once a month or so.



--
Is a vegetarian permitted to eat animal crackers?

Reply | Threaded
Open this post in threaded view
|

Re: Relaying for internal servers

Noel Jones-2
In reply to this post by Martin Terp Jensen
On 6/26/2020 10:13 AM, Martin Terp Jensen wrote:

> Hi guys.
>
> I have some postfix servers running as a relay/gateway for internal
> mails, when they want to go to the world wide web.
>
> These internal servers i trust, but sometimes mails from CRON gets
> send to me, i know, the best solution would be to disable cron mails
> but that is more for the long term solution.
>
> So, for now i want to simply discard mails going through.
>
> My header_checks:
> /To: [^@]*@.*\.internal\.domain\.com/ DISCARD
>
> And this seems to work fine if i run the postmap -q command:
> postmap -q "To: [hidden email]
> <mailto:[hidden email]>" pcre:header_checks
> DISCARD
>
> But, sometimes i get this kind of email:
>
> original_recipient: [hidden email]
> <mailto:[hidden email]>
> recipient: [hidden email]
> <mailto:[hidden email]>
> From: "User" <[hidden email]
> <mailto:[hidden email]>>
> Date: Fri, 26 Jun 2020 16:54:01 +0200
> To: root
>
> So i guess(?) that my header_check would test against "To: root" in
> this case.
> What would be the best way for me to discard these mails?
> Note, i cant do it on sender because that would block everything.
>
> Thanks in advance
>

I agree that discarding cron mail is a bad idea. Better to dump it
in a mailbox you clear out occasionally or set your mail store to
delete anything in that mailbox more than X days old.

Anyway, header_checks is the wrong tool for this. Use a
check_recipient_access table matching on exactly what postfix shows
in the log for the messages you want to delete.

#main.cf
smtpd_recipient_restrictions =

   check_recipient_access pcre:/etc/postfix/discard_cron.pcre

#discard_cron.pcre
/@.*\.internal\.example\.com$/ REJECT


You could easily use REDIRECT instead of DISCARD to send these to
some local mailbox

You can use WARN_IF_REJECT instead of REJECT or DISCARD for testing
on the live system to see in the log what your rules would catch.



   -- Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: Relaying for internal servers

Martin Terp Jensen
I think you're right, i will redirect using smtpd_recipient_restrictions, thanks guys :) 

On Fri, Jun 26, 2020 at 7:41 PM Noel Jones <[hidden email]> wrote:
On 6/26/2020 10:13 AM, Martin Terp Jensen wrote:
> Hi guys.
>
> I have some postfix servers running as a relay/gateway for internal
> mails, when they want to go to the world wide web.
>
> These internal servers i trust, but sometimes mails from CRON gets
> send to me, i know, the best solution would be to disable cron mails
> but that is more for the long term solution.
>
> So, for now i want to simply discard mails going through.
>
> My header_checks:
> /To: [^@]*@.*\.internal\.domain\.com/ DISCARD
>
> And this seems to work fine if i run the postmap -q command:
> postmap -q "To: [hidden email]
> <mailto:[hidden email]>" pcre:header_checks
> DISCARD
>
> But, sometimes i get this kind of email:
>
> original_recipient: [hidden email]
> <mailto:[hidden email]>
> recipient: [hidden email]
> <mailto:[hidden email]>
> From: "User" <[hidden email]
> <mailto:[hidden email]>>
> Date: Fri, 26 Jun 2020 16:54:01 +0200
> To: root
>
> So i guess(?) that my header_check would test against "To: root" in
> this case.
> What would be the best way for me to discard these mails?
> Note, i cant do it on sender because that would block everything.
>
> Thanks in advance
>

I agree that discarding cron mail is a bad idea. Better to dump it
in a mailbox you clear out occasionally or set your mail store to
delete anything in that mailbox more than X days old.

Anyway, header_checks is the wrong tool for this. Use a
check_recipient_access table matching on exactly what postfix shows
in the log for the messages you want to delete.

#main.cf
smtpd_recipient_restrictions =

   check_recipient_access pcre:/etc/postfix/discard_cron.pcre

#discard_cron.pcre
/@.*\.internal\.example\.com$/ REJECT


You could easily use REDIRECT instead of DISCARD to send these to
some local mailbox

You can use WARN_IF_REJECT instead of REJECT or DISCARD for testing
on the live system to see in the log what your rules would catch.



   -- Noel Jones