Restrict outgoing/submission to defined local or virtual users

Restrict outgoing/submission to defined local or virtual users

techlist06-2
Postfix 3.2.2, Centos7.  All functioning as configured.  I have a few local accounts, several virtual addresses delivered to those accounts, and some domains relayed, the latter do not submit mail through this box.

All local accounts send via TLS authentication on 587.  Currently I don't think I have any restrictions on what an outbound address can be.  I do have some aliases so I do not want to restrict to logon names only.  

Is it possible to restrict outgoing mail to be from one of my "valid" local or virtual aliases?  And I want to restrict outbound from one address in particular.

I looked here:
http://www.postfix.org/RESTRICTION_CLASS_README.html
but if the answer is there I'd be grateful for some more help, I didn't get it.  On or off-list.

Right now my submission section of master.cf is below.  I tried adding something here as -o smtpd_sender_restrictions but didn't get that right.

submission   inet    n       -       n       -       -       smtpd
## subsequent indented lines override main.cf settings.
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o syslog_name=postfix-submission
  -o milter_macro_daemon_name=ORIGINATING

Happy to provide all the configs if needed.




Re: Restrict outgoing/submission to defined local or virtual users

Noel Jones-2
On 9/5/2017 2:48 PM, techlist06 wrote:

> Postfix 3.2.2, Centos7.  All functioning as configured.  I have a few local accounts, several virtual addresses delivered to those accounts, and some domains relayed, the latter do not submit mail through this box.
>
> All local accounts send via TLS authentication on 587.  Currently I don't think I have any restrictions on what an outbound address can be.  I do have some aliases so I do not want to restrict to logon names only.  
>
> Is it possible to restrict outgoing mail to be from one of my "valid" local or virtual aliases?  And I want to restrict outbound from one address in particular.
>
> I looked here:
> http://www.postfix.org/RESTRICTION_CLASS_README.html
> but if the answer is there I'd be grateful for some more help, I didn't get it.  On or off-list.
>
> Right now my submission section of master.cf is below.  I tried adding something here as -o smtpd_sender_restrictions but didn't get that right.
>
> submission   inet    n       -       n       -       -       smtpd
> ## subsequent indented lines override main.cf settings.
>   -o content_filter=
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_sasl_security_options=noanonymous
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o syslog_name=postfix-submission
>   -o milter_macro_daemon_name=ORIGINATING
>
> Happy to provide all the configs if needed.
>
>
>


The easiest way would be to add
  -o smtpd_sender_restrictions=reject_unlisted_sender


http://www.postfix.org/postconf.5.html#reject_unlisted_sender




  -- Noel Jones

Re: Restrict outgoing/submission to defined local or virtual users

techlist06
Just what I was hoping for, the easy button.  Thank you.

What about the one (valid) sender I want to prevent?  I've got an IMAP
account set up for spam reporting, I want to be sure no one who has access to
it sends anything from that account.






--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Restrict outgoing/submission to defined local or virtual users

Noel Jones-2
On 9/5/2017 3:39 PM, techlist06 wrote:

> Just what I was hoping for, the easy button.  Thank you.
>
> What about the one (valid) sender I want to prevent?  I've got an IMAP
> account set up for spam reporting, I want to be sure no one who has access to
> it sends anything from that account.
>
>
>
>
>
>
> --
> Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
>



Use a check_sender_access map to reject that one sender.  You can't
use spaces in master.cf, so do something like:

main.cf:
submission_sender_restrictions = reject_unlisted_sender,
   check_sender_access inline:{ [hidden email]=REJECT }

master.cf:
...
submission ...
  -o smtpd_sender_restrictions=$submission_sender_restrictions

My example uses the inline: map type, which is great for simple
tables with few elements, but any postfix map type may be used.
http://www.postfix.org/DATABASE_README.html#types



  -- Noel Jones

Re: Restrict outgoing/submission to defined local or virtual users

techlist06
First time I've tried the inline map type.  And, I think the spaces may have
been what was hosing my earlier attempts.  Appreciate the pointer very much.
Will give this a go.







Re: Restrict outgoing/submission to defined local or virtual users

Matus UHLAR - fantomas
In reply to this post by Noel Jones-2
>On 9/5/2017 2:48 PM, techlist06 wrote:
>> Is it possible to restrict outgoing mail to be from one of my "valid"
>> local or virtual aliases?  And I want to restrict outbound from one
>> address in particular.

On 05.09.17 15:25, Noel Jones wrote:
>The easiest way would be to add
>  -o smtpd_sender_restrictions=reject_unlisted_sender
>
>http://www.postfix.org/postconf.5.html#reject_unlisted_sender

Why just outgoing? Are you willing to accept spam with fake from in your
domain?  Simply add reject_unlisted_sender to smtpd_sender_restrictions at
postfix level.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.

RE: Restrict outgoing/submission to defined local or virtual users

techlist06
Matus:

>why just outgoing? Are you willing to accept spam with fake from in your
>domain?  

I am not willing.  Inbound is already restricted and functioning properly.  

That said, I migrated my configs from an older version of PF so now you made me worry about *how* it is restricted.

I have set at postfix level for local, virtual and relay users:
    local_recipient_maps = hash:/etc/postfix/local_recipient
    virtual_alias_maps = hash:/etc/postfix/virtual_users
    relay_recipient_maps = hash:/etc/postfix/relay_recipients

If the email isn't in one of those, it is rejected.

I *thought* it was those settings that are causing/accomplishing the inbound invalid address restricting.  No?  Fuzzy on this detail.

I will deploy reject_unlisted_sender for outbound checking.  I gather it will also consult local, virtual, and relay maps for what is "listed"?


Thanks.







Re: Restrict outgoing/submission to defined local or virtual users

Matus UHLAR - fantomas
>Matus:
>
>>why just outgoing? Are you willing to accept spam with fake from in your
>>domain?

On 07.09.17 15:13, Scott Techlist wrote:

>I am not willing.  Inbound is already restricted and functioning properly.
>
>That said, I migrated my configs from an older version of PF so now you made me worry about *how* it is restricted.
>
>I have set at postfix level for local, virtual and relay users:
>    local_recipient_maps = hash:/etc/postfix/local_recipient
>    virtual_alias_maps = hash:/etc/postfix/virtual_users
>    relay_recipient_maps = hash:/etc/postfix/relay_recipients
>
>If the email isn't in one of those, it is rejected.
>
>I *thought* it was those settings that are causing/accomplishing the inbound invalid address restricting.  No?  Fuzzy on this detail.
>
>I will deploy reject_unlisted_sender for outbound checking.  I gather it will also consult local, virtual, and relay maps for what is "listed"?

I believe you must configure reject_unlisted_sender everywhere in order to
check sender address if it exists.  That's why I recommended you to do it
(and put it before all permit_* options).

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.
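
Added example, not part of any post in this thread and not Postfix code: a simplified Python model of how one smtpd restriction list is evaluated, showing the reject_unlisted_sender plus check_sender_access combination from the thread and why a permit_* entry placed ahead of them defeats both. The domain, the addresses, and the names MY_DOMAINS, LISTED, DENIED, REJECT_FIRST and PERMIT_FIRST are constructed for illustration.

```python
# Simplified model of one smtpd restriction list: entries run left to right and
# the first one that returns a decision ends the list. Not Postfix code.
MY_DOMAINS = {"example.com"}                       # constructed sample data
LISTED = {"alice@example.com", "sales@example.com", "spamreport@example.com"}
DENIED = {"spamreport@example.com": "REJECT"}      # stands in for the inline: map


def reject_unlisted_sender(sender, sasl_ok):
    # Only addresses in domains this server handles are checked against its
    # recipient tables; senders in other domains are not rejected by this test.
    domain = sender.rpartition("@")[2].lower()
    if domain in MY_DOMAINS and sender.lower() not in LISTED:
        return "REJECT"
    return None                                    # DUNNO: keep evaluating


def check_sender_access(sender, sasl_ok):
    return DENIED.get(sender.lower())


def permit_sasl_authenticated(sender, sasl_ok):
    return "PERMIT" if sasl_ok else None


CHECKS = {f.__name__: f for f in
          (reject_unlisted_sender, check_sender_access, permit_sasl_authenticated)}

# Order from the thread: sender checks first, nothing permits ahead of them.
REJECT_FIRST = ["reject_unlisted_sender", "check_sender_access"]
# Hypothetical misordering: a permit_* entry ahead of the sender checks.
PERMIT_FIRST = ["permit_sasl_authenticated"] + REJECT_FIRST


def evaluate(restrictions, sender, sasl_ok=True):
    """Return (decision, deciding_restriction) for one MAIL FROM address."""
    for name in restrictions:
        decision = CHECKS[name](sender, sasl_ok)
        if decision is not None:
            return decision, name
    return "DUNNO", None                           # list ended without a decision


if __name__ == "__main__":
    for sender in ("alice@example.com", "ceo@example.com",
                   "spamreport@example.com", "someone@other.test"):
        print(sender, evaluate(REJECT_FIRST, sender), evaluate(PERMIT_FIRST, sender))
```

With PERMIT_FIRST an authenticated client is permitted before either sender check runs, which is the reason for placing reject_unlisted_sender ahead of the permit_* entries.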