Restriction class not working


Restriction class not working

Márcio Merlone
Greetings,

I have a fairly simple setup for my mail server running Ubuntu 16.04. I
have to restrict some internal aliases like [hidden email] to only some
internal senders but not all, so mynetworks is not the way to go.

I got the example from
http://www.postfix.org/RESTRICTION_CLASS_README.html as follows, but it
is not working, could someone please help?

postconf -n (formatted the restrictions for clarity):
append_dot_mydomain = no
biff = no
compatibility_level = 2
delay_warning_time = 4h
dovecot_destination_recipient_limit = 1
header_checks = pcre:/etc/postfix/header_checks.regexp
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
message_size_limit = 31457280
mydestination =
myhostname = netuno.domain.tld
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 (...)
myorigin = /etc/mailname
proxy_interfaces = a.b.c.d
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/esmtp_access
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = regexp:/etc/postfix/sender_maps.regexp,
ldap:/etc/postfix/ldapowner.cf
smtpd_tls_cert_file = /etc/letsencrypt/live/imap.domain.tld/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/imap.domain.tld/privkey.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_high_cipherlist =
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:NULL-SHA256
tls_preempt_cipherlist = yes
virtual_alias_maps = hash:/etc/postfix/aliases,
ldap:/etc/postfix/ldapaliases.cf, regexp:/etc/postfix/aliases.regexp
virtual_gid_maps = static:3000
virtual_mailbox_base = /mnt/maildirs/
virtual_mailbox_domains = ldap:/etc/postfix/ldaptransport.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldaprcpt.cf
virtual_minimum_uid = 100
virtual_transport = dovecot
virtual_uid_maps = static:3000
smtpd_relay_restrictions =
     permit_sasl_authenticated,
     defer_unauth_destination
smtpd_sender_restrictions =
     reject_non_fqdn_sender
smtpd_recipient_restrictions =
     check_recipient_access hash:/etc/postfix/protected_destinations,
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_unauth_destination
smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access hash:/etc/postfix/insiders, reject


protected_destinations:
[hidden email] insiders_only

insiders:
[hidden email] OK

With this, a user like [hidden email] is able to send to
[hidden email], which is not the desired behavior.

Both protected_destinations and insiders were properly postmap'd and
postfix restarted. Yet, it does not work. If you have any other hint
about this config, please share it. :)

Thanks, best regards.

--
Marcio Merlone

Re: Restriction class not working

Viktor Dukhovni

> On May 19, 2017, at 1:52 PM, Marcio Merlone <[hidden email]> wrote:
>
> smtpd_relay_restrictions =
>    permit_sasl_authenticated,
>    defer_unauth_destination
> smtpd_sender_restrictions =
>    reject_non_fqdn_sender
> smtpd_recipient_restrictions =
>    check_recipient_access hash:/etc/postfix/protected_destinations,
>    permit_mynetworks,
>    permit_sasl_authenticated,
>    reject_unauth_destination
> smtpd_restriction_classes = insiders_only
> insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
>
>
> protected_destinations:
> [hidden email] insiders_only
>
> insiders:
> [hidden email] OK
>
> With this, a user like [hidden email] is able to send to [hidden email], which is not the desired behavior.

Logs?  Did the mail arrive via SMTP?  On what port?

Possible problems:

        * Mail is sent via sendmail(1) and not SMTP
        * Mail is sent via the submission port 587, where the restrictions
          are different
        * Mail is not sent via this Postfix instance
        ...

--
        Viktor.
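
The first thing Viktor asks for is the log and the ingress port. The following is an added example, not part of the thread: a small POSIX shell helper that answers that question from a Postfix mail log by looking at which daemon wrote the first line carrying a queue id. The log excerpt is constructed for the demo (placeholder hostnames, queue ids and addresses), and the `submission` classification assumes the master.cf submission stanza carries the stock `-o syslog_name=postfix/submission` override; without it both ports log as `postfix/smtpd` and this line alone cannot tell them apart.

```shell
# Added example (not from the thread). Constructed log excerpt: the three
# ingress paths from Viktor's list, one queue id each.
MAILLOG=$(cat <<'EOF'
May 19 15:01:02 mx postfix/submission/smtpd[1111]: connect from client.example.net[192.0.2.10]
May 19 15:01:03 mx postfix/submission/smtpd[1111]: AB12CD34EF: client=client.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=outsider
May 19 15:01:03 mx postfix/cleanup[1112]: AB12CD34EF: message-id=<1@client.example.net>
May 19 15:02:10 mx postfix/smtpd[1113]: 0F1E2D3C4B: client=mx.example.org[198.51.100.7]
May 19 15:03:45 mx postfix/pickup[1114]: 9A8B7C6D5E: uid=1000 from=<script@mx.example.com>
EOF
)

# ingress_path QUEUEID -> submission | smtp | sendmail | other | unknown
# The first log line that carries the queue id is written by the daemon that
# accepted the message, so its syslog name identifies the ingress path.
# Assumes "-o syslog_name=postfix/submission" on the submission service
# (stock master.cf); otherwise port 587 traffic also logs as postfix/smtpd.
ingress_path() {
    first=$(printf '%s\n' "$MAILLOG" | grep -F -- "]: $1: " | head -n 1) || true
    case "$first" in
        "")                              echo unknown ;;
        *"postfix/submission/smtpd["*)   echo submission ;;
        *"postfix/smtpd["*)              echo smtp ;;
        *"postfix/pickup["*)             echo sendmail ;;
        *)                               echo other ;;
    esac
}

# sasl_user QUEUEID -> the SASL login name logged for that message, or "-"
# when the accepting daemon logged none (port 25 MX traffic, sendmail(1)).
sasl_user() {
    printf '%s\n' "$MAILLOG" | grep -F -- "]: $1: " \
        | sed -n 's/.*sasl_username=\([^ ,]*\).*/\1/p' | head -n 1 | grep . || echo -
}

# Demo run over the constructed excerpt.
for qid in AB12CD34EF 0F1E2D3C4B 9A8B7C6D5E; do
    printf '%s  path=%s  sasl_user=%s\n' "$qid" "$(ingress_path "$qid")" "$(sasl_user "$qid")"
done
```

On a real system replace the constructed `MAILLOG` with `/var/log/mail.log` contents; a message that shows up as `submission` was never evaluated against the `smtpd_recipient_restrictions` from main.cf when master.cf overrides that parameter for the submission service, which is exactly the situation in this thread.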


Re: Restriction class not working

Márcio Merlone
On 19/05/2017 15:30, Viktor Dukhovni wrote:
> Mail is sent via the submission port 587, where the restrictions
>   are different

Thanks, this is it. So obvious.... I always forget this. Would be nice to have settings from main.cf working for both ports, 25 and 587, without messing with master.cf.

Best regards.

--
Marcio Merlone

Re: Restriction class not working

Viktor Dukhovni

> On May 19, 2017, at 3:20 PM, Marcio Merlone <[hidden email]> wrote:
>
>> Mail is sent via the submission port 587, where the restrictions
>>  are different
>>
>
> Thanks, this is it. So obvious.... I always forget this. Would be nice to have settings from main.cf working for both ports, 25 and 587, without messing with master.cf.

Not messing with master.cf is the suggested approach in the stock upstream Postfix
master.cf file, see:

   https://github.com/vdukhovni/postfix/blob/master/postfix/conf/master.cf#L17p

All the actual overrides then end up in main.cf:


        mua_client_restrictions = ...
        mua_helo_restrictions = ...
        mua_sender_restrictions = ...
        ...

--
        Viktor.
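
The arrangement Viktor describes, as an added example that is neither his nor the Postfix project's own file: the submission stanza in master.cf follows the stock pattern and only refers to `mua_*` parameters, while the actual restriction lists live in main.cf. The stock stanza leaves `smtpd_recipient_restrictions` empty on the submission service, which is why the `check_recipient_access` lookup from port 25 never ran for the original poster's authenticated users; here it is pointed at `mua_recipient_restrictions`, a parameter name chosen for this example, which repeats the protected-destinations lookup. The `reject_sender_login_mismatch` entry is also my addition: the restriction class keys on the envelope sender, so on the authenticated port it is only as strong as the binding between SASL login and sender address, which the `smtpd_sender_login_maps` already present in the postconf output provides.

```text
# master.cf (submission service; modelled on the stock upstream stanza,
# values kept as $mua_* references so master.cf never needs editing again)
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

# main.cf
smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access hash:/etc/postfix/insiders, reject

# Port 25: inbound MX traffic (as in the original post)
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/protected_destinations,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Port 587: authenticated MUAs; referenced from master.cf via $mua_*
mua_client_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit_sasl_authenticated, reject
mua_sender_restrictions =
    reject_non_fqdn_sender,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject
mua_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/protected_destinations,
    permit_sasl_authenticated,
    reject
```

Keeping the lists in main.cf also sidesteps the rule that `-o` values in master.cf must not contain whitespace. To confirm what a given service will actually evaluate after a reload, `postconf -P submission/inet/smtpd_recipient_restrictions` prints that service's override and `postconf -M submission/inet` prints the whole stanza (both available in the Postfix 3.1 that ships with Ubuntu 16.04).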