Restriction classes with null sender

Restriction classes with null sender

Brian Evans - Postfix List
I want a single account to only accept NDRs. Other email should be rejected.

Would the following work correctly?

smtpd_recipient_restrictions:
...
check_recipient_access hash:/etc/postfix/receieve_only
...

/etc/postfix/receieve_only:
[hidden email]   check_sender_access hash:/etc/postfix/ndr_senders


/etc/postfix/ndr_senders:

<> OK
* REJECT This mailbox is not available.



Brian


Re: Restriction classes with null sender

Noel Jones-2
Brian Evans - Postfix List wrote:

> I want a single account to only accept NDRs. Other email should be
> rejected.
>
> Would the following work correctly?
>
> smtpd_recipient_restrictions:
> ...
> check_recipient_access hash:/etc/postfix/receieve_only
> ...
>
> /etc/postfix/receieve_only:
> [hidden email]   check_sender_access hash:/etc/postfix/ndr_senders
>
>
> /etc/postfix/ndr_senders:
>
> <> OK
> * REJECT This mailbox is not available.
>

Your logic is correct, but hash: maps don't support a wildcard
entry.  Use a regexp: or pcre: map type instead.

/^<>$/  OK
/^/  REJECT mailbox not available

--
Noel Jones

Re: Restriction classes with null sender

Brian Evans - Postfix List
Noel Jones wrote:

> Brian Evans - Postfix List wrote:
>> I want a single account to only accept NDRs. Other email should be
>> rejected.
>>
>> Would the following work correctly?
>>
>> smtpd_recipient_restrictions:
>> ...
>> check_recipient_access hash:/etc/postfix/receieve_only
>> ...
>>
>> /etc/postfix/receieve_only:
>> [hidden email]   check_sender_access
>> hash:/etc/postfix/ndr_senders
>>
>>
>> /etc/postfix/ndr_senders:
>>
>> <> OK
>> * REJECT This mailbox is not available.
>>
>
> Your logic is correct, but hash: maps don't support a wildcard entry.
> Use a regexp: or pcre: map type instead.
> /^<>$/  OK
> /^/  REJECT mailbox not available
>
I've tried to implement this and it does not seem to work properly. Any
advice?

mail_version = 2.4.6

postconf -n:
alias_maps = hash:/etc/postfix/aliases,
hash:/var/lib/mailman/data/aliases,
proxy:mysql:/etc/postfix/mysql-virtual-aliases.cf
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1
config_directory = /etc/postfix
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = .maildir/
inet_interfaces = localhost, example.com
message_size_limit = 20480000
mydestination = $myhostname, localhost.$mydomain, $mydomain
myhostname = mx1.example.com
mynetworks = !192.168.123.4, 192.168.123.0/24, 127.0.0.0/8
myorigin = $mydomain
parent_domain_matches_subdomains =
proxy_interfaces = 69.48.33.25
smtpd_authorized_xclient_hosts = localhost
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
smtpd_milters = unix:/var/amavis/amavisd-milter.sock
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination, check_recipient_access
hash:/etc/postfix/receieve_only, check_recipient_access
hash:/etc/postfix/reject_old_redirect, reject_unlisted_recipient,
reject_non_fqdn_recipient, check_client_access
cidr:/etc/postfix/postfix-dnswl-permit, reject_unknown_client_hostname,
check_policy_service inet:127.0.0.1:12525, check_recipient_access
pcre:/etc/postfix/sender_access.pcre
smtpd_restriction_classes = ndr_only
smtpd_sender_restrictions = permit_mynetworks, check_sender_access
pcre:/etc/postfix/sender_access.pcre, check_sender_access
hash:/etc/postfix/blacklisted_senders
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
swap_bangpath = no
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf


ndr_only = check_recipient_access hash:/etc/postfix/ndr_senders,reject

$ cat /etc/postfix/ndr_senders
<>      OK

$ cat /etc/postfix/receieve_only
[hidden email]   ndr_only

Log:
Aug 20 12:36:41 mx1 postfix/smtpd[7408]: NOQUEUE: reject: RCPT from
raven.securenet-server.net[207.45.186.82]: 554 5.7.1
<[hidden email]>: Recipient address rejected: Access denied;
from=<> to=<[hidden email]> proto=SMTP
helo=<raven.securenet-server.net>


Re: Restriction classes with null sender

Noel Jones-2
Brian Evans - Postfix List wrote:

> Noel Jones wrote:
>> Brian Evans - Postfix List wrote:
>>> I want a single account to only accept NDRs. Other email should be
>>> rejected.
>>>
>>> Would the following work correctly?
>>>
>>> smtpd_recipient_restrictions:
>>> ...
>>> check_recipient_access hash:/etc/postfix/receieve_only
>>> ...
>>>
>>> /etc/postfix/receieve_only:
>>> [hidden email]   check_sender_access
>>> hash:/etc/postfix/ndr_senders
>>>
>>>
>>> /etc/postfix/ndr_senders:
>>>
>>> <> OK
>>> * REJECT This mailbox is not available.
>>>
>> Your logic is correct, but hash: maps don't support a wildcard entry.
>> Use a regexp: or pcre: map type instead.
>> /^<>$/  OK
>> /^/  REJECT mailbox not available
>>
> I've tried to implement this and it does not seem to work properly. Any
> advice?
>
> mail_version = 2.4.6
>
> postconf -n:
> alias_maps = hash:/etc/postfix/aliases,
> hash:/var/lib/mailman/data/aliases,
> proxy:mysql:/etc/postfix/mysql-virtual-aliases.cf
> append_dot_mydomain = no
> biff = no
> body_checks = regexp:/etc/postfix/body_checks
> bounce_size_limit = 1
> config_directory = /etc/postfix
> disable_vrfy_command = yes
> header_checks = pcre:/etc/postfix/header_checks
> home_mailbox = .maildir/
> inet_interfaces = localhost, example.com
> message_size_limit = 20480000
> mydestination = $myhostname, localhost.$mydomain, $mydomain
> myhostname = mx1.example.com
> mynetworks = !192.168.123.4, 192.168.123.0/24, 127.0.0.0/8
> myorigin = $mydomain
> parent_domain_matches_subdomains =
> proxy_interfaces = 69.48.33.25
> smtpd_authorized_xclient_hosts = localhost
> smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
> smtpd_milters = unix:/var/amavis/amavisd-milter.sock
> smtpd_recipient_restrictions = permit_mynetworks,
> reject_unauth_destination, check_recipient_access
> hash:/etc/postfix/receieve_only, check_recipient_access
> hash:/etc/postfix/reject_old_redirect, reject_unlisted_recipient,
> reject_non_fqdn_recipient, check_client_access
> cidr:/etc/postfix/postfix-dnswl-permit, reject_unknown_client_hostname,
> check_policy_service inet:127.0.0.1:12525, check_recipient_access
> pcre:/etc/postfix/sender_access.pcre
> smtpd_restriction_classes = ndr_only
> smtpd_sender_restrictions = permit_mynetworks, check_sender_access
> pcre:/etc/postfix/sender_access.pcre, check_sender_access
> hash:/etc/postfix/blacklisted_senders
> smtpd_tls_CAfile = /etc/postfix/cacert.pem
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/postfix/newcert.pem
> smtpd_tls_key_file = /etc/postfix/newkey.pem
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_timeout = 3600s
> swap_bangpath = no
> transport_maps = hash:/etc/postfix/transport
> virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf
>
>
> ndr_only = check_recipient_access hash:/etc/postfix/ndr_senders,reject

That needs to be check_sender_access

--
Noel Jones



>
> $ cat /etc/postfix/ndr_senders
> <>      OK
>
> $ cat /etc/postfix/receieve_only
> [hidden email]   ndr_only
>
> Log:
> Aug 20 12:36:41 mx1 postfix/smtpd[7408]: NOQUEUE: reject: RCPT from
> raven.securenet-server.net[207.45.186.82]: 554 5.7.1
> <[hidden email]>: Recipient address rejected: Access denied;
> from=<> to=<[hidden email]> proto=SMTP
> helo=<raven.securenet-server.net>
>


Re: Restriction classes with null sender

mouss-2
In reply to this post by Brian Evans - Postfix List
Brian Evans - Postfix List wrote:
> [snip]
>
> ndr_only = check_recipient_access hash:/etc/postfix/ndr_senders,reject
>

If you want to check the recipient, rename your map.
If you want to check the sender, rename your check.

> $ cat /etc/postfix/ndr_senders
> <>      OK

This will never match a recipient.

>
> $ cat /etc/postfix/receieve_only
> [hidden email]   ndr_only
>
> Log:
> Aug 20 12:36:41 mx1 postfix/smtpd[7408]: NOQUEUE: reject: RCPT from
> raven.securenet-server.net[207.45.186.82]: 554 5.7.1
> <[hidden email]>: Recipient address rejected: Access denied;
> from=<> to=<[hidden email]> proto=SMTP
> helo=<raven.securenet-server.net>

[hidden email] is not listed in ndr_senders, so it doesn't get an OK.


Re: Restriction classes with null sender

Brian Evans - Postfix List
mouss wrote:

> Brian Evans - Postfix List wrote:
>> [snip]
>>
>> ndr_only = check_recipient_access hash:/etc/postfix/ndr_senders,reject
>>
>
> If you want to check the recipient, rename your map.
> If you want to check the sender, rename your check.
>
>> $ cat /etc/postfix/ndr_senders
>> <>      OK
>
> This will never match a recipient.
>
>>
>> $ cat /etc/postfix/receieve_only
>> [hidden email]   ndr_only
>>
>> Log:
>> Aug 20 12:36:41 mx1 postfix/smtpd[7408]: NOQUEUE: reject: RCPT from
>> raven.securenet-server.net[207.45.186.82]: 554 5.7.1
>> <[hidden email]>: Recipient address rejected: Access denied;
>> from=<> to=<[hidden email]> proto=SMTP
>> helo=<raven.securenet-server.net>
>
> [hidden email] is not listed in ndr_senders, so it doesn't get
> an OK.
>

Thanks Noel and mouss.
Answers are always staring me in the face and it takes someone else to
make sense of it.


Brian
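
Added example, not part of the original thread and not Postfix code: a simplified Python model of how the ndr_only restriction class is evaluated, showing why check_recipient_access against a table keyed on <> rejects the bounce seen in the log, and what check_sender_access changes. The recipient address ndr-box@example.com and the function names are assumptions made for illustration; real Postfix lookups also try domain and localpart@ keys, which are left out here.

```python
# Simplified model of smtpd access-map evaluation (illustration only).
NULL_KEY = "<>"  # Postfix default value of smtpd_null_access_lookup_key

# Constructed tables mirroring the thread; the recipient is a placeholder.
RECEIVE_ONLY = {"ndr-box@example.com": "ndr_only"}
NDR_SENDERS = {"<>": "OK"}


def lookup(table, address):
    """Access-map lookup; the empty (null) address is searched as NULL_KEY."""
    return table.get(address.lower() if address else NULL_KEY)


def evaluate(restrictions, classes, sender, rcpt):
    """Walk a restriction list; the first decisive result wins, else DUNNO."""
    for kind, table in restrictions:
        if kind == "reject":
            return "REJECT"
        # The check name, not the map name, decides which address is looked up.
        address = sender if kind == "check_sender_access" else rcpt
        action = lookup(table, address)
        if action in classes:  # map result names a restriction class
            action = evaluate(classes[action], classes, sender, rcpt)
        if action in ("OK", "REJECT"):
            return action
    return "DUNNO"


def decide(class_check, sender, rcpt):
    """Evaluate one RCPT TO with ndr_only built on the given check type."""
    classes = {"ndr_only": [(class_check, NDR_SENDERS), ("reject", None)]}
    main = [("check_recipient_access", RECEIVE_ONLY)]
    return evaluate(main, classes, sender, rcpt)


if __name__ == "__main__":
    box = "ndr-box@example.com"
    # As posted: the recipient is looked up in ndr_senders, never matches <>,
    # so even a bounce (null sender) falls through to the trailing reject.
    print("posted, bounce :", decide("check_recipient_access", "", box))
    # As corrected in the thread: the sender is looked up instead.
    print("fixed, bounce  :", decide("check_sender_access", "", box))
    print("fixed, normal  :", decide("check_sender_access", "user@example.net", box))
    print("other recipient:", decide("check_sender_access", "user@example.net",
                                     "other@example.com"))
```
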