SMTP access restriction lists


rog7993
Hello,

I intend to protect some internal email distribution lists in a way
that is described here:

   http://www.postfix.org/RESTRICTION_CLASS_README.html

I would need to add "check_recipient_access ..." to the parameter
"smtpd_recipient_restrictions". The actual value of this parameter in
main.cf is:

smtpd_recipient_restrictions =
     permit_mynetworks
     reject_unauth_destination

"smtpd_relay_restrictions" is not explicitly defined in main.cf. But it
seems that it has this default value (output from postconf):

smtpd_relay_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     defer_unauth_destination

It seems to me that this configuration is somewhat redundant. I assume
this would be a better configuration:

smtpd_relay_restrictions =
     permit_mynetworks
     reject_unauth_destination

smtpd_recipient_restrictions =
     check_recipient_access hash:/etc/postfix/access

Am I right?

Regards,
Ingo

Re: SMTP access restriction lists

Noel Jones-2
On 7/12/2018 12:29 PM, [hidden email] wrote:

> Hello,
>
> I intend to protect some internal email distribution lists in a way
> that is described here:
>
>   http://www.postfix.org/RESTRICTION_CLASS_README.html
>
> I would need to add "check_recipient_access ..." to the parameter
> "smtpd_recipient_restrictions". The actual value of this parameter
> in main.cf is:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     reject_unauth_destination
>
> "smtpd_relay_restrictions" is not explicitly defined in main.cf. But
> it seems that it has this default value (output from postconf):
>
> smtpd_relay_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     defer_unauth_destination
>
> It seems to me that this configuration is somewhat redundant. I
> assume this would be a better configuration:
>
> smtpd_relay_restrictions =
>     permit_mynetworks
>     reject_unauth_destination
>
> smtpd_recipient_restrictions =
>     check_recipient_access hash:/etc/postfix/access
>
> Am I right?
>
> Regards,
> Ingo


Yes, your simplified settings are fine.

The reason for the seemingly redundant default settings: before the
invention of smtpd_relay_restrictions all relay restrictions were
expected to be in smtpd_recipient_restrictions.  Some people with
complicated recipient spam access controls were inadvertently
creating open relays, so the developers added
smtpd_relay_restrictions as a place dedicated to *only* relay
checks, with a safe default.

http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions




  -- Noel Jones

Re: SMTP access restriction lists

rog7993
On 12.07.2018 at 21:19, Noel Jones wrote:
> Yes, your simplified settings are fine.

Thank you.

One last question. In the following configuration the file
/etc/postfix/access contains the email addresses which should not be
accessible from outside:

smtpd_relay_restrictions =
     permit_mynetworks
     reject_unauth_destination

smtpd_recipient_restrictions =
     check_recipient_access hash:/etc/postfix/access

/etc/postfix/access:
     [hidden email]   permit_mynetworks,reject
     [hidden email] permit_mynetworks,reject

What is the default action (permit or reject) for local email addresses
which are not listed in this file? I assume permit. Is this correct?

Ingo

Re: SMTP access restriction lists

Noel Jones-2
On 7/12/2018 4:18 PM, [hidden email] wrote:

> One last question. In the following configuration the file
> /etc/postfix/access contains the email addresses which should not be
> accessible from outside:
>
> smtpd_relay_restrictions =
>     permit_mynetworks
>     reject_unauth_destination
>
> smtpd_recipient_restrictions =
>     check_recipient_access hash:/etc/postfix/access
>
> /etc/postfix/access:
>     [hidden email]   permit_mynetworks,reject
>     [hidden email] permit_mynetworks,reject
>
> What is the default action (permit or reject) for local email
> addresses which are not listed in this file? I assume permit. Is
> this correct?
>
> Ingo


Yes, local recipients are by default accepted.
http://www.postfix.org/ADDRESS_CLASS_README.html



  -- Noel Jones
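
A simplified Python model of how the configuration discussed in this thread is evaluated at RCPT TO, added here as an illustration (it is not Postfix code and not from either poster). The network range, domain and list address are constructed sample values; only exact-address table lookups are modeled, and relay_domains and Postfix's later recipient validation are left out.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"example.com"}
ACCESS = {  # stands in for hash:/etc/postfix/access
    "all-staff@example.com": ["permit_mynetworks", "reject"],
}

def run_list(restrictions, client_ip, rcpt):
    """Evaluate one restriction list; the first PERMIT or REJECT ends it."""
    for name in restrictions:
        if name == "permit_mynetworks":
            ip = ipaddress.ip_address(client_ip)
            if any(ip in net for net in MYNETWORKS):
                return "PERMIT"
        elif name == "reject_unauth_destination":
            # Simplification: only mydestination counts as an authorized destination.
            if rcpt.rsplit("@", 1)[1].lower() not in MYDESTINATION:
                return "REJECT"
        elif name == "check_recipient_access":
            rhs = ACCESS.get(rcpt.lower())
            if rhs:  # table hit: the right-hand side is itself a restriction list
                result = run_list(rhs, client_ip, rcpt)
                if result != "DUNNO":
                    return result
        elif name == "reject":
            return "REJECT"
    return "DUNNO"  # nothing matched; the caller treats this as "no objection"

def rcpt_decision(client_ip, rcpt):
    """RCPT TO outcome: relay list first, then recipient list."""
    for restrictions in (
        ["permit_mynetworks", "reject_unauth_destination"],  # smtpd_relay_restrictions
        ["check_recipient_access"],                          # smtpd_recipient_restrictions
    ):
        # PERMIT only ends the current list; REJECT refuses the recipient outright.
        if run_list(restrictions, client_ip, rcpt) == "REJECT":
            return "REJECT"
    return "PERMIT"
```

On a live system, `postmap -q` against the access table shows the right-hand side that Postfix would apply for a given address.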