UCE and restriction classes


UCE and restriction classes

Sam Przyswa
Hi all,

I have succeeded in limiting some local users to sending mail only to my local
domain, but I would also like to limit the mail these users receive to mail
from local users ONLY, with no mail from the internet (other domains).

Here is my current Postfix config:

/etc/postfix/main.cf:
...
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
        permit_mynetworks
        reject_unauth_destination
        reject_unknown_sender_domain
        permit
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
...

/etc/postfix/restricted_senders:
...
[hidden email]                addr_class_1
[hidden email]       addr_class_1
[hidden email]        addr_class_1
[hidden email]       addr_class_1
...

/etc/postfix/local_domains:
mjc-idf.asso.fr           OK
gw.mjc-idf.asso.fr     OK

/etc/postfix/addr_class_1:
mjc-idf.asso.fr          OK

--------------------------------------

What do I have to add to restrict the mail received by these users to the
local domain only?

Thanks in advance for your help.

Sam.



--
Sam Przyswa - Project manager
Email: [hidden email]
Arial Concept - Internet integrator
36, rue de Turin - 75008 - Paris - France
Tel: 01 40 54 86 04 - Fax: 01 40 54 83 01
Private fax: 09 57 12 27 22
Skype ID: arial-concept
Web: http://www.arial-concept.com 


--
This message has been checked by MailScanner
for viruses or spam and nothing
suspicious was found.
For all your IT requirements visit: http://www.transtec.co.uk

Re: UCE and restriction classes

mouss-2
Sam Przyswa wrote:

> Hi all,
>
> I have succeeded in limiting some local users to sending mail only to my local
> domain, but I would also like to limit the mail these users receive to mail
> from local users ONLY, with no mail from the internet (other domains).
>
> There is my actual Postfix config:
>
> /etc/postfix/main.cf:
> ...
> smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders

This is wrong. See below.

>        permit_mynetworks
>        reject_unauth_destination
>        reject_unknown_sender_domain
>        permit
> smtpd_restriction_classes = local_only
> local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
> ...
>
> /etc/postfix/restricted_senders:
> ...
> [hidden email]                addr_class_1
> [hidden email]       addr_class_1
> [hidden email]        addr_class_1
> [hidden email]       addr_class_1
> ...
>
> /etc/postfix/local_domains:
> mjc-idf.asso.fr           OK
> gw.mjc-idf.asso.fr     OK
>
> /etc/postfix/addr_class_1:
> mjc-idf.asso.fr          OK
>


Now you are an open relay: any attacker who sends you mail from an
address @mjc-idf... can use your system as a relay.

Never, ever return OK in smtpd_recipient_restrictions before
reject_unauth_destination based on information that the sender can
forge. This includes the sender and the HELO.

Use the following instead:

smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/restricted_senders

smtpd_recipient_restrictions =
         permit_mynetworks
         reject_unauth_destination
         reject_unknown_sender_domain

An OK in smtpd_sender_restrictions will not skip
smtpd_recipient_restrictions, so there is no open relay.

> --------------------------------------
>
> What I have to add to restrict the received mail only from local domain
> for these users ?
>

It is not clear what you mean by "from local domain" ("domain" is
ambiguous: is it the domain of the IP, or the domain in the sender
address?).

If you only want mail from mynetworks, simply do:

smtpd_recipient_restrictions =
        permit_mynetworks
        reject

If you want something else, please explain the real problem you are
trying to solve (describe your setup). If you feel more comfortable with
French, contact me off-list and I'll summarize here.


Re: UCE and restriction classes

Sam Przyswa


mouss wrote:

> Sam Przyswa wrote:
>> Hi all,
>>
>> I have succeeded in limiting some local users to sending mail only to my
>> local domain, but I would also like to limit the mail these users receive
>> to mail from local users ONLY, with no mail from the internet (other
>> domains).
>>
>> There is my actual Postfix config:
>>
>> /etc/postfix/main.cf:
>> ...
>> smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
>
> This is wrong. See below.
>
>>        permit_mynetworks
>>        reject_unauth_destination
>>        reject_unknown_sender_domain
>>        permit
>> smtpd_restriction_classes = local_only
>> local_only = check_recipient_access hash:/etc/postfix/local_domains,
>> reject
>> ...
>>
>> /etc/postfix/restricted_senders:
>> ...
>> [hidden email]                addr_class_1
>> [hidden email]       addr_class_1
>> [hidden email]        addr_class_1
>> [hidden email]       addr_class_1
>> ...
>>
>> /etc/postfix/local_domains:
>> mjc-idf.asso.fr           OK
>> gw.mjc-idf.asso.fr     OK
>>
>> /etc/postfix/addr_class_1:
>> mjc-idf.asso.fr          OK
>>
>
>
> Now you are an open relay: any attacker who sends you mail from an
> address @mjc-idf... can use your system as a relay.
>
> Never, ever return OK in smtpd_recipient_restrictions before
> reject_unauth_destination based on information that the sender can
> forge. This includes the sender and the HELO.
>
> Use the following instead:
>
> smtpd_sender_restrictions =
>     check_sender_access hash:/etc/postfix/restricted_senders
>
> smtpd_recipient_restrictions =
>         permit_mynetworks
>         reject_unauth_destination
>         reject_unknown_sender_domain
>
> An OK in smtpd_sender_restrictions will not skip
> smtpd_recipient_restrictions, so there is no open relay.

Argh #@!

Thanks a lot !


>
>> --------------------------------------
>>
>> What I have to add to restrict the received mail only from local
>> domain for these users ?
>>
>
> It is not clear what you mean by "from local domain" ("domain" is
> ambiguous: is it the domain of the IP, or the domain in the sender
> address?).

I need the users below (in restricted_senders) to not receive mail from
the internet, from any other domain than mjc-idf.asso.fr, and only from
$mynetworks.

> If you only want mail from mynetworks, simply do:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     reject
>

Yes, but all the other users have to receive mail from the internet, the
local domain and $mynetworks.

Thanks again.

Sam.



