Very selective relay


Very selective relay

Marek Kozlowski-2
:-)
I've been asked a very strange question. According to the best of my
knowledge there is no setting but maybe I'm wrong:

Is it possible to define a very selective relay according to the
following pseudo code:

/* a, b and c are set to some single values */
if (client's_IP==a)
     if (MAIL_FROM==b)
         if (RCPT_TO==c)
             then relay=OK
relay=reject

Best regards,
Marek



Re: Very selective relay

Wietse Venema
Marek Kozlowski:

> :-)
> I've been asked a very strange question. According to the best of my
> knowledge there is no setting but maybe I'm wrong:
>
> Is it possible to define a very selective relay according to the
> following pseudo code:
>
> /* a, b and c are set to some single values */
> if (client's_IP==a)
>      if (MAIL_FROM==b)
>          if (RCPT_TO==c)
>              then relay=OK
> relay=reject

www.postfwd.org

        Wietse

Re: Very selective relay

Viktor Dukhovni
In reply to this post by Marek Kozlowski-2
On Fri, Sep 18, 2020 at 11:50:02AM +0200, Marek Kozlowski wrote:

> I've been asked a very strange question. According to the best of my
> knowledge there is no setting but maybe I'm wrong:
>
> Is it possible to define a very selective relay according to the
> following pseudo code:
>
> /* a, b and c are set to some single values */
> if (client's_IP==a)

    smtpd_client_restrictions =
        permit_auth_destination,
        check_client_access inline:{ a=OK },
        reject

>      if (MAIL_FROM==b)

    smtpd_sender_restrictions =
        permit_auth_destination,
        check_sender_access inline:{ b=OK },
        reject

>          if (RCPT_TO==c)

    smtpd_recipient_restrictions =
        permit_auth_destination,
        check_recipient_access inline:{ c=OK },
        reject

--
    Viktor.

Re: Very selective relay

Marek Kozlowski-2
:-)

On 9/18/20 6:09 PM, Viktor Dukhovni wrote:

> On Fri, Sep 18, 2020 at 11:50:02AM +0200, Marek Kozlowski wrote:
>
>> I've been asked a very strange question. According to the best of my
>> knowledge there is no setting but maybe I'm wrong:
>>
>> Is it possible to define a very selective relay according to the
>> following pseudo code:
>>
>> /* a, b and c are set to some single values */
>> if (client's_IP==a)
>
>      smtpd_client_restrictions =
>          permit_auth_destination,
>          check_client_access inline:{ a=OK },
>          reject
>
>>       if (MAIL_FROM==b)
>
>      smtpd_sender_restrictions =
>          permit_auth_destination,
>          check_sender_access inline:{ b=OK },
>          reject
>
>>           if (RCPT_TO==c)
>
>      smtpd_recipient_restrictions =
>          permit_auth_destination,
>          check_recipient_access inline:{ c=OK },
>          reject
>
Are you quite sure that 'permit_auth_destination' is allowed in
'smtpd_client_restrictions' and 'smtpd_sender_restrictions'??

Even if so (I'm in doubt), are you sure it would work as an 'AND'?

if (client's_IP==a)
      if (MAIL_FROM==b)
          if (RCPT_TO==c)
              then relay=OK

(relay if and only if all conditions are met)

?

Seems very suspiciously strange..

Best regards,
Marek



Re: Very selective relay

Viktor Dukhovni
On Tue, Sep 22, 2020 at 04:19:41PM +0200, Marek Kozlowski wrote:

> On 9/18/20 6:09 PM, Viktor Dukhovni wrote:

> >> I've been asked a very strange question. According to the best of my
> >> knowledge there is no setting but maybe I'm wrong:
> >>
> >> Is it possible to define a very selective relay according to the
> >> following pseudo code:
> >>
> >> /* a, b and c are set to some single values */
> >> if (client's_IP==a)
> >
> >      smtpd_client_restrictions =
> >          permit_auth_destination,
> >          check_client_access inline:{ a=OK },
> >          reject
> >
> >> if (MAIL_FROM==b)
> >
> >      smtpd_sender_restrictions =
> >          permit_auth_destination,
> >          check_sender_access inline:{ b=OK },
> >          reject
> >
> >> if (RCPT_TO==c)
> >
> >      smtpd_recipient_restrictions =
> >          permit_auth_destination,
> >          check_recipient_access inline:{ c=OK },
> >          reject
>
> Are you quite sure that 'permit_auth_destination' is allowed in
> 'smtpd_client_restrictions' and 'smtpd_sender_restrictions'??

Would I have posted the above answer if I weren't quite sure?  You just
need to not inadvertently set "smtpd_delay_reject = no".

> Even if so (I'm in doubt), are you sure it would work as an 'AND'?

Your doubt is unwarranted.  For a recipient to be accepted all the
top-level built-in restriction classes are evaluated in turn and *all*
must pass (not reject) the recipient.

> if (client's_IP==a)
>       if (MAIL_FROM==b)
>           if (RCPT_TO==c)
>               then relay=OK
>
> (relay if and only if all conditions are met)

That's how it works.

> Seems very suspiciously strange..

Your suspicion is oddly unexpected.

--
    Viktor.
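
The "all lists must pass" evaluation described in the reply above, as a simplified model. This is an added example, not part of the original thread and not Postfix code. The addresses standing in for a, b and c, the authorized domain and all function names are constructed, and the model covers only the three lists shown in the thread, evaluated at RCPT TO as with the default smtpd_delay_reject = yes.

```python
# Simplified model (not Postfix source) of the three restriction lists from the
# thread, evaluated at RCPT TO as with smtpd_delay_reject = yes.
A_CLIENT = "192.0.2.10"          # constructed value for a
B_SENDER = "app@example.com"     # constructed value for b
C_RCPT = "alerts@example.net"    # constructed value for c
AUTH_DOMAINS = {"example.org"}   # constructed: domains this server accepts mail for

def permit_auth_destination(session):
    # PERMIT when the recipient domain is an authorized destination
    domain = session["rcpt"].rsplit("@", 1)[-1]
    return "PERMIT" if domain in AUTH_DOMAINS else "DUNNO"

def check_access(field, table):
    # Access-table lookup: key found with value OK is PERMIT, key absent is DUNNO
    def restriction(session):
        return "PERMIT" if table.get(session[field]) == "OK" else "DUNNO"
    return restriction

def reject(session):
    return "REJECT"

def restriction_list(field, table):
    return [permit_auth_destination, check_access(field, table), reject]

LISTS = {
    "client": restriction_list("client", {A_CLIENT: "OK"}),
    "sender": restriction_list("sender", {B_SENDER: "OK"}),
    "recipient": restriction_list("rcpt", {C_RCPT: "OK"}),
}

def evaluate(restrictions, session):
    # Within one list, the first non-DUNNO result decides
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict
    return "DUNNO"

def rcpt_decision(client, sender, rcpt):
    # Across lists, every list must pass; the first REJECT refuses the recipient
    session = {"client": client, "sender": sender, "rcpt": rcpt}
    for name, restrictions in LISTS.items():
        if evaluate(restrictions, session) == "REJECT":
            return "REJECT (" + name + ")"
    return "ACCEPT"

if __name__ == "__main__":
    print(rcpt_decision(A_CLIENT, B_SENDER, C_RCPT))
    print(rcpt_decision("198.51.100.7", B_SENDER, C_RCPT))
```

Mail addressed to an authorized destination passes all three lists regardless of client or sender, which is why permit_auth_destination leads each list; only mail for other destinations has to match a, b and c together.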

Re: Very selective relay

Antonio Leding
In reply to this post by Viktor Dukhovni

Hi Viktor,

I never used this but am now curious — in reading the docs on this, it looks like the proper content in the “{ }” fields would be the IP or FQDN to\from one wishes to restrict traffic — do I have this correct?

On 18 Sep 2020, at 9:09, Viktor Dukhovni wrote:

> On Fri, Sep 18, 2020 at 11:50:02AM +0200, Marek Kozlowski wrote:
>
>> I've been asked a very strange question. According to the best of my
>> knowledge there is no setting but maybe I'm wrong:
>>
>> Is it possible to define a very selective relay according to the
>> following pseudo code:
>>
>> /* a, b and c are set to some single values */
>> if (client's_IP==a)
>
>     smtpd_client_restrictions =
>         permit_auth_destination,
>         check_client_access inline:{ a=OK },
>         reject
>
>>      if (MAIL_FROM==b)
>
>     smtpd_sender_restrictions =
>         permit_auth_destination,
>         check_sender_access inline:{ b=OK },
>         reject
>
>>          if (RCPT_TO==c)
>
>     smtpd_recipient_restrictions =
>         permit_auth_destination,
>         check_recipient_access inline:{ c=OK },
>         reject
>
> --
>     Viktor.


Re: Very selective relay

Viktor Dukhovni
On Tue, Sep 22, 2020 at 07:20:00PM +0000, Antonio Leding wrote:

> I never used this but am now curious — in reading the docs on this, it
> looks like the proper content in the “{ }” fields would be the IP or
> FQDN to\from one wishes to restrict traffic — do I have this correct?

The "inline:" lookup table is just the same as all the other lookup
tables in Postfix, Postfix performs a lookup for a particular key,
and the table returns any associated value.

What key/value pairs you populate the table with depends on how
you're going to use them (virtual(5), access(5), transport(5), ...)
not on the table type.  Pretend "inline:" is just a file to be
indexed with "cdb" or "lmdb", but all the keys and values are crammed
into a single comma-separated line, as "key=value" or "{ key = value }"
(if you have a wide-screen monitor :-).

--
    Viktor.