check rcpt to, from and destination in one session - nested smtpd_restriction_classes?

check rcpt to, from and destination in one session - nested smtpd_restriction_classes?

Stefan Bauer-2
Hi,

Postfix is configured as a relay server. Other systems relay with Postfix. Here I want to allow, for a specific group of hosts, when they use a specific mail from address, only a few specific destination domains. Other hosts should not be bothered. This is only a need to limit a group of hosts to not accidentally send out mails to other domains.

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/benachrichtigung
smtpd_restriction_classes = benachrichtigung
benachrichtigung = check_recipient_access hash:/etc/postfix/erlaubt, reject

/etc/postfix/benachrichtigung
[hidden email] benachrichtigung

/etc/postfix/erlaubt
microsoft.com OK
aol.com OK
yahoo.com OK

That works and only allows mails with mail from: [hidden email] to the above domains. How can I additionally say: only limit sending of mails to these 3 domains if the SMTP connection is from 3 local IPs (10.8.1.1-3)?

I cannot think of a way to achieve this.

Thank you.

Stefan

RE: check rcpt to, from and destination in one session - nested smtpd_restriction_classes?

Fazzina, Angelo

Hi, sounds like you want

If from ( [hidden email]) and from (10.8.1.1-3)
Then allow
Else REJECT

Sounds like you would need a regex expression to catch two conditions and then act on it.

Not sure postfix can store result of first check and not act on it and make the second check and then act on the email?

My guess is no…..?

Maybe someone more savvy knows how to do this.

Good Luck.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut, ITS, SSG, Server Systems
860-486-9075


Re: check rcpt to, from and destination in one session - nested smtpd_restriction_classes?

Viktor Dukhovni
In reply to this post by Stefan Bauer-2


> On May 15, 2018, at 11:38 AM, Stefan Bauer <[hidden email]> wrote:
>
> I can not think of a way to achieve this.

It is unclear what combination of criteria you want to use.
What naïvely makes sense to me is that the client hosts in
question are to be restricted to a particular sender address
and to particular recipient domains.  If so:

main.cf:
  cidr = cidr:${config_directory}/
  texthash = texthash:${config_directory}/
  smtpd_client_restrictions = check_client_access ${cidr}client.cidr
  smtpd_restriction_classes = restricted_sender, restricted_rcpt
  restricted_sender = check_sender_access ${texthash}restricted-sender
  restricted_rcpt = check_recipient_access ${texthash}restricted-rcpt

client.cidr:
  192.0.2.1   restricted_sender

restricted-sender:
  [hidden email]  restricted_rcpt, reject

restricted-rcpt:
  example.org  OK
  example.net  OK
  example.edu  OK

Restriction classes can nest.

--
        Viktor.


Re: check rcpt to, from and destination in one session - nested smtpd_restriction_classes?

Jan P. Kessler
In reply to this post by Stefan Bauer-2

> postfix is configured as relay server. Other systems relay with
> postfix. Here i want to allow for a specific group of hosts, when they
> use a specific mail from address only a few specific destination
> domains. Other hosts should not be bothered. This is only a need to
> limit a group of hosts to not accidentally send out mails to other
> domains.
>

Restriction classes get very confusing with 3 or more criteria. Take a
look at the policy delegation protocol at
http://www.postfix.org/SMTPD_POLICY_README.html or use a service like
postfwd (http://postfwd.org). In your case you would create a rule like

id=ALLOW01
    client_address = 192.168.1.0/24
    sender==[hidden email]
    recipient_domain==somewhere.remote
    action=permit

id=REJECT01
    client_address = 192.168.1.0/24
    action=REJECT not allowed
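
Added example, not part of any post in this thread: a minimal service for the policy delegation protocol Jan links to, applying the original poster's rule (hosts 10.8.1.1-3 using the notification sender may only reach three domains; all other mail is left alone). The sender's domain is hidden on this page, so `benachrichtigung@example.com` is a placeholder, and the function names are this example's own.

```python
"""Postfix policy delegation service (SMTPD_POLICY_README), started by spawn(8)."""
import ipaddress
import sys

# Constructed values: the thread hides the real sender address.
RESTRICTED_CLIENTS = {ipaddress.ip_address(f"10.8.1.{n}") for n in (1, 2, 3)}
RESTRICTED_SENDER = "benachrichtigung@example.com"   # placeholder domain
ALLOWED_DOMAINS = {"example.org", "example.net", "example.edu"}

def parse_request(lines):
    """Turn 'name=value' lines (up to the blank terminator) into a dict."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            break                           # empty line ends one request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return the access(5) action for one RCPT TO request."""
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DUNNO"                      # unparsable client: not our concern
    if client not in RESTRICTED_CLIENTS:
        return "DUNNO"                      # other hosts are not bothered
    if attrs.get("sender", "").lower() != RESTRICTED_SENDER:
        return "DUNNO"                      # other senders are unrestricted
    domain = attrs.get("recipient", "").rpartition("@")[2].lower()
    if domain in ALLOWED_DOMAINS:
        return "DUNNO"                      # let later restrictions decide
    return "REJECT recipient domain not allowed for this sender"

def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests until Postfix closes the connection."""
    while True:
        attrs = parse_request(iter(stream_in.readline, ""))
        if not attrs:
            return                          # EOF
        stream_out.write(f"action={decide(attrs)}\n\n")
        stream_out.flush()

if __name__ == "__main__":
    serve()
```

Allowed mail gets DUNNO rather than OK so that the relay restrictions listed after `check_policy_service` still apply.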


Re: check rcpt to, from and destination in one session - nested smtpd_restriction_classes?

Stefan Bauer-2
Sorry for being unclear:

My criteria are: if (from 10.8.1.1-3 and mail from: benachrichtigung@) then
only allow rcpt to: (example.org, example.net, example.edu)

If from 10.8.1.1-3 and mail from anything else, no limitation should take place.


Re: check rcpt to, from and destination in one session - nested smtpd_restriction_classes?

Stefan Bauer-2
In reply to this post by Viktor Dukhovni
That works. Thank you very much, guys, for your help!
