per-user recipient_restrictions?

Stefan Palme-2
Hi all,

I have something like this in my main.cf:

smtpd_recipient_restrictions =
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject

This is a mail server used only as an outgoing SMTP server,
both for local hosts (which is only 127.0.0.1) and
for a list of authenticated users.

Now I want a special authenticated user to be allowed to send
mails with an "unknown recipient domain". Is this possible?

(The reason for this strange requirement is that this "user"
is a software product. This software delivers its mails via
the local SMTP server. When it tries to send emails to an invalid
domain, postfix should not reject this email during the internal
SMTP communication. Instead I want it to accept it and create
a bounce message to the original sender).

Any hints how to solve this?

Thanks and regards
-stefan-




Re: per-user recipient_restrictions?

Jay Deiman
Stefan Palme wrote:

> Hi all,
>
> I have something like this in my main.cf:
>
> smtpd_recipient_restrictions =
>         reject_non_fqdn_sender,
>         reject_non_fqdn_recipient,
>         reject_unknown_sender_domain,
>         reject_unknown_recipient_domain,
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject
>
> This is a mail server used only as outgoing SMTP server,
> either for local hosts (which is only 127.0.0.1) and
> a list of authenticated users.
>
> Now I want a special authenticated user to be allowed to send
> mails with an "unknown recipient domain". Is this possible?
>
> (The reason for this strange requirement is, that this "user"
> is a software product. This software delivers its mails via
> the local SMTP server. When it tries to send emails to an invalid
> domain, postfix should not reject this email during the internal
> SMTP communication. Instead I want it to accept it and create
> a bounce message to the original sender).
>
> Any hints how to solve this?

Well, you could always set up a separate smtpd instance in your
master.cf running on a different port with different
smtpd_recipient_restrictions as an option flag.

The real question here is why?  You are basically telling postfix to
relay to a non-existent domain, as far as it's concerned anyway.  About
the only way that postfix will do anything worthwhile with that message
is if you have a special transport_map set up.

J

Re: per-user recipient_restrictions?

Barney Desmond
Stefan Palme wrote:
> Now I want a special authenticated user to be allowed to send
> mails with an "unknown recipient domain". Is this possible?
>
> (The reason for this strange requirement is, that this "user"
> is a software product. This software delivers its mails via
> the local SMTP server. When it tries to send emails to an invalid
> domain, postfix should not reject this email during the internal
> SMTP communication. Instead I want it to accept it and create
> a bounce message to the original sender).


I can think of a few ways. If the software is running on the same
machine, you could add a check_sender_access table before the rejections
to permit it. You could move permit_sasl_authenticated higher, but
that's probably undesirable. A special instance of smtpd in master.cf,
as suggested, is also good.

There might be a "proper" way to do this, using the authentication
credentials at an earlier stage, but I can't claim to know.



Re: per-user recipient_restrictions?

Wietse Venema
Stefan Palme:

> Hi all,
>
> I have something like this in my main.cf:
>
> smtpd_recipient_restrictions =
>         reject_non_fqdn_sender,
>         reject_non_fqdn_recipient,
>         reject_unknown_sender_domain,
>         reject_unknown_recipient_domain,
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject
>
> This is a mail server used only as outgoing SMTP server,
> either for local hosts (which is only 127.0.0.1) and
> a list of authenticated users.
>
> Now I want a special authenticated user to be allowed to send
> mails with an "unknown recipient domain". Is this possible?

The simple approach is to put permit_mynetworks BEFORE the other
restrictions.

The ugly approach is to replace the above by:

/etc/postfix/main.cf:
    smtpd_client_restrictions =
        check_client_access pcre:/etc/postfix/client_access

    smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject

/etc/postfix/client_access:
    /^1\.2\.3\.4$/ dunno
    /./   reject_non_fqdn_sender, .., reject_unknown_recipient_domain

        Wietse

Re: per-user recipient_restrictions?

Stefan Palme-2
On Wed, 2008-11-12 at 09:22 -0500, Wietse Venema wrote:

> Stefan Palme:
> > Hi all,
> >
> > I have something like this in my main.cf:
> >
> > smtpd_recipient_restrictions =
> >         reject_non_fqdn_sender,
> >         reject_non_fqdn_recipient,
> >         reject_unknown_sender_domain,
> >         reject_unknown_recipient_domain,
> >         permit_mynetworks,
> >         permit_sasl_authenticated,
> >         reject
> >
> > This is a mail server used only as outgoing SMTP server,
> > either for local hosts (which is only 127.0.0.1) and
> > a list of authenticated users.
> >
> > Now I want a special authenticated user to be allowed to send
> > mails with an "unknown recipient domain". Is this possible?
>
> The simple approach is to put permit_mynetworks BEFORE the other
> restrictions.
>
> The ugly approach is to replace the above by:
>
> /etc/postfix/main.cf:
>     smtpd_client_restrictions =
>         check_client_access pcre:/etc/postfix/client_access
>
>     smtpd_recipient_restrictions =
>         permit_mynetworks
>         permit_sasl_authenticated
>         reject
>
> /etc/postfix/client_access:
>     /^1\.2\.3\.4$/ dunno
>     /./   reject_non_fqdn_sender, .., reject_unknown_recipient_domain
>

Thanks to all of you.

@Wietse: the main point is that I don't want a certain CLIENT (=IP
address) to be allowed to send to invalid domains, but a certain USER
(identified by SASL-auth).
For all "normal" users the domain check should be enabled, only one
special user will be allowed to try to send to "invalid domains"...

Regards
-stefan-



Re: per-user recipient_restrictions?

Victor Duchovni
On Wed, Nov 12, 2008 at 05:03:55PM +0100, Stefan Palme wrote:

> Wietse: the main point is, that I don't want a certain CLIENT (=IP
> address) to be allowed to send to invalid domains, but a certain USER
> (identified by SASL-auth).
> For all "normal" users the domain check should be enabled, only one
> special user will be allowed to try to send to "invalid domains"...

Postfix has no access tables for SASL users (but policy services can be
used for this if necessary). If the SASL user in question has a fixed
sender address, you can use reject_sender_login_mismatch to prevent
forgery of that address, and then you can use the sender address with
sender restrictions.

Otherwise you need a policy service.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
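
The policy-service route mentioned in the message above, sketched as an added example (not code from the thread or from the Postfix project): a small policy daemon that lets one SASL login bypass the unknown-recipient-domain check while every other client still gets it. Assumptions: the SASL login name `mailer-app`, the loopback port 10040, and a main.cf in which `check_policy_service inet:127.0.0.1:10040` takes the place of `reject_unknown_recipient_domain` in smtpd_recipient_restrictions, ahead of permit_mynetworks and permit_sasl_authenticated.

```python
import socketserver

# Assumption: SASL login of the software product (hypothetical name).
EXEMPT_SASL_USERS = {"mailer-app"}

# Constructed sample request in Postfix policy-delegation format.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "sasl_username=mailer-app\nrecipient=user@no-such-domain.invalid\n\n"
)

def parse_request(text):
    """Collect name=value attributes up to the empty line that ends a request."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return an access(5) action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    if attrs.get("sasl_username", "") in EXEMPT_SASL_USERS:
        # No opinion: skip the domain check, later restrictions still apply.
        return "DUNNO"
    # Everyone else gets the normal check, applied by Postfix itself.
    return "reject_unknown_recipient_domain"

class PolicyHandler(socketserver.StreamRequestHandler):
    """Answer each request on a connection with action=...<empty line>."""
    def handle(self):
        lines = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            action = decide(parse_request("\n".join(lines)))
            self.wfile.write(f"action={action}\n\n".encode())
            lines = []

if __name__ == "__main__":
    # Assumption: port 10040 on loopback, matching check_policy_service in main.cf.
    socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever()
```

Because the exempt login only receives DUNNO, it is still subject to the remaining restrictions; the exemption covers the domain check and nothing else.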

Re: per-user recipient_restrictions?

Wietse Venema
Stefan Palme:

> On Wed, 2008-11-12 at 09:22 -0500, Wietse Venema wrote:
> > Stefan Palme:
> > > Hi all,
> > >
> > > I have something like this in my main.cf:
> > >
> > > smtpd_recipient_restrictions =
> > >         reject_non_fqdn_sender,
> > >         reject_non_fqdn_recipient,
> > >         reject_unknown_sender_domain,
> > >         reject_unknown_recipient_domain,
> > >         permit_mynetworks,
> > >         permit_sasl_authenticated,
> > >         reject
> > >
> > > This is a mail server used only as outgoing SMTP server,
> > > either for local hosts (which is only 127.0.0.1) and
> > > a list of authenticated users.
> > >
> > > Now I want a special authenticated user to be allowed to send
> > > mails with an "unknown recipient domain". Is this possible?
> >
> > The simple approach is to put permit_mynetworks BEFORE the other
> > restrictions.
> >
> > The ugly approach is to replace the above by:
> >
> > /etc/postfix/main.cf:
> >     smtpd_client_restrictions =
> >         check_client_access pcre:/etc/postfix/client_access
> >
> >     smtpd_recipient_restrictions =
> >         permit_mynetworks
> >         permit_sasl_authenticated
> >         reject
> >
> > /etc/postfix/client_access:
> >     /^1\.2\.3\.4$/ dunno
> >     /./   reject_non_fqdn_sender, .., reject_unknown_recipient_domain
> >
>
> Thanks to all of you.
>
> @Wietse: the main point is, that I don't want a certain CLIENT (=IP
> address) to be allowed to send to invalid domains, but a certain USER
> (identified by SASL-auth).
> For all "normal" users the domain check should be enabled, only one
> special user will be allowed to try to send to "invalid domains"...

If you know the SASL login, surely you also know the sender address.

        Wietse