smtp_relay_restrictions


smtp_relay_restrictions

John Allen

I am trying to work out what parameters to add to smtpd_relay_restrictions, both in main.cf and master.cf.

  1. We do not allow relaying by any means!
  2. In-house users must be registered, use our domains and port 587 (submission) to send.
     I use check_sender_access with a table in the form "example.com  permit_sasl_authenticated, reject" to enforce these rules (thanks to Sebastian Nielsen for the idea) in the submission section of master.cf.
  3. We accept mail from the rest of the world on port 25 (smtp).

Currently in main.cf I have reject_unauth_destination as the only parameter of smtpd_relay_restrictions.

In master.cf I have had to add permit_sasl_authenticated, reject to the smtpd_relay_restrictions. This seems odd, as I am using a more "restrictive" version of this in recipient_restrictions. If I leave it blank/unset, all mail on 587 gets rejected with "An error occurred while sending mail. The mail server responded: 5.7.1 [hidden email]: Recipient address rejected: Access denied. Please check the message recipient [hidden email] and try again."

What would be a better set of parameters for both main.cf and master.cf?


=======main.cf========
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_size_limit = 65536
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
default_process_limit = 20
delay_warning_time = 12h
disable_vrfy_command = yes
header_size_limit = 32768
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_protocols = ipv4, ipv6
mailbox_transport = lmtp:unix:private/dovecot-lmtp
message_size_limit = 32768000
mime_header_checks = pcre:/etc/postfix/maps/mime_header_checks.pcre
mydestination = localhost, localhost.localdomain, localdomain
mydomain = klam.ca
myhostname = smtp.$mydomain
mynetworks = 127.0.0.0/8, [::1]/128
myorigin = $mydomain
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
    bl.spameatingmonkey.net*2 bl.ipv6.spameatingmonkey.net*2 bl.spamcop.net
    dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-3
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_greet_action = enforce
postscreen_helo_required = yes
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
postscreen_use_tls = $smtpd_use_tls
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relocated_maps = hash:/etc/postfix/maps/relocated
smtp_dns_support_level = dnssec
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS,
    kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = reject_unknown_reverse_client_hostname,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client
    b.barracudacentral.org, reject_rbl_client bl.spameatingmonkey.net,
    reject_rbl_client bl.ipv6.spameatingmonkey.net, reject_rbl_client
    dnsbl.sorbs.net, reject_rbl_client bl.spamcop.net
smtpd_data_restrictions = reject_multi_recipient_bounce,
    reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_error_sleep_time = 5s
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname, check_helo_access
    pcre:/etc/postfix/maps/helo_checks.pcre
smtpd_recipient_limit = 128
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, check_recipient_access
    pcre:/etc/postfix/maps/recipient_checks.pcre, check_recipient_access
    hash:/etc/postfix/maps/recipient_checks, check_policy_service
    inet:127.0.0.1:10023
smtpd_relay_restrictions = reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = reject_non_fqdn_sender,
    reject_unknown_sender_domain, check_sender_access
    hash:/etc/postfix/maps/sender_checks
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
smtpd_tls_key_file = /root/ssl/private/$mydomain.mail.key
smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols
smtpd_tls_protocols = $smtp_tls_protocols
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/maps/transport
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/virtual_alias_map.sql,
    proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_map.sql
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/virtual_domain_map.sql
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/virtual_mailbox_map.sql,
    proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_mailbox_map.sql
virtual_transport = lmtp:unix:private/dovecot-lmtp

=======master.cf========

smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
    -o cleanup_service_name=pre-cleanup
pickup     fifo  n       -       n       60      1       pickup
    -o cleanup_service_name=pre-cleanup
submission inet  n       -       n       -       30      smtpd
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/dovecot-auth
    -o smtpd_sasl_local_domain=$mydomain
    -o broken_sasl_auth_clients=yes
    -o smtpd_sasl_authenticated_header=yes
    -o smtpd_client_restrictions=
    -o smtpd_data_restrictions=
    -o smtpd_etrn_restrictions=reject
    -o smtpd_helo_restrictions=
    -o {smtpd_recipient_restrictions=check_sender_access hash:/etc/postfix/maps/submission_access}
    -o {smtpd_relay_restrictions=permit_sasl_authenticated, reject}
    -o smtpd_sender_restrictions=
    -o smtpd_client_connection_count_limit=15
    -o smtpd_client_connection_rate_limit=80
    -o smtpd_delay_reject=yes
    -o cleanup_service_name=pre-cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
    -o smtp_bind_address=74.116.186.178
    -o smtp_bind_address6=2606:6d00:100:4301::1:200
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
smtp-amavis unix -       -       n       -       4       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o smtp_tls_note_starttls_offer=no
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_relay_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o local_header_rewrite_clients=
    -o local_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o smtpd_tls_security_level=none
    -o local_recipient_maps=
    -o relay_recipient_maps=
pre-cleanup unix n       -       n       -       0       cleanup
    -o virtual_alias_maps=
cleanup    unix  n       -       n       -       0       cleanup
    -o mime_header_checks=
    -o nested_header_checks=
    -o header_checks=
    -o body_checks=
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy








Re: smtp_relay_restrictions

John Allen

follow-up:

If I put anything other than, at a minimum, permit_sasl_authenticated, I get the following error message:

Apr  7 08:53:52 bilbo postfix/submission/smtpd[15279]: fatal: in parameter smtpd_relay_restrictions or smtpd_recipient_restrictions, specify at least one working instance of: reject_unauth_destination, defer_unauth_destination, reject, defer, defer_if_permit or check_relay_domains


On 2016-04-07 8:44 AM, John Allen wrote:


Re: smtp_relay_restrictions

Noel Jones-2
On 4/7/2016 7:44 AM, John Allen wrote:

The postfix built-in open relay check can't see inside your
check_sender_access map, so it complains about missing relay
protection.

Adding a ,reject to the end of your smtpd_recipient_restrictions
should allow you to use an empty smtpd_relay_restrictions.  This
will also ensure that clients not using your domain as sender will
be rejected.

    -o {smtpd_recipient_restrictions=check_sender_access hash:/etc/postfix/maps/submission_access, reject}
    -o smtpd_relay_restrictions=




  -- Noel Jones

Re: smtp_relay_restrictions

John Allen
On 2016-04-07 2:47 PM, Noel Jones wrote:

It does not seem to be working as expected! To test this out I am using
the family's domain klam.ca and server imap/smtp.klam.ca.  I set up a
fake user 'harry' whose email address was [hidden email]. I set him up
on Thunderbird with imap/smtp.klam.biz. However, if I change Harry's
config under Thunderbird to use imap/smtp.klam.ca and try to send, then I
get asked for Harry's authentication.
I am asked for a password in both cases; this seems a little odd, as
klam.biz is not in the check_sender_access table and I thought that if
the domain was not in the lookup table then the email would be rejected
before authentication was attempted.

What am I missing? What am I doing wrong? What don't I understand (re
Postfix; my wife tells me all the other things I don't understand)?




SV: smtp_relay_restrictions

Sebastian Nielsen
No, authentication is always attempted.
So even if there's no permit_sasl_authenticated in the rules stack, you can still authenticate (if SASL is enabled) and gain "authenticated" rights, which would then be no more than "guest" rights.

So to correctly try out the tables, you would need to try to send out a mail with a "fake" MAIL FROM and a "real" MAIL FROM.
The "fake" MAIL FROM should get rejected even if you are authenticated.
The "real" MAIL FROM should get accepted if you are authenticated; otherwise it should get rejected as well.

-----Original message-----
From: [hidden email] [mailto:[hidden email]] On behalf of John Allen
Sent: 8 April 2016 21:27
To: [hidden email]
Subject: Re: smtp_relay_restrictions


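As an added illustration of both Noel's point (the startup check only sees restrictions written literally in the lists, not a reject stored inside the access map) and Sebastian's test matrix, here is a small Python model of how the submission service walks its restriction lists. It is not code from the thread or from Postfix itself; the access table and the klam.ca/klam.biz sessions are constructed sample data, and only the restrictions this thread uses are modelled.

```python
"""Model of how Postfix walks the submission port's restriction lists.

Added example, not code from the thread or from Postfix itself. Only the
restrictions the thread uses are modelled: permit_sasl_authenticated,
reject, reject_unauth_destination and check_sender_access, with an
in-memory dict standing in for hash:/etc/postfix/maps/submission_access.
"""
from dataclasses import dataclass

# Restrictions the startup sanity check counts as relay protection
# (the list quoted in the fatal error message earlier in the thread).
RELAY_PROTECTION = {"reject_unauth_destination", "defer_unauth_destination",
                    "reject", "defer", "defer_if_permit", "check_relay_domains"}

# Constructed sample of the submission_access table: our own domain maps to
# the restriction list "permit_sasl_authenticated, reject"; nothing else.
SUBMISSION_ACCESS = {"klam.ca": ["permit_sasl_authenticated", "reject"]}
LOCAL_DOMAINS = {"klam.ca"}  # what reject_unauth_destination treats as ours

# The two master.cf variants discussed: John's original -o settings and
# Noel's suggestion (empty relay list, trailing reject in recipient list).
ACCESS_CHECK = "check_sender_access hash:/etc/postfix/maps/submission_access"
ORIGINAL_RELAY = ["permit_sasl_authenticated", "reject"]
ORIGINAL_RECIPIENT = [ACCESS_CHECK]
SUGGESTED_RELAY = []
SUGGESTED_RECIPIENT = [ACCESS_CHECK, "reject"]


@dataclass
class Session:
    sasl_authenticated: bool  # AUTH already happened; it is always attempted
    sender: str               # envelope MAIL FROM
    recipient: str            # envelope RCPT TO


def relay_protection_ok(relay_restrictions, recipient_restrictions):
    """The startup check behind the fatal error in the thread: a relay-
    protecting restriction must appear literally in one of the two lists.
    A 'reject' stored as a value inside an access map is invisible to it."""
    words = set(relay_restrictions) | set(recipient_restrictions)
    return bool(words & RELAY_PROTECTION)


def evaluate(restrictions, session, access_table, local_domains):
    """Walk one list left to right. Returns 'OK' (permit, which ends this
    list only), 'REJECT', or 'DUNNO' when the list ends undecided."""
    for r in restrictions:
        if r == "permit_sasl_authenticated":
            if session.sasl_authenticated:
                return "OK"
        elif r == "reject":
            return "REJECT"
        elif r == "reject_unauth_destination":
            if session.recipient.rsplit("@", 1)[1] not in local_domains:
                return "REJECT"
        elif r.startswith("check_sender_access"):
            # The table value is itself a restriction list, evaluated in
            # place; an unlisted sender domain just falls through to the
            # next restriction, it is not rejected by the lookup alone.
            sub = access_table.get(session.sender.rsplit("@", 1)[1])
            if sub is not None:
                verdict = evaluate(sub, session, access_table, local_domains)
                if verdict != "DUNNO":
                    return verdict
        else:
            raise ValueError(f"restriction not modelled: {r!r}")
    return "DUNNO"


def smtpd_decision(relay_restrictions, recipient_restrictions, session,
                   access_table=SUBMISSION_ACCESS, local_domains=LOCAL_DOMAINS):
    """smtpd_relay_restrictions runs first, then smtpd_recipient_restrictions.
    A permit ends only its own list, so each list still gets a chance to
    reject; a RCPT TO that no list rejects is accepted."""
    for lst in (relay_restrictions, recipient_restrictions):
        if evaluate(lst, session, access_table, local_domains) == "REJECT":
            return "REJECT"
    return "OK"


if __name__ == "__main__":
    # Sebastian's test matrix: real and fake MAIL FROM, with and without AUTH.
    for auth in (True, False):
        for sender in ("harry@klam.ca", "harry@klam.biz"):
            s = Session(auth, sender, "friend@example.net")
            before = smtpd_decision(ORIGINAL_RELAY, ORIGINAL_RECIPIENT, s)
            after = smtpd_decision(SUGGESTED_RELAY, SUGGESTED_RECIPIENT, s)
            print(f"auth={auth!s:<5} {sender:<15} original={before:<6} "
                  f"suggested={after}")
```

Running it prints the four combinations: the original settings accept an authenticated user with a klam.biz sender (the relay list permits, the recipient list ends undecided), while the suggested settings reject it and still accept the authenticated klam.ca sender.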

CLOSED - Re: SV: smtp_relay_restrictions

John Allen

Not quite what I was looking for. What I was hoping for was: if example-x.com is not in the list of domains we accept email for, quit and reject without further processing.

I think my problem is I am not thinking, or rather that I think "permit_sasl_authenticated" solves all problems!

Thanks for the input; after giving myself a swift kick, back to the drawing board.

On 2016-04-08 11:37 AM, Sebastian Nielsen wrote: