
Accept email only from local for specific addresses

  • Claude Needham
    Message 1 of 8, Jul 28, 2006
      I would like to configure my postfix so that certain email addresses
      will only receive email from local (the machine itself). Other
      addresses will receive email as usual.

      I am toying with setting the system so that email sent to root can
      only be from the local source. This way I can get reports from various
      processes without being exposed to spam directed to root@...

      Is this type of setup even possible?
      And, by the way, where can I find a reference guide that will tell me
      which addresses I can safely deny the world. I know abuse and
      postmaster must be open. But what about root or uucp, etc.?

      Thanks,
      Claude Needham
    • Sandy Drobic
      Message 2 of 8, Jul 28, 2006
        Claude Needham wrote:
        > I would like to configure my postfix so that certain email addresses
        > will only receive email from local (the machine itself). Other
        > addresses will receive email as usual.
        >
        > I am toying with setting the system so that email sent to root can
        > only be from the local source. This way I can get reports from various
        > processes without being exposed to spam directed to root@...
        >
        > Is this type of setup even possible?
        > And, by the way, where can I find a reference guide that will tell me
        > which addresses I can safely deny the world. I know abuse and
        > postmaster must be open. But what about root or uucp, etc.?

        As long as postmaster and abuse are valid for external users it's okay.


        main.cf:
        mynetworks = 192.168.1.0/24, 127.0.0.1
        smtpd_recipient_restrictions =
            permit_mynetworks,
            reject_unauth_destination
            check_recipient_access hash:/etc/postfix/internal_only
            ...


        /etc/postfix/internal_only
        root@... reject
        uucp@... reject


        With that configuration only clients from your internal network or the
        server itself will be able to send mail to root@....

        Sandy
      • Claude Needham
        Message 3 of 8, Jul 28, 2006
          On 7/28/06, Sandy Drobic <postfix-users@...> wrote:
          > Claude Needham wrote:
          > > I would like to configure my postfix so that certain email addresses
          > > will only receive email from local (the machine itself). Other
          > > addresses will receive email as usual.

          > As long as postmaster and abuse are valid for external users it's okay.
          >
          >
          > main.cf:
          > mynetworks = 192.168.1.0/24, 127.0.0.1
          > smtpd_recipient_restrictions =
          > permit_mynetworks,
          > reject_unauth_destination
          > check_recipient_access hash:/etc/postfix/internal_only
          > ...
          >
          >
          > /etc/postfix/internal_only
          > root@... reject
          > uucp@... reject
          >
          >
          > With that configuration only clients from your internal network or the
          > server itself will be able to send mail to root@....
          >
          > Sandy

          This works great!

          I tested from external and internal.
          The external email was refused.
          But I could receive from one of the internal processes sending me
          email on the machine.

          I checked around at sample main.cf files I could find on line.
          They all seemed to have the check_recipient_access after reject_rbl_client.
          I am assuming this is correct.

          smtpd_recipient_restrictions =
              permit_sasl_authenticated,
              permit_mynetworks,
              reject_unauth_destination,
              reject_rbl_client relays.ordb.org,
              reject_rbl_client list.dsbl.org,
              reject_rbl_client sbl-xbl.spamhaus.org,
              check_recipient_access hash:/etc/postfix/internal_only

          By the way, do I need to run a postfix reload after updating the
          internal_only hash?

          Claude Needham
          p.s. thanks again to this list for great help.
        • Magnus Bäck
          Message 4 of 8, Jul 29, 2006
            On Saturday, July 29, 2006 at 00:51 CEST,
            Claude Needham <gxxaxx@...> wrote:

            [...]

            > By the way, do I need to run a postfix reload after updating the
            > internal_only hash?

            No.

            http://www.postfix.org/DATABASE_README.html#detect

            --
            Magnus Bäck
            magnus@...
          • Sandy Drobic
            Message 5 of 8, Jul 29, 2006
              Claude Needham wrote:
              > On 7/28/06, Sandy Drobic <postfix-users@...> wrote:

              >>
              >> main.cf:
              >> mynetworks = 192.168.1.0/24, 127.0.0.1
              >> smtpd_recipient_restrictions =
              >> permit_mynetworks,
              >> reject_unauth_destination
              >> check_recipient_access hash:/etc/postfix/internal_only
              >> ...

              > I checked around at sample main.cf files I could find on line.
              > They all seemed to have the check_recipient_access after reject_rbl_client.
              > I am assuming this is correct.
              >
              > smtpd_recipient_restrictions =
              > permit_sasl_authenticated,
              > permit_mynetworks,
              > reject_unauth_destination,
              > reject_rbl_client relays.ordb.org,
              > reject_rbl_client list.dsbl.org,
              > reject_rbl_client sbl-xbl.spamhaus.org,
              > check_recipient_access hash:/etc/postfix/internal_only

              Why would you check three external dns blacklists when you know that the
              recipient address will be rejected? In this case it makes sense to put it
              right behind reject_unauth_destination. Though, if your server is not
              terribly busy, it won't make a noticeable difference.

              Sandy
            • Claude Needham
              Message 6 of 8, Jul 29, 2006
                On 7/29/06, Sandy Drobic <postfix-users@...> wrote:
                > > smtpd_recipient_restrictions =
                > > permit_sasl_authenticated,
                > > permit_mynetworks,
                > > reject_unauth_destination,
                > > reject_rbl_client relays.ordb.org,
                > > reject_rbl_client list.dsbl.org,
                > > reject_rbl_client sbl-xbl.spamhaus.org,
                > > check_recipient_access hash:/etc/postfix/internal_only
                >
                > Why would you check three external dns blacklists when you know that the
                > recipient address will be rejected? In this case it makes sense to put it
                > right behind reject_unauth_destination. Though, if your server is not
                > terribly busy, it won't make a noticeable difference.
                >
                > Sandy

                My first impulse was to put the check_recipient_access right after
                reject_unauth_destination as you suggest. But then I noticed several
                sample main.cf files on the web had it this way.

                The ratio of blacklisted email to check_recipient_access rejected
                emails is probably 1000:1. So I would have blacklisted emails passing
                through the check_recipient_access if I put the
                check_recipient_access under the reject_unauth_destination.

                Logically it makes more sense to put:

                reject_unauth_destination,
                check_recipient_access hash:/etc/postfix/internal_only
                reject_rbl_client relays.ordb.org,
                reject_rbl_client list.dsbl.org,
                reject_rbl_client sbl-xbl.spamhaus.org,

                But I have no clue how much overhead the check_recipient_access is.
                And since all of the blacklisted stuff will be passing through this, I
                just don't know.

                Claude
              • Magnus Bäck
                Message 7 of 8, Jul 29, 2006
                  On Saturday, July 29, 2006 at 18:01 CEST,
                  Claude Needham <gxxaxx@...> wrote:

                  [...]

                  > Logically it makes more sense to put:
                  >
                  > reject_unauth_destination,
                  > check_recipient_access hash:/etc/postfix/internal_only
                  > reject_rbl_client relays.ordb.org,
                  > reject_rbl_client list.dsbl.org,
                  > reject_rbl_client sbl-xbl.spamhaus.org,
                  >
                  > But I have no clue how much overhead the check_recipient_access is.
                  > And since all of the blacklisted stuff will be passing through this, I
                  > just don't know.

                  check_recipient_access has a significantly lower overhead than DNSBL
                  lookups (at least with hash maps), so it would be a good idea to put
                  it first. On the other hand, there will be very few cases where
                  check_recipient_access results in a reject so in reality it doesn't
                  matter.

                  --
                  Magnus Bäck
                  magnus@...
                • Sandy Drobic
                  Message 8 of 8, Jul 29, 2006
                    Magnus Bäck wrote:
                    > On Saturday, July 29, 2006 at 18:01 CEST,
                    > Claude Needham <gxxaxx@...> wrote:
                    >
                    > [...]
                    >
                    >> Logically it makes more sense to put:
                    >>
                    >> reject_unauth_destination,
                    >> check_recipient_access hash:/etc/postfix/internal_only
                    >> reject_rbl_client relays.ordb.org,
                    >> reject_rbl_client list.dsbl.org,
                    >> reject_rbl_client sbl-xbl.spamhaus.org,
                    >>
                    >> But I have no clue how much overhead the check_recipient_access is.
                    >> And since all of the blacklisted stuff will be passing through this, I
                    >> just don't know.
                    >
                    > check_recipient_access has a significantly lower overhead than DNSBL
                    > lookups (at least with hash maps), so it would be a good idea to put
                    > it first. On the other hand, there will be very few cases where
                    > check_recipient_access results in a reject so in reality it doesn't
                    > matter.
                    >

                    As Magnus said, practically the only case where the order would matter
                    is when that address is heavily under attack by a spam or backscatter
                    storm. Otherwise you won't notice much difference.

                    Sandy
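
An added illustration of the ordering question discussed in this thread (not code posted by any participant, and not Postfix's own logic): a small Python model of first-match evaluation of smtpd_recipient_restrictions, comparing the two placements of check_recipient_access. The domain example.com, the client addresses and the DNSBL listing are constructed, and the table lookup is simplified to full-address matches only.

```python
import ipaddress

# Constructed sample data; example.com stands in for the elided "root@..." domain.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "127.0.0.1/32")]
LOCAL_DOMAINS = {"example.com"}                          # assumed local destination
INTERNAL_ONLY = {"root@example.com", "uucp@example.com"}  # models internal_only
DNSBL_LISTED = {"203.0.113.66": "sbl-xbl.spamhaus.org"}   # constructed listing

def evaluate(restrictions, client_ip, rcpt, sasl=False):
    """Model one RCPT TO: return (verdict, deciding restriction, DNSBL lookups)."""
    ip = ipaddress.ip_address(client_ip)
    lookups = 0
    for r in restrictions:            # the first restriction that matches decides
        if r == "permit_sasl_authenticated" and sasl:
            return "permit", r, lookups
        if r == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "permit", r, lookups
        if r == "reject_unauth_destination" and rcpt.split("@")[-1] not in LOCAL_DOMAINS:
            return "reject", r, lookups
        if r.startswith("check_recipient_access") and rcpt.lower() in INTERNAL_ONLY:
            return "reject", r, lookups
        if r.startswith("reject_rbl_client"):
            lookups += 1              # each list costs one DNS query for this client
            if DNSBL_LISTED.get(client_ip) == r.split()[1]:
                return "reject", r, lookups
    return "permit", "(end of list)", lookups

HEAD = ["permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination"]
RBLS = ["reject_rbl_client relays.ordb.org", "reject_rbl_client list.dsbl.org",
        "reject_rbl_client sbl-xbl.spamhaus.org"]
TABLE = "check_recipient_access hash:/etc/postfix/internal_only"
TABLE_LAST = HEAD + RBLS + [TABLE]     # ordering from message 3
TABLE_FIRST = HEAD + [TABLE] + RBLS    # ordering proposed in message 6

def compare(client_ip, rcpt, sasl=False):
    """Evaluate the same session under both orderings."""
    return {"table_last": evaluate(TABLE_LAST, client_ip, rcpt, sasl),
            "table_first": evaluate(TABLE_FIRST, client_ip, rcpt, sasl)}

if __name__ == "__main__":
    for case in [("127.0.0.1", "root@example.com"),        # local process
                 ("198.51.100.7", "root@example.com"),     # external, not listed
                 ("203.0.113.66", "user@example.com"),     # external, listed
                 ("198.51.100.7", "root@example.com", True)]:  # external, SASL
        print(case, compare(*case))
```

In the model, the verdict for an external client writing to root@ is a reject under both orderings; only the deciding restriction and the number of DNSBL queries differ. In the list from message 3, permit_sasl_authenticated precedes the table, so an authenticated remote sender is accepted for root@ as well.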