Postfix Restriction class not working properly

  • ankush grover
    Message 1 of 8 , Aug 1, 2006
      hey,

      I am trying to implement the Postfix restriction classes for one of
      the accounts in my network. There is an account called staff and the
      mail sent to this address goes to all the
      employees in the organisation.

      I have configured main.cf as per the restriction class example

      smtpd_restriction_classes = insiders_only
      insiders_only = check_sender_access hash:/etc/postfix/sender_access, reject
      smtpd_recipient_restrictions = permit_mynetworks,
          permit_sasl_authenticated,
          check_recipient_access hash:/etc/postfix/recipient_access,
          reject_invalid_hostname,
          reject_unknown_sender_domain,
          reject_unknown_recipient_domain,
          reject_unauth_destination,
          reject_rbl_client relays.ordb.org,
          reject_rbl_client opm.blitzed.org,
          reject_rbl_client list.dsbl.org,
          reject_rbl_client sbl.spamhaus.org,
          reject_rbl_client cbl.abuseat.org,
          reject_rbl_client dul.dnsbl.sorbs.net,
          permit

      But still I am able to receive the mail from outside on this account
      from accounts list permitted to send mail to this account.

      recipient_access file
      staff@... insiders_only

      sender_access file

      example.com OK
      ankush@... OK
      ankush@... OK
      john@... OK

      Apart from my domain (example.com), some other email ids from which
      mails are allowed to be sent to this account are added to the
      sender_access.

      I am using Postfix 2.1.5 on FC3 with MailScanner.

      Any pointer what can be the problem?

      Thanks & Regards

      Ankush Grover
    • Magnus Bäck
      Message 2 of 8 , Aug 1, 2006
        On Tuesday, August 01, 2006 at 10:12 CEST,
        ankush grover <grover.pix@...> wrote:

        > I am trying to implement the Postfix restriction classes for one of
        > the accounts in my network. There is an account called staff and the
        > mail sent to this address goes to all the
        > employees in the organisation.
        >
        > I have configured main.cf as per the restriction class example
        >
        > smtpd_restriction_classes = insiders_only
        > insiders_only = check_sender_access hash:/etc/postfix/sender_access, reject
        > smtpd_recipient_restrictions = permit_mynetworks,
        > permit_sasl_authenticated,
        > check_recipient_access
        > hash:/etc/postfix/recipient_access,
        > reject_invalid_hostname,
        > reject_unknown_sender_domain,
        > reject_unknown_recipient_domain,
        > reject_unauth_destination,
        > reject_rbl_client relays.ordb.org,
        > reject_rbl_client opm.blitzed.org,
        > reject_rbl_client list.dsbl.org,
        > reject_rbl_client sbl.spamhaus.org,
        > reject_rbl_client cbl.abuseat.org,
        > reject_rbl_client dul.dnsbl.sorbs.net,
        > permit
        >
        > But still I am able to receive the mail from outside on this account
        > from accounts list permitted to send mail to this account.

        Show logs and complete "postconf -n" output.

        But anyway, wouldn't it be a better idea to rely on the client address
        and authentication rather than the easily spoofed sender address, like
        in the example in RESTRICTION_CLASS_README?

        [...]

        --
        Magnus Bäck
        magnus@...
      • ankush grover
        Message 3 of 8 , Aug 1, 2006
          On 8/1/06, Magnus Bäck <magnus@...> wrote:
          > On Tuesday, August 01, 2006 at 10:12 CEST,
          > ankush grover <grover.pix@...> wrote:
          >
          > > I am trying to implement the Postfix restriction classes for one of
          > > the accounts in my network. There is an account called staff and the
          > > mail sent to this address goes to all the
          > > employees in the organisation.
          > >
          > > I have configured main.cf as per the restriction class example
          > >
          > > smtpd_restriction_classes = insiders_only
          > > insiders_only = check_sender_access hash:/etc/postfix/sender_access, reject
          > > smtpd_recipient_restrictions = permit_mynetworks,
          > > permit_sasl_authenticated,
          > > check_recipient_access
          > > hash:/etc/postfix/recipient_access,
          > > reject_invalid_hostname,
          > > reject_unknown_sender_domain,
          > > reject_unknown_recipient_domain,
          > > reject_unauth_destination,
          > > reject_rbl_client relays.ordb.org,
          > > reject_rbl_client opm.blitzed.org,
          > > reject_rbl_client list.dsbl.org,
          > > reject_rbl_client sbl.spamhaus.org,
          > > reject_rbl_client cbl.abuseat.org,
          > > reject_rbl_client dul.dnsbl.sorbs.net,
          > > permit
          > >
          > > But still I am able to receive the mail from outside on this account
          > > from accounts list permitted to send mail to this account.
          >
          > Show logs and complete "postconf -n" output.
          >
          > But anyway, wouldn't it be a better idea to rely on the client address
          > and authentication rather than the easily spoofed sender address, like
          > in the example in RESTRICTION_CLASS_README?
          >

          Hey,

          Thanks for the reply. Below are the log file and the postconf -n output

          Logs

          Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
          Received: from localhost (localhost.localdomain [127.0.0.1])??by
          mail.sun.net (Postfix) with ESMTP id 0E3766FFE5??for
          <testing@...>; Tue, 1 Aug 2006 16:48:57 +0530 (IST) from
          localhost.localdomain[127.0.0.1]; from=<grover.pix@...>
          to=<testing@...> proto=ESMTP helo=<localhost>
          Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
          Received: from mail.isp.com??by localhost with IMAP
          (fetchmail-6.2.5.5)??for testing@... (multi-drop); Tue, 01 Aug
          2006 16:48:57 +0530 (IST) from localhost.localdomain[127.0.0.1];
          from=<grover.pix@...> to=<testing@...> proto=ESMTP
          helo=<localhost>
          Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
          Received: from ug-out-1314.google.com (ug-out-1314.google.com
          [66.249.92.174])??by mail252.megamailservers.com
          (8.13.6.20060614/8.13.1) with ESMTP id k71Bb1aL003459??for
          <testing@... from localhost.localdomain[127.0.0.1];
          from=<grover.pix@...> to=<testing@...> proto=ESMTP
          helo=<localhost>
          Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
          Received: by ug-out-1314.google.com with SMTP id m3so1254036ugc?
          for <testing@...>; Tue, 01 Aug 2006 04:36:59 -0700 (PDT) from
          localhost.localdomain[127.0.0.1]; from=<grover.pix@...>
          to=<testing@...> proto=ESMTP helo=<localhost>
          Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
          Received: by 10.66.221.19 with SMTP id t19mr749382ugg;? Tue, 01
          Aug 2006 04:36:58 -0700 (PDT) from localhost.localdomain[127.0.0.1];
          from=<grover.pix@...> to=<testing@...> proto=ESMTP
          helo=<localhost>
          Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
          Received: by 10.66.225.3 with HTTP; Tue, 1 Aug 2006 04:36:58 -0700
          (PDT) from localhost.localdomain[127.0.0.1];
          from=<grover.pix@...> to=<testing@...> proto=ESMTP
          helo=<localhost>
          Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5:
          message-id=<cf4061610608010436o28366aeaob24407c9f95eb3bb@...>
          Aug 1 16:48:57 mail MailScanner[30558]: New Batch: Scanning 1
          messages, 2194 bytes
          Aug 1 16:48:58 mail postfix/smtpd[4863]: disconnect from
          localhost.localdomain[127.0.0.1]
          Aug 1 16:49:04 mail MailScanner[30558]: Virus and Content Scanning: Starting
          Aug 1 16:49:04 mail MailScanner[30558]: Requeue: 0E3766FFE5.381FC to 647537000E
          Aug 1 16:49:04 mail MailScanner[30558]: Uninfected: Delivered 1 messages
          Aug 1 16:49:04 mail MailScanner[30558]: Logging message 0E3766FFE5.381FC to SQL
          Aug 1 16:49:04 mail postfix/qmgr[30525]: 647537000E:
          from=<grover.pix@...>, size=1927, nrcpt=2 (queue active)
          Aug 1 16:49:04 mail MailScanner[30517]: 0E3766FFE5.381FC: Logged to
          MailWatch SQL
          Aug 1 16:49:04 mail postfix/local[4871]: 647537000E:
          to=<ankush@...>, orig_to=<testing@...>, relay=local,
          delay=7, status=sent (delivered to maildir)
          Aug 1 16:49:04 mail postfix/local[4870]: 647537000E:
          to=<agrover@...>, orig_to=<testing@...>, relay=local,
          delay=7, status=sent (delivered to maildir)
          Aug 1 16:49:04 mail postfix/qmgr[30525]: 647537000E: removed



          testing@... is an alias (no mailbox, just an alias) and the mails
          for testing@... go to ankush@... and
          agrover@.... The entry for testing@... is defined in the
          virtual file (/etc/postfix/virtual)



          postconf -n

          alias_database = hash:/etc/aliases
          alias_maps = hash:/etc/aliases
          broken_sasl_auth_clients = yes
          command_directory = /usr/sbin
          config_directory = /etc/postfix
          daemon_directory = /usr/libexec/postfix
          debug_peer_level = 2
          default_destination_concurrency_limit = 20
          fast_flush_domains = $relay_domains
          header_checks = regexp:/etc/postfix/header_checks
          home_mailbox = Maildir/
          html_directory = no
          in_flow_delay = 1s
          inet_interfaces = all
          local_destination_concurrency_limit = 2
          mail_owner = postfix
          mailq_path = /usr/bin/mailq.postfix
          manpage_directory = /usr/share/man
          masquerade_domains = sun.net
          message_size_limit = 51200000
          mime_header_checks = regexp:/etc/postfix/mime_header_checks
          mydestination = $myhostname, localhost.$mydomain, $mydomain
          myhostname = mail.sun.net
          mynetworks = 192.168.5.0/24, 127.0.0.0/8
          mynetworks_style = subnet
          myorigin = $mydomain
          newaliases_path = /usr/bin/newaliases.postfix
          queue_directory = /var/spool/postfix
          readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
          recipient_delimiter = +
          relayhost = mail.isp.com
          sample_directory = /usr/share/doc/postfix-2.1.5/samples
          sendmail_path = /usr/sbin/sendmail.postfix
          setgid_group = postdrop
          smtp_sasl_auth_enable = yes
          smtp_sasl_password_maps = hash:/etc/postfix/passwd
          smtp_sasl_security_options = noanonymous
          smtp_use_tls = yes
          smtpd_recipient_restrictions = permit_mynetworks,
          permit_sasl_authenticated, check_recipient_access
          hash:/etc/postfix/recipient_access,
          reject_invalid_hostname, reject_unknown_sender_domain,
          reject_unknown_recipient_domain, reject_unauth_destination,
          reject_rbl_client relays.ordb.org,
          reject_rbl_client opm.blitzed.org,
          reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org,
          reject_rbl_client cbl.abuseat.org,
          reject_rbl_client dul.dnsbl.sorbs.net,
          permit
          smtpd_restriction_classes = insiders_only
          smtpd_sender_restrictions = permit_mynetworks,
          permit_sasl_authenticated, reject_unknown_sender_domain,
          reject_rbl_client relays.ordb.org, reject_rbl_client
          opm.blitzed.org, reject_rbl_client
          list.dsbl.org, reject_rbl_client sbl.spamhaus.org,
          reject_rbl_client cbl.abuseat.org, reject_rbl_client
          dul.dsnbl.sorbs.net, permit
          smtpd_tls_CAfile = /etc/postfix/cacert.pem
          smtpd_tls_auth_only = yes
          smtpd_tls_cert_file = /etc/postfix/newcert.pem
          smtpd_tls_key_file = /etc/postfix/newreq.pem
          smtpd_tls_loglevel = 1
          smtpd_tls_received_header = yes
          smtpd_tls_session_cache_timeout = 3600s
          smtpd_use_tls = yes
          tls_random_source = dev:/dev/urandom
          unknown_local_recipient_reject_code = 550

          Thanks & Regards

          Ankush Grover
        • Magnus Bäck
          Message 4 of 8 , Aug 1, 2006
            On Tuesday, August 01, 2006 at 13:51 CEST,
            ankush grover <grover.pix@...> wrote:

            [...]

            > Aug 1 16:48:58 mail postfix/smtpd[4863]: disconnect from
            > localhost.localdomain[127.0.0.1]

            You missed a couple of log entries from smtpd(8) at the start of the
            log, but this line shows anyway that the client was localhost. The
            loopback interface is listed in mynetworks, so your permit_mynetworks
            bypasses your restrictions.

            [...]

            --
            Magnus Bäck
            magnus@...
          • ankush grover
            Message 5 of 8 , Aug 1, 2006
              On 8/2/06, Magnus Bäck <magnus@...> wrote:

              >
              > You missed a couple of log entries from smtpd(8) at the start of the
              > log, but this line shows anyway that the client was localhost. The
              > loopback interface is listed in mynetworks, so your permit_mynetworks
              > bypasses your restrictions.
              >

              Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
              Received: from localhost (localhost.localdomain [127.0.0.1])??by
              mail.sun.net (Postfix) with ESMTP id 0E3766FFE5??for
              <testing@...>; Tue, 1 Aug 2006 16:48:57 +0530 (IST) from
              localhost.localdomain[127.0.0.1]; from=<grover.pix@...>
              to=<testing@...> proto=ESMTP helo=<localhost>


              You can see the mail is coming from grover.pix@... and this
              address is not listed in sender_access.

              recipient_access file
              testing@... insiders_only

              sender_access file

              example.com OK
              ankush@... OK
              ankush@... OK
              john@... OK

              grover.pix@... is not listed in the users who are authorized to
              send the mail to testing@...

              I am downloading the mails through fetchmail from my ISP account and
              redistributing to my internal users.


              Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
              Received: from mail.isp.com??by localhost with IMAP
              (fetchmail-6.2.5.5)??for testing@... (multi-drop); Tue, 01 Aug
              2006 16:48:57 +0530 (IST) from localhost.localdomain[127.0.0.1];
              from=<grover.pix@...> to=<testing@...> proto=ESMTP
              helo=<localhost>

              You can see fetchmail has downloaded the mail; the mail is from
              grover.pix@... and is for testing@..., and it is a
              multidrop (catchall) account.


              Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
              Received: from ug-out-1314.google.com (ug-out-1314.google.com
              [66.249.92.174])??by mail252.megamailservers.com
              (8.13.6.20060614/8.13.1) with ESMTP id k71Bb1aL003459??for
              <testing@... from localhost.localdomain[127.0.0.1];
              from=<grover.pix@...> to=<testing@...> proto=ESMTP
              helo=<localhost>


              Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
              Received: by ug-out-1314.google.com with SMTP id m3so1254036ugc?
              for <testing@...>; Tue, 01 Aug 2006 04:36:59 -0700 (PDT) from
              localhost.localdomain[127.0.0.1]; from=<grover.pix@...>
              to=<testing@...> proto=ESMTP helo=<localhost>
              Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
              Received: by 10.66.221.19 with SMTP id t19mr749382ugg;?
              Tue, 01 Aug 2006 04:36:58 -0700 (PDT) from localhost.localdomain[127.0.0.1];
              from=<grover.pix@...> to=<testing@...> proto=ESMTP
              helo=<localhost>
              Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
              Received: by 10.66.225.3 with HTTP; Tue, 1 Aug 2006 04:36:58 -0700
              (PDT) from localhost.localdomain[127.0.0.1];
              from=<grover.pix@...> to=<testing@...> proto=ESMTP
              helo=<localhost>
              Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5:
              message-id=<cf4061610608010436o28366aeaob24407c9f95eb3bb@...>
              Aug 1 16:48:57 mail MailScanner[30558]: New Batch: Scanning 1
              messages, 2194 bytes
              Aug 1 16:48:58 mail postfix/smtpd[4863]: disconnect from
              localhost.localdomain[127.0.0.1]
              Aug 1 16:49:04 mail MailScanner[30558]: Virus and Content Scanning: Starting
              Aug 1 16:49:04 mail MailScanner[30558]: Requeue: 0E3766FFE5.381FC to 647537000E
              Aug 1 16:49:04 mail MailScanner[30558I hope I am clear this time ]:
              Uninfected: Delivered 1 messages
              Aug 1 16:49:04 mail MailScanner[30558]: Logging message 0E3766FFE5.381FC to SQL
              Aug 1 16:49:04 mail postfix/qmgr[30525]: 647537000E:
              from=<grover.pix@...>, size=1927, nrcpt=2 (queue active)
              Aug 1 16:49:04 mail MailScanner[30517]: 0E3766FFE5.381FC: Logged to
              MailWatch SQL
              Aug 1 16:49:04 mail postfix/local[4871]: 647537000E:
              to=<ankush@...>, orig_to=<testing@...>, relay=local,
              delay=7, status=sent (delivered to maildir)
              Aug 1 16:49:04 mail postfix/local[4870]: 647537000E:
              to=<agrover@...>, orig_to=<testing@...>, relay=local,
              delay=7, status=sent (delivered to maildir)
              Aug 1 16:49:04 mail postfix/qmgr[30525]: 647537000E: removed

              The mail for testing@... is redirected to 2 users.

              Entries for these users are defined in the virtual file (/etc/postfix/virtual)

              testing@... ankush agrover (local users)

              What else should I post?

              Thanks & Regards

              Ankush Grover
            • Magnus Bäck
              Message 6 of 8 , Aug 2, 2006
                On Wednesday, August 02, 2006 at 07:05 CEST,
                ankush grover <grover.pix@...> wrote:

                > On 8/2/06, Magnus Bäck <magnus@...> wrote:
                >
                > > You missed a couple of log entries from smtpd(8) at the start
                > > of the log, but this line shows anyway that the client was
                > > localhost. The loopback interface is listed in mynetworks,
                > > so your permit_mynetworks bypasses your restrictions.
                >
                > Aug 1 16:48:57 mail postfix/cleanup[4864]: 0E3766FFE5: hold: header
                > Received: from localhost (localhost.localdomain [127.0.0.1])??by
                > mail.sun.net (Postfix) with ESMTP id 0E3766FFE5??for
                > <testing@...>; Tue, 1 Aug 2006 16:48:57 +0530 (IST) from
                > localhost.localdomain[127.0.0.1]; from=<grover.pix@...>
                > to=<testing@...> proto=ESMTP helo=<localhost>
                >
                > You can see the mail is coming from grover.pix@... and this
                > address is not listed in sender_access.

                I repeat: The messages are coming from a host in mynetworks, and your
                permit_mynetworks restriction will bypass your check_recipient_access
                restriction. Move check_recipient_access above permit_mynetworks and
                your problem will be solved.

                (You are still not posting all log entries for the message, but never
                mind.)

                [...]

                --
                Magnus Bäck
                magnus@...
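
The first-match behaviour described in the reply above, modelled as an added example that is not part of the original thread or of Postfix itself. The mynetworks values come from the posted postconf -n output; the example.com addresses, the table contents and the simplified lookup order are assumptions made for illustration.

```python
import ipaddress

# From the thread's postconf -n output.
MYNETWORKS = ["192.168.5.0/24", "127.0.0.0/8"]
# Constructed tables: the archive elides the real addresses.
RECIPIENT_ACCESS = {"staff@example.com": "insiders_only"}
SENDER_ACCESS = {"example.com": "OK", "john@partner.example": "OK"}
CLASSES = {"insiders_only": ["check_sender_access", "reject"]}

# RBL, hostname and reject_unauth_destination checks are left out: they are
# assumed to return no decision for the local recipient modelled here.
ORIGINAL = ["permit_mynetworks", "permit_sasl_authenticated",
            "check_recipient_access", "permit"]
REORDERED = ["check_recipient_access", "permit_mynetworks",
             "permit_sasl_authenticated", "permit"]


def in_mynetworks(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in MYNETWORKS)


def lookup(table, address):
    """Try the full address, then its domain (simplified access(5) order)."""
    address = address.lower()
    return table.get(address) or table.get(address.rpartition("@")[2])


def _walk(restrictions, client_ip, sender, recipient, authenticated):
    for name in restrictions:
        if name in ("permit", "reject"):
            return name, name
        if name == "permit_mynetworks" and in_mynetworks(client_ip):
            return "permit", name
        if name == "permit_sasl_authenticated" and authenticated:
            return "permit", name
        if name in ("check_recipient_access", "check_sender_access"):
            by_rcpt = name == "check_recipient_access"
            action = lookup(RECIPIENT_ACCESS if by_rcpt else SENDER_ACCESS,
                            recipient if by_rcpt else sender)
            if action == "OK":
                return "permit", name
            if action in CLASSES:  # table result names a restriction class
                verdict, by = _walk(CLASSES[action], client_ip, sender,
                                    recipient, authenticated)
                if verdict:
                    return verdict, f"{action}:{by}"
    return None, None  # no restriction made a decision


def evaluate(restrictions, client_ip, sender, recipient, authenticated=False):
    """Return (verdict, deciding restriction); the first decision ends the walk."""
    verdict, by = _walk(restrictions, client_ip, sender, recipient, authenticated)
    return (verdict, by) if verdict else ("permit", "end of list")


if __name__ == "__main__":
    # fetchmail re-injects ISP mail over loopback, so the client is 127.0.0.1.
    msg = ("127.0.0.1", "grover.pix@outside.example", "staff@example.com")
    print("original :", evaluate(ORIGINAL, *msg))
    print("reordered:", evaluate(REORDERED, *msg))
```

With the reordered list the class still decides on the envelope sender alone, so any client that presents a sender in example.com is accepted for the protected address.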
              • ankush grover
                Message 7 of 8 , Aug 2, 2006
                  > > You can see the mail is coming from grover.pix@... and this
                  > > address is not listed in sender_access.

                  Okay I got it.

                  > I repeat: The messages are coming from a host in mynetworks, and your
                  > permit_mynetworks restriction will bypass your check_recipient_access
                  > restriction. Move check_recipient_access above permit_mynetworks and
                  > your problem will be solved.

                  I moved the check_recipient_access above the permit_mynetworks and it worked.


                  > (You are still not posting all log entries for the message, but never
                  > mind.)

                  I posted all the logs generated by the mail (/var/log/maillog).

                  You earlier mentioned this
                  But anyway, wouldn't it be a better idea to rely on the client address
                  and authentication rather than the easily spoofed sender address, like
                  in the example in RESTRICTION_CLASS_README?

                  I agree, but if the sender is not from my domain, for example an email
                  id from gmail or from yahoo, these people are not going to authenticate
                  to my server. But still I am interested in the above; can you guide me a
                  little?

                  Thanks & Regards

                  Ankush Grover
                • Magnus Bäck
                  Message 8 of 8 , Aug 2, 2006
                    On Wednesday, August 02, 2006 at 13:16 CEST,
                    ankush grover <grover.pix@...> wrote:

                    [...]

                    > I posted all the logs generated by the mail (/var/log/maillog) .

                    No, you did not. You will have entries like these:

                    Aug 2 13:23:38 jeeves postfix/smtpd[12813]: connect from localhost[127.0.0.1]
                    Aug 2 13:23:38 jeeves postfix/smtpd[12813]: EBCF23C2C: client=localhost[127.0.0.1]

                    > You earlier mentioned this
                    > But anyway, wouldn't it be a better idea to rely on the client address
                    > and authentication rather than the easily spoofed sender address, like
                    > in the example in RESTRICTION_CLASS_README?
                    >
                    > I agree but if the sender is not from my domain for example an email
                    > id from gmail or from yahoo these people are not going to authenticate
                    > to my server but still I am interested in the above can you guide me a
                    > little.

                    They can connect directly to your server, assuming they are using an
                    SMTP-capable client. This may or may not be feasible, but as I said
                    sender addresses can easily be spoofed so your solution is by no means
                    secure.

                    --
                    Magnus Bäck
                    magnus@...
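
The smtpd "client=" entries mentioned in the last reply are what tie a delivery back to the connecting host. The added example below (not part of the original thread) follows a message through the MailScanner requeue seen in the posted log and reports deliveries to a protected alias that entered from a mynetworks client. The sample log is constructed: queue IDs, PIDs and the requeue line follow the thread, while the smtpd lines, the example.com addresses and the second message are invented.

```python
import ipaddress
import re

# From the thread's postconf -n output.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.168.5.0/24", "127.0.0.0/8")]

# Constructed sample log (see the lead-in for what is taken from the thread).
SAMPLE_LOG = """\
Aug 1 16:48:57 mail postfix/smtpd[4863]: connect from localhost.localdomain[127.0.0.1]
Aug 1 16:48:57 mail postfix/smtpd[4863]: 0E3766FFE5: client=localhost.localdomain[127.0.0.1]
Aug 1 16:49:01 mail postfix/smtpd[4901]: A1B2C3D4E5: client=mx.outside.example[203.0.113.9]
Aug 1 16:49:04 mail MailScanner[30558]: Requeue: 0E3766FFE5.381FC to 647537000E
Aug 1 16:49:04 mail MailScanner[30558]: Requeue: A1B2C3D4E5.7F00A to B5C6D7E8F9
Aug 1 16:49:04 mail postfix/local[4871]: 647537000E: to=<ankush@example.com>, orig_to=<testing@example.com>, relay=local, delay=7, status=sent (delivered to maildir)
Aug 1 16:49:04 mail postfix/local[4870]: 647537000E: to=<agrover@example.com>, orig_to=<testing@example.com>, relay=local, delay=7, status=sent (delivered to maildir)
Aug 1 16:49:05 mail postfix/local[4872]: B5C6D7E8F9: to=<ankush@example.com>, relay=local, delay=4, status=sent (delivered to maildir)
""".splitlines()

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S*?\[([^\]]+)\]")
REQUEUE_RE = re.compile(r"MailScanner\[\d+\]: Requeue: ([0-9A-F]+)\.\w+ to ([0-9A-F]+)")
DELIVERY_RE = re.compile(
    r"postfix/\w+\[\d+\]: ([0-9A-F]+): to=<([^>]*)>, "
    r"(?:orig_to=<([^>]*)>, )?.*status=sent")


def trace_deliveries(lines):
    """Return (client_ip, original_recipient, final_recipient) per delivery."""
    client_of = {}  # queue ID -> client IP recorded by smtpd
    deliveries = []
    for line in lines:
        if m := CLIENT_RE.search(line):
            client_of[m.group(1)] = m.group(2)
        elif m := REQUEUE_RE.search(line):
            # MailScanner gives the scanned message a new queue ID.
            if m.group(1) in client_of:
                client_of[m.group(2)] = client_of[m.group(1)]
        elif m := DELIVERY_RE.search(line):
            qid, rcpt, orig_to = m.groups()
            deliveries.append((client_of.get(qid, "unknown"), orig_to or rcpt, rcpt))
    return deliveries


def from_mynetworks(lines, protected):
    """Deliveries to a protected address whose SMTP client is in mynetworks."""
    hits = []
    for client, orig_to, rcpt in trace_deliveries(lines):
        if orig_to not in protected or client == "unknown":
            continue
        if any(ipaddress.ip_address(client) in net for net in MYNETWORKS):
            hits.append((client, orig_to, rcpt))
    return hits


if __name__ == "__main__":
    for hit in from_mynetworks(SAMPLE_LOG, {"testing@example.com"}):
        print(hit)
```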