
Smtp policy

  • Eduardo Kienetz
    Message 1 of 22, Feb 21, 2007
      On 12/26/06, Wietse Venema <wietse@...> wrote:
      > Eduardo Kienetz:
      > > On 12/26/06, Wietse Venema <wietse@...> wrote:
      > > > Eduardo Kienetz:
      > > > > Howdy y'all
      > > > >
      > > > > I need to allow selected users to be able to send only and not receive
      > > > > e-mails.
      > > >
      > > > Email is not a one-way system. If some users can send mail, then
      > > > Postfix must be able to receive delivery status notifications for
      > > > those users. If you're concerned that kids receive inappropriate
      > > > email, use a virtual or local alias to direct mail to an adult who
      > > > can censor it.
      > >
      > > It's a company, which doesn't need a user to be able to receive
      > > messages (have conversations), just to send out e-mails.
      > > 'Oh, send that nice .ABC file to my e-mail'
      > > We already remove many attachments (anomy sanitizer), but this is not
      > > the case, we just don't want to spend any resources on mail that
      > > shouldn't be processed at all.
      > >
      > > Anyway, thanks, I'll find some way around then.
      >
      > In that case use "discard" to censor the mail.
      >
      > Wietse

      From Wietse's answer I got to a partial solution:

      /etc/postfix/donotreceive with:
      myuser@... DISCARD 550 Unknown user

      main.cf with:
      smtpd_recipient_restrictions =
      check_recipient_access hash:/etc/postfix/donotreceive,
      permit_mynetworks, etc...

      The problem is that I need an exception: I need the user to be able to
      receive mail only from people in his domain (other local users).
      Could I create some previous rule that would allow receiving such
      e-mails (*@...)?

      Thank you in advance,

      --
      Eduardo Bacchi Kienetz
      LPI Certified - Level 2
      http://www.noticiaslinux.com.br/eduardo/
    • Noel Jones
      Message 2 of 22, Feb 21, 2007
        At 11:09 AM 2/21/2007, Eduardo Kienetz wrote:
        >On 12/26/06, Wietse Venema <wietse@...> wrote:
        >>Eduardo Kienetz:
        >> > On 12/26/06, Wietse Venema <wietse@...> wrote:
        >> > > Eduardo Kienetz:
        >> > > > Howdy y'all
        >> > > >
        >> > > > I need to allow selected users to be able to send only and not receive
        >> > > > e-mails.
        >> > >
        >> > > Email is not a one-way system. If some users can send mail, then
        >> > > Postfix must be able to receive delivery status notifications for
        >> > > those users. If you're concerned that kids receive inappropriate
        >> > > email, use a virtual or local alias to direct mail to an adult who
        >> > > can censor it.
        >> >
        >> > It's a company, which doesn't need a user to be able to receive
        >> > messages (have conversations), just to send out e-mails.
        >> > 'Oh, send that nice .ABC file to my e-mail'
        >> > We already remove many attachments (anomy sanitizer), but this is not
        >> > the case, we just don't want to spend any resources on mail that
        >> > shouldn't be processed at all.
        >> >
        >> > Anyway, thanks, I'll find some way around then.
        >>
        >>In that case use "discard" to censor the mail.
        >>
        >> Wietse
        >
        > From Wietse's answer I got to a partial solution:
        >
        >/etc/postfix/donotreceive with:
        >myuser@... DISCARD 550 Unknown user
        >
        >main.cf with:
        >smtpd_recipient_restrictions =
        > check_recipient_access hash:/etc/postfix/donotreceive,
        > permit_mynetworks, etc...
        >
        >The problem is that I need an exception: I need the user to be able to
        >receive mail only from people in his domain (other local users).
        >Could I create some previous rule that would allow receiving such
        >e-mails (*@...)?

        put permit_mynetworks above your check_recipient_access map.

        --
        Noel Jones
      • Eduardo Kienetz
        Message 3 of 22, Feb 21, 2007
          On 2/21/07, Noel Jones <njones@...> wrote:
          > At 11:09 AM 2/21/2007, Eduardo Kienetz wrote:
          > >On 12/26/06, Wietse Venema <wietse@...> wrote:
          > >>Eduardo Kienetz:
          > >> > On 12/26/06, Wietse Venema <wietse@...> wrote:
          > >> > > Eduardo Kienetz:
          > >> > > > Howdy y'all
          > >> > > >
          > >> > > > I need to allow selected users to be able to send only and not receive
          > >> > > > e-mails.
          > >> > >
          > >> > > Email is not a one-way system. If some users can send mail, then
          > >> > > Postfix must be able to receive delivery status notifications for
          > >> > > those users. If you're concerned that kids receive inappropriate
          > >> > > email, use a virtual or local alias to direct mail to an adult who
          > >> > > can censor it.
          > >> >
          > >> > It's a company, which doesn't need a user to be able to receive
          > >> > messages (have conversations), just to send out e-mails.
          > >> > 'Oh, send that nice .ABC file to my e-mail'
          > >> > We already remove many attachments (anomy sanitizer), but this is not
          > >> > the case, we just don't want to spend any resources on mail that
          > >> > shouldn't be processed at all.
          > >> >
          > >> > Anyway, thanks, I'll find some way around then.
          > >>
          > >>In that case use "discard" to censor the mail.
          > >>
          > >> Wietse
          > >
          > > From Wietse's answer I got to a partial solution:
          > >
          > >/etc/postfix/donotreceive with:
          > >myuser@... DISCARD 550 Unknown user
          > >
          > >main.cf with:
          > >smtpd_recipient_restrictions =
          > > check_recipient_access hash:/etc/postfix/donotreceive,
          > > permit_mynetworks, etc...
          > >
          > >The problem is that I need an exception: I need the user to be able to
          > >receive mail only from people in his domain (other local users).
          > >Could I create some previous rule that would allow receiving such
          > >e-mails (*@...)?
          >
          > put permit_mynetworks above your check_recipient_access map.
          >
          > --
          > Noel Jones

          If I do that it receives mail from outside users too :(
          Any ideas?

          Thank you in advance,

          --
          Eduardo Bacchi Kienetz
          http://www.noticiaslinux.com.br/eduardo/
        • Noel Jones
          Message 4 of 22, Feb 21, 2007
            At 12:37 PM 2/21/2007, Eduardo Kienetz wrote:
            >>put permit_mynetworks above your check_recipient_access map.
            >>
            >>--
            >>Noel Jones
            >
            >If I do that it receives mail from outside users too :(
            >Any ideas?

            Outside users are allowed by permit_mynetworks??
            You will need to set up a smtpd_restriction_classes that allows just
            the senders you want.
            http://www.postfix.org/RESTRICTION_CLASS_README.html

            --
            Noel Jones
          • Eduardo Kienetz
            Message 5 of 22, Feb 21, 2007
              On 2/21/07, Noel Jones <njones@...> wrote:
              > At 12:37 PM 2/21/2007, Eduardo Kienetz wrote:
              > >>put permit_mynetworks above your check_recipient_access map.
              > >>
              > >>--
              > >>Noel Jones
              > >
              > >If I do that it receives mail from outside users too :(
              > >Any ideas?
              >
              > Outside users are allowed by permit_mynetworks??
              > You will need to set up a smtpd_restriction_classes that allows just
              > the senders you want.
              > http://www.postfix.org/RESTRICTION_CLASS_README.html
              >
              > --
              > Noel Jones

              Here is my mynetworks:
              mynetworks = 192.168.0.0/24, 127.0.0.0/8, 128.2.0.0/24,
              200.xx.x12.x88/32, 2xx.3.1x6.xx

              And here is the full option:

              smtpd_recipient_restrictions =
              permit_mynetworks,
              check_recipient_access mysql:/etc/postfix/mysql_check_recipients.cf,
              permit_sasl_authenticated,
              reject_unauth_destination,
              reject_unauth_pipelining,
              reject_invalid_hostname,
              check_relay_domains

              I tried sending an e-mail from gmail to my domain and here is the header:
              Return-Path: <myemail@...>
              X-Original-To: someuser@...
              Delivered-To: someuser@...
              Received: by wall.ourdomain.com.br (Postfix, from userid 1004)
              id B3D074C; Wed, 21 Feb 2007 16:37:24 -0300 (BRT)
              Received: from wr-out-0506.google.com (localhost [127.0.0.1])
              by wall.ourdomain.com.br (Postfix) with ESMTP id 2CE6B41
              for <someuser@...>; Wed, 21 Feb 2007 16:37:23 -0300 (BRT)
              Received: from 64.233.184.228 ([64.233.184.228] helo=wr-out-0506.google.com)
              by ASSP; 21 Feb 2007 16:37:23 -0300
              Received: by wr-out-0506.google.com with SMTP id i30so2339273wra
              for <someuser@...>; Wed, 21 Feb 2007 10:35:10 -0800 (PST)
              DomainKey-Signature: a=rsa-sha1; c=nofws;
              d=gmail.com; s=beta;
              h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition;
              b=M7MNu1nP7EYZJrINX4Fov0JIrtbH/OtNM/ZCVvUcno0cobXmYenymCG/bMsuwbIWW0htPls8sZjmEocl1vLOkuqj0gAz0ET6AFlZnBXLE+YPq6TRxWfk5otUpAkYG4ddqhUIMC05FZWMveqrESXUJPOgQJrORJhiICwjWje+rD4=
              Received: by 10.114.25.3 with SMTP id 3mr22067way.1172082909673;
              Wed, 21 Feb 2007 10:35:09 -0800 (PST)
              Received: by 10.114.209.14 with HTTP; Wed, 21 Feb 2007 10:35:09 -0800 (PST)
              Message-ID: <3e7d042a0702211035x89f6660n4290f49928b04e2d@...>
              Date: Wed, 21 Feb 2007 16:35:09 -0200
              From: "Eduardo Kienetz" <myemail@...>
              To: "someuser@..." <someuser@...>
              Subject: gooooooo
              MIME-Version: 1.0
              Content-Type: text/plain; charset=ISO-8859-1; format=flowed
              Content-Transfer-Encoding: 7bit
              Content-Disposition: inline
              X-Assp-Spam-Prob: 0.00000
              X-Assp-Whitelisted: Yes
              X-Assp-Envelope-From: myemail@...
              X-Virus-Scanned: Secure Mail

              Do you see anything wrong?

              Best regards,

              --
              Eduardo Bacchi Kienetz
              http://www.noticiaslinux.com.br/eduardo/
            • Noel Jones
              Message 6 of 22, Feb 21, 2007
                At 01:50 PM 2/21/2007, Eduardo Kienetz wrote:

                >Here is my mynetworks:
                >mynetworks = 192.168.0.0/24, 127.0.0.0/8, 128.2.0.0/24,
                >200.xx.x12.x88/32, 2xx.3.1x6.xx
                >...
                >Received: from wr-out-0506.google.com (localhost [127.0.0.1])
                > by wall.ourdomain.com.br (Postfix) with ESMTP id 2CE6B41
                > for <someuser@...>; Wed, 21 Feb 2007 16:37:23 -0300 (BRT)

                Does postfix log all incoming connections as coming from localhost?

                Oh, I see:
                >Received: from 64.233.184.228 ([64.233.184.228] helo=wr-out-0506.google.com)
                > by ASSP; 21 Feb 2007 16:37:23 -0300

                Your ASSP is screwing up the connection information.
                Remove 127.0.0.0/8 from mynetworks.

                --
                Noel Jones
              • Eduardo Kienetz
                Message 7 of 22, Feb 21, 2007
                  On 2/21/07, Noel Jones <njones@...> wrote:
                  > At 01:50 PM 2/21/2007, Eduardo Kienetz wrote:
                  >
                  > >Here is my mynetworks:
                  > >mynetworks = 192.168.0.0/24, 127.0.0.0/8, 128.2.0.0/24,
                  > >200.xx.x12.x88/32, 2xx.3.1x6.xx
                  > >...
                  > >Received: from wr-out-0506.google.com (localhost [127.0.0.1])
                  > > by wall.ourdomain.com.br (Postfix) with ESMTP id 2CE6B41
                  > > for <someuser@...>; Wed, 21 Feb 2007 16:37:23 -0300 (BRT)
                  >
                  > Does postfix log all incoming connections as coming from localhost?

                  Indeed.

                  > Oh, I see:
                  > >Received: from 64.233.184.228 ([64.233.184.228] helo=wr-out-0506.google.com)
                  > > by ASSP; 21 Feb 2007 16:37:23 -0300
                  >
                  > Your ASSP is screwing up the connection information.

                  That's it.

                  > Remove 127.0.0.0/8 from mynetworks.

                  Did it, but couldn't keep because webmail (squirrelmail) clients get
                  relay access denied D:
                  So I'd probably have to use a restriction class so that the 'From:' is checked?

                  Thanks again,

                  --
                  Eduardo Bacchi Kienetz
                  LPI Certified - Level 2
                  http://www.noticiaslinux.com.br/eduardo/
                • Victor Duchovni
                  Message 8 of 22, Feb 21, 2007
                    On Wed, Feb 21, 2007 at 05:58:01PM -0300, Eduardo Kienetz wrote:

                    > On 2/21/07, Noel Jones <njones@...> wrote:
                    > >At 01:50 PM 2/21/2007, Eduardo Kienetz wrote:
                    > >
                    > >>Here is my mynetworks:
                    > >>mynetworks = 192.168.0.0/24, 127.0.0.0/8, 128.2.0.0/24,
                    > >>200.xx.x12.x88/32, 2xx.3.1x6.xx
                    > >>...
                    > >>Received: from wr-out-0506.google.com (localhost [127.0.0.1])
                    > >> by wall.ourdomain.com.br (Postfix) with ESMTP id 2CE6B41
                    > >> for <someuser@...>; Wed, 21 Feb 2007 16:37:23 -0300
                    > >(BRT)
                    > >
                    > >Does postfix log all incoming connections as coming from localhost?
                    >
                    > Indeed.
                    >
                    > >Oh, I see:
                    > >>Received: from 64.233.184.228 ([64.233.184.228]
                    > >helo=wr-out-0506.google.com)
                    > >> by ASSP; 21 Feb 2007 16:37:23 -0300
                    > >
                    > >Your ASSP is screwing up the connection information.
                    >
                    > That's it.
                    >
                    > >Remove 127.0.0.0/8 from mynetworks.
                    >
                    > Did it, but couldn't keep because webmail (squirrelmail) clients get
                    > relay access denied D:
                    > So I'd probably have to use a restriction class so that the 'From:' is
                    > checked?

                    That makes you an open proxy. You must not lose the origin address, or
                    must arrange for clients that are allowed to relay to reach a different
                    (protected) IP:port.

                    --
                    Viktor.

                    Disclaimer: off-list followups get on-list replies or get ignored.
                    Please do not ignore the "Reply-To" header.

                    To unsubscribe from the postfix-users list, visit
                    http://www.postfix.org/lists.html or click the link below:
                    <mailto:majordomo@...?body=unsubscribe%20postfix-users>

                    If my response solves your problem, the best way to thank me is to not
                    send an "it worked, thanks" follow-up. If you must respond, please put
                    "It worked, thanks" in the "Subject" so I can delete these quickly.
                  • Noel Jones
                    Message 9 of 22, Feb 21, 2007
                      At 02:58 PM 2/21/2007, Eduardo Kienetz wrote:
                      >>Your ASSP is screwing up the connection information.
                      >
                      >That's it.
                      >
                      >>Remove 127.0.0.0/8 from mynetworks.
                      >
                      >Did it, but couldn't keep because webmail (squirrelmail) clients get
                      >relay access denied D:
                      >So I'd probably have to use a restriction class so that the 'From:'
                      >is checked?

                      Does ASSP do relay access checking? If not, you are an open relay.
                      Also note that all postfix client-based controls such as
                      check_client_access, check_rbl_client, etc. will not work.

                      Seems to me the solution is to configure ASSP to submit to an
                      alternate port with a postfix listener configured with an empty
                      mynetworks. Something like:

                       # master.cf
                       # postfix listener for ASSP
                       # this is a copy of the smtp inet .... smtpd line
                       25025 inet n - n - - smtpd
                         -o mynetworks=

                      Then configure ASSP to deliver to port 25025.

                      --
                      Noel Jones
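The configurations discussed so far can be replayed with a small model of how Postfix walks a restriction list. This is an added example, not code from the thread or from Postfix itself: the domain ourdomain.example, the sample addresses, the shortened mynetworks list (keeping the 127.0.0.0/8 entry that matters here) and the insiders_only class name, modelled on the pattern in RESTRICTION_CLASS_README, are all assumptions made for the illustration.

```python
"""
Model of smtpd_recipient_restrictions evaluation: restrictions run in
order, the first one returning PERMIT, REJECT or DISCARD decides, and
DUNNO falls through to the next. Added example; all addresses, domains
and IPs are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass

LOCAL_DOMAIN = "ourdomain.example"          # stands in for the poster's domain
RESTRICTED = "myuser@ourdomain.example"     # the "send only" user


@dataclass
class Session:
    client_ip: str    # peer address as smtpd sees it
    sender: str       # envelope MAIL FROM
    recipient: str    # envelope RCPT TO


def permit_mynetworks(mynetworks):
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    return lambda s, classes: (
        "PERMIT" if any(ipaddress.ip_address(s.client_ip) in n for n in nets)
        else "DUNNO")


def check_recipient_access(table):
    # A map value that names a restriction class runs that class's own list.
    def restriction(s, classes):
        action = table.get(s.recipient.lower(), "DUNNO")
        return evaluate(classes[action], s, classes) if action in classes else action
    return restriction


def check_sender_access(table):
    # Postfix tries the full sender address, then its domain (it also tries
    # parent domains; omitted here).
    def restriction(s, classes):
        sender = s.sender.lower()
        for key in (sender, sender.rpartition("@")[2]):
            if key in table:
                return table[key]
        return "DUNNO"
    return restriction


def reject_unauth_destination(local_domains):
    return lambda s, classes: (
        "DUNNO" if s.recipient.lower().rpartition("@")[2] in local_domains
        else "REJECT")


def fixed(action):
    # Unconditional result, like the "reject" restriction (or, for DISCARD,
    # a catch-all entry in a pcre: access map).
    return lambda s, classes: action


def evaluate(restrictions, s, classes=None):
    classes = classes or {}
    for r in restrictions:
        result = r(s, classes)
        if result != "DUNNO":
            return result
    return "PERMIT"   # list exhausted without a decision: Postfix permits


MYNETWORKS = ["192.168.0.0/24", "127.0.0.0/8"]   # trimmed version of the poster's list
DO_NOT_RECEIVE = {RESTRICTED: "DISCARD"}         # /etc/postfix/donotreceive


def decide_original(s):
    """Message 1: the access map sits above permit_mynetworks."""
    return evaluate([check_recipient_access(DO_NOT_RECEIVE),
                     permit_mynetworks(MYNETWORKS),
                     reject_unauth_destination({LOCAL_DOMAIN})], s)


def decide_mynetworks_first(s):
    """Message 2: permit_mynetworks moved above the map."""
    return evaluate([permit_mynetworks(MYNETWORKS),
                     check_recipient_access(DO_NOT_RECEIVE),
                     reject_unauth_destination({LOCAL_DOMAIN})], s)


# Restriction class after RESTRICTION_CLASS_README: the restricted recipient
# takes mail only when the envelope sender is in the local domain.
INSIDERS = {LOCAL_DOMAIN: "PERMIT"}                        # /etc/postfix/insiders
CLASSES = {"insiders_only": [check_sender_access(INSIDERS), fixed("DISCARD")]}
RESTRICTED_RECIPIENTS = {RESTRICTED: "insiders_only"}      # recipient -> class


def decide_restriction_class(s):
    """Messages 4 and 9: a listener with an empty mynetworks plus the class."""
    return evaluate([permit_mynetworks([]),                # -o mynetworks=
                     check_recipient_access(RESTRICTED_RECIPIENTS),
                     reject_unauth_destination({LOCAL_DOMAIN})], s, CLASSES)


# Constructed sessions. ASSP proxies every connection, so smtpd sees all of
# them arriving from 127.0.0.1 (the Received: header in message 5).
COWORKER = Session("127.0.0.1", "colleague@ourdomain.example", RESTRICTED)
OUTSIDER = Session("127.0.0.1", "someone@mail.example", RESTRICTED)
FORGED = Session("127.0.0.1", "boss@ourdomain.example", RESTRICTED)  # outsider claiming an inside sender

if __name__ == "__main__":
    for name, fn in [("original", decide_original),
                     ("mynetworks first", decide_mynetworks_first),
                     ("restriction class", decide_restriction_class)]:
        print(f"{name:18} coworker={fn(COWORKER)} outsider={fn(OUTSIDER)} forged={fn(FORGED)}")
```

The three rows retrace the thread: with the map first, even the coworker's mail is discarded; with permit_mynetworks first and ASSP handing every connection over from 127.0.0.1, the outsider is permitted as well; on a listener with an empty mynetworks the class does what was asked. The forged column is the caveat: the class trusts the envelope sender, which any client can set, so mail claiming an inside sender still reaches the restricted user on that path. Tying "inside sender" to "inside client" (permit_mynetworks or permit_sasl_authenticated ahead of a check on your own sender domain) only works once smtpd sees the real client address, which is the substance of Viktor's warning about losing the origin.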
                    • Eduardo Kienetz
                      Message 10 of 22, Feb 21, 2007
                        On 2/21/07, Victor Duchovni <Victor.Duchovni@...> wrote:
                        > On Wed, Feb 21, 2007 at 05:58:01PM -0300, Eduardo Kienetz wrote:
                        >
                        > > On 2/21/07, Noel Jones <njones@...> wrote:
                        > > >At 01:50 PM 2/21/2007, Eduardo Kienetz wrote:
                        > > >
                        > > >>Here is my mynetworks:
                        > > >>mynetworks = 192.168.0.0/24, 127.0.0.0/8, 128.2.0.0/24,
                        > > >>200.xx.x12.x88/32, 2xx.3.1x6.xx
                        > > >>...
                        > > >>Received: from wr-out-0506.google.com (localhost [127.0.0.1])
                        > > >> by wall.ourdomain.com.br (Postfix) with ESMTP id 2CE6B41
                        > > >> for <someuser@...>; Wed, 21 Feb 2007 16:37:23 -0300
                        > > >(BRT)
                        > > >
                        > > >Does postfix log all incoming connections as coming from localhost?
                        > >
                        > > Indeed.
                        > >
                        > > >Oh, I see:
                        > > >>Received: from 64.233.184.228 ([64.233.184.228]
                        > > >helo=wr-out-0506.google.com)
                        > > >> by ASSP; 21 Feb 2007 16:37:23 -0300
                        > > >
                        > > >Your ASSP is screwing up the connection information.
                        > >
                        > > That's it.
                        > >
                        > > >Remove 127.0.0.0/8 from mynetworks.
                        > >
                        > > Did it, but couldn't keep because webmail (squirrelmail) clients get
                        > > relay access denied D:
                        > > So I'd probably have to use a restriction class so that the 'From:' is
                        > > checked?
                        >
                        > That makes you an open proxy. You must not lose the origin address, or
                        > must arrange for clients that are allowed to relay to reach a different
                        > (protected) IP:port.
                        >
                        > --
                        > Viktor.

                        Could you explain better what you mean by 'open proxy' (giving an example, maybe)?
                        Thanks for your time.

                        BTW, I have this and many servers running for years without problems.
                        I'm really interested.

                        --
                        Eduardo Bacchi Kienetz
                        http://www.noticiaslinux.com.br/eduardo/
                      • Eduardo Kienetz
                        Message 11 of 22, Feb 21, 2007
                          On 2/21/07, Noel Jones <njones@...> wrote:
                          > At 02:58 PM 2/21/2007, Eduardo Kienetz wrote:
                          > >>Your ASSP is screwing up the connection information.
                          > >
                          > >That's it.
                          > >
                          > >>Remove 127.0.0.0/8 from mynetworks.
                          > >
                          > >Did it, but couldn't keep because webmail (squirrelmail) clients get
                          > >relay access denied D:
                          > >So I'd probably have to use a restriction class so that the 'From:'
                          > >is checked?
                          >
                          > Does ASSP do relay access checking? If not, you are an open relay.

                          Ah, that's what I thought when Viktor replied...
                          Of course it does... thousands of users use ASSP and it is the best
                          I've seen/used ;)

                          > Also note that all postfix client-based controls such as
                          > check_client_access, check_rbl_client, etc. will not work.

                          I do not use those. Now it's clear to me anyway. Thanks.

                          > Seems to me the solution is to configure ASSP to submit to an
                          > alternate port with a postfix listener configured with an empty
                          > mynetworks. Something like:
                          >
                          > # master.cf
                          > # postfix listener for ASSP
                          > # this is a copy of the smtp inet .... smtpd line
                          > 25025 smtp inet n - n - - smtpd
                          > -o mynetworks=
                          >
                          > Then configure ASSP to deliver to port 25025

                           ASSP delivers to port 10025 already.
                           I already have in master.cf:
                           10025 inet n - n - - smtpd
                             -o content_filter=filter:

                          filter calls spamfilter.sh that runs anomy sanitizer to strip certain
                          attachments.

                          So, even after all this I still don't get how I could solve my problem
                          of allowing an user to receive mail only from local users (outside
                          users already blocked).

                          --
                          Eduardo Bacchi Kienetz
                          http://www.noticiaslinux.com.br/eduardo/
                        • Noel Jones
                          Message 12 of 22, Feb 21, 2007
                            At 03:21 PM 2/21/2007, Eduardo Kienetz wrote:
                            >ASSP delivers to port 10025 already.
                            >I already have in master.cf:
                            >10025 inet n - n - - smtpd -o
                            >content_filter=filter:

                            So add "-o mynetworks=" to that entry.

                            --
                            Noel Jones
                          • Victor Duchovni
                            Message 13 of 22, Feb 21, 2007
                              On Wed, Feb 21, 2007 at 06:21:44PM -0300, Eduardo Kienetz wrote:

                              > >Does ASSP do relay access checking? If not, you are an open relay.
                              >
                              > Ah, that's what I thought when Viktor replied...
                              > Of course it does... thousands of users use ASSP and it is the best
                              > I've seen/used ;)

                              What do you mean when you say it does "access checks". Did you configure
                              it with the list of domains for which it should accept mail? Does it
                              understand <user%domain2@domain1>, <domain2!user@domain1>, and other
                              source route forms?

                              I would treat with great skepticism any claim that a proxy or other
                              general purpose security appliance understands all possible SMTP address
                              formats and can better protect an MTA than appropriate access rules on
                              the MTA itself.

                              Do NOT delegate Postfix relay checks to a front-end appliance that hides
                              the origin of client connections.

                              --
                              Viktor.

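Viktor's list of address forms above is a relay question rather than a syntax question, and the difference is easiest to see in code. This is an added example, not code from the thread or from Postfix: a relay decision that unwraps the percent-hack, bang-path and route-address forms to find the final destination before comparing it with the local domains, alongside the kind of syntax check a front end might stop at. Postfix does comparable rewriting under its allow_percent_hack and swap_bangpath parameters before reject_unauth_destination is evaluated; the model here is simplified, and ourdomain.example, remote.example and the sample recipients are constructed placeholders.

```python
"""
Relay decision that resolves source-routed recipient forms first. Added
example, not Postfix code; domains are constructed placeholders.
"""
LOCAL_DOMAINS = {"ourdomain.example"}    # stand-in for $mydestination
MYORIGIN = "ourdomain.example"           # domain assumed for a bare user name


def strip_route(addr):
    """'@a.example,@b.example:user@c.example' -> 'user@c.example'."""
    route, sep, rest = addr.partition(":")
    if sep and route.startswith("@") and all(h.startswith("@") for h in route.split(",")):
        return rest
    return addr


def final_destination(addr, local_domains=LOCAL_DOMAINS):
    """(localpart, domain) after unwrapping every hop that this server
    would otherwise forward on to somebody else."""
    addr = strip_route(addr.strip().strip("<>"))
    while True:
        localpart, sep, domain = addr.rpartition("@")
        if not sep:                                  # no '@' at all
            if "!" in addr:                          # 'site!user' -> 'user@site'
                site, _, user = addr.partition("!")
                addr = f"{user}@{site}"
                continue
            return addr, MYORIGIN                    # bare user: local
        domain = domain.lower()
        if domain in local_domains and "%" in localpart:
            user, _, remote = localpart.rpartition("%")   # 'user%remote@local'
            addr = f"{user}@{remote}"
            continue
        if domain in local_domains and "!" in localpart:
            site, _, user = localpart.partition("!")      # 'remote!user@local'
            addr = f"{user}@{site}"
            continue
        return localpart, domain


def relay_decision(rcpt, local_domains=LOCAL_DOMAINS):
    """'DUNNO' when we are the final destination (other restrictions still
    apply), 'REJECT' when accepting would mean relaying for a stranger."""
    _, domain = final_destination(rcpt, local_domains)
    return "DUNNO" if domain in local_domains else "REJECT"


def syntactically_valid(addr):
    """What a front-end proxy's 'address validation' might amount to: one
    non-empty local part, one non-empty domain, no whitespace. Passing it
    says nothing about where the mail would end up."""
    local, sep, domain = addr.strip().strip("<>").rpartition("@")
    return bool(sep and local and domain and " " not in addr)


# Constructed RCPT TO values: all syntactically fine, only the first is ours.
SAMPLES = ["user@ourdomain.example",
           "user%remote.example@ourdomain.example",
           "remote.example!user@ourdomain.example",
           "@ourdomain.example:user@remote.example"]

if __name__ == "__main__":
    for rcpt in SAMPLES:
        print(f"{rcpt:42} valid={syntactically_valid(rcpt)} relay={relay_decision(rcpt)}")
```

All four samples pass syntactically_valid, and three of them would be handed on to remote.example if accepted. That is the gap between "validates addresses" and "does relay access checking": the decision has to be made on the resolved destination, by the MTA that does the resolving, and a listener with an empty mynetworks that still runs reject_unauth_destination keeps it there even when every connection arrives via the proxy.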
                            • Eduardo Kienetz
                              Message 14 of 22, Feb 21, 2007
                                On 2/21/07, Victor Duchovni <Victor.Duchovni@...> wrote:
                                > On Wed, Feb 21, 2007 at 06:21:44PM -0300, Eduardo Kienetz wrote:
                                >
                                > > >Does ASSP do relay access checking? If not, you are an open relay.
                                > >
                                > > Ah, that's what I thought when Viktor replied...
                                > > Of course it does... thousands of users use ASSP and it is the best
                                > > I've seen/used ;)
                                >
                                > What do you mean when you say it does "access checks". Did you configure
                                > it with the list of domains for which it should accept mail? Does it
                                > understand <user%domain2@domain1>, <domain2!user@domain1>, and other
                                > source route forms?

                                Validation to conform with RFC 822 you mean? Yes.

                                > I would treat with great skepticism any claim that a proxy or other
                                > general purpose security appliance understands all possible SMTP address
                                > formats and can better protect an MTA than appropriate access rules on
                                > the MTA itself.

                                I understand and agree fully. But ASSP listens on port 25 and filters
                                spam before it gets to postfix. I believe most of its advantages would
                                be lost if I put it after postfix. And once it acts like a proxy,
                                there is no way I can change the local connection behaviour, since it
                                is really proxying the connection to postfix.

                                > Do NOT delegate Postfix relay checks to a front-end appliance that hides
                                > the origin of client connections.

                                 Not that they would like to, as far as I understood. What happens is that
                                 it has to make the link between the client and postfix using a local
                                 connection.
                                 Now, if I misunderstood that, please tell me.

                                I believe the only way to change this behaviour fully is putting
                                postfix on port 25, right?

                                Regards,

                                --
                                Eduardo Bacchi Kienetz
                                http://www.noticiaslinux.com.br/eduardo/
                              • Victor Duchovni
                                ... Not at all. Ensure that you are not being abused as an open relay by disallowing RCPT TO: addresses that would be delivered to remote users, rather than
                                Message 15 of 22 , Feb 21, 2007
                                  On Wed, Feb 21, 2007 at 06:56:13PM -0300, Eduardo Kienetz wrote:

                                  > On 2/21/07, Victor Duchovni <Victor.Duchovni@...> wrote:
                                  > >On Wed, Feb 21, 2007 at 06:21:44PM -0300, Eduardo Kienetz wrote:
                                  > >
                                  > >> >Does ASSP do relay access checking? If not, you are an open relay.
                                  > >>
                                  > >> Ah, that's what I thought when Viktor replied...
                                  > >> Of course it does... thousands of users use ASSP and it is the best
                                  > >> I've seen/used ;)
                                  > >
                                  > >What do you mean when you say it does "access checks". Did you configure
                                  > >it with the list of domains for which it should accept mail? Does it
                                  > >understand <user%domain2@domain1>, <domain2!user@domain1>, and other
                                  > >source route forms?
                                  >
                                  > Validation to conform with RFC 822 you mean? Yes.

                                  Not at all. Ensure that you are not being abused as an open relay by
                                  disallowing RCPT TO: addresses that would be delivered to remote users,
                                  rather than users in your domain.

                                  > >I would treat with great skepticism any claim that a proxy or other
                                  > >general purpose security appliance understands all possible SMTP address
                                  > >formats and can better protect an MTA than appropriate access rules on
                                  > >the MTA itself.
                                  >
                                  > I understand and agree fully. But ASSP listens on port 25 and filters
                                  > spam before it gets to postfix. I believe most of its advantages would
                                  > be lost if I put it after postfix. And once it acts like a proxy,
                                  > there is no way I can change the local connection behaviour, since it
                                  > is really proxying the connection to postfix.
                                  >

                                  This has nothing to do with spam. And you can tell the proxy to forward
                                  to a dedicated IP/port that refuses all non-local addresses. Just don't
                                  forward to the same IP/port as local submission from authorized clients.

                                  --
                                  Viktor.

                                  Disclaimer: off-list followups get on-list replies or get ignored.
                                  Please do not ignore the "Reply-To" header.

                                  To unsubscribe from the postfix-users list, visit
                                  http://www.postfix.org/lists.html or click the link below:
                                  <mailto:majordomo@...?body=unsubscribe%20postfix-users>

                                  If my response solves your problem, the best way to thank me is to not
                                  send an "it worked, thanks" follow-up. If you must respond, please put
                                  "It worked, thanks" in the "Subject" so I can delete these quickly.
                                • Eduardo Kienetz
                                  Message 16 of 22 , Feb 28, 2007
                                    On 2/28/07, mouss <mlist.only@...> wrote:
                                    > if you allow relay based on the sender address, then you become an open
                                    > relay, because sender addresses may be forged.

                                    It is not the case. Have already tested using telnet.

                                    --
                                    Eduardo Bacchi Kienetz
                                    http://www.noticiaslinux.com.br/eduardo/
                                  • mouss
                                    Message 17 of 22 , Feb 28, 2007
                                      Eduardo Kienetz wrote:
                                      > On 2/21/07, Victor Duchovni <Victor.Duchovni@...> wrote:
                                      >> On Wed, Feb 21, 2007 at 05:58:01PM -0300, Eduardo Kienetz wrote:
                                      >>
                                      >> > On 2/21/07, Noel Jones <njones@...> wrote:
                                      >> > >At 01:50 PM 2/21/2007, Eduardo Kienetz wrote:
                                      >> > >
                                      >> > >>Here is my mynetworks:
                                      >> > >>mynetworks = 192.168.0.0/24, 127.0.0.0/8, 128.2.0.0/24,
                                      >> > >>200.xx.x12.x88/32, 2xx.3.1x6.xx
                                      >> > >>...
                                      >> > >>Received: from wr-out-0506.google.com (localhost [127.0.0.1])
                                      >> > >> by wall.ourdomain.com.br (Postfix) with ESMTP id 2CE6B41
                                      >> > >> for <someuser@...>; Wed, 21 Feb 2007 16:37:23
                                      >> -0300
                                      >> > >(BRT)
                                      >> > >
                                      >> > >Does postfix log all incoming connections as coming from localhost?
                                      >> >
                                      >> > Indeed.
                                      >> >
                                      >> > >Oh, I see:
                                      >> > >>Received: from 64.233.184.228 ([64.233.184.228]
                                      >> > >helo=wr-out-0506.google.com)
                                      >> > >> by ASSP; 21 Feb 2007 16:37:23 -0300
                                      >> > >
                                      >> > >Your ASSP is screwing up the connection information.
                                      >> >
                                      >> > That's it.
                                      >> >
                                      >> > >Remove 127.0.0.0/8 from mynetworks.
                                      >> >
                                      >> > Did it, but couldn't keep because webmail (squirrelmail) clients get
                                      >> > relay access denied D:
                                      >> > So I'd probably have to use a restriction class so that the 'From:' is
                                      >> > checked?
                                      >>
                                      >> That makes you an open proxy. You must not lose the origin address, or
                                      >> must arrange for clients that are allowed to relay to reach a different
                                      >> (protected) IP:port.
                                      >>
                                      >> --
                                      >> Viktor.
                                      >
                                      > Could you explain better what you mean by 'open proxy' (giving example
                                      > maybe) ?
                                      > Thanks for your time.
                                      >
                                      > BTW, I have this and many servers running for years without problems.
                                      > I'm really interested.
                                      >

                                      if you allow relay based on the sender address, then you become an open
                                      relay, because sender addresses may be forged.
                                    • Victor Duchovni
                                      Message 18 of 22 , Feb 28, 2007
                                        On Wed, Feb 28, 2007 at 08:03:19PM -0300, Eduardo Kienetz wrote:

                                        > On 2/28/07, mouss <mlist.only@...> wrote:
                                        > >if you allow relay based on the sender address, then you become an open
                                        > >relay, because sender addresses may be forged.
                                        >
                                        > It is not the case. Have already tested using telnet.

                                        Tests can't prove universal statements, they can only prove existential
                                        statements.

                                        Testable:

                                        - This test will succeed

                                        Not testable:

                                        - All future tests will succeed

                                        Perhaps you should post your final configuration and explain the choices
                                        you made and why you believe they are sound.

                                        --
                                        Viktor.

                                      • Eduardo Kienetz
                                        Message 19 of 22 , Feb 28, 2007
                                          On 2/28/07, Victor Duchovni <Victor.Duchovni@...> wrote:
                                          > On Wed, Feb 28, 2007 at 08:03:19PM -0300, Eduardo Kienetz wrote:
                                          > > On 2/28/07, mouss <mlist.only@...> wrote:
                                          > > >if you allow relay based on the sender address, then you become an open
                                          > > >relay, because sender addresses may be forged.
                                          > >
                                          > > It is not the case. Have already tested using telnet.
                                          >
                                          > Tests can't prove universal statements, they can only prove existential
                                          > statements.
                                          >
                                          > Testable:
                                          > - This test will succeed
                                          >
                                          > Not testable:
                                          > - All future tests will succeed
                                          >
                                          > Perhaps you should post your final configuration and explain the choices
                                          > you made and why you believe they are sound.
                                          >
                                          > Viktor.
                                          alias_maps = $virtual_alias_maps
                                          body_checks = regexp:/etc/postfix/body_checks
                                          broken_sasl_auth_clients = yes
                                          command_directory = /usr/sbin
                                          config_directory = /etc/postfix
                                          daemon_directory = /usr/libexec/postfix
                                          debug_peer_level = 2
                                          header_checks = regexp:/etc/postfix/header_checks
                                          home_mailbox = Maildir/
                                          html_directory = /etc/postfix/html
                                          inet_interfaces = all
                                          mail_owner = postfix
                                          mail_spool_directory = /var/spool/mail
                                          mailbox_command = /usr/lib/courier-imap/bin/deliverquota -w 90 10000000S ~/Maildir
                                          mailq_path = /usr/bin/mailq
                                          manpage_directory = /usr/local/man
                                          message_size_limit = 8000000
                                          mydestination = $transport_maps
                                          mydomain = germani.com.br
                                          myhostname = germaniwall.germani.com.br
                                          mynetworks = 192.168.0.0/24, 127.0.0.0/8, 128.2.0.0/24, 200.xx.xx.x/32, 201.x.x.x
                                          myorigin = $mydomain
                                          newaliases_path = /usr/bin/newaliases
                                          queue_directory = /var/spool/postfix
                                          readme_directory = /etc/postfix/readme
                                          sample_directory = /etc/postfix
                                          sendmail_path = /usr/sbin/sendmail
                                          setgid_group = postdrop
                                          smtpd_banner = $myhostname ESMTP
                                          smtpd_recipient_restrictions = permit_mynetworks,
                                              check_recipient_access mysql:/etc/postfix/mysql_check_recipients.cf,
                                              permit_sasl_authenticated, reject_unauth_destination,
                                              reject_unauth_pipelining, reject_invalid_hostname
                                          smtpd_sasl_auth_enable = yes
                                          smtpd_sasl_local_domain = $myhostname
                                          smtpd_sasl_security_options = noanonymous
                                          unknown_local_recipient_reject_code = 550
                                          virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
                                          virtual_gid_maps = static:102
                                          virtual_mailbox_base = /mails
                                          virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
                                          virtual_mailbox_limit = 51200000
                                          virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                                          virtual_minimum_uid = 1001
                                          virtual_transport = virtual
                                          virtual_uid_maps = static:1001

                                          Thanks for your consideration,

                                          --
                                          Eduardo Bacchi Kienetz
                                          http://www.noticiaslinux.com.br/eduardo/
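Applied to the main.cf posted above, this is one way to do what Viktor described earlier in the thread: a dedicated loopback listener that ASSP forwards to, which can only accept mail for local domains, and a separate listener where authorized clients submit. It is an added example, not the poster's configuration and not from the Postfix project; the ports 10025 and 587, the parameter names proxy_recipient_restrictions and mua_recipient_restrictions, and the trimmed mynetworks value are assumptions.

```conf
# main.cf (added example; assumed names and values are not from the thread)
#
# 127.0.0.0/8 is removed: with ASSP in front, every inbound connection
# reaches Postfix from localhost, so a loopback entry in mynetworks would
# grant relay access to anyone on the Internet.
mynetworks = 192.168.0.0/24, 128.2.0.0/24

# Restrictions for the listener ASSP forwards to. The client IP carries
# no information here, so there is no permit_mynetworks and no SASL.
# reject_unauth_destination runs first: an access map entry that returned
# OK would otherwise end the evaluation and permit relaying to that recipient.
proxy_recipient_restrictions =
    reject_unauth_destination,
    check_recipient_access mysql:/etc/postfix/mysql_check_recipients.cf,
    reject_unauth_pipelining

# Restrictions for authorized clients. Relay is decided by the connecting
# network or by SASL, never by the MAIL FROM address, which anyone can forge.
mua_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject

# master.cf (added example)
#
# Port 25 stays with ASSP. Assumed port 10025, bound to loopback, is the
# only destination ASSP is configured to forward to.
127.0.0.1:10025 inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=no
  -o smtpd_recipient_restrictions=$proxy_recipient_restrictions

# Submission (port 587) for SASL users and LAN clients, including a webmail
# host that has SMTP authentication configured. ASSP never forwards here, so
# a connection arriving on this port really did come from the client making it.
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
```

After `postfix reload`, `postconf -n mynetworks` should no longer list 127.0.0.0/8, and a plain connection to port 10025 with a RCPT TO for a non-local domain should get "Relay access denied".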
                                        • Eduardo Kienetz
                                          Message 20 of 22 , Feb 28, 2007
                                            > mydomain = germani.com.br
                                            > myhostname = germaniwall.germani.com.br

                                            crap! :)

                                            --
                                            Eduardo Bacchi Kienetz
                                            http://www.noticiaslinux.com.br/eduardo/
                                          • Steven Wayne
                                            Message 21 of 22 , Mar 1, 2007
                                              On Wed, Feb 28, 2007 at 08:18:48PM -0300, Eduardo Kienetz wrote:
                                              >
                                              > >mydomain = germani.com.br
                                              > >myhostname = germaniwall.germani.com.br
                                              >
                                              > crap! :)
                                              >

                                              I don't get it.

                                              Steven.
                                              --
                                              Your fault -- core dumped
                                            • Eduardo Kienetz
                                              Message 22 of 22 , Mar 1, 2007
                                                On 3/1/07, Steven Wayne <postfix-email@...> wrote:
                                                > On Wed, Feb 28, 2007 at 08:18:48PM -0300, Eduardo Kienetz wrote:
                                                > >
                                                > > >mydomain = germani.com.br
                                                > > >myhostname = germaniwall.germani.com.br
                                                > >
                                                > > crap! :)
                                                > >
                                                >
                                                > I don't get it.
                                                >
                                                > Steven.

                                                'Personal' server information should not be disclosed to public mailing lists ;)
                                                Especially security related stuff.
                                                I should have replaced that info but it slipped through.

                                                --
                                                Eduardo Bacchi Kienetz
                                                http://www.noticiaslinux.com.br/eduardo/