Re: smtpd_restriction_classes Question

  • Jan P. Kessler
    Message 1 of 11 , Mar 1, 2007
      > I've bought the O'Reilly book about Postfix and I see that I can create
      > my own restriction classes.
      > My question is the following: can I use this to choose which computer
      > are allowed to use my relay server to send mail to Internet and which
      > are not ?

      You can BUT you don't need that nuclear rocket to kill some sparrows ;)
      Just set your mynetworks correctly:

      mynetworks = 192.168.1.0/24, !192.168.1.2, !192.168.1.3
      smtpd_recipient_restrictions = permit_mynetworks
          reject_unauth_destination

      This allows relaying to 192.168.1/24 but not for .2 and .3. If the list
      grows you can put that information into files (I'd suggest "cidr" type
      dbs).

      note: you might want to add some other fancy restrictions.
    • Eray Aslan
      Message 2 of 11 , Mar 1, 2007
        Jan P. Kessler wrote:
        >> I've bought the O'Reilly book about Postfix and I see that I can create
        >> my own restriction classes.
        >> My question is the following: can I use this to choose which computer
        >> are allowed to use my relay server to send mail to Internet and which
        >> are not ?
        >
        > You can BUT you don't need that nuclear rocket to kill some sparrows ;)
        > Just set your mynetworks correctly:
        >
        > mynetworks = 192.168.1.0/24, !192.168.1.2, !192.168.1.3
        > smtpd_recipient_restrictions = permit_mynetworks
        > reject_unauth_destination
        >
        > This allows relaying to 192.168.1/24 but not for .2 and .3. If the list
        > grows you can put that information into files (i'd suggest "cidr" type
        > dbs).

        From postconf(5) regarding mynetworks:

        [...]
        The list is matched left to right, and the search stops on the first match.
        [...]

        You need to reverse the order. !192.168.1.2/32 192.168.1.0/24

        --
        Eray
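To see why Eray's ordering matters, here is a small model of the mynetworks search (left to right, first match wins, a leading "!" makes that match a negative one). This is an added example, not code from the thread or from Postfix; the two list values are Jan's and Eray's from the messages above, and the client addresses are constructed.

```python
"""Model of Postfix mynetworks matching: the list is searched left to right
and the search stops on the first match; a "!" prefix turns that match into
"not in mynetworks". Added example, not code from the thread or Postfix."""
import ipaddress


def parse_mynetworks(value):
    """Split a mynetworks value (comma or whitespace separated) into
    (negated, network) pairs, keeping the order as written."""
    patterns = []
    for item in value.replace(",", " ").split():
        negated = item.startswith("!")
        if negated:
            item = item[1:]
        # A bare address such as 192.168.1.2 is a single-host (/32) entry.
        patterns.append((negated, ipaddress.ip_network(item, strict=False)))
    return patterns


def in_mynetworks(client_ip, value):
    """Return True when permit_mynetworks would fire for client_ip.

    The first entry that contains the address decides: a negated entry means
    "not trusted", a plain entry means "trusted"; no match means "not trusted".
    """
    addr = ipaddress.ip_address(client_ip)
    for negated, net in parse_mynetworks(value):
        if addr in net:
            return not negated
    return False


# Jan's ordering: the /24 comes first, so it matches .2 and .3 before the
# "!" entries are ever consulted, and they are still allowed to relay.
JAN_ORDER = "192.168.1.0/24, !192.168.1.2, !192.168.1.3"
# Eray's correction: exclusions first, then the subnet.
ERAY_ORDER = "!192.168.1.2/32, !192.168.1.3/32, 192.168.1.0/24"

# Constructed client addresses: the two excluded hosts, another host in the
# subnet, and one outside it.
CLIENTS = ("192.168.1.2", "192.168.1.3", "192.168.1.10", "10.0.0.5")


def relay_decisions(value, clients=CLIENTS):
    """Map each client IP to the permit_mynetworks outcome under `value`."""
    return {ip: in_mynetworks(ip, value) for ip in clients}


if __name__ == "__main__":
    for label, value in (("Jan", JAN_ORDER), ("Eray", ERAY_ORDER)):
        print(label, relay_decisions(value))
```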
      • KENNEDY VAN DAM Eric
        Message 3 of 11 , Mar 1, 2007

          Sure but it is not so simple.
          My mail relay is already configured to only allow some servers to relay but... All of them can relay to the main mail server and only some of them can relay to the outside (using the external mail relay).

          --
          Kennedy van Dam Eric
          Unix/Storage Team
          Phone: +32 (0)2 529 3375
          Mail: eric.kennedyvandam@...
        • Chuck Amadi
          Message 4 of 11 , Mar 1, 2007
            Hi Eray Aslan

            Just adding my 50 cents that is what we had implemented to aid domains
            that you don't want relay mail to add "!" mark before the ip address
            using the mynetworks directive as below.

            # Contains "!" entries for clients we do not want to relay through here
            even though they are our clients.
            # So add "!" before the ip address of your server in question.
            mynetowroks = www.xxx.www.zzz, !aaa.bbb.ccc.ddd

            It's clean and simple

            Ta

            Chuck



            --
            Chuck Amadi
            ROK Corporation Limited
            Ty ROK,
            Dyffryn Business Park,
            Llantwit Major Road,
            Llandow,
            Vale Of Glamorgan.
            CF71 7PY

            Tel: 01446 795 839
            Fax: 01446 794 994
            International Tel: +44 1446 795 839

            email: chuck.amadi@...

            This email is confidential to the addressee only. If you do not believe
            that you are the intended recipient, do not pass it on or copy it in any
            way. Please delete it immediately.
          • Chuck Amadi
            Message 5 of 11 , Mar 1, 2007
              Hi

              I am sorry you have lost me.

              Your mail servers that act as relays should point to your mail relay
              server and within the main.cf on the mail relay server add "!"
              exclamation marks to suit.
              Those that are allowed, just add the IP address within the mynetworks
              directive. There is also another tool you can use called nullmailer as a
              simple and secure mail programme. The aim is to have a command line
              program, sendmail, as the only way to send mail; good for web servers, thus
              you can tighten things up
              so only root can send mail and only to your mail relay server. There was a
              post on the postfix mailing list recommending this program.

              Blurb

              Nullmailer is a sendmail/qmail/etc replacement MTA for hosts which relay
              to a fixed set of smart relays. It is designed to be simple to
              configure, secure, and easily extendable.

              http://freshmeat.net/projects/nullmailer/

              Cheers

              --
              Chuck Amadi
            • Eray Aslan
              Message 6 of 11 , Mar 1, 2007
                Chuck Amadi wrote:
                > Just adding my 50 cents that is what we had implemented to aid domains
                > that you don't want relay mail to add "!" mark before the ip address
                > using the mynetworks directive as below.
                >
                > # Contains "!" entries for clients we do not want to relay through here
                > even though they are our clients.
                > # So add "!" before the ip address of your server in question.
                > mynetowroks = www.xxx.www.zzz, !aaa.bbb.ccc.ddd

                That is fine as long as aaa.bbb.ccc.ddd is not in the IP range covered
                by www.xxx.www.zzz

                mynetowroks? Check your main.cf if you did a copy and paste.

                --
                Eray
              • KENNEDY VAN DAM Eric
                Message 7 of 11 , Mar 1, 2007

                  Ok... I'll try to be more explicit :)


                  Server1 _
                  Server2 _\ _______ Internal-Mail-server
                  Server3 __\______ Internal-relay _/
                  Server4 __/ \_______ External-Relay
                  Server5 _/

                  All the servers MUST use Internal-relay
                  Let's say Server1 and Server4 are the only servers who are allowed to relay to Internal-Mail-server AND to Internet via External-Relay. The others can only send internal mail to @..., @..., @... via Internal-Mail-server

                  Can this work?
                  In main.cf:
                  -----------

                  Smtpd_restrictions_classes = insiders,outsiders
                  Insiders = check_recipient_access map:/etc/postfix/mail-domains, reject_unauth_destination
                  Outsiders = permit_mynetwork
                  Smtpd_recipient_restrictions = check_client_access map:/etc/postfix/insiders-outsiders

                  In /etc/postfix/insiders-outsiders:
                  -----------------------------------
                  Server1 outsiders
                  Server2 insiders
                  Server3 insiders
                  Server4 outsiders
                  Server5 insiders

                  In /etc/postfix/mail-domains:
                  -----------------------------
                  @... ACCEPT
                  @... ACCEPT
                  @... ACCEPT

                  If it won't work, what can you suggest? Maybe something easier?
                  Thanks anyway

                  --
                  Kennedy van Dam Eric
                  Unix/Storage Team
                  Phone: +32 (0)2 529 3375
                  Mail: eric.kennedyvandam@...
                • mouss
                  Message 8 of 11 , Mar 1, 2007
                    KENNEDY VAN DAM Eric wrote:
                    > Ok... I'll try to be more explicit :)
                    >
                    >
                    > Server1 _
                    > Server2 _\ _______ Internal-Mail-server
                    > Server3 __\______ Internal-relay _/
                    > Server4 __/ \_______ External-Relay
                    > Server5 _/
                    >
                    > All the servers MUST use Internal-relay
                    > Let's say Server1 and Server4 are the only servers who are allowed to relay to Internal-Mail-server AND to Internet via External-Relay. The others can only send internal mail to @..., @..., @... via Internal-Mail-server
                    >
                    > Can this works ?
                    > In main.cf:
                    > -----------
                    >
                    > Smtpd_restrictions_classes = insiders,outsiders
                    > Insiders = check_recipient_access map:/etc/postfix/mail-domains, reject_unauth_destination
                    >
                    remove reject_unauth_destination from here.

                    > Outsiders = permit_mynetwork
                    > Smtpd_recipient_restrictions = check_client_access map:/etc/postfix/insiders-outsiders
                    >

                    add reject_unauth_destination here.

                    Hint1: what would postfix do for clients that are not listed in your
                    insiders-outsiders?
                    Hint2: postfix doesn't accept (even if only apparently) open
                    smtpd_recipient_restrictions

                    > In /etc/postfix/insiders-outsiders:
                    > -----------------------------------
                    > Server1 outsiders
                    > Server2 insiders
                    > Server3 insiders
                    > Server4 outsiders
                    > Server5 insiders
                    >
                    > In /etc/postfix/mail-domains:
                    > -----------------------------
                    > @... ACCEPT
                    > @... ACCEPT
                    > @... ACCEPT
                    >

                    remove the '@'. reread the access man page for the format of entries.
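As an added example (not code from the thread or from Postfix), this models how smtpd would evaluate Eric's restriction classes once mouss's two corrections are applied: reject_unauth_destination taken out of the insiders class and appended to smtpd_recipient_restrictions, and the mail-domains keys written without the '@'. The IP addresses, domains and the relay_domains set are constructed stand-ins; permit_mynetworks is modelled as a set of individually listed IPs, as Noel describes later in the thread, and the access(5) lookup is simplified to the full address followed by domain and parent-domain keys.

```python
"""Model of the restriction-class policy from this thread with mouss's two
corrections applied. Added example, not code from the thread or from Postfix;
all addresses and domains below are constructed stand-ins."""

# /etc/postfix/insiders-outsiders, as consulted by check_client_access
# (Server1..Server5 mapped to constructed IPs).
INSIDERS_OUTSIDERS = {
    "10.0.0.1": "outsiders",   # Server1
    "10.0.0.2": "insiders",    # Server2
    "10.0.0.3": "insiders",    # Server3
    "10.0.0.4": "outsiders",   # Server4
    "10.0.0.5": "insiders",    # Server5
}
# /etc/postfix/mail-domains, as consulted by check_recipient_access.
# Keys are bare domains (no leading '@'); the access(5) action is OK.
MAIL_DOMAINS = {
    "corp.example": "OK",
    "lab.example": "OK",
    "partner.example": "OK",   # reachable for insiders only through this map
}
# permit_mynetworks for the outsiders: individual IPs, hash-file style.
MYNETWORKS = {"10.0.0.1", "10.0.0.4"}
# Domains reject_unauth_destination lets any client relay to (relay_domains).
RELAY_DOMAINS = {"corp.example", "lab.example"}


def recipient_access(recipient):
    """access(5)-style lookup for check_recipient_access: the full address
    first, then the domain and each parent domain (parent-domain matching is
    the default for smtpd access maps). The 'user@' lookup is omitted here."""
    if recipient in MAIL_DOMAINS:
        return MAIL_DOMAINS[recipient]
    labels = recipient.rpartition("@")[2].split(".")
    for i in range(len(labels)):
        action = MAIL_DOMAINS.get(".".join(labels[i:]))
        if action is not None:
            return action
    return None


def evaluate(client_ip, recipient):
    """Return 'OK' or 'REJECT' for the corrected policy:

        smtpd_restriction_classes = insiders, outsiders
        insiders  = check_recipient_access hash:/etc/postfix/mail-domains
        outsiders = permit_mynetworks
        smtpd_recipient_restrictions =
            check_client_access hash:/etc/postfix/insiders-outsiders,
            reject_unauth_destination

    A class that reaches its end without a decision yields DUNNO, so the
    request falls through to reject_unauth_destination at the end."""
    cls = INSIDERS_OUTSIDERS.get(client_ip)   # Hint1: unlisted client -> DUNNO
    if cls == "insiders":
        if recipient_access(recipient) == "OK":
            return "OK"
    elif cls == "outsiders":
        if client_ip in MYNETWORKS:
            return "OK"
    # reject_unauth_destination: only domains this relay is responsible for.
    domain = recipient.rpartition("@")[2]
    return "OK" if domain in RELAY_DOMAINS else "REJECT"


if __name__ == "__main__":
    for ip, rcpt in (("10.0.0.2", "alice@corp.example"),
                     ("10.0.0.2", "bob@example.net"),
                     ("10.0.0.1", "bob@example.net"),
                     ("10.0.0.9", "bob@example.net"),
                     ("10.0.0.3", "carol@partner.example")):
        print(f"{ip:9} -> {rcpt:24} {evaluate(ip, rcpt)}")
```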
                  • KENNEDY VAN DAM Eric
                    Message 9 of 11 , Mar 6, 2007
                      > >
                      > >
                      > > Server1 _
                      > > Server2 _\ _______ Internal-Mail-server
                      > > Server3 __\______ Internal-relay _/
                      > > Server4 __/ \_______ External-Relay
                      > > Server5 _/
                      >
                      > Is "Internal-relay" a postfix system? Then you can still
                      > achieve this with
                      >
                      > mynetworks = !Server2, !Server3, !Server5, server-subnet/24
                      >
                      > smtpd_recipient_restrictions = permit_mynetworks
                      > reject_unauth_destination
                      >
                      > on that system. Your internal domain must be in relay_domains. Then
                      > Servers 2, 3 and 5 will be able to mail internally, Server1
                      > and 4 will be
                      > able to send to the internet.
                      >
                      > I would not use sender addresses for that because these can
                      > easily be forged.
                      >
                      > Regards, Jan
                      >
                      >

                      Ok, I see. I need to modify my configuration as well. Still one
                      question:

                      Can I define 2 files in mynetworks like this:

                      mynetworks = !hash:/etc/postfix/insiders, hash:/etc/postfix/outsiders

                      With IP addresses in the files?

                      Will this work or should I define
                      mynetworks = hash:/etc/postfix/insiders , hash:/etc/postfix/outsiders
                      With "!ip_addresses" in the insiders file and "ip_addresses" in the
                      outsiders file?

                      Thanks for your help.
                      --
                      Kennedy van Dam Eric
                      Unix/Storage Team
                      Phone: +32 (0)2 529 3375
                      Mail: eric.kennedyvandam@...
                    • Noel Jones
                      Message 10 of 11 , Mar 6, 2007
                        At 03:21 AM 3/6/2007, KENNEDY VAN DAM Eric wrote:
                        >Ok, I see. I need to modify my configuration as well. Still one
                        >question:
                        >
                        >Can I define 2 files in mynetworks like this :
                        >
                        > mynetworks = !hash:/etc/postfix/insiders, hash:/etc/postfix/outsiders

                        Yes, that will work with postfix 2.4 or later. (postfix 2.4 required
                        for !/file/name)

                        >Will this work or should I define
                        > mynetworks = hash:/etc/postfix/insiders , hash:/etc/postfix/outsiders

                        With a hash file, each IP is listed individually. Just leave out the
                        IPs you don't want included.

                        --
                        Noel Jones