Re: smtpd_restriction_classes Question

  • Eray Aslan
    Message 1 of 11 , Mar 1, 2007
      Jan P. Kessler wrote:
      >> I've bought the O'Reilly book about Postfix and I see that I can create
      >> my own restriction classes.
      >> My question is the following: can I use this to choose which computer
      >> are allowed to use my relay server to send mail to Internet and which
      >> are not ?
      >
      > You can BUT you don't need that nuclear rocket to kill some sparrows ;)
      > Just set your mynetworks correctly:
      >
      > mynetworks = 192.168.1.0/24, !192.168.1.2, !192.168.1.3
      > smtpd_recipient_restrictions = permit_mynetworks
      > reject_unauth_destination
      >
      > This allows relaying to 192.168.1/24 but not for .2 and .3. If the list
      > grows you can put that information into files (i'd suggest "cidr" type
      > dbs).

      From postconf(5) regarding mynetworks:

      [...]
      The list is matched left to right, and the search stops on the first match.
      [...]

      You need to reverse the order. !192.168.1.2/32 192.168.1.0/24

      --
      Eray
    • KENNEDY VAN DAM Eric
      Message 2 of 11 , Mar 1, 2007
        > -----Original Message-----
        > From : Jan P. Kessler [mailto:postfix@...]
        > Sent : Thursday 1 March 2007 10:01
        > To : KENNEDY VAN DAM Eric
        > Cc : postfix
        > Subject : Re: smtpd_restriction_classes Question
        >
        > > I've bought the O'Reilly book about Postfix and I see that
        > I can create
        > > my own restriction classes.
        > > My question is the following: can I use this to choose
        > which computer
        > > are allowed to use my relay server to send mail to Internet
        > and which
        > > are not ?
        >
        > You can BUT you don't need that nuclear rocket to kill some
        > sparrows ;)
        > Just set your mynetworks correctly:
        >
        > mynetworks = 192.168.1.0/24, !192.168.1.2, !192.168.1.3
        > smtpd_recipient_restrictions = permit_mynetworks
        > reject_unauth_destination
        >
        > This allows relaying to 192.168.1/24 but not for .2 and .3.
        > If the list
        > grows you can put that information into files (i'd suggest "cidr" type
        > dbs).
        >
        > note: you might want to add some other fancy restrictions.

        Sure, but it is not so simple.
        My mail relay is already configured to only allow some servers to relay, but... all of them can relay to the main mail server and only some of them can relay to the outside (using the external mail relay).

        --
        Kennedy van Dam Eric
        Unix/Storage Team
        Phone: +32 (0)2 529 3375
        Mail: eric.kennedyvandam@...
      • Chuck Amadi
        Message 3 of 11 , Mar 1, 2007
          Hi Eray Aslan

          Just adding my 50 cents: that is what we had implemented. To aid domains
          that you don't want to relay mail for, add a "!" mark before the IP address
          using the mynetworks directive as below.

          # Contains "!" entries for clients we do not want to relay through here
          # even though they are our clients.
          # So add "!" before the ip address of your server in question.
          mynetowroks = www.xxx.www.zzz, !aaa.bbb.ccc.ddd

          It's clean and simple

          Ta

          Chuck


          wrote:
          > Jan P. Kessler wrote:
          >
          >>> I've bought the O'Reilly book about Postfix and I see that I can create
          >>> my own restriction classes.
          >>> My question is the following: can I use this to choose which computer
          >>> are allowed to use my relay server to send mail to Internet and which
          >>> are not ?
          >>>
          >> You can BUT you don't need that nuclear rocket to kill some sparrows ;)
          >> Just set your mynetworks correctly:
          >>
          >> mynetworks = 192.168.1.0/24, !192.168.1.2, !192.168.1.3
          >> smtpd_recipient_restrictions = permit_mynetworks
          >> reject_unauth_destination
          >>
          >> This allows relaying to 192.168.1/24 but not for .2 and .3. If the list
          >> grows you can put that information into files (i'd suggest "cidr" type
          >> dbs).
          >>
          >
          > From postconf(5) regarding mynetworks:
          >
          > [...]
          > The list is matched left to right, and the search stops on the first match.
          > [...]
          >
          > You need to reverse the order. !192.168.1.2/32 192.168.1.0/24
          >
          >


          --
          Chuck Amadi
          ROK Corporation Limited
          Ty ROK,
          Dyffryn Business Park,
          Llantwit Major Road,
          Llandow,
          Vale Of Glamorgan.
          CF71 7PY

          Tel: 01446 795 839
          Fax: 01446 794 994
          International Tel: +44 1446 795 839

          email: chuck.amadi@...

          This email is confidential to the addressee only. If you do not believe
          that you are the intended recipient, do not pass it on or copy it in any
          way. Please delete it immediately.
        • Chuck Amadi
          Message 4 of 11 , Mar 1, 2007
            Hi

            I am sorry, you have lost me.

            Your mail servers that act as relays should point to your mail relay
            server, and within the main.cf on the mail relay server add "!"
            exclamation marks to suit.
            For those that are allowed, just add the IP address within the mynetworks
            directive. There is also another tool you can use called nullmailer, a
            simple and secure mail programme. The aim is to have a command line
            program, sendmail, as the only way to send mail; good for web servers, thus
            you can tighten things up
            so only root can send mail and only to your mail relay server. There was a
            post on the postfix mailing list recommending this program.

            Blurb

            Nullmailer is a sendmail/qmail/etc replacement MTA for hosts which relay
            to a fixed set of smart relays. It is designed to be simple to
            configure, secure, and easily extendable.

            http://freshmeat.net/projects/nullmailer/

            Cheers

            Chuck Amadi wrote:
            > Hi Eray Aslan
            >
            > Just adding my 50 cents that is what we had implemented to aid domains
            > that you don't want relay mail to add "!" mark before the ip address
            > using the mynetworks directive as below.
            >
            > # Contains "!" entries for clients we do not want to relay through
            > here even though they are our clients.
            > # So add "!" before the ip address of your server in question.
            > mynetowroks = www.xxx.www.zzz, !aaa.bbb.ccc.ddd
            >
            > It's clean and simple
            >
            > Ta
            >
            > Chuck
            >
            >
            > wrote:
            >> Jan P. Kessler wrote:
            >>
            >>>> I've bought the O'Reilly book about Postfix and I see that I can
            >>>> create
            >>>> my own restriction classes.
            >>>> My question is the following: can I use this to choose which computer
            >>>> are allowed to use my relay server to send mail to Internet and which
            >>>> are not ?
            >>>>
            >>> You can BUT you don't need that nuclear rocket to kill some sparrows ;)
            >>> Just set your mynetworks correctly:
            >>>
            >>> mynetworks = 192.168.1.0/24, !192.168.1.2, !192.168.1.3
            >>> smtpd_recipient_restrictions = permit_mynetworks
            >>> reject_unauth_destination
            >>>
            >>> This allows relaying to 192.168.1/24 but not for .2 and .3. If the list
            >>> grows you can put that information into files (i'd suggest "cidr" type
            >>> dbs).
            >>>
            >>
            >> From postconf(5) regarding mynetworks:
            >>
            >> [...]
            >> The list is matched left to right, and the search stops on the first
            >> match.
            >> [...]
            >>
            >> You need to reverse the order. !192.168.1.2/32 192.168.1.0/24
            >>
            >>
            >
            >


          • Eray Aslan
            Message 5 of 11 , Mar 1, 2007
              Chuck Amadi wrote:
              > Just adding my 50 cents that is what we had implemented to aid domains
              > that you don't want relay mail to add "!" mark before the ip address
              > using the mynetworks directive as below.
              >
              > # Contains "!" entries for clients we do not want to relay through here
              > even though they are our clients.
              > # So add "!" before the ip address of your server in question.
              > mynetowroks = www.xxx.www.zzz, !aaa.bbb.ccc.ddd

              That is fine as long as aaa.bbb.ccc.ddd is not in the IP range covered
              by www.xxx.www.zzz

              mynetowroks? Check your main.cf if you did a copy and paste.

              --
              Eray
            • KENNEDY VAN DAM Eric
              Message 6 of 11 , Mar 1, 2007
                > -----Original Message-----
                > From : KENNEDY VAN DAM Eric
                > Sent : Thursday 1 March 2007 11:34
                > To : postfix
                > Subject : RE: smtpd_restriction_classes Question
                >
                >
                > > -----Original Message-----
                > > From : Jan P. Kessler [mailto:postfix@...]
                > > Sent : Thursday 1 March 2007 10:01
                > > To : KENNEDY VAN DAM Eric
                > > Cc : postfix
                > > Subject : Re: smtpd_restriction_classes Question
                > >
                > > > I've bought the O'Reilly book about Postfix and I see that
                > > I can create
                > > > my own restriction classes.
                > > > My question is the following: can I use this to choose
                > > which computer
                > > > are allowed to use my relay server to send mail to Internet
                > > and which
                > > > are not ?
                > >
                > > You can BUT you don't need that nuclear rocket to kill some
                > > sparrows ;)
                > > Just set your mynetworks correctly:
                > >
                > > mynetworks = 192.168.1.0/24, !192.168.1.2, !192.168.1.3
                > > smtpd_recipient_restrictions = permit_mynetworks
                > > reject_unauth_destination
                > >
                > > This allows relaying to 192.168.1/24 but not for .2 and .3.
                > > If the list
                > > grows you can put that information into files (i'd suggest
                > "cidr" type
                > > dbs).
                > >
                > > note: you might want to add some other fancy restrictions.
                >
                > Sure but it is not so simple.
                > My mail relay is already configured ton only allow some
                > servers to relay but... All of them can relay to the main
                > mail server and only some of them can relay to the outside
                > (using the external mail relay).

                Ok... I'll try to be more explicit :)


                Server1 _
                Server2 _\ _______ Internal-Mail-server
                Server3 __\______ Internal-relay _/
                Server4 __/ \_______ External-Relay
                Server5 _/

                All the servers MUST use Internal-relay
                Let's say Server1 and Server4 are the only servers who are allowed to relay to Internal-Mail-server AND to Internet via External-Relay. The others can only send internal mail to @..., @..., @... via Internal-Mail-server

                Can this work?
                In main.cf:
                -----------

                smtpd_restriction_classes = insiders, outsiders
                insiders = check_recipient_access hash:/etc/postfix/mail-domains, reject_unauth_destination
                outsiders = permit_mynetworks
                smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/insiders-outsiders

                In /etc/postfix/insiders-outsiders:
                -----------------------------------
                Server1 outsiders
                Server2 insiders
                Server3 insiders
                Server4 outsiders
                Server5 insiders

                In /etc/postfix/mail-domains:
                -----------------------------
                @... ACCEPT
                @... ACCEPT
                @... ACCEPT

                If it won't work, what can you suggest ? Maybe something easier ?
                Thanks anyway

                --
                Kennedy van Dam Eric
                Unix/Storage Team
                Phone: +32 (0)2 529 3375
                Mail: eric.kennedyvandam@...
              • mouss
                Message 7 of 11 , Mar 1, 2007
                  KENNEDY VAN DAM Eric wrote:
                  >
                  >
                  >> -----Original Message-----
                  >> From : KENNEDY VAN DAM Eric
                  >> Sent : Thursday 1 March 2007 11:34
                  >> To : postfix
                  >> Subject : RE: smtpd_restriction_classes Question
                  >>
                  >>
                  >>
                  >>> -----Original Message-----
                  >>> From : Jan P. Kessler [mailto:postfix@...]
                  >>> Sent : Thursday 1 March 2007 10:01
                  >>> To : KENNEDY VAN DAM Eric
                  >>> Cc : postfix
                  >>> Subject : Re: smtpd_restriction_classes Question
                  >>>
                  >>>
                  >>>> I've bought the O'Reilly book about Postfix and I see that
                  >>>>
                  >>> I can create
                  >>>
                  >>>> my own restriction classes.
                  >>>> My question is the following: can I use this to choose
                  >>>>
                  >>> which computer
                  >>>
                  >>>> are allowed to use my relay server to send mail to Internet
                  >>>>
                  >>> and which
                  >>>
                  >>>> are not ?
                  >>>>
                  >>> You can BUT you don't need that nuclear rocket to kill some
                  >>> sparrows ;)
                  >>> Just set your mynetworks correctly:
                  >>>
                  >>> mynetworks = 192.168.1.0/24, !192.168.1.2, !192.168.1.3
                  >>> smtpd_recipient_restrictions = permit_mynetworks
                  >>> reject_unauth_destination
                  >>>
                  >>> This allows relaying to 192.168.1/24 but not for .2 and .3.
                  >>> If the list
                  >>> grows you can put that information into files (i'd suggest
                  >>>
                  >> "cidr" type
                  >>
                  >>> dbs).
                  >>>
                  >>> note: you might want to add some other fancy restrictions.
                  >>>
                  >> Sure but it is not so simple.
                  >> My mail relay is already configured ton only allow some
                  >> servers to relay but... All of them can relay to the main
                  >> mail server and only some of them can relay to the outside
                  >> (using the external mail relay).
                  >>
                  >
                  > Ok... I'll try to be more explicit :)
                  >
                  >
                  > Server1 _
                  > Server2 _\ _______ Internal-Mail-server
                  > Server3 __\______ Internal-relay _/
                  > Server4 __/ \_______ External-Relay
                  > Server5 _/
                  >
                  > All the servers MUST use Internal-relay
                  > Let's say Server1 and Server4 are the only servers who are allowed to relay to Internal-Mail-server AND to Internet via External-Relay. The others can only send internal mail to @..., @..., @... via Internal-Mail-server
                  >
                  > Can this works ?
                  > In main.cf:
                  > -----------
                  >
                  > Smtpd_restrictions_classes = insiders,outsiders
                  > Insiders = check_recipient_access map:/etc/postfix/mail-domains, reject_unauth_destination
                  >
                  remove reject_unauth_destination from here.

                  > Outsiders = permit_mynetwork
                  > Smtpd_recipient_restrictions = check_client_access map:/etc/postfix/insiders-outsiders
                  >

                  add reject_unauth_destination here.

                  Hint1: what would postfix do for clients that are not listed in your
                  insiders-outsiders?
                  Hint2: postfix doesn't accept (even if only apparently) open
                  smtpd_recipient_restrictions

                  > In /etc/postfix/insiders-outsiders:
                  > -----------------------------------
                  > Server1 outsiders
                  > Server2 insiders
                  > Server3 insiders
                  > Server4 outsiders
                  > Server5 insiders
                  >
                  > In /etc/postfix/mail-domains:
                  > -----------------------------
                  > @... ACCEPT
                  > @... ACCEPT
                  > @... ACCEPT
                  >

                  remove the '@'. reread the access man page for the format of entries.
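As an added illustration (not code from this thread or from Postfix itself), a small Python model of the two evaluation rules the replies turn on: Eray's point that mynetworks is scanned left to right and stops at the first match, so a "!" exclusion must precede the subnet it carves out, and mouss's corrected restriction-class layout with reject_unauth_destination at the end of the top-level list. The 10.0.0.x addresses, the corp.example domain and the inline access tables are constructed placeholders, and access lookups are simplified to exact-key matches.

```python
# Added example, not code from this thread: a simplified model of how Postfix
# scans mynetworks (first match decides) and evaluates a restriction-class
# layout. Addresses, corp.example and the tables are constructed placeholders.
import ipaddress


def mynetworks_match(mynetworks, client_ip):
    """First pattern covering the client decides; a '!' pattern decides 'no'."""
    ip = ipaddress.ip_address(client_ip)
    for pattern in mynetworks:
        negated = pattern.startswith("!")
        net = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
        if ip in net:
            return not negated
    return False  # listed nowhere: not a trusted client


def evaluate(cfg, client_ip, recipient):
    """Walk smtpd_recipient_restrictions; return (action, deciding rule).

    Access tables use exact-key (hash:) semantics: OK/REJECT decide, a
    restriction-class name expands to that class's list, a missing key is
    DUNNO and evaluation continues with the next rule."""
    domain = recipient.rsplit("@", 1)[1].lower()

    def walk(restrictions):
        for rule in restrictions:
            if rule == "permit_mynetworks":
                if mynetworks_match(cfg["mynetworks"], client_ip):
                    return "OK", rule
            elif rule == "reject_unauth_destination":
                if domain not in cfg["relay_domains"]:
                    return "REJECT", rule
            elif isinstance(rule, tuple):  # (check_*_access, table)
                kind, table = rule
                key = client_ip if kind == "check_client_access" else domain
                result = table.get(key)
                if result in cfg["smtpd_restriction_classes"]:
                    verdict = walk(cfg["smtpd_restriction_classes"][result])
                    if verdict:  # None means the whole class was DUNNO
                        return verdict
                elif result in ("OK", "REJECT"):
                    return result, f"{kind}:{key}"
            else:
                raise ValueError(f"unsupported restriction {rule!r}")
        return None

    # Falling off the end of the top-level list permits; that is safe only
    # because reject_unauth_destination has already filtered foreign domains.
    return walk(cfg["smtpd_recipient_restrictions"]) or ("OK", "end_of_list")


# Eric's layout with mouss's corrections: reject_unauth_destination moved out
# of 'insiders' to the end of the top-level list, recipient table keyed by
# bare domain. 10.0.0.1/.4 may reach the Internet; .2/.3/.5 only corp.example.
CONFIG = {
    "mynetworks": ["10.0.0.0/24"],
    "relay_domains": {"corp.example"},
    "smtpd_restriction_classes": {
        "insiders": [("check_recipient_access", {"corp.example": "OK"})],
        "outsiders": ["permit_mynetworks"],
    },
    "smtpd_recipient_restrictions": [
        ("check_client_access", {"10.0.0.1": "outsiders", "10.0.0.2": "insiders",
                                 "10.0.0.3": "insiders", "10.0.0.4": "outsiders",
                                 "10.0.0.5": "insiders"}),
        "reject_unauth_destination",
    ],
}
```

Running mynetworks_match with the subnet listed before the "!" entries shows the excluded host still matching, which is the ordering mistake Eray points out; a client absent from the insiders-outsiders table (mouss's Hint1) can only reach relay_domains because reject_unauth_destination is the last top-level rule.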
                • KENNEDY VAN DAM Eric
                  Message 8 of 11 , Mar 6, 2007
                    > >
                    > >
                    > > Server1 _
                    > > Server2 _\ _______ Internal-Mail-server
                    > > Server3 __\______ Internal-relay _/
                    > > Server4 __/ \_______ External-Relay
                    > > Server5 _/
                    >
                    > Is "Internal-relay" a postfix system? Then you can still
                    > achieve this with
                    >
                    > mynetworks = !Server2, !Server3, !Server5, server-subnet/24
                    >
                    > smtpd_recipient_restrictions = permit_mynetworks
                    > reject_unauth_destination
                    >
                    > on that system. Your internal domain must be in relay_domains. Then
                    > Servers 2, 3 and 5 will be able to mail internally, Server1
                    > and 4 will be
                    > able to send to the internet.
                    >
                    > I would not use sender addresses for that because these can
                    > easily be forged.
                    >
                    > Regards, Jan
                    >
                    >

                    Ok, I see. I need to modify my configuration as well. Still one
                    question:

                    Can I define 2 files in mynetworks like this:

                    mynetworks = !hash:/etc/postfix/insiders, hash:/etc/postfix/outsiders

                    With IP addresses in the files?

                    Will this work, or should I define
                    mynetworks = hash:/etc/postfix/insiders , hash:/etc/postfix/outsiders
                    With "!ip_addresses" in the insiders file and "ip_addresses" in the
                    outsiders file?

                    Thanks for your help.
                    --
                    Kennedy van Dam Eric
                    Unix/Storage Team
                    Phone: +32 (0)2 529 3375
                    Mail: eric.kennedyvandam@...
                  • Noel Jones
                    Message 9 of 11 , Mar 6, 2007
                      At 03:21 AM 3/6/2007, KENNEDY VAN DAM Eric wrote:
                      > > >
                      >Ok, I see. I need to modify my configuration as well. Still one
                      >question:
                      >
                      >Can I define 2 files in mynetworks like this :
                      >
                      > mynetworks = !hash:/etc/postfix/insiders, hash:/etc/postfix/outsiders

                      Yes, that will work with postfix 2.4 or later. (postfix 2.4 required
                      for !/file/name)

                      >Will this work or should I define
                      > mynetworks = hash:/etc/postfix/insiders , hash:/etc/postfix/outsiders

                      With a hash file, each IP is listed individually. Just leave out the
                      IPs you don't want included.

                      --
                      Noel Jones