Re: smtpd_restriction_classes Question

  • Chuck Amadi
    Message 1 of 11 , Mar 1, 2007
      Hi

      I am sorry you have lost me.

      Your mail servers that act as relays should point to your mail relay
      server and within the main.cf on the mail relay server add "!"
      exclamation marks to suit.
      Those that are allowed just add ip address within the mynetworks
      directive there is also another tool you can use called nullmailer as a
      simple and secure mail programme. The aim is to have a command line
      program sendmail as the only way to send mail good for web servers thus
      you can tighten things up
      So only root can send mail and only to your mail relay server there was a
      post on postfix mailing list recommending this program

      Blurb

      Nullmailer is a sendmail/qmail/etc replacement MTA for hosts which relay
      to a fixed set of smart relays. It is designed to be simple to
      configure, secure, and easily extendable.

      http://freshmeat.net/projects/nullmailer/

      Cheers

      Chuck Amadi wrote:
      > Hi Eray Aslan
      >
      > Just adding my 50 cents that is what we had implemented to aid domains
      > that you don't want relay mail to add "!" mark before the ip address
      > using the mynetworks directive as below.
      >
      > # Contains "!" entries for clients we do not want to relay through
      > here even though they are our clients.
      > # So add "!" before the ip address of your server in question.
      > mynetowroks = www.xxx.www.zzz, !aaa.bbb.ccc.ddd
      >
      > It's clean and simple
      >
      > Ta
      >
      > Chuck
      >
      >
      > wrote:
      >> Jan P. Kessler wrote:
      >>
      >>>> I've bought the O'Reilly book about Postfix and I see that I can
      >>>> create
      >>>> my own restriction classes.
      >>>> My question is the following: can I use this to choose which computer
      >>>> are allowed to use my relay server to send mail to Internet and which
      >>>> are not ?
      >>>>
      >>> You can BUT you don't need that nuclear rocket to kill some sparrows ;)
      >>> Just set your mynetworks correctly:
      >>>
      >>> mynetworks = 192.168.1.0/24, !192.168.1.2, !192.168.1.3
      >>> smtpd_recipient_restrictions = permit_mynetworks
      >>> reject_unauth_destination
      >>>
      >>> This allows relaying to 192.168.1/24 but not for .2 and .3. If the list
      >>> grows you can put that information into files (i'd suggest "cidr" type
      >>> dbs).
      >>>
      >>
      >> From postconf(5) regarding mynetworks:
      >>
      >> [...]
      >> The list is matched left to right, and the search stops on the first
      >> match.
      >> [...]
      >>
      >> You need to reverse the order. !192.168.1.2/32 192.168.1.0/24
      >>
      >>
      >
      >


      --
      Chuck Amadi
      ROK Corporation Limited
      Ty ROK,
      Dyffryn Business Park,
      Llantwit Major Road,
      Llandow,
      Vale Of Glamorgan.
      CF71 7PY

      Tel: 01446 795 839
      Fax: 01446 794 994
      International Tel: +44 1446 795 839

      email: chuck.amadi@...

    • Eray Aslan
      Message 2 of 11 , Mar 1, 2007
        Chuck Amadi wrote:
        > Just adding my 50 cents that is what we had implemented to aid domains
        > that you don't want relay mail to add "!" mark before the ip address
        > using the mynetworks directive as below.
        >
        > # Contains "!" entries for clients we do not want to relay through here
        > even though they are our clients.
        > # So add "!" before the ip address of your server in question.
        > mynetowroks = www.xxx.www.zzz, !aaa.bbb.ccc.ddd

        That is fine as long as aaa.bbb.ccc.ddd is not in the IP range covered
        by www.xxx.www.zzz

        mynetowroks? Check your main.cf if you did a copy and paste.

        --
        Eray
      • KENNEDY VAN DAM Eric
        Message 3 of 11 , Mar 1, 2007
          > -----Original Message-----
          > From: KENNEDY VAN DAM Eric
          > Sent: Thursday, 1 March 2007 11:34
          > To: postfix
          > Subject: RE: smtpd_restriction_classes Question
          >
          >
          > > -----Original Message-----
          > > From: Jan P. Kessler [mailto:postfix@...]
          > > Sent: Thursday, 1 March 2007 10:01
          > > To: KENNEDY VAN DAM Eric
          > > Cc: postfix
          > > Subject: Re: smtpd_restriction_classes Question
          > >
          > > > I've bought the O'Reilly book about Postfix and I see that
          > > I can create
          > > > my own restriction classes.
          > > > My question is the following: can I use this to choose
          > > which computer
          > > > are allowed to use my relay server to send mail to Internet
          > > and which
          > > > are not ?
          > >
          > > You can BUT you don't need that nuclear rocket to kill some
          > > sparrows ;)
          > > Just set your mynetworks correctly:
          > >
          > > mynetworks = 192.168.1.0/24, !192.168.1.2, !192.168.1.3
          > > smtpd_recipient_restrictions = permit_mynetworks
          > > reject_unauth_destination
          > >
          > > This allows relaying to 192.168.1/24 but not for .2 and .3.
          > > If the list
          > > grows you can put that information into files (i'd suggest
          > "cidr" type
          > > dbs).
          > >
          > > note: you might want to add some other fancy restrictions.
          >
          > Sure but it is not so simple.
          > My mail relay is already configured to only allow some
          > servers to relay but... All of them can relay to the main
          > mail server and only some of them can relay to the outside
          > (using the external mail relay).

          Ok... I'll try to be more explicit :)


          Server1 _
          Server2 _\ _______ Internal-Mail-server
          Server3 __\______ Internal-relay _/
          Server4 __/ \_______ External-Relay
          Server5 _/

          All the servers MUST use Internal-relay
          Let's say Server1 and Server4 are the only servers who are allowed to relay to Internal-Mail-server AND to Internet via External-Relay. The others can only send internal mail to @..., @..., @... via Internal-Mail-server

          Can this work?
          In main.cf:
          -----------

          smtpd_restriction_classes = insiders, outsiders
          insiders = check_recipient_access hash:/etc/postfix/mail-domains, reject_unauth_destination
          outsiders = permit_mynetworks
          smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/insiders-outsiders

          In /etc/postfix/insiders-outsiders:
          -----------------------------------
          Server1 outsiders
          Server2 insiders
          Server3 insiders
          Server4 outsiders
          Server5 insiders

          In /etc/postfix/mail-domains:
          -----------------------------
          @... ACCEPT
          @... ACCEPT
          @... ACCEPT

          If it won't work, what can you suggest? Maybe something easier?
          Thanks anyway

          --
          Kennedy van Dam Eric
          Unix/Storage Team
          Phone: +32 (0)2 529 3375
          Mail: eric.kennedyvandam@...
        • mouss
          Message 4 of 11 , Mar 1, 2007
            KENNEDY VAN DAM Eric wrote:
            >
            >
            >> -----Original Message-----
            >> From: KENNEDY VAN DAM Eric
            >> Sent: Thursday, 1 March 2007 11:34
            >> To: postfix
            >> Subject: RE: smtpd_restriction_classes Question
            >>
            >>
            >>
            >>> -----Original Message-----
            >>> From: Jan P. Kessler [mailto:postfix@...]
            >>> Sent: Thursday, 1 March 2007 10:01
            >>> To: KENNEDY VAN DAM Eric
            >>> Cc: postfix
            >>> Subject: Re: smtpd_restriction_classes Question
            >>>
            >>>
            >>>> I've bought the O'Reilly book about Postfix and I see that
            >>>>
            >>> I can create
            >>>
            >>>> my own restriction classes.
            >>>> My question is the following: can I use this to choose
            >>>>
            >>> which computer
            >>>
            >>>> are allowed to use my relay server to send mail to Internet
            >>>>
            >>> and which
            >>>
            >>>> are not ?
            >>>>
            >>> You can BUT you don't need that nuclear rocket to kill some
            >>> sparrows ;)
            >>> Just set your mynetworks correctly:
            >>>
            >>> mynetworks = 192.168.1.0/24, !192.168.1.2, !192.168.1.3
            >>> smtpd_recipient_restrictions = permit_mynetworks
            >>> reject_unauth_destination
            >>>
            >>> This allows relaying to 192.168.1/24 but not for .2 and .3.
            >>> If the list
            >>> grows you can put that information into files (i'd suggest
            >>>
            >> "cidr" type
            >>
            >>> dbs).
            >>>
            >>> note: you might want to add some other fancy restrictions.
            >>>
            >> Sure but it is not so simple.
            >> My mail relay is already configured to only allow some
            >> servers to relay but... All of them can relay to the main
            >> mail server and only some of them can relay to the outside
            >> (using the external mail relay).
            >>
            >
            > Ok... I'll try to be more explicit :)
            >
            >
            > Server1 _
            > Server2 _\ _______ Internal-Mail-server
            > Server3 __\______ Internal-relay _/
            > Server4 __/ \_______ External-Relay
            > Server5 _/
            >
            > All the servers MUST use Internal-relay
            > Let's say Server1 and Server4 are the only servers who are allowed to relay to Internal-Mail-server AND to Internet via External-Relay. The others can only send internal mail to @..., @..., @... via Internal-Mail-server
            >
            > Can this work?
            > In main.cf:
            > -----------
            >
            > smtpd_restriction_classes = insiders, outsiders
            > insiders = check_recipient_access hash:/etc/postfix/mail-domains, reject_unauth_destination
            >
            remove reject_unauth_destination from here.

            > outsiders = permit_mynetworks
            > smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/insiders-outsiders
            >

            add reject_unauth_destination here.

            Hint1: what would postfix do for clients that are not listed in your
            insiders-outsiders?
            Hint2: postfix doesn't accept (even if only apparently) open
            smtpd_recipient_restrictions

            > In /etc/postfix/insiders-outsiders:
            > -----------------------------------
            > Server1 outsiders
            > Server2 insiders
            > Server3 insiders
            > Server4 outsiders
            > Server5 insiders
            >
            > In /etc/postfix/mail-domains:
            > -----------------------------
            > @... ACCEPT
            > @... ACCEPT
            > @... ACCEPT
            >

            remove the '@'. reread the access man page for the format of entries.
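The restriction-class walk mouss is correcting, as an added example that is not code from the thread: Kennedy's two classes with reject_unauth_destination moved to the end of smtpd_recipient_restrictions and the leading "@" dropped from mail-domains, run against a few constructed client/recipient pairs. The host and domain names, the assumption that all five servers sit in mynetworks, and the simplified "open restriction list" check are mine, not Postfix's exact logic.

```python
# Constructed stand-ins for the two hash: tables in Kennedy's post.
CLIENT_ACCESS = {  # /etc/postfix/insiders-outsiders: client -> class name
    "server1": "outsiders", "server2": "insiders", "server3": "insiders",
    "server4": "outsiders", "server5": "insiders",
}
MAIL_DOMAINS = {"corp.example": "OK", "lab.example": "OK"}  # no leading "@"
RELAY_DOMAINS = set(MAIL_DOMAINS)   # internal domains must be in relay_domains
MYNETWORKS = {"server1", "server2", "server3", "server4", "server5"}  # assumed

RESTRICTION_CLASSES = {
    "insiders": ["check_recipient_access mail-domains"],  # no reject_unauth_destination here
    "outsiders": ["permit_mynetworks"],
}
RECIPIENT_RESTRICTIONS = [
    "check_client_access insiders-outsiders",
    "reject_unauth_destination",                           # moved to the end
]

def is_open(restrictions):
    """Simplified form of the check mouss hints at: a recipient restriction
    list without any *_unauth_destination entry is an open relay config."""
    return not any(r in ("reject_unauth_destination", "defer_unauth_destination")
                   for r in restrictions)

def walk(restrictions, client, recipient):
    """Evaluate one restriction list left to right; None means DUNNO."""
    domain = recipient.rsplit("@", 1)[1].lower()
    for r in restrictions:
        if r == "permit_mynetworks" and client in MYNETWORKS:
            return "OK"
        if r == "reject_unauth_destination" and domain not in RELAY_DOMAINS:
            return "REJECT"
        if r.startswith("check_client_access"):
            result = CLIENT_ACCESS.get(client)      # unlisted client -> DUNNO
            if result in RESTRICTION_CLASSES:       # result names a class
                verdict = walk(RESTRICTION_CLASSES[result], client, recipient)
                if verdict:
                    return verdict
        if r.startswith("check_recipient_access") and MAIL_DOMAINS.get(domain):
            return MAIL_DOMAINS[domain]
    return None

def relay_decision(client, recipient):
    """Final verdict; falling off the end of the list means permit."""
    if is_open(RECIPIENT_RESTRICTIONS):
        raise ValueError("open smtpd_recipient_restrictions")
    return walk(RECIPIENT_RESTRICTIONS, client, recipient) or "OK"
```

With this layout an unlisted client (mouss's first hint) falls through to reject_unauth_destination and can only reach the internal domains.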
          • KENNEDY VAN DAM Eric
            Message 5 of 11 , Mar 6, 2007
              > >
              > >
              > > Server1 _
              > > Server2 _\ _______ Internal-Mail-server
              > > Server3 __\______ Internal-relay _/
              > > Server4 __/ \_______ External-Relay
              > > Server5 _/
              >
              > Is "Internal-relay" a postfix system? Then you can still
              > achieve this with
              >
              > mynetworks = !Server2, !Server3, !Server5, server-subnet/24
              >
              > smtpd_recipient_restrictions = permit_mynetworks
              > reject_unauth_destination
              >
              > on that system. Your internal domain must be in relay_domains. Then
              > Servers 2, 3 and 5 will be able to mail internally, Server1
              > and 4 will be
              > able to send to the internet.
              >
              > I would not use sender addresses for that because these can
              > easily be forged.
              >
              > Regards, Jan
              >
              >

              Ok, I see. I need to modify my configuration as well. Still one
              question:

              Can I define 2 files in mynetworks like this:

              mynetworks = !hash:/etc/postfix/insiders, hash:/etc/postfix/outsiders

              With IP addresses in the files?

              Will this work or should I define
              mynetworks = hash:/etc/postfix/insiders , hash:/etc/postfix/outsiders
              With "!ip_addresses" in the insiders file and "ip_addresses" in the
              outsiders file?

              Thanks for your help.
              --
              Kennedy van Dam Eric
              Unix/Storage Team
              Phone: +32 (0)2 529 3375
              Mail: eric.kennedyvandam@...
            • Noel Jones
              Message 6 of 11 , Mar 6, 2007
                At 03:21 AM 3/6/2007, KENNEDY VAN DAM Eric wrote:
                > > >
                >Ok, I see. I need to modify my configuration as well. Still one
                >question:
                >
                >Can I define 2 files in mynetworks like this :
                >
                > mynetworks = !hash:/etc/postfix/insiders, hash:/etc/postfix/outsiders

                Yes, that will work with postfix 2.4 or later. (postfix 2.4 required
                for !/file/name)

                >Will this work or should I define
                > mynetworks = hash:/etc/postfix/insiders , hash:/etc/postfix/outsiders

                With a hash file, each IP is listed individually. Just leave out the
                IPs you don't want included.

                --
                Noel Jones
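An added illustration, not code from the thread, of the two points argued across these messages: mynetworks is matched left to right and the search stops on the first match, so "!" exclusions must come before the block they carve out, and a hash: table lists each client individually, so "!hash:/file" excludes exactly those hosts. The table contents and addresses are constructed; hostname patterns and Postfix's other table types are not emulated.

```python
import ipaddress

# Constructed stand-ins for hash:/etc/postfix/insiders and .../outsiders.
TABLES = {
    "/etc/postfix/insiders": "192.168.1.2 OK\n192.168.1.3 OK\n192.168.1.5 OK\n",
    "/etc/postfix/outsiders": "192.168.1.1 OK\n192.168.1.4 OK\n",
}

def expand(mynetworks):
    """Flatten a main.cf mynetworks value into (negated, network) pairs,
    keeping the left-to-right order that postconf(5) says is significant."""
    entries = []
    for item in mynetworks.replace(",", " ").split():
        negate = item.startswith("!")
        pattern = item.lstrip("!")
        if pattern.startswith("hash:"):      # one /32 per table key
            keys = [line.split()[0] for line in TABLES[pattern[5:]].splitlines()
                    if line.strip()]
        else:
            keys = [pattern]                 # bare address -> /32, or a CIDR block
        entries += [(negate, ipaddress.ip_network(k, strict=False)) for k in keys]
    return entries

def mynetworks_permits(mynetworks, client_ip):
    """Emulate permit_mynetworks: the first matching entry decides, and a
    matching "!" entry means the client is NOT in mynetworks."""
    client = ipaddress.ip_address(client_ip)
    for negate, net in expand(mynetworks):
        if client in net:
            return not negate
    return False

# Jan's first suggestion: the /24 matches first, so the "!" entries after
# it are never reached and .2 and .3 can still relay.
SUBNET_FIRST = "192.168.1.0/24, !192.168.1.2, !192.168.1.3"
# The corrected order from the thread: exclusions before the block.
EXCLUSIONS_FIRST = "!192.168.1.2/32, !192.168.1.3/32, 192.168.1.0/24"
# Kennedy's two-file variant (Postfix 2.4 or later for the !hash: form).
TWO_FILES = "!hash:/etc/postfix/insiders, hash:/etc/postfix/outsiders"

if __name__ == "__main__":
    for cfg in (SUBNET_FIRST, EXCLUSIONS_FIRST, TWO_FILES):
        for ip in ("192.168.1.2", "192.168.1.4", "192.168.1.9"):
            print(f"{cfg!r:62} {ip:12} -> {mynetworks_permits(cfg, ip)}")
```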