Re: smtpd_restriction_classes Question

  • Eray Aslan
    Message 1 of 11, Mar 1, 2007
      Chuck Amadi wrote:
      > Just adding my 50 cents: that is what we had implemented to aid domains
      > that you don't want to relay mail for: add a "!" mark before the ip address
      > using the mynetworks directive as below.
      >
      > # Contains "!" entries for clients we do not want to relay through here
      > even though they are our clients.
      > # So add "!" before the ip address of your server in question.
      > mynetowroks = www.xxx.www.zzz, !aaa.bbb.ccc.ddd

      That is fine as long as aaa.bbb.ccc.ddd is not in the IP range covered
      by www.xxx.www.zzz

      mynetowroks? Check your main.cf if you did a copy and paste.

      --
      Eray
    • KENNEDY VAN DAM Eric
    Message 2 of 11, Mar 1, 2007
        > -----Original Message-----
        > From: KENNEDY VAN DAM Eric
        > Sent: Thursday, 1 March 2007 11:34
        > To: postfix
        > Subject: RE: smtpd_restriction_classes Question
        >
        >
        > > -----Original Message-----
        > > From: Jan P. Kessler [mailto:postfix@...]
        > > Sent: Thursday, 1 March 2007 10:01
        > > To: KENNEDY VAN DAM Eric
        > > Cc: postfix
        > > Subject: Re: smtpd_restriction_classes Question
        > >
        > > > I've bought the O'Reilly book about Postfix and I see that I can
        > > > create my own restriction classes.
        > > > My question is the following: can I use this to choose which
        > > > computers are allowed to use my relay server to send mail to the
        > > > Internet and which are not?
        > >
        > > You can BUT you don't need that nuclear rocket to kill some
        > > sparrows ;)
        > > Just set your mynetworks correctly:
        > >
        > > mynetworks = 192.168.1.0/24, !192.168.1.2, !192.168.1.3
        > > smtpd_recipient_restrictions = permit_mynetworks
        > > reject_unauth_destination
        > >
        > > This allows relaying to 192.168.1/24 but not for .2 and .3.
        > > If the list grows you can put that information into files (I'd
        > > suggest "cidr" type dbs).
        > >
        > > note: you might want to add some other fancy restrictions.
        >
        > Sure but it is not so simple.
        > My mail relay is already configured to only allow some
        > servers to relay but... All of them can relay to the main
        > mail server and only some of them can relay to the outside
        > (using the external mail relay).

        Ok... I'll try to be more explicit :)


        Server1 _
        Server2 _\ _______ Internal-Mail-server
        Server3 __\______ Internal-relay _/
        Server4 __/ \_______ External-Relay
        Server5 _/

        All the servers MUST use Internal-relay.
        Let's say Server1 and Server4 are the only servers that are allowed to relay to Internal-Mail-server AND to the Internet via External-Relay. The others can only send internal mail to @..., @..., @... via Internal-Mail-server.

        Can this work?
        In main.cf:
        -----------

        smtpd_restriction_classes = insiders, outsiders
        insiders = check_recipient_access hash:/etc/postfix/mail-domains, reject_unauth_destination
        outsiders = permit_mynetworks
        smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/insiders-outsiders

        In /etc/postfix/insiders-outsiders:
        -----------------------------------
        Server1 outsiders
        Server2 insiders
        Server3 insiders
        Server4 outsiders
        Server5 insiders

        In /etc/postfix/mail-domains:
        -----------------------------
        @... ACCEPT
        @... ACCEPT
        @... ACCEPT

        If it won't work, what can you suggest ? Maybe something easier ?
        Thanks anyway

        --
        Kennedy van Dam Eric
        Unix/Storage Team
        Phone: +32 (0)2 529 3375
        Mail: eric.kennedyvandam@...
      • mouss
        Message 3 of 11, Mar 1, 2007
          KENNEDY VAN DAM Eric wrote:
          >
          >
          >> -----Original Message-----
          >> From: KENNEDY VAN DAM Eric
          >> Sent: Thursday, 1 March 2007 11:34
          >> To: postfix
          >> Subject: RE: smtpd_restriction_classes Question
          >>
          >>
          >>
          >>> -----Original Message-----
          >>> From: Jan P. Kessler [mailto:postfix@...]
          >>> Sent: Thursday, 1 March 2007 10:01
          >>> To: KENNEDY VAN DAM Eric
          >>> Cc: postfix
          >>> Subject: Re: smtpd_restriction_classes Question
          >>>
          >>>
          >>>> I've bought the O'Reilly book about Postfix and I see that I can
          >>>> create my own restriction classes.
          >>>> My question is the following: can I use this to choose which
          >>>> computers are allowed to use my relay server to send mail to the
          >>>> Internet and which are not?
          >>>>
          >>> You can BUT you don't need that nuclear rocket to kill some
          >>> sparrows ;)
          >>> Just set your mynetworks correctly:
          >>>
          >>> mynetworks = 192.168.1.0/24, !192.168.1.2, !192.168.1.3
          >>> smtpd_recipient_restrictions = permit_mynetworks
          >>> reject_unauth_destination
          >>>
          >>> This allows relaying to 192.168.1/24 but not for .2 and .3.
          >>> If the list grows you can put that information into files (I'd
          >>> suggest "cidr" type dbs).
          >>>
          >>> note: you might want to add some other fancy restrictions.
          >>>
          >> Sure but it is not so simple.
          >> My mail relay is already configured to only allow some
          >> servers to relay but... All of them can relay to the main
          >> mail server and only some of them can relay to the outside
          >> (using the external mail relay).
          >>
          >
          > Ok... I'll try to be more explicit :)
          >
          >
          > Server1 _
          > Server2 _\ _______ Internal-Mail-server
          > Server3 __\______ Internal-relay _/
          > Server4 __/ \_______ External-Relay
          > Server5 _/
          >
          > All the servers MUST use Internal-relay.
          > Let's say Server1 and Server4 are the only servers that are allowed to relay to Internal-Mail-server AND to the Internet via External-Relay. The others can only send internal mail to @..., @..., @... via Internal-Mail-server.
          >
          > Can this work?
          > In main.cf:
          > -----------
          >
          > smtpd_restriction_classes = insiders, outsiders
          > insiders = check_recipient_access hash:/etc/postfix/mail-domains, reject_unauth_destination
          >
          remove reject_unauth_destination from here.

          > outsiders = permit_mynetworks
          > smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/insiders-outsiders
          >

          add reject_unauth_destination here.

          Hint1: what would postfix do for clients that are not listed in your
          insiders-outsiders?
          Hint2: postfix doesn't accept (even if only apparently) open
          smtpd_recipient_restrictions

          > In /etc/postfix/insiders-outsiders:
          > -----------------------------------
          > Server1 outsiders
          > Server2 insiders
          > Server3 insiders
          > Server4 outsiders
          > Server5 insiders
          >
          > In /etc/postfix/mail-domains:
          > -----------------------------
          > @... ACCEPT
          > @... ACCEPT
          > @... ACCEPT
          >

          Remove the '@'; reread the access man page for the format of entries.
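Editor's note, not part of the thread: the replies above turn on two Postfix evaluation rules that are easy to get backwards. First, the patterns in mynetworks are tried in order and the first one that matches decides, whether it is a plain network or a "!" exclusion, which is the point behind Eray's caveat in the first message. Second, within smtpd_recipient_restrictions a restriction class that reaches the end of its own list returns no decision, so a client that is missing from the insiders-outsiders map is governed only by whatever follows the check_client_access entry (mouss's Hint1), and a list with nothing after it is an implicit permit. The Python simulator below was written for this page, is not Postfix code and not any poster's configuration, and models those rules on constructed data: 192.168.1.1 to .5 stand in for Server1 to Server5, corp.example for the internal domain, and in-memory dicts for the hash: files that postmap would build, including the one-IP-per-line files for the `!hash:/file` form discussed further down the thread. It does not reproduce smtpd's startup sanity check of the restriction list.

```python
# Added example, not code from the thread: a small simulator of the Postfix
# mechanisms the replies rely on (mynetworks with "!" exclusions and hash: tables,
# restriction classes dispatched from check_client_access).  All IPs, domains and
# table contents are constructed for the example.
import ipaddress

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"


def mynetworks_match(client_ip, patterns, tables=None):
    """match_list semantics: the first matching pattern decides; "!" means "not
    trusted", so an exclusion listed after a broader matching network never fires."""
    ip = ipaddress.ip_address(client_ip)
    for pat in patterns:
        trusted = True
        while pat.startswith("!"):          # "!hash:/file" needs Postfix 2.4+
            trusted, pat = not trusted, pat[1:]
        if pat.startswith("hash:"):         # hash table: exact lookup of the IP
            hit = str(ip) in (tables or {})[pat[len("hash:"):]]
        else:
            hit = ip in ipaddress.ip_network(pat, strict=False)
        if hit:
            return trusted
    return False


def recipient_lookup(table, address):
    """Simplified access(5) lookup: full address, then domain and parent domains."""
    if address in table:
        return table[address]
    labels = address.rsplit("@", 1)[-1].split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in table:
            return table[".".join(labels[i:])]
    return None


def access_result(value, client_ip, recipient, cfg, depth):
    """Map value is OK/REJECT/DUNNO or a restriction class evaluated in place."""
    if value is None or value == DUNNO:
        return DUNNO
    if value in (OK, REJECT):
        return value
    if value in cfg["smtpd_restriction_classes"]:
        return evaluate(cfg["smtpd_restriction_classes"][value], client_ip, recipient, cfg, depth + 1)
    raise ValueError("unknown access map value: " + value)


def evaluate(restrictions, client_ip, recipient, cfg, depth=0):
    """Walk a restriction list as smtpd does: the first OK or REJECT ends the
    walk, DUNNO means "no opinion" and the next restriction is tried."""
    tables = cfg["tables"]
    for name in restrictions:
        if name == "permit_mynetworks":
            result = OK if mynetworks_match(client_ip, cfg["mynetworks"], tables) else DUNNO
        elif name == "reject_unauth_destination":
            domain = recipient.rsplit("@", 1)[-1]
            result = DUNNO if domain in cfg["relay_domains"] else REJECT
        elif name.startswith("check_client_access:"):
            value = tables[name.split(":", 1)[1]].get(client_ip)
            result = access_result(value, client_ip, recipient, cfg, depth)
        elif name.startswith("check_recipient_access:"):
            value = recipient_lookup(tables[name.split(":", 1)[1]], recipient)
            result = access_result(value, client_ip, recipient, cfg, depth)
        else:
            raise ValueError("unsupported restriction: " + name)
        if result != DUNNO:
            return result
    # Off the end: implicit permit at the top level, otherwise back to the enclosing list.
    return OK if depth == 0 else DUNNO


# Constructed setup for the thread's diagram (Server1..5 = 192.168.1.1..5) with
# the replies' corrections applied; main.cf equivalents are in the comments and
# the dicts stand in for the hash: files that postmap would build.
CFG = {
    # mynetworks = !192.168.1.2, !192.168.1.3, !192.168.1.5, 192.168.1.0/24
    "mynetworks": ["!192.168.1.2", "!192.168.1.3", "!192.168.1.5", "192.168.1.0/24"],
    "relay_domains": {"corp.example"},            # relay_domains = corp.example
    # smtpd_restriction_classes = insiders, outsiders
    # insiders = check_recipient_access hash:/etc/postfix/mail-domains
    # outsiders = permit_mynetworks
    "smtpd_restriction_classes": {"insiders": ["check_recipient_access:mail-domains"],
                                  "outsiders": ["permit_mynetworks"]},
    "tables": {
        # /etc/postfix/insiders-outsiders: client IP -> restriction class
        "insiders-outsiders": {"192.168.1.1": "outsiders", "192.168.1.2": "insiders",
                               "192.168.1.3": "insiders", "192.168.1.4": "outsiders",
                               "192.168.1.5": "insiders"},
        "mail-domains": {"corp.example": OK},     # /etc/postfix/mail-domains: bare domain, no "@"
        # one IP per line for mynetworks = !hash:/etc/postfix/insiders, hash:/etc/postfix/outsiders
        "insiders": {"192.168.1.2": OK, "192.168.1.3": OK, "192.168.1.5": OK},
        "outsiders": {"192.168.1.1": OK, "192.168.1.4": OK},
    },
}
# smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/insiders-outsiders,
#                                reject_unauth_destination
RECIPIENT_RESTRICTIONS = ["check_client_access:insiders-outsiders", "reject_unauth_destination"]
OPEN_RESTRICTIONS = RECIPIENT_RESTRICTIONS[:1]   # as posted: no top-level safety net


def decide(client_ip, recipient, restrictions=RECIPIENT_RESTRICTIONS, cfg=CFG):
    return evaluate(restrictions, client_ip, recipient, cfg)


if __name__ == "__main__":
    print([(ip, decide(ip, "x@remote.example")) for ip in ("192.168.1.1", "192.168.1.2", "192.168.1.99")])
```

With the corrected list, 192.168.1.1 and .4 may relay anywhere, .2/.3/.5 only to corp.example, and the unlisted 192.168.1.99 falls through to reject_unauth_destination; with OPEN_RESTRICTIONS the same unlisted client runs off the end of the list and is permitted to relay to any destination, which is what Hint1 is warning about. Likewise mynetworks_match("192.168.1.2", ["192.168.1.0/24", "!192.168.1.2"]) returns True because the /24 is tried first, while putting the exclusions before the network, as in the CFG above, returns False.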
        • KENNEDY VAN DAM Eric
          Message 4 of 11, Mar 6, 2007
            > >
            > >
            > > Server1 _
            > > Server2 _\ _______ Internal-Mail-server
            > > Server3 __\______ Internal-relay _/
            > > Server4 __/ \_______ External-Relay
            > > Server5 _/
            >
            > Is "Internal-relay" a postfix system? Then you can still
            > achieve this with
            >
            > mynetworks = !Server2, !Server3, !Server5, server-subnet/24
            >
            > smtpd_recipient_restrictions = permit_mynetworks
            > reject_unauth_destination
            >
            > on that system. Your internal domain must be in relay_domains. Then
            > Servers 2, 3 and 5 will be able to mail internally, Server1
            > and 4 will be
            > able to send to the internet.
            >
            > I would not use sender addresses for that because these can
            > easily be forged.
            >
            > Regards, Jan
            >
            >

            Ok, I see. I need to modify my configuration as well. Still one
            question:

            Can I define 2 files in mynetworks like this:

            mynetworks = !hash:/etc/postfix/insiders, hash:/etc/postfix/outsiders

            with IP addresses in the files?

            Will this work, or should I define
            mynetworks = hash:/etc/postfix/insiders, hash:/etc/postfix/outsiders
            with "!ip_addresses" in the insiders file and "ip_addresses" in the
            outsiders file?

            Thanks for your help.
            --
            Kennedy van Dam Eric
            Unix/Storage Team
            Phone: +32 (0)2 529 3375
            Mail: eric.kennedyvandam@...
          • Noel Jones
            Message 5 of 11, Mar 6, 2007
              At 03:21 AM 3/6/2007, KENNEDY VAN DAM Eric wrote:
              > > >
              >Ok, I see. I need to modify my configuration as well. Still one
              >question:
              >
              >Can I define 2 files in mynetworks like this :
              >
              > mynetworks = !hash:/etc/postfix/insiders, hash:/etc/postfix/outsiders

              Yes, that will work with postfix 2.4 or later. (postfix 2.4 required
              for !/file/name)

              >Will this work or should I define
              > mynetworks = hash:/etc/postfix/insiders , hash:/etc/postfix/outsiders

              With a hash file, each IP is listed individually. Just leave out the
              IPs you don't want included.

              --
              Noel Jones