RE: smtpd_restriction_classes Question

  • KENNEDY VAN DAM Eric
    Message 1 of 11 , Mar 1, 2007
      > -----Original Message-----
      > From: KENNEDY VAN DAM Eric
      > Sent: Thursday, March 1, 2007 11:34
      > To: postfix
      > Subject: RE: smtpd_restriction_classes Question
      >
      >
      > > -----Original Message-----
      > > From: Jan P. Kessler [mailto:postfix@...]
      > > Sent: Thursday, March 1, 2007 10:01
      > > To: KENNEDY VAN DAM Eric
      > > Cc: postfix
      > > Subject: Re: smtpd_restriction_classes Question
      > >
      > > > I've bought the O'Reilly book about Postfix and I see that
      > > I can create
      > > > my own restriction classes.
      > > > My question is the following: can I use this to choose
      > > which computer
      > > > are allowed to use my relay server to send mail to Internet
      > > and which
      > > > are not ?
      > >
      > > You can BUT you don't need that nuclear rocket to kill some
      > > sparrows ;)
      > > Just set your mynetworks correctly:
      > >
      > > mynetworks = 192.168.1.0/24, !192.168.1.2, !192.168.1.3
      > > smtpd_recipient_restrictions = permit_mynetworks
      > > reject_unauth_destination
      > >
      > > This allows relaying to 192.168.1/24 but not for .2 and .3.
      > > If the list grows you can put that information into files (I'd
      > > suggest "cidr" type dbs).
      > >
      > > note: you might want to add some other fancy restrictions.
      >
      > Sure but it is not so simple.
      > My mail relay is already configured to only allow some
      > servers to relay but... All of them can relay to the main
      > mail server and only some of them can relay to the outside
      > (using the external mail relay).

      Ok... I'll try to be more explicit :)


      Server1 _
      Server2 _\ _______ Internal-Mail-server
      Server3 __\______ Internal-relay _/
      Server4 __/ \_______ External-Relay
      Server5 _/

      All the servers MUST use Internal-relay
      Let's say Server1 and Server4 are the only servers that are allowed to relay to Internal-Mail-server AND to Internet via External-Relay. The others can only send internal mail to @..., @..., @... via Internal-Mail-server

      Can this work?
      In main.cf:
      -----------

      smtpd_restriction_classes = insiders, outsiders
      insiders = check_recipient_access hash:/etc/postfix/mail-domains, reject_unauth_destination
      outsiders = permit_mynetworks
      smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/insiders-outsiders

      In /etc/postfix/insiders-outsiders:
      -----------------------------------
      Server1 outsiders
      Server2 insiders
      Server3 insiders
      Server4 outsiders
      Server5 insiders

      In /etc/postfix/mail-domains:
      -----------------------------
      @... ACCEPT
      @... ACCEPT
      @... ACCEPT

      If it won't work, what can you suggest ? Maybe something easier ?
      Thanks anyway

      --
      Kennedy van Dam Eric
      Unix/Storage Team
      Phone: +32 (0)2 529 3375
      Mail: eric.kennedyvandam@...
    • mouss
      Message 2 of 11 , Mar 1, 2007
        KENNEDY VAN DAM Eric wrote:
        > Ok... I'll try to be more explicit :)
        >
        >
        > Server1 _
        > Server2 _\ _______ Internal-Mail-server
        > Server3 __\______ Internal-relay _/
        > Server4 __/ \_______ External-Relay
        > Server5 _/
        >
        > All the servers MUST use Internal-relay
        > Let's say Server1 and Server4 are the only servers that are allowed to relay to Internal-Mail-server AND to Internet via External-Relay. The others can only send internal mail to @..., @..., @... via Internal-Mail-server
        >
        > Can this work?
        > In main.cf:
        > -----------
        >
        > smtpd_restriction_classes = insiders, outsiders
        > insiders = check_recipient_access hash:/etc/postfix/mail-domains, reject_unauth_destination
        >
        remove reject_unauth_destination from here.

        > outsiders = permit_mynetworks
        > smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/insiders-outsiders
        >

        add reject_unauth_destination here.

        Hint1: what would postfix do for clients that are not listed in your
        insiders-outsiders?
        Hint2: postfix doesn't accept (even if only apparently) open
        smtpd_recipient_restrictions

        > In /etc/postfix/insiders-outsiders:
        > -----------------------------------
        > Server1 outsiders
        > Server2 insiders
        > Server3 insiders
        > Server4 outsiders
        > Server5 insiders
        >
        > In /etc/postfix/mail-domains:
        > -----------------------------
        > @... ACCEPT
        > @... ACCEPT
        > @... ACCEPT
        >

        Remove the '@'. Reread the access man page for the format of entries.
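Added example, not part of the thread and not Postfix code: a small Python model of the evaluation this reply is describing, covering the main.cf posted in message 1 and the two hints above. It walks smtpd_recipient_restrictions the way Postfix does (in order, expanding a restriction class when an access map returns its name, permitting when the end of the list is reached) and mimics the startup check that refuses a recipient restriction list with no reject_unauth_destination in it. The addresses 192.168.1.11 to .15 for Server1 to Server5, the domains corp.example and sales.corp.example, the hash: paths and the table contents are assumptions; lookups are simplified (no hostname or parent-network lookups).

```python
# Added example, not Postfix source and not the posters' code: a model of how
# Postfix smtpd walks smtpd_recipient_restrictions with restriction classes and
# access maps.  Addresses, domains and table contents are constructed; lookups
# are simplified (no hostname or parent-network lookups).

# The startup check behind Hint2, simplified: the top-level list must contain
# one of these, directly or via a class that is itself named directly in the
# list (a class that only appears as an access-map result does not count).
REQUIRED = {"reject_unauth_destination", "check_relay_domains",
            "reject", "defer", "defer_if_permit"}

def startup_error(config):
    """Return the error Postfix would refuse to start with, or None if it is fine."""
    classes = config["smtpd_restriction_classes"]

    def has_required(restrictions):
        return any(item in REQUIRED or
                   (item in classes and has_required(classes[item]))
                   for item in restrictions)

    if has_required(config["smtpd_recipient_restrictions"]):
        return None
    return ("smtpd_recipient_restrictions: specify at least one working "
            "instance of: " + ", ".join(sorted(REQUIRED)))

def lookup_recipient(table, recipient):
    """access(5) recipient lookup, simplified: full address, then domain, then parents."""
    labels = recipient.rpartition("@")[2].split(".")
    keys = [recipient] + [".".join(labels[i:]) for i in range(len(labels))]
    return next((table[k] for k in keys if k in table), "DUNNO")

def walk(config, restrictions, client_ip, recipient):
    """Evaluate one list: 'permit', 'reject', or None when the end is reached."""
    classes = config["smtpd_restriction_classes"]
    items, i = list(restrictions), 0
    while i < len(items):
        item, verdict = items[i], None
        if item in ("check_client_access", "check_recipient_access"):
            i += 1                                   # next token is the table
            table = config["maps"][items[i]]
            result = (table.get(client_ip, "DUNNO") if item == "check_client_access"
                      else lookup_recipient(table, recipient))
            # access(5) results: OK, REJECT, DUNNO or a restriction-class name.
            # Anything else ("ACCEPT", a key with a leading '@') is a table error.
            if result in classes:
                verdict = walk(config, classes[result], client_ip, recipient)
            elif result in ("OK", "REJECT"):
                verdict = "permit" if result == "OK" else "reject"
            elif result != "DUNNO":
                raise ValueError(f"unknown access(5) result {result!r}")
        elif item == "permit_mynetworks":
            verdict = "permit" if client_ip in config["mynetworks"] else None
        elif item == "reject_unauth_destination":
            # mydestination would count as well; it is empty on a pure relay.
            if recipient.rpartition("@")[2] not in config["relay_domains"]:
                verdict = "reject"
        elif item in classes:
            verdict = walk(config, classes[item], client_ip, recipient)
        else:
            raise ValueError(f"restriction not modelled here: {item}")
        if verdict:
            return verdict
        i += 1
    return None

def decide(config, client_ip, recipient):
    """Top-level verdict; running off the end of the list means permit (Hint1)."""
    return walk(config, config["smtpd_recipient_restrictions"],
                client_ip, recipient) or "permit"

# Constructed addresses for the thread's Server1..Server5 (assumptions).
SERVER = {f"Server{n}": f"192.168.1.1{n}" for n in range(1, 6)}
INSIDERS_OUTSIDERS = {SERVER[s]: "outsiders" if s in ("Server1", "Server4")
                      else "insiders" for s in SERVER}
MAIL_DOMAINS = {"corp.example": "OK", "sales.corp.example": "OK"}  # no '@'; OK, not ACCEPT
BASE = {"mynetworks": {SERVER["Server1"], SERVER["Server4"]},  # may send to the outside
        "relay_domains": set(MAIL_DOMAINS),  # internal domains, handed to Internal-Mail-server
        "maps": {"hash:/etc/postfix/insiders-outsiders": INSIDERS_OUTSIDERS,
                 "hash:/etc/postfix/mail-domains": MAIL_DOMAINS}}
# As posted: reject_unauth_destination only inside the insiders class.
POSTED = dict(BASE, smtpd_restriction_classes={
    "insiders": ["check_recipient_access", "hash:/etc/postfix/mail-domains",
                 "reject_unauth_destination"], "outsiders": ["permit_mynetworks"]},
    smtpd_recipient_restrictions=["check_client_access",
                                  "hash:/etc/postfix/insiders-outsiders"])
# As corrected in the reply: reject_unauth_destination closes the top-level list.
CORRECTED = dict(BASE, smtpd_restriction_classes={
    "insiders": ["check_recipient_access", "hash:/etc/postfix/mail-domains"],
    "outsiders": ["permit_mynetworks"]},
    smtpd_recipient_restrictions=["check_client_access",
                                  "hash:/etc/postfix/insiders-outsiders",
                                  "reject_unauth_destination"])

if __name__ == "__main__":
    print("posted config:", startup_error(POSTED))   # Postfix would not start
    for client in [*SERVER.values(), "192.168.1.99"]:  # .99 is in no table
        print(client, decide(CORRECTED, client, "a@corp.example"),
              decide(CORRECTED, client, "x@outside.example"))
```

Running it shows why both hints matter. The posted list is refused at startup because no reject_unauth_destination is reachable from the top-level list; had it run, a client in neither table would get DUNNO from the access map, fall off the end and be allowed to relay anywhere. With reject_unauth_destination moved to the end, an unlisted client and the insiders can only reach the domains in relay_domains, and only Server1 and Server4 get permit_mynetworks. The model also rejects ACCEPT as a table result, which is the access(5) point in the last line of the reply: the action is OK, and the keys are written without the leading '@'.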
      • KENNEDY VAN DAM Eric
        Message 3 of 11 , Mar 6, 2007
          > >
          > >
          > > Server1 _
          > > Server2 _\ _______ Internal-Mail-server
          > > Server3 __\______ Internal-relay _/
          > > Server4 __/ \_______ External-Relay
          > > Server5 _/
          >
          > Is "Internal-relay" a postfix system? Then you can still
          > achieve this with
          >
          > mynetworks = !Server2, !Server3, !Server5, server-subnet/24
          >
          > smtpd_recipient_restrictions = permit_mynetworks
          > reject_unauth_destination
          >
          > on that system. Your internal domain must be in relay_domains. Then
          > Servers 2, 3 and 5 will be able to mail internally, Server1
          > and 4 will be
          > able to send to the internet.
          >
          > I would not use sender addresses for that because these can
          > easily be forged.
          >
          > Regards, Jan
          >
          >

          Ok, I see. I need to modify my configuration as well. Still one
          question:

          Can I define 2 files in mynetworks like this :

          mynetworks = !hash:/etc/postfix/insiders, hash:/etc/postfix/outsiders

          With IP addresses in the files?

          Will this work or should I define
          mynetworks = hash:/etc/postfix/insiders, hash:/etc/postfix/outsiders
          with "!ip_addresses" in the insiders file and "ip_addresses" in the
          outsiders file?

          Thanks for your help.
          --
          Kennedy van Dam Eric
          Unix/Storage Team
          Phone: +32 (0)2 529 3375
          Mail: eric.kennedyvandam@...
        • Noel Jones
          Message 4 of 11 , Mar 6, 2007
            At 03:21 AM 3/6/2007, KENNEDY VAN DAM Eric wrote:
            > > >
            >Ok, I see. I need to modify my configuration as well. Still one
            >question:
            >
            >Can I define 2 files in mynetworks like this :
            >
            > mynetworks = !hash:/etc/postfix/insiders, hash:/etc/postfix/outsiders

            Yes, that will work with postfix 2.4 or later. (postfix 2.4 required
            for !/file/name)

            >Will this work or should I define
            > mynetworks = hash:/etc/postfix/insiders , hash:/etc/postfix/outsiders

            With a hash file, each IP is listed individually. Just leave out the
            IPs you don't want included.

            --
            Noel Jones
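Added example, not part of the thread and not Postfix code: a Python model of mynetworks matching that checks Jan's ordering, the two-file layout asked about, and Noel's single-file suggestion side by side. Postfix walks the mynetworks patterns in order and stops at the first match, with a leading '!' turning that match into an exclusion, so an exclusion only works if it comes before the block it is carved out of (postconf(5) gives the example "!192.168.0.1, 192.168.0.0/28"). The addresses 192.168.1.11 to .15 for Server1 to Server5, the /24, and the hash: file paths are assumptions, with the files inlined as Python sets.

```python
# Added example, not Postfix source and not the posters' code: a model of
# Postfix's mynetworks matching with "!" exclusions and table-backed entries,
# used to compare the orderings and the two-file layout discussed above.
# Addresses are constructed, and the hash: files are inlined as sets.
# Postfix walks the patterns in order and the first match decides, so an
# exclusion only works when it precedes the network it carves out.
from ipaddress import ip_address, ip_network


def matches(pattern, addr, tables):
    """One pattern: a type:name table (exact-address key), a CIDR block, or an address."""
    if pattern in tables:
        return str(addr) in tables[pattern]
    if "/" in pattern:
        return addr in ip_network(pattern, strict=False)
    return addr == ip_address(pattern)


def in_mynetworks(mynetworks, client_ip, tables=None):
    """First matching pattern wins; a leading '!' turns that match into an exclusion."""
    addr = ip_address(client_ip)
    for entry in mynetworks:
        negate = entry.startswith("!")
        if matches(entry.lstrip("!"), addr, tables or {}):
            return not negate
    return False


# Constructed addresses for Server1..Server5 (assumptions): 2, 3 and 5 are
# internal-only, 1 and 4 may relay to the outside.
SERVER = {f"Server{n}": f"192.168.1.1{n}" for n in range(1, 6)}
SUBNET = "192.168.1.0/24"
INTERNAL_ONLY = ("Server2", "Server3", "Server5")
TABLES = {
    "hash:/etc/postfix/insiders": {SERVER[s] for s in INTERNAL_ONLY},
    "hash:/etc/postfix/outsiders": {SERVER[s] for s in ("Server1", "Server4")},
}

# Exclusions first, as in the reply: "!Server2, !Server3, !Server5, server-subnet/24".
EXCLUDE_FIRST = ["!" + SERVER[s] for s in INTERNAL_ONLY] + [SUBNET]
# Same entries with the subnet first: the /24 matches before any "!" is reached.
SUBNET_FIRST = [SUBNET] + ["!" + SERVER[s] for s in INTERNAL_ONLY]
# The two-file layout asked about (the reply notes this needs Postfix 2.4+).
TWO_FILES = ["!hash:/etc/postfix/insiders", "hash:/etc/postfix/outsiders"]
# The simpler alternative from the reply: list only the hosts that may relay.
ONE_FILE = ["hash:/etc/postfix/outsiders"]


def relay_clients(mynetworks):
    """Names of the servers (plus an unlisted host) that permit_mynetworks would accept."""
    clients = dict(SERVER, unlisted="192.168.1.99")
    return sorted(n for n, ip in clients.items() if in_mynetworks(mynetworks, ip, TABLES))


if __name__ == "__main__":
    for name, nets in (("exclude first", EXCLUDE_FIRST), ("subnet first", SUBNET_FIRST),
                       ("two files", TWO_FILES), ("one file", ONE_FILE)):
        print(f"{name:13s}", ", ".join(nets), "->", relay_clients(nets))
```

The subnet-plus-exclusions form lets any new host on the /24 relay until someone remembers to add it to the exclusion list (the unlisted .99 host is accepted), and putting the /24 first silently disables every exclusion. The positive lists (two files, or just the outsiders file as the reply suggests) default to deny, which is the least-privilege choice for a relay.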