LDAP smtpd_recipient_restrictions

  • James Wilson
    Message 1 of 7 , Sep 23, 2007
      Hi All,

      I have basic mailing lists configured via postfix and LDAP. I have
      restrictions in place for some lists to allow / disallow external
      users from mailing the list, which works fine. Recently a request
      from the powers that be require this to be locked down further.
      Essentially, they want to stop members of a different domain from
      emailing a list; I know this is easily spoofed, but hey. For
      example, year1@... can email year2@..., but
      year1@... cannot. I've followed:

      http://www.postfix.org/RESTRICTION_CLASS_README.html

      And have successfully implemented with flat files for a single list.
      When transferring this to LDAP lookups, I consistently get "554 5.7.1
      <year1@...>: Recipient address rejected: Access denied;"
      from any domain, including the domain to which the list belongs.

      The following are the smtpd_recipient_restrictions and
      smtpd_restriction_classes along with the LDAP lookups.

      main.cf:

      smtpd_recipient_restrictions =
          check_recipient_access proxy:ldap:ldapprotected_destinations,
          permit_mynetworks,
          reject_unauth_destination
      smtpd_restriction_classes = insiders_only
      insiders_only = check_sender_access proxy:ldap:ldaplist_domain, reject

      ldapprotected_destinations_query_filter = (&(listOwner=%s)(accessibility=school)(accountStatus=active))
      ldapprotected_destinations_result_attribute = listOwner
      ldapprotected_destinations_result_filter = insiders_only
      ldapprotected_destinations_bind = yes
      ldapprotected_destinations_timeout = 50

      ldaplist_domain_query_filter = (&(listOwner=%s)(accessibility=school)(accountStatus=active))
      ldaplist_domain_result_attribute = relayDomain
      ldaplist_domain_result_filter = OK
      ldaplist_domain_bind = yes
      ldaplist_domain_timeout = 50

      The LDAP entry is as follows:

      dn: cn=Year 1,ou=example,o=list,dc=sch,dc=uk
      cn: Year 1
      fqGroupName: Year 1
      leaverGroup: no
      edportDisplay: no
      objectClass: groupOfNames
      objectClass: top
      listOwner: year1@...
      type: Reserved Group
      description: Year 1
      accountStatus: active
      member: cn=james wilson.test,ou=example,o=schools,dc=sch,dc=uk
      accessibility: school
      relayDomain: example.sch.uk

      Can anyone assist?

      I have no control over why this isn't done via a purpose built
      mailing lists manager, so please don't berate me.

      Thanks,

      James



      ---
      http://www.silent-system.net/gallery
    • Wietse Venema
      Message 2 of 7 , Sep 23, 2007
        James Wilson:
        > And have successfully implemented with flat files for a single list.
        > When transferring this to LDAP lookups, I consistently get "554 5.7.1
        > <year1@...>: Recipient address rejected: Access denied;"
        > from any domain, including the domain to which the list belongs.

        I suggest following the suggestions in

        http://www.postfix.org/DATABASE_README.html#preparing

        for testing tables with the "postmap -q" command.

        Simulate by hand all the lookups that Postfix makes, as described
        in access(5):

        user@...
        example.com
        com
        user@

        The "postmap -q" command exits with non-zero status when it did not
        find the lookup key.

        Wietse
      • James Wilson
        Message 3 of 7 , Sep 27, 2007
          On 24 Sep 2007, at 00:58, Wietse Venema wrote:

          > James Wilson:
          >> And have successfully implemented with flat files for a single list.
          >> When transferring this to LDAP lookups, I consistently get "554 5.7.1
          >> <year1@...>: Recipient address rejected: Access denied;"
          >> from any domain, including the domain to which the list belongs.
          >
          > I suggest following the suggestions in
          >
          > http://www.postfix.org/DATABASE_README.html#preparing
          >
          > for testing tables with the "postmap -q" command.
          >
          > Simulate by hand all the lookups that Postfix makes, as described
          > in access(5):
          >
          > user@...
          > example.com
          > com
          > user@
          >
          > The "postmap -q" command exits with non-zero status when it did not
          > find the lookup key.

          Thanks - I now have this working. Turning on +v to smtpd in
          master.cf helped no end! As suspected, my query was not correctly
          matching the input key.

          I'm now faced with one last issue... Say I have two domains for
          which Postfix is authoritative and accepts mail; both of which do not
          accept mail from the internet and are on internal relays.

          domain1.sch.uk
          domain2.sch.uk

          Is it possible using built in policy restrictions to only allow
          senders from domain1.sch.uk to email users from domain1.sch.uk, but
          deny from domain2.sch.uk

          Using the smtpd_recipient_restrictions and smtpd_restriction_classes
          to check the sender address or recipient address doesn't give the
          granularity I require.

          As both domains exist in the access map, check_sender_access and
          check_recipient_access will always match.

          /etc/postfix/access:

          domain1.sch.uk OK
          domain2.sch.uk OK

          etc


          Cheers,

          James
        • James Wilson
          Message 4 of 7 , Sep 28, 2007
            On 27 Sep 2007, at 11:46, James Wilson wrote:
            >
            > Thanks - I now have this working. Turning on +v to smtpd in
            > master.cf helped no end! As suspected, my query was not correctly
            > matching the input key.
            >
            > I'm now faced with one last issue... Say I have two domains for
            > which Postfix is authoritative and accepts mail; both of which do
            > not accept mail from the internet and are on internal relays.
            >
            > domain1.sch.uk
            > domain2.sch.uk
            >
            > Is it possible using built in policy restrictions to only allow
            > senders from domain1.sch.uk to email users from domain1.sch.uk, but
            > deny from domain2.sch.uk
            >
            > Using the smtpd_recipient_restrictions and
            > smtpd_restriction_classes to check the sender address or recipient
            > address doesn't give the granularity I require.
            >
            > As both domains exist in the access map, check_sender_access and
            > check_recipient_access will always match.
            >
            > /etc/postfix/access:
            >
            > domain1.sch.uk OK
            > domain2.sch.uk OK
            >
            > etc


            Anyone able to assist?

            Cheers,

            James
          • mouss
            Message 5 of 7 , Sep 30, 2007
              James Wilson wrote:
              > On 27 Sep 2007, at 11:46, James Wilson wrote:
              >>
              >> Thanks - I now have this working. Turning on +v to smtpd in master.cf
              >> helped no end! As suspected, my query was not correctly matching the
              >> input key.
              >>
              >> I'm now faced with one last issue... Say I have two domains for which
              >> Postfix is authoritative and accepts mail; both of which do not accept
              >> mail from the internet and are on internal relays.
              >>
              >> domain1.sch.uk
              >> domain2.sch.uk
              >>
              >> Is it possible using built in policy restrictions to only allow
              >> senders from domain1.sch.uk to email users from domain1.sch.uk, but
              >> deny from domain2.sch.uk
              >>
              >> Using the smtpd_recipient_restrictions and smtpd_restriction_classes
              >> to check the sender address or recipient address doesn't give the
              >> granularity I require.
              >>
              >> As both domains exist in the access map, check_sender_access and
              >> check_recipient_access will always match.
              >>
              >> /etc/postfix/access:
              >>
              >> domain1.sch.uk OK
              >> domain2.sch.uk OK
              >>
              >> etc
              >
              >
              > Anyone able to assist?


              use 2 maps. nothing requires that you check senders and recipients using
              a single map.
            • James Wilson
              Message 6 of 7 , Oct 1, 2007
                On 1 Oct 2007, at 05:51, mouss wrote:

                > use 2 maps. nothing requires that you check senders and recipients
                > using
                > a single map.

                Hi Mouss,

                Could you please elaborate? Even with multiple maps, won't all
                internal domains be trusted?

                Cheers,

                James
              • mouss
                Message 7 of 7 , Oct 1, 2007
                  James Wilson wrote:
                  > On 1 Oct 2007, at 05:51, mouss wrote:
                  >
                  >> use 2 maps. nothing requires that you check senders and recipients using
                  >> a single map.
                  >
                  > Hi Mouss,
                  >
                  > Could you please elaborate? Even with multiple maps, won't all internal
                  > domains be trusted?
                  >

                  What you need is not completely specified (I don't know who can do what
                  exactly), but here is the idea.

                  smtpd_restriction_classes =
                      ...
                      only_domain2_senders

                  smtpd_recipient_restrictions =
                      ...
                      check_recipient_access hash:/path/recipient_access

                  only_domain2_senders =
                      check_sender_access hash:/etc/path/domain2_allowed_senders
                      reject

                  == recipient_access:
                  domain2.example only_domain2_senders


                  == domain2_allowed_senders:
                  domain2.example OK


                  With this, only senders in domain2.example can send to addresses in
                  domain2.example.


                  Of course, users can forge their sender address to get around this. If
                  this is a concern, you'll need authentication and
                  reject_sender_login_mismatch.
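The script below is an added example, not code from this thread or from Postfix. It serves two passages at once: Wietse's advice to simulate by hand the access(5) lookups that Postfix makes (user@domain, domain, parent domains, user@) and check each with "postmap -q", and mouss's two-map restriction class, including his caveat that the sender address can be forged unless reject_sender_login_mismatch is used. It emulates "postmap -q" against the plain-text map sources, generates the access(5) key sequence for an address, walks the recipient_access / domain2_allowed_senders pair to a permit, reject or "no decision" result, and finally adds a simplified emulation of reject_sender_login_mismatch. Everything in it is constructed: the map contents, the domains domain1.example and domain2.example, the addresses alice, bob and eve, the login names, the scratch directory, and the assumption that the sender-login map is looked up by full sender address only (postconf(5) documents the exact key forms Postfix tries).

```shell
#!/bin/sh
# Added example (not code from the thread or from Postfix): emulate the
# access(5) lookup sequence Wietse describes and walk mouss's two-map
# restriction class, so the maps can be reasoned about before loading them.
# Everything below is constructed: map contents, addresses, login names.
# On a real system the equivalent check is "postmap -q KEY hash:/etc/postfix/MAP".

WORK=$(mktemp -d)                 # scratch dir for the constructed map sources
trap 'rm -rf "$WORK"' EXIT

# Text sources for the two maps from mouss's reply (constructed).
printf '%s\n' 'domain2.example  only_domain2_senders' > "$WORK/recipient_access"
printf '%s\n' 'domain2.example  OK' > "$WORK/domain2_allowed_senders"
# Constructed smtpd_sender_login_maps source: SASL login that owns each sender.
printf '%s\n' 'alice@domain2.example  alice' 'bob@domain2.example  bob' \
    > "$WORK/sender_login"

# access_keys ADDRESS: print, in order, the keys Postfix tries in an access(5)
# map: full address, its domain, each parent domain, then localpart@.
access_keys() {
    user=${1%@*} domain=${1#*@}
    printf '%s\n' "$1" "$domain"
    while [ "${domain#*.}" != "$domain" ]; do
        domain=${domain#*.}
        printf '%s\n' "$domain"
    done
    printf '%s@\n' "$user"
}

# map_lookup MAPFILE KEY: like "postmap -q KEY hash:MAPFILE" run against the
# text source: print the value and return 0 on a hit, return 1 on a miss.
# Keys are folded to lower case, as Postfix does for access maps.
map_lookup() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; found = 1; exit }
                   END { exit !found }' "$1"
}

# access_lookup MAPFILE ADDRESS: first key in access(5) order that hits wins.
access_lookup() {
    for key in $(access_keys "$2"); do
        if value=$(map_lookup "$1" "$key"); then
            printf '%s\n' "$value"
            return 0
        fi
    done
    return 1
}

# decide SENDER RECIPIENT: walk the restriction list from the reply
#   smtpd_recipient_restrictions = ... check_recipient_access recipient_access
#   only_domain2_senders = check_sender_access domain2_allowed_senders, reject
# and print OK, REJECT, or DUNNO (no rule fired; later restrictions decide).
decide() {
    class=$(access_lookup "$WORK/recipient_access" "$2") || class=""
    case $class in
    only_domain2_senders)
        if [ "$(access_lookup "$WORK/domain2_allowed_senders" "$1")" = OK ]; then
            echo OK
        else
            echo REJECT       # the class ends with "reject"
        fi ;;
    *)  echo DUNNO ;;
    esac
}

# decide_authed SENDER RECIPIENT LOGIN: the same walk preceded by an emulation
# of reject_sender_login_mismatch (looked up by full sender address only, an
# assumption; postconf(5) documents the exact key forms).  LOGIN is the SASL
# login name, or "" when the client did not authenticate.
decide_authed() {
    owner=$(map_lookup "$WORK/sender_login" "$1") || owner=""
    if [ -n "$3" ] && [ "$owner" != "$3" ]; then
        echo REJECT           # logged in, but not as the owner of this sender
    elif [ -z "$3" ] && [ -n "$owner" ]; then
        echo REJECT           # sender has an owner, but the client never logged in
    else
        decide "$1" "$2"
    fi
}

# Walk-through with the constructed data.
printf 'keys tried for alice@sub.domain2.example:\n'
access_keys alice@sub.domain2.example | sed 's/^/  /'
printf 'alice@domain2.example -> bob@domain2.example: %s\n' \
    "$(decide alice@domain2.example bob@domain2.example)"
printf 'eve@domain1.example -> bob@domain2.example: %s\n' \
    "$(decide eve@domain1.example bob@domain2.example)"
# The access maps alone cannot distinguish a forged MAIL FROM from the real one;
# only the login check does.
printf 'forged alice, not logged in: %s\n' \
    "$(decide_authed alice@domain2.example bob@domain2.example '')"
printf 'alice, logged in as alice: %s\n' \
    "$(decide_authed alice@domain2.example bob@domain2.example alice)"
```

The emulation reads only the text source of each map, ignores comments, and supports a single owner per sender address, so on a live system replace map_lookup with "postmap -q KEY hash:/etc/postfix/MAP" against the built table and keep the same key list. The walk-through makes Wietse's point concrete: a map keyed by domain matches alice@sub.domain2.example through the parent-domain key, while a map keyed only by full list addresses never matches a sender's domain key at all.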