
Please I need help on the restrictions

  • Osmany Goderich
    Message 1 of 4 , Oct 31, 2007
      I know I sent this message already today but I did not get an answer from
      anyone and I really need some help on this. Below I posted the
      configurations I have in my postfix server. Please tell me what I’m doing
      wrong and how can I fix things.

      Ok. So I’ve tried what you have suggested me but now I find that all mails
      go out even if the user does not authenticate for smtp. It’s not the Dovecot
      that’s not doing its job because I can see it in the maillogs when I
      configure my mail client for smtp auth the login for smtp happens. I tried
      to switch places with the permit mynetworks with the permit sasl
      authenticated rules but either way the mail still goes out. Can anybody help
      me on this?

      smtpd_sasl_auth_enable = yes
      smtpd_sasl_type = dovecot
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_path = private/auth
      smtpd_sasl_local_domain =
      broken_sasl_auth_clients = yes
      smtpd_helo_required = yes

      smtpd_restriction_classes = inter, nac_out, nac_in

      inter = permit
      nac_out = check_recipient_access regexp:/etc/postfix/filter_nac,reject
      nac_in = check_sender_access regexp:/etc/postfix/filter_nac,reject

      smtpd_helo_restrictions =
          reject_invalid_hostname
          check_sender_access hash:/etc/postfix/access_out

      smtpd_sender_restrictions =
          check_recipient_access hash:/etc/postfix/access_in

      smtpd_recipient_restrictions =
          permit_sasl_authenticated
          permit_mynetworks
      #    permit_sasl_authenticated
          reject_unauth_destination
          reject_unknown_sender_domain

      smtpd_data_restrictions = reject_unauth_pipelining

      Thank You

      Direccion Provincial Joven Club C.Habana
      Administrador del Nodo Provincial
      telefono: 863-1648
      website: www.ciudad.jovenclub.cu
      correo: administrador@...
    • mouss
      Message 2 of 4 , Nov 1, 2007
        Osmany Goderich wrote:
        > I know I sent this message already today but I did not get an answer from
        > any one and I really need some help on this. Below I posted the
        > configurations I have in my postfix server. Please tell me what I’m doing
        > wrong and how can I fix things.
        >
        > Ok. So I’ve tried what you have suggested me but now I find that all mails
        > go out even if the user does not authenticate for smtp. It’s not the Dovecot
        > that’s not doing it’s job because I can see it in the maillogs when I
        > configure my mail client for smtp auth the login for smtp happens. I tried
        > to switch places with the permit mynetworks with the permit sasl
        > authenticated rules but either way the mail still goes out. Can anybody help
        > me on this?
        >

        It is hard to tell what is your goal exactly, but here are a few notes.

        - if you send from a client that is in mynetworks, then
        permit_mynetworks will allow mail to be sent anywhere.
        - mail sent to one of your domains will be accepted from anywhere. This
        is how you get mail from us.

        if you want to enforce authentication in the case of relay, then set
        mynetworks = 127.0.0.1

        This will still allow people to send mail to _your_ domains without
        authentication. if you want to enforce authentication for your users,
        use smtpd_sender_login_maps with one of the
        reject_*_sender_login_mismatch checks. but this may not be always
        appropriate.

        you may find it better to enable the submission service in master.cf,
        and configure your mailers to use port 587 instead of 25. then setup
        different restrictions for submission.

        if you describe your goal and the problem you are trying to solve, we
        can provide better help.
      • Osmany Goderich
        Message 3 of 4 , Nov 1, 2007
          Thanks. I think I finally got the right configuration. I just wanted to make the smtp authentication to be a must because before this the clients could send mails whether they authenticate or not, but now they have to otherwise the server returns an 'Relay access denied' error. Now if anybody has seen the configurations I have (I sent it in the last two messages), can anyone clarify the last two rules? The reject_unknow_sender_domain and reject_unauth_destination, what do they do? If those rules are not a match what do they return? Dunno or OK?

          Thanx.

          -----Original message-----
          From: owner-postfix-users@... [mailto:owner-postfix-users@...] On behalf of mouss
          Sent: Thursday, November 01, 2007 3:30
          CC: postfix-users@...
          Subject: Re: Please I need help on the restrictions

          Osmany Goderich wrote:
          > I know I sent this message already today but I did not get an answer from
          > any one and I really need some help on this. Below I posted the
          > configurations I have in my postfix server. Please tell me what I’m doing
          > wrong and how can I fix things.
          >
          > Ok. So I’ve tried what you have suggested me but now I find that all mails
          > go out even if the user does not authenticate for smtp. It’s not the Dovecot
          > that’s not doing it’s job because I can see it in the maillogs when I
          > configure my mail client for smtp auth the login for smtp happens. I tried
          > to switch places with the permit mynetworks with the permit sasl
          > authenticated rules but either way the mail still goes out. Can anybody help
          > me on this?
          >

          It is hard to tell what is your goal exactly, but here are a few notes.

          - if you send from a client that is in mynetworks, then
          permit_mynetworks will allow mail to be sent anywhere.
          - mail sent to one of your domains will be accepted from anywhere. This
          is how you get mail from us.

          if you want to enforce authentication in the case of relay, then set
          mynetworks = 127.0.0.1

          This will still allow people to send mail to _your_ domains without
          authentication. if you want to enforce authentication for your users,
          use smtpd_sender_login_maps with one of the
          reject_*_sender_login_mismatch checks. but this may not be always
          appropriate.

          you may find it better to enable the submission service in master.cf,
          and configure your mailers to use port 587 instead of 25. then setup
          different restrictions for submission.

          if you describe your goal and the problem you are trying to solve, we
          can provide better help.

        • mouss
          Message 4 of 4 , Nov 1, 2007
            Osmany Goderich wrote:
            > Thanks. I think I finally got the right configuration. I just wanted to make the smtp authentication to be a must because before this the clients could send mails whether they authenticate or not, but now they have to otherwise the server returns an 'Relay access denied' error. Now if anybody has seen the configurations I have (I sent it in the last two messages), can anyone clarify the last two rules? The reject_unknow_sender_domain and reject_unauth_destination, what do they do? If those rules are not a match what do they return? Dunno or OK?
            >


            please do not top post. google if you don't know what this means. (in
            short, put your replies after the text you reply to).

            reject_unauth_destination prevents relay. if you remove it, you become
            an open relay. More precisely, it will reject mail if the recipient
            domain is not one of "yours" (mydestination, virtual_mailbox_domains,
            virtual_alias_domains and relay_domains).

            reject_unknown_sender_domain rejects mail if the sender address is
            "unknown" in DNS (no MX nor A record).
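
An added example, not part of the thread and not Postfix code: a simplified Python model of how the posted smtpd_recipient_restrictions list is walked, showing why swapping the two permit_ rules changed nothing, why narrowing mynetworks forces authentication for relay, and what the two reject_ rules return when they do not match. The domains, client addresses and LAN range are constructed assumptions; real Postfix answers reject_unknown_sender_domain with a temporary 450 code by default, which the model folds into REJECT.

```python
import ipaddress

MY_DOMAINS = {"example.cu"}                # constructed: domains this server accepts mail for
DNS_KNOWN = {"example.cu", "example.org"}  # constructed: sender domains with an MX or A record

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def in_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return any(ip in ipaddress.ip_network(net) for net in s["mynetworks"])

# permit_* yields OK or DUNNO; reject_* yields REJECT or DUNNO (never OK).
RESTRICTIONS = {
    "permit_sasl_authenticated": lambda s: "OK" if s["sasl_user"] else "DUNNO",
    "permit_mynetworks": lambda s: "OK" if in_mynetworks(s) else "DUNNO",
    "reject_unauth_destination":
        lambda s: "DUNNO" if domain(s["rcpt"]) in MY_DOMAINS else "REJECT",
    "reject_unknown_sender_domain":
        lambda s: "DUNNO" if domain(s["sender"]) in DNS_KNOWN else "REJECT",
}

def evaluate(order, session):
    """Return (verdict, deciding_rule); the first non-DUNNO result wins."""
    for name in order:
        verdict = RESTRICTIONS[name](session)
        if verdict != "DUNNO":
            return verdict, name
    return "OK", "end of list"  # nothing objected, so the recipient is accepted

# Order from the posted main.cf, and the same list with the two permit_ rules swapped.
POSTED = ["permit_sasl_authenticated", "permit_mynetworks",
          "reject_unauth_destination", "reject_unknown_sender_domain"]
SWAPPED = [POSTED[1], POSTED[0]] + POSTED[2:]

def session(client_ip, mynetworks, sasl_user=None,
            sender="user@example.cu", rcpt="friend@example.org"):
    return {"client_ip": client_ip, "mynetworks": mynetworks,
            "sasl_user": sasl_user, "sender": sender, "rcpt": rcpt}

if __name__ == "__main__":
    lan = ["127.0.0.0/8", "192.168.1.0/24"]  # constructed LAN range
    cases = (("LAN in mynetworks", lan), ("mynetworks = 127.0.0.1", ["127.0.0.1"]))
    for label, nets in cases:
        for order in (POSTED, SWAPPED):
            # Unauthenticated LAN client relaying to an outside domain.
            print(label, order[:2], evaluate(order, session("192.168.1.50", nets)))
```
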