Loading ...
Sorry, an error occurred while loading the content.

Policy filter applied from command line

Expand Messages
  • Tony Holmes
    My google-fu has failed me. I have a FreeBSD 7 system for hosting php for various users on it. I wish to allow the php mail() function to work but to aslo
    Message 1 of 13 , Aug 18 10:29 AM
    • 0 Attachment
      My google-fu has failed me.

      I have a FreeBSD 7 system for hosting php for various users on it.
      I wish to allow the php mail() function to work but to aslo prevent
      spam and enforce an outgoing quota. I have replaced the default sendmail
      command and am including my own wrapper to ensure the from address is
      being set correctly so that the policy server (postfix-policyd-sf).

      The wrapper I wrote uses the sendmail compatibility with -t so that it
      pulls the from/to from the email body itself.

      The pertinent line in my main.cf is:

      smtpd_sender_restrictions =
      check_sender_access hash:/usr/local/etc/postfix/cwahi_net-allowed
      check_policy_service inet:216.18.117.19:10031
      reject

      /usr/local/etc/postfix/cwahi_net-allowed:
      root PERMIT

      So basically, I don't trust anyone on the system, but I want root to be
      able to send (it goes to a relayhost) so that I get my nightly cron jobs,
      etc. Everyone else can only send if the policy service allows it.

      However, the policy service is never checked.

      I set mynetwork= since I don't even want to trust myself, but no go.

      I have to be missing something obvious, but I'm not sure what.

      Pointers?


      --
      Tony Holmes

      Ph: (416) 993-1219

      Founder and Senior Systems Architect
      Crosswinds Internet Communications Inc.
    • Wietse Venema
      ... As documented in the access(5) manual page, this permits mail from the NETWORK that claims to have a sender of root in your domain (regardless of whether
      Message 2 of 13 , Aug 18 10:37 AM
      • 0 Attachment
        Tony Holmes:
        > My google-fu has failed me.
        >
        > I have a FreeBSD 7 system for hosting php for various users on it.
        > I wish to allow the php mail() function to work but to aslo prevent
        > spam and enforce an outgoing quota. I have replaced the default sendmail
        > command and am including my own wrapper to ensure the from address is
        > being set correctly so that the policy server (postfix-policyd-sf).
        >
        > The wrapper I wrote uses the sendmail compatibility with -t so that it
        > pulls the from/to from the email body itself.
        >
        > The pertinent line in my main.cf is:
        >
        > smtpd_sender_restrictions =
        > check_sender_access hash:/usr/local/etc/postfix/cwahi_net-allowed
        > check_policy_service inet:216.18.117.19:10031
        > reject
        >
        > /usr/local/etc/postfix/cwahi_net-allowed:
        > root PERMIT

        As documented in the access(5) manual page, this permits mail from
        the NETWORK that claims to have a sender of root in your domain
        (regardless of whether or not it was sent by your super-user).

        To restrict mail via the sendmail command line, use the
        authorized_submit_users configuration parameter. It takes a list
        of UNIX system account names.

        Wietse
      • Brian Evans - Postfix List
        ... Note: sendmail client is received via the pickup service *not* smptd. You need PHP to send via SMTP. There are many ways to do this and many scripts
        Message 3 of 13 , Aug 18 10:38 AM
        • 0 Attachment
          Tony Holmes wrote:
          > My google-fu has failed me.
          >
          > I have a FreeBSD 7 system for hosting php for various users on it.
          > I wish to allow the php mail() function to work but to aslo prevent
          > spam and enforce an outgoing quota. I have replaced the default sendmail
          > command and am including my own wrapper to ensure the from address is
          > being set correctly so that the policy server (postfix-policyd-sf).
          >
          > The wrapper I wrote uses the sendmail compatibility with -t so that it
          > pulls the from/to from the email body itself.
          >
          > The pertinent line in my main.cf is:
          >
          > smtpd_sender_restrictions =
          > check_sender_access hash:/usr/local/etc/postfix/cwahi_net-allowed
          > check_policy_service inet:216.18.117.19:10031
          > reject
          >
          >

          Note: sendmail client is received via the pickup service *not* smptd.

          You need PHP to send via SMTP. There are many ways to do this and many
          scripts available to integrate.
          My favorite is htmlMimeMail (google it for details). There is also the
          PEAR version as well.

          Brian
          > /usr/local/etc/postfix/cwahi_net-allowed:
          > root PERMIT
          >
          > So basically, I don't trust anyone on the system, but I want root to be
          > able to send (it goes to a relayhost) so that I get my nightly cron jobs,
          > etc. Everyone else can only send if the policy service allows it.
          >
          > However, the policy service is never checked.
          >
          > I set mynetwork= since I don't even want to trust myself, but no go.
          >
          > I have to be missing something obvious, but I'm not sure what.
          >
          > Pointers?
          >
          >
          >
        • Tony Holmes
          ... That looks good for other work (from my quick perusal), but in this case I need mail() to function as per normal and I do the magic behind the scenes.
          Message 4 of 13 , Aug 18 10:47 AM
          • 0 Attachment
            > Note: sendmail client is received via the pickup service *not* smptd.
            >
            > You need PHP to send via SMTP. There are many ways to do this and many
            > scripts available to integrate.
            > My favorite is htmlMimeMail (google it for details). There is also the
            > PEAR version as well.

            That looks good for other work (from my quick perusal), but in this case I
            need mail() to function as per normal and I do the magic behind the scenes.

            Thank you for the pointers - I have more reading to do (I don't mind fingers
            to the manuals I need to RTFM :)


            >
            > Brian
            > >/usr/local/etc/postfix/cwahi_net-allowed:
            > >root PERMIT
            > >
            > >So basically, I don't trust anyone on the system, but I want root to be
            > >able to send (it goes to a relayhost) so that I get my nightly cron jobs,
            > >etc. Everyone else can only send if the policy service allows it.
            > >
            > >However, the policy service is never checked.
            > >
            > >I set mynetwork= since I don't even want to trust myself, but no go.
            > >
            > >I have to be missing something obvious, but I'm not sure what.
            > >
            > >Pointers?
            > >
            > >
            > >

            --
            Tony Holmes

            Ph: (416) 993-1219

            Founder and Senior Systems Architect
            Crosswinds Internet Communications Inc.
          • Tony Holmes
            ... This I know - firewalling prevents incoming smtp connections from outside and even itself. ... I am looking to allow/check policy/reject. This is where I
            Message 5 of 13 , Aug 18 10:59 AM
            • 0 Attachment
              > > smtpd_sender_restrictions =
              > > check_sender_access hash:/usr/local/etc/postfix/cwahi_net-allowed
              > > check_policy_service inet:216.18.117.19:10031
              > > reject
              > >
              > > /usr/local/etc/postfix/cwahi_net-allowed:
              > > root PERMIT
              >
              > As documented in the access(5) manual page, this permits mail from
              > the NETWORK that claims to have a sender of root in your domain
              > (regardless of whether or not it was sent by your super-user).

              This I know - firewalling prevents incoming smtp connections from
              outside and even itself.

              > To restrict mail via the sendmail command line, use the
              > authorized_submit_users configuration parameter. It takes a list
              > of UNIX system account names.

              I am looking to allow/check policy/reject. This is where I am tripping
              up - essentially want the same power as the smtpd restrictions, but for
              the command line. Ideally without having to deploy another box :)

              --
              Tony Holmes

              Ph: (416) 993-1219

              Founder and Senior Systems Architect
              Crosswinds Internet Communications Inc.
            • mouss
              ... configure your wrapper to use smtp to a specific port where you can use smtpd restrictions. you can use mini_sendmail or other.
              Message 6 of 13 , Aug 18 11:34 AM
              • 0 Attachment
                Tony Holmes wrote:
                >[snip]
                >
                > I am looking to allow/check policy/reject. This is where I am tripping
                > up - essentially want the same power as the smtpd restrictions, but for
                > the command line. Ideally without having to deploy another box :)
                >

                configure your wrapper to use smtp to a specific port where you can use
                smtpd restrictions. you can use mini_sendmail or other.
              • Tony Holmes
                ... That was where I am heading and it doesn t appear to be a major issue to implement. I can secure php to not be allowed to talk to the box and thus the perl
                Message 7 of 13 , Aug 18 11:46 AM
                • 0 Attachment
                  > >I am looking to allow/check policy/reject. This is where I am tripping
                  > >up - essentially want the same power as the smtpd restrictions, but for
                  > >the command line. Ideally without having to deploy another box :)
                  > >
                  >
                  > configure your wrapper to use smtp to a specific port where you can use
                  > smtpd restrictions. you can use mini_sendmail or other.

                  That was where I am heading and it doesn't appear to be a major issue
                  to implement. I can secure php to not be allowed to talk to the box and
                  thus the perl script will be free to do so (relaxing the firewall).

                  --
                  Tony Holmes

                  Ph: (416) 993-1219

                  Founder and Senior Systems Architect
                  Crosswinds Internet Communications Inc.
                • mouss
                  ... you don t need to block php if you implement strict checks in the smtpd that gets the connection. avoid reusing the port 25 smtpd. setup a specific smtpd
                  Message 8 of 13 , Aug 18 11:50 AM
                  • 0 Attachment
                    Tony Holmes wrote:
                    >>> I am looking to allow/check policy/reject. This is where I am tripping
                    >>> up - essentially want the same power as the smtpd restrictions, but for
                    >>> the command line. Ideally without having to deploy another box :)
                    >>>
                    >> configure your wrapper to use smtp to a specific port where you can use
                    >> smtpd restrictions. you can use mini_sendmail or other.
                    >
                    > That was where I am heading and it doesn't appear to be a major issue
                    > to implement. I can secure php to not be allowed to talk to the box and
                    > thus the perl script will be free to do so (relaxing the firewall).
                    >

                    you don't need to block php if you implement "strict" checks in the
                    smtpd that gets the connection. avoid reusing the port 25 smtpd. setup a
                    specific smtpd on a specific port instead. This way, you can play with
                    whatever rules you need without disturbing other smtp traffic. and you
                    can stop/start it whenever you want... etc.
                  • Wietse Venema
                    ... To force sendmail command-line submissions through the SMTP server, use this: /etc/postfix/master.cf pickup fifo n - n 60 1
                    Message 9 of 13 , Aug 18 11:53 AM
                    • 0 Attachment
                      Tony Holmes:
                      > > > smtpd_sender_restrictions =
                      > > > check_sender_access hash:/usr/local/etc/postfix/cwahi_net-allowed
                      > > > check_policy_service inet:216.18.117.19:10031
                      > > > reject
                      > > >
                      > > > /usr/local/etc/postfix/cwahi_net-allowed:
                      > > > root PERMIT
                      > >
                      > > As documented in the access(5) manual page, this permits mail from
                      > > the NETWORK that claims to have a sender of root in your domain
                      > > (regardless of whether or not it was sent by your super-user).
                      >
                      > This I know - firewalling prevents incoming smtp connections from
                      > outside and even itself.
                      >
                      > > To restrict mail via the sendmail command line, use the
                      > > authorized_submit_users configuration parameter. It takes a list
                      > > of UNIX system account names.
                      >
                      > I am looking to allow/check policy/reject. This is where I am tripping
                      > up - essentially want the same power as the smtpd restrictions, but for
                      > the command line. Ideally without having to deploy another box :)

                      To force sendmail command-line submissions through the SMTP server,
                      use this:

                      /etc/postfix/master.cf
                      pickup fifo n - n 60 1 pickup
                      -o content_filter=smtp:[127.0.0.1]:10025
                      [127.0.0.1]:10025
                      inet n - n - - smtpd

                      and remove 127.0.0.1 from mynetworks. Of course using some other
                      interface than 127.0.0.1 will work too, but you'd have to firewall
                      it.

                      Wietse
                    • Wietse Venema
                      ... Removing the 127.0.0.1 (or whatever you use) from mynetworks of course breaks mail relay access control, so you may have to keep it. Wietse
                      Message 10 of 13 , Aug 18 12:00 PM
                      • 0 Attachment
                        Wietse Venema:
                        > Tony Holmes:
                        > > > > smtpd_sender_restrictions =
                        > > > > check_sender_access hash:/usr/local/etc/postfix/cwahi_net-allowed
                        > > > > check_policy_service inet:216.18.117.19:10031
                        > > > > reject
                        > > > >
                        > > > > /usr/local/etc/postfix/cwahi_net-allowed:
                        > > > > root PERMIT
                        > > >
                        > > > As documented in the access(5) manual page, this permits mail from
                        > > > the NETWORK that claims to have a sender of root in your domain
                        > > > (regardless of whether or not it was sent by your super-user).
                        > >
                        > > This I know - firewalling prevents incoming smtp connections from
                        > > outside and even itself.
                        > >
                        > > > To restrict mail via the sendmail command line, use the
                        > > > authorized_submit_users configuration parameter. It takes a list
                        > > > of UNIX system account names.
                        > >
                        > > I am looking to allow/check policy/reject. This is where I am tripping
                        > > up - essentially want the same power as the smtpd restrictions, but for
                        > > the command line. Ideally without having to deploy another box :)
                        >
                        > To force sendmail command-line submissions through the SMTP server,
                        > use this:
                        >
                        > /etc/postfix/master.cf
                        > pickup fifo n - n 60 1 pickup
                        > -o content_filter=smtp:[127.0.0.1]:10025
                        > [127.0.0.1]:10025
                        > inet n - n - - smtpd
                        >
                        > and remove 127.0.0.1 from mynetworks. Of course using some other
                        > interface than 127.0.0.1 will work too, but you'd have to firewall
                        > it.

                        Removing the 127.0.0.1 (or whatever you use) from mynetworks of course
                        breaks mail relay access control, so you may have to keep it.

                        Wietse
                      • Tony Holmes
                        ... Excellent, and easy! Suggestions from you both. I love the power and flexbilitt of postfix. ... Actually I removed it and local submissions (which is all
                        Message 11 of 13 , Aug 18 1:57 PM
                        • 0 Attachment
                          > > To force sendmail command-line submissions through the SMTP server,
                          > > use this:
                          > >
                          > > /etc/postfix/master.cf
                          > > pickup fifo n - n 60 1 pickup
                          > > -o content_filter=smtp:[127.0.0.1]:10025
                          > > [127.0.0.1]:10025
                          > > inet n - n - - smtpd
                          > >
                          > > and remove 127.0.0.1 from mynetworks. Of course using some other
                          > > interface than 127.0.0.1 will work too, but you'd have to firewall
                          > > it.

                          Excellent, and easy! Suggestions from you both. I love the power and
                          flexbilitt of postfix.

                          > Removing the 127.0.0.1 (or whatever you use) from mynetworks of course
                          > breaks mail relay access control, so you may have to keep it.

                          Actually I removed it and local submissions (which is all this box should
                          allow) still worked. Hrm... :)

                          --
                          Tony Holmes

                          Ph: (416) 993-1219

                          Founder and Senior Systems Architect
                          Crosswinds Internet Communications Inc.
                        • Wietse Venema
                          ... Of course it comes at a small performance price. ... Postfix will accept mail, but the [127.0.0.1]:10025 SMTP server would reject mail for remote
                          Message 12 of 13 , Aug 18 2:05 PM
                          • 0 Attachment
                            Tony Holmes:
                            > > > To force sendmail command-line submissions through the SMTP server,
                            > > > use this:
                            > > >
                            > > > /etc/postfix/master.cf
                            > > > pickup fifo n - n 60 1 pickup
                            > > > -o content_filter=smtp:[127.0.0.1]:10025
                            > > > [127.0.0.1]:10025
                            > > > inet n - n - - smtpd
                            > > >
                            > > > and remove 127.0.0.1 from mynetworks. Of course using some other
                            > > > interface than 127.0.0.1 will work too, but you'd have to firewall
                            > > > it.
                            >
                            > Excellent, and easy! Suggestions from you both. I love the power and
                            > flexbilitt of postfix.

                            Of course it comes at a small performance price.

                            > > Removing the 127.0.0.1 (or whatever you use) from mynetworks of course
                            > > breaks mail relay access control, so you may have to keep it.
                            >
                            > Actually I removed it and local submissions (which is all this box should
                            > allow) still worked. Hrm... :)

                            Postfix will accept mail, but the [127.0.0.1]:10025 SMTP server
                            would reject mail for remote recipients.

                            Wietse
                          • Tony Holmes
                            ... It worked perfectly. By putting the quota check before the mynetworks check it does exactly what I want. -- Tony Holmes Ph: (416) 993-1219 Founder and
                            Message 13 of 13 , Aug 19 9:41 AM
                            • 0 Attachment
                              > > > > pickup fifo n - n 60 1 pickup
                              > > > > -o content_filter=smtp:[127.0.0.1]:10025
                              > > > > [127.0.0.1]:10025
                              > > > > inet n - n - - smtpd
                              > > > >
                              > > > > and remove 127.0.0.1 from mynetworks. Of course using some other
                              > > > > interface than 127.0.0.1 will work too, but you'd have to firewall
                              > > > > it.
                              > >
                              > > Excellent, and easy! Suggestions from you both. I love the power and
                              > > flexbilitt of postfix.
                              >
                              > Of course it comes at a small performance price.

                              It worked perfectly. By putting the quota check before the mynetworks check
                              it does exactly what I want.

                              --
                              Tony Holmes

                              Ph: (416) 993-1219

                              Founder and Senior Systems Architect
                              Crosswinds Internet Communications Inc.
                            Your message has been successfully submitted and would be delivered to recipients shortly.