Restrict external hosts

  • Vernon A. Fort
    Message 1 of 6 , Mar 2, 2009
      I have a setup in which we use an external mail filtering service and need
      to limit/restrict external client access, meaning the MX for the domain
      points to the filtering service and they relay checked email. I need to
      limit access to just these network blocks but also allow SASL
      authenticated clients as well as the internal network.

      I also do not want to blindly trust this service, so I would like to
      check the IP address as well as ensuring the recipient is for my domain.

      Can someone point me to an example or man page? I cannot seem to find
      anything related to limiting inbound SMTP clients/servers.

      Vernon
    • Noel Jones
      Message 2 of 6 , Mar 2, 2009
        Vernon A. Fort wrote:
        > I have a setup in which we use an external mail filtering service and need
        > to limit/restrict external client access, meaning the MX for the domain
        > points to the filtering service and they relay checked email. I need to
        > limit access to just these network blocks but also allow SASL
        > authenticated clients as well as the internal network.
        >
        > I also do not want to blindly trust this service, so I would like to
        > check the IP address as well as ensuring the recipient is for my domain.
        >
        > Can someone point me to an example or man page? I cannot seem to find
        > anything related to limiting inbound SMTP clients/servers.
        >
        > Vernon

        Minimal config:

        # main.cf

        # do not include filter service IPs in mynetworks
        mynetworks = 127.0.0.0/8 ...
        smtpd_recipient_restrictions =
        permit_sasl_authenticated
        permit_mynetworks
        reject_unauth_destination
        check_client_access cidr:/etc/postfix/filter_service
        reject

        # filter_service
        192.1.0.0/24 OK
        ... other cidr ranges filter service uses ...


        -- Noel Jones
      • Vernon A. Fort
        Message 3 of 6 , Mar 2, 2009
          Noel Jones wrote:
          > Vernon A. Fort wrote:
          >> I have a setup in which we use an external mail filtering service and
          >> need to limit/restrict external client access, meaning the MX for
          >> the domain points to the filtering service and they relay checked
          >> email. I need to limit access to just these network blocks but also
          >> allow SASL authenticated clients as well as the internal network.
          >>
          >> I also do not want to blindly trust this service, so I would like to
          >> check the IP address as well as ensuring the recipient is for my domain.
          >>
          >> Can someone point me to an example or man page? I cannot seem to
          >> find anything related to limiting inbound SMTP clients/servers.
          >>
          >> Vernon
          >
          > Minimal config:
          >
          > # main.cf
          >
          > # do not include filter service IPs in mynetworks
          > mynetworks = 127.0.0.0/8 ...
          > smtpd_recipient_restrictions =
          > permit_sasl_authenticated
          > permit_mynetworks
          > reject_unauth_destination
          > check_client_access cidr:/etc/postfix/filter_service
          > reject
          >
          > # filter_service
          > 192.1.0.0/24 OK
          > ... other cidr ranges filter service uses ...
          >
          >
          > -- Noel Jones
          Hey Noel,
          What I have now under the smtpd_*_restrictions:

          smtpd_sender_restrictions =
          smtpd_client_restrictions =
          smtpd_etrn_restrictions = reject
          smtpd_recipient_restrictions =
          reject_non_fqdn_sender,
          reject_non_fqdn_recipient,
          permit_sasl_authenticated,
          permit_mynetworks,
          reject_unauth_destination,
          check_helo_access .....
          check_sender_access ...
          check_client_access (for whitelisting client sites - just in
          case they get RBL listed)
          reject_rbl_client ....
          permit
          smtpd_data_restrictions =
          reject_unauth_pipelining,
          permit

          What I'm 'thinking' of is:

          smtpd_sender_restrictions =
          smtpd_client_restrictions =
          permit_sasl_authenticated,
          permit_mynetworks,
          check_client_access cidr:/etc/postfix/filter_service.cidr,
          reject

          The filter_service.cidr would look like:
          1.2.3.4/29 OK
          1.2.4.4/29 OK
          0.0.0.0/0 REJECT

          Would it be redundant to have the permit_sasl and permit_mynetworks
          under both the smtpd_client and smtpd_recipient?

          Vernon
        • Noel Jones
          Message 4 of 6 , Mar 2, 2009
            Vernon A. Fort wrote:
            > Noel Jones wrote:
            >> Vernon A. Fort wrote:
            >>> I have a setup in which we use an external mail filtering service and
            >>> need to limit/restrict external client access, meaning the MX for
            >>> the domain points to the filtering service and they relay checked
            >>> email. I need to limit access to just these network blocks but also
            >>> allow SASL authenticated clients as well as the internal network.
            >>>
            >>> I also do not want to blindly trust this service, so I would like to
            >>> check the IP address as well as ensuring the recipient is for my domain.
            >>>
            >>> Can someone point me to an example or man page? I cannot seem to
            >>> find anything related to limiting inbound SMTP clients/servers.
            >>>
            >>> Vernon
            >>
            >> Minimal config:
            >>
            >> # main.cf
            >>
            >> # do not include filter service IPs in mynetworks
            >> mynetworks = 127.0.0.0/8 ...
            >> smtpd_recipient_restrictions =
            >> permit_sasl_authenticated
            >> permit_mynetworks
            >> reject_unauth_destination
            >> check_client_access cidr:/etc/postfix/filter_service
            >> reject
            >>
            >> # filter_service
            >> 192.1.0.0/24 OK
            >> ... other cidr ranges filter service uses ...
            >>
            >>
            >> -- Noel Jones
            > Hey Noel,
            > What I have now under the smtpd_*_restrictions:
            >
            > smtpd_sender_restrictions =
            > smtpd_client_restrictions =
            > smtpd_etrn_restrictions = reject
            > smtpd_recipient_restrictions =
            > reject_non_fqdn_sender,
            > reject_non_fqdn_recipient,
            > permit_sasl_authenticated,
            > permit_mynetworks,
            > reject_unauth_destination,
            > check_helo_access .....
            > check_sender_access ...
            > check_client_access (for whitelisting client sites - just in case
            > they get RBL listed)
            > reject_rbl_client ....
            > permit
            > smtpd_data_restrictions =
            > reject_unauth_pipelining,
            > permit
            >
            > What I'm 'thinking' of is:
            >
            > smtpd_sender_restrictions =
            > smtpd_client_restrictions =
            > permit_sasl_authenticated,
            > permit_mynetworks,
            > check_client_access cidr:/etc/postfix/filter_service.cidr,
            > reject
            >
            > The filter_service.cidr would look like:
            > 1.2.3.4/29 OK
            > 1.2.4.4/29 OK
            > 0.0.0.0/0 REJECT
            >
            > Would it be redundant to have the permit_sasl and permit_mynetworks
            > under both the smtpd_client and smtpd_recipient?
            >
            > Vernon
            >
            >
            >
            >
            >


            You (usually) need permit_sasl_authenticated and
            permit_mynetworks under each smtpd_*_restrictions in use to
            exempt trustworthy clients from those checks. If you use a
            whitelist you will likely need to duplicate that under each
            section too. That's one reason it's often easier to put
            everything under smtpd_recipient_restrictions.

            To add additional restrictions, refer to the example I
            provided earlier:
            # do not include filter service IPs in mynetworks
            mynetworks = 127.0.0.0/8 ...
            smtpd_recipient_restrictions =
            permit_sasl_authenticated
            permit_mynetworks
            reject_unauth_destination
            ... other restrictions here ...
            check_client_access cidr:/etc/postfix/filter_service
            reject

            Important Note: the various check_client_access,
            reject_rbl_client, various helo checks, and
            reject_unauth_pipelining restrictions will see the filter
            service connection info - not the original sender - so they
            are quite limited in usefulness to you. You could use
            reject_rhsbl_sender to reject bad sender domains if you can
            find a service that you consider trustworthy enough for
            rejections.

            -- Noel Jones
          • Vernon A. Fort
            Message 5 of 6 , Mar 2, 2009
              Noel Jones wrote:
              > Vernon A. Fort wrote:
              >> Noel Jones wrote:
              >>> Vernon A. Fort wrote:
              >>>> I have a setup in which we use an external mail filtering service and
              >>>> need to limit/restrict external client access, meaning the MX for
              >>>> the domain points to the filtering service and they relay checked
              >>>> email. I need to limit access to just these network blocks but
              >>>> also allow SASL authenticated clients as well as the internal network.
              >>>>
              >>>> I also do not want to blindly trust this service, so I would like to
              >>>> check the IP address as well as ensuring the recipient is for my
              >>>> domain.
              >>>>
              >>>> Can someone point me to an example or man page? I cannot seem to
              >>>> find anything related to limiting inbound SMTP clients/servers.
              >>>>
              >>>> Vernon
              >>>
              >>> Minimal config:
              >>>
              >>> # main.cf
              >>>
              >>> # do not include filter service IPs in mynetworks
              >>> mynetworks = 127.0.0.0/8 ...
              >>> smtpd_recipient_restrictions =
              >>> permit_sasl_authenticated
              >>> permit_mynetworks
              >>> reject_unauth_destination
              >>> check_client_access cidr:/etc/postfix/filter_service
              >>> reject
              >>>
              >>> # filter_service
              >>> 192.1.0.0/24 OK
              >>> ... other cidr ranges filter service uses ...
              >>>
              >>>
              >>> -- Noel Jones
              >> Hey Noel,
              >> What I have now under the smtpd_*_restrictions:
              >>
              >> smtpd_sender_restrictions =
              >> smtpd_client_restrictions =
              >> smtpd_etrn_restrictions = reject
              >> smtpd_recipient_restrictions =
              >> reject_non_fqdn_sender,
              >> reject_non_fqdn_recipient,
              >> permit_sasl_authenticated,
              >> permit_mynetworks,
              >> reject_unauth_destination,
              >> check_helo_access .....
              >> check_sender_access ...
              >> check_client_access (for whitelisting client sites - just in
              >> case they get RBL listed)
              >> reject_rbl_client ....
              >> permit
              >> smtpd_data_restrictions =
              >> reject_unauth_pipelining,
              >> permit
              >>
              >> What I'm 'thinking' of is:
              >>
              >> smtpd_sender_restrictions =
              >> smtpd_client_restrictions =
              >> permit_sasl_authenticated,
              >> permit_mynetworks,
              >> check_client_access cidr:/etc/postfix/filter_service.cidr,
              >> reject
              >>
              >> The filter_service.cidr would look like:
              >> 1.2.3.4/29 OK
              >> 1.2.4.4/29 OK
              >> 0.0.0.0/0 REJECT
              >>
              >> Would it be redundant to have the permit_sasl and permit_mynetworks
              >> under both the smtpd_client and smtpd_recipient?
              >>
              >> Vernon
              >>
              >>
              >>
              >>
              >
              >
              > You (usually) need permit_sasl_authenticated and permit_mynetworks
              > under each smtpd_*_restrictions in use to exempt trustworthy clients
              > from those checks. If you use a whitelist you will likely need to
              > duplicate that under each section too. That's one reason it's often
              > easier to put everything under smtpd_recipient_restrictions.
              >
              > To add additional restrictions, refer to the example I provided earlier:
              > # do not include filter service IPs in mynetworks
              > mynetworks = 127.0.0.0/8 ...
              > smtpd_recipient_restrictions =
              > permit_sasl_authenticated
              > permit_mynetworks
              > reject_unauth_destination
              > ... other restrictions here ...
              > check_client_access cidr:/etc/postfix/filter_service
              > reject
              >
              > Important Note: the various check_client_access, reject_rbl_client,
              > various helo checks, and reject_unauth_pipelining restrictions will
              > see the filter service connection info - not the original sender - so
              > they are quite limited in usefulness to you. You could use
              > reject_rhsbl_sender to reject bad sender domains if you can find a
              > service that you consider trustworthy enough for rejections.
              >
              > -- Noel Jones
              I agree, the simpler the better. With the cidr file, I ONLY want to
              accept email from this filter service, meaning do I need to put the
              0.0.0.0/0 REJECT at the end of the list?

              Vernon
            • Noel Jones
              Message 6 of 6 , Mar 2, 2009
                Vernon A. Fort wrote:
                > I agree, the simpler the better. With the cidr file, I ONLY want to
                > accept email from this filter service, meaning do I need to put the
                > 0.0.0.0/0 REJECT at the end of the list?
                >
                > Vernon

                The "reject" after the check_client_access takes care of
                rejecting any client not permitted by the cidr table (or other
                rules), and makes it clear at a glance that nothing else will
                be accepted.

                That said, adding 0.0.0.0/0 REJECT at the end of the cidr
                table isn't exactly wrong, just unnecessary.

                -- Noel Jones
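The restriction order Noel gives in messages 2 and 4, and the 0.0.0.0/0 question from message 6, modelled as an added Python example that is not part of the thread: it walks a simplified smtpd_recipient_restrictions list over a cidr: table, with the filter-service ranges, local networks, domain and client addresses all constructed for the demonstration. It also makes Noel's caveat concrete: the only address a client-based check ever sees is the filter service's, not the original sender's.

```python
import ipaddress
# Constructed sample values (not the thread's real networks): filter-service
# ranges, the local networks, and the one domain this server accepts mail for.
FILTER_SERVICE_TABLE = """
# filter_service
192.1.0.0/24   OK
1.2.3.0/29     OK
"""
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
LOCAL_DOMAINS = {"example.com"}

def parse_cidr_table(text):
    """Parse a Postfix cidr: table into (network, action) pairs; first match wins."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            net, action = line.split(None, 1)
            rules.append((ipaddress.ip_network(net, strict=False), action.strip().upper()))
    return rules

def check_client_access(rules, ip):
    """Look up the connecting client's IP; None means no entry matched (neutral)."""
    return next((action for net, action in rules if ip in net), None)

def evaluate(client_ip, recipient, sasl=False, rules=None):
    """Walk the thread's smtpd_recipient_restrictions in order; return (verdict,
    deciding restriction). client_ip is the connecting host (the filter service),
    never the original sender, which is why per-client checks see little here."""
    rules = parse_cidr_table(FILTER_SERVICE_TABLE) if rules is None else rules
    ip = ipaddress.ip_address(client_ip)
    if sasl:                                   # permit_sasl_authenticated
        return ("permit", "permit_sasl_authenticated")
    if any(ip in net for net in MYNETWORKS):   # permit_mynetworks
        return ("permit", "permit_mynetworks")
    if recipient.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS:
        return ("reject", "reject_unauth_destination")  # never relay for strangers
    action = check_client_access(rules, ip)    # check_client_access cidr:...
    if action in ("OK", "REJECT"):
        return ("permit" if action == "OK" else "reject", "check_client_access")
    return ("reject", "reject")                # the final catch-all reject

# Message 6's point: a trailing "0.0.0.0/0 REJECT" changes which rule fires for
# unknown clients but never the verdict, because the list already ends in reject.
SAMPLE_CLIENTS = [("192.1.0.10", "bob@example.com"), ("203.0.113.5", "bob@example.com"),
                  ("1.2.3.4", "bob@other.net"), ("10.1.2.3", "bob@other.net")]
def catchall_is_redundant():
    base = parse_cidr_table(FILTER_SERVICE_TABLE)
    extended = parse_cidr_table(FILTER_SERVICE_TABLE + "0.0.0.0/0 REJECT\n")
    return all(evaluate(i, r, rules=base)[0] == evaluate(i, r, rules=extended)[0] for i, r in SAMPLE_CLIENTS)
```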