
Re: How to ensure that either FROM or TO is local

  • Serge Fonville
    Message 1 of 13 , Jan 3, 2010
      Thx for the reply

      > Questions similar to yours come up fairly often, I'm not sure why
      > noone's jumped in yet with a rough solution that will do what you
      > want. What you've mentioned you want:
      >
      >> How do I ensure that my mail server can only send mails either to or
      >> from mydomains?
      >
      > I *think* the short, correct answer is to use a policy server:
      > http://www.postfix.org/SMTPD_POLICY_README.html
      I will look into those then

      >> When I add the following to main.cf, this should perform the check, so
      >> only people I know are allowed to send through postfix and they can
      >> send anywhere. This should also prevent anyone to send mail from an
      >> address that isn't one of mine.
      >>
      >> smtpd_reject_unlisted_recipient = no
      >> smtpd_reject_unlisted_sender = yes
      >> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
      >> smtpd_sender_restrictions =
      >> Unfortunately, it does not work.
      >
      > When you report that something doesn't work, it's best to provide log
      > entries that support what you're saying. Basically, it's most helpful
      > if you:
      > 1. Describe what you expected to happen
      > 2. Describe what you saw actually happened.
      > 3. Show the log entries so we can see what happened.
      With the current configuration I'd expect some sort of 'denied'
      message for MAIL FROM: when it is not in mydomains
      instead I get '250 2.1.0 Ok' when specifying a MAIL FROM that is not
      in mydomains

      For example:
      Config:
      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      append_dot_mydomain = no
      biff = no
      config_directory = /etc/postfix
      inet_interfaces = all
      mailbox_size_limit = 0
      mydestination =
      myhostname = server01.fonville-it.nl
      mynetworks = 0.0.0.0
      myorigin = /etc/mailname
      readme_directory = no
      recipient_delimiter = +
      relayhost =
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
      smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
      smtpd_reject_unlisted_recipient = no
      smtpd_reject_unlisted_sender = yes
      smtpd_sender_restrictions =
      smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
      smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtpd_use_tls = yes
      virtual_mailbox_domains = mail.fonville-it.nl, fonville-it.nl
      virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailbox-maps.cf
      virtual_transport = zarafa

      Telnet session;
      220 server01.fonville-it.nl ESMTP Postfix (Ubuntu)
      ehlo fonville-it.nl
      250-server01.fonville-it.nl
      250-PIPELINING
      250-SIZE 10240000
      250-VRFY
      250-ETRN
      250-STARTTLS
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN
      MAIL FROM: <serge.fonville@gmail.com>
      250 2.1.0 Ok
      RCPT TO: <sergefonville@fonville-it.nl>
      250 2.1.5 Ok
      RSET
      250 2.0.0 Ok
      MAIL FROM: <sergefonville@fonville-it.nl>
      250 2.1.0 Ok
      RCPT TO: <serge.fonville@gmail.com>
      554 5.7.1 <serge.fonville@gmail.com>: Relay access denied
      QUIT
      221 2.0.0 Bye

      Log:
      Jan 3 14:36:10 server01 postfix/smtpd[9110]: connect from localhost[127.0.0.1]
      Jan 3 14:36:38 server01 postfix/smtpd[9110]: DF06F5302F: client=localhost[127.0.0.1]
      Jan 3 14:37:08 server01 postfix/smtpd[9110]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <serge.fonville@...>: Relay access denied; from=<sergefonville@...> to=<serge.fonville@...> proto=ESMTP helo=<fonville-it.nl>
      Jan 3 14:37:13 server01 postfix/smtpd[9110]: disconnect from localhost[127.0.0.1]

      No particular logging is present, /var/log/mail.log only shows what is
      also visible in the telnet session

      >> mydestination =
      > This is likely to be wrong. I can see you're using virtual mailboxes,
      > but not having any local domains at all is odd.
      I removed these in the many attempts

      >> mynetworks = 0.0.0.0
      > This is *definitely* very wrong! smtpd_recipient_restrictions will
      > allow ANY client in mynetworks to relay mail to any destination. I
      > don't know if using smtpd_reject_unlisted_sender would prevent
      > anything going wrong here, but this is likely to make you an open
      > relay.
      I am aware of open relay, that's why it is no longer internet accessible


      Thanks a lot for all the help so far

      Regards,

      Serge Fonville
      --
      http://www.sergefonville.nl

      Convince Google!!
      They need to support Adsense over SSL
      https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528
      http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923&hl=en
    • Serge Fonville
      Message 2 of 13 , Jan 3, 2010
        >> I *think* the short, correct answer is to use a policy server:
        >> http://www.postfix.org/SMTPD_POLICY_README.html
        > I will look into those then
        I read into http://www.postfix.org/SMTPD_POLICY_README.html, but I do
        not see how I can use this to solve my problem.
        Perhaps I am missing something...

        Any help is greatly appreciated

        Regards,

        Serge Fonville

      • Wietse Venema
        Message 3 of 13 , Jan 3, 2010
          Serge Fonville:
          > >> I *think* the short, correct answer is to use a policy server:
          > >> http://www.postfix.org/SMTPD_POLICY_README.html
          > > I will look into those then
          > I read into http://www.postfix.org/SMTPD_POLICY_README.html, but I do
          > not see how I can use this to solve my problem.
          > Perhaps I am missing something...
          >
          > Any help is greatly appreciated

          The policy server can reject mail from a remote network with a
          local sender address.

          Isn't that what you want?

          As an added bonus, it can also reject mail from a local network
          with a remote sender address. This can help to stop outbound spam
          from zombie-infested PCs.

          Wietse
        • Serge Fonville
          Message 4 of 13 , Jan 3, 2010
            Wietse,

            Thx for the reply

            > The policy server can reject mail from a remote network with a
            > local sender address.
            >
            > Isn't that what you want?
            >
            > As an added bonus, it can also reject mail from a local network
            > with a remote sender address. This can help to stop outbound spam
            > from zombie-infested PCs.

            Yes exactly.

            I read into the page again and it seems to be suitable for my purpose.
            Unfortunately it also seems to mean I have to write my own policy server..
            At least I have a starting point from now on.

            Thanks a lot for the help!

            Regards,

            Serge Fonville
          • /dev/rob0
            Message 5 of 13 , Jan 3, 2010
              On Sun, Jan 03, 2010 at 09:58:15PM +1100, Barney Desmond wrote:
              > > mynetworks = 0.0.0.0
              > This is *definitely* very wrong! smtpd_recipient_restrictions will
              > allow ANY client in mynetworks to relay mail to any destination. I

              While it was intended, no doubt, to be very wrong, it failed. Lacking
              a valid CIDR expression, that only matches the single IPv4 address of
              0.0.0.0, which, having special meaning in networking, is unroutable.
              A setting of equivalent functionality is "mynetworks =".

              The OP would be well advised to review the BASIC_CONFIGURATION_README,
              listing in $mynetworks the client networks which should be allowed to
              relay.

              If the OP does not wish to allow any to relay on the basis of IP
              address unless using a "local sender", as the $SUBJECT suggests, the
              solution is pretty simple.

              main.cf :
              mynetworks = real.IP.add.ress/CIDR[, ...]
              smtpd_recipient_restrictions = reject_unlisted_sender,
              permit_mynetworks, permit_sasl_authenticated,
              reject_unauth_destination[, ...]

              > don't know if using smtpd_reject_unlisted_sender would prevent
              > anything going wrong here, but this is likely to make you an open
              > relay.

              If the wrong thing had been done correctly ;) I think this would have
              worked too, that is, if I understood the OP's goal correctly.
              --
              Offlist mail to this address is discarded unless
              "/dev/rob0" or "not-spam" is in Subject: header
            • Serge Fonville
              Message 6 of 13 , Jan 4, 2010
                Thx for the reply.

                > While it was intended, no doubt, to be very wrong, it failed. Lacking
                > a valid CIDR expression, that only matches the single IPv4 address of
                > 0.0.0.0, which, having special meaning in networking, is unroutable.
                > A setting of equivalent functionality is "mynetworks =".
                >
                > The OP would be well advised to review the BASIC_CONFIGURATION_README,
                > listing in $mynetworks the client networks which should be allowed to
                > relay.
                I read all the postfix docs I could find...

                > If the OP does not wish to allow any to relay on the basis of IP
                > address unless using a "local sender", as the $SUBJECT suggests, the
                > solution is pretty simple.
                >
                > main.cf :
                > mynetworks = real.IP.add.ress/CIDR[, ...]
                > smtpd_recipient_restrictions = reject_unlisted_sender,
                >    permit_mynetworks, permit_sasl_authenticated,
                >    reject_unauth_destination[, ...]
                This did not seem to work as expected.

                >> don't know if using smtpd_reject_unlisted_sender would prevent
                >> anything going wrong here, but this is likely to make you an open
                >> relay.
                >
                > If the wrong thing had been done correctly ;) I think this would have
                > worked too, that is, if I understood the OP's goal correctly.

                I'm using a virtual transport for all my mail.
                With local mail I meant all mail that goes through this transport.
                To verify the 'local' users I use LDAP. It contains all my users and
                their email addresses.

                So basically, what my 'ideal' configuration would offer

                If someone from a none private IP (or localhost) tries to send a mail
                it is required to have a recipient that is part of the service that
                offers the virtual transport (this way internal people can send to
                each other and to people outside the internal environment).
                When someone from a public IP tries to send a mail it is required that
                the sender is an unknown address and the recipient is known.

                This (I believe) can be resolved by using either two instances. or
                some sort of policy daemon.

                What I currently don't know is how I would go about and resolve this.

                I hope I have clarified any euhh... unclarities

                Thanks a lot!

                Regards,

                Serge Fonville
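The policy daemon that Wietse describes and that the last message asks how to write, as an added example that is not part of this thread and not Postfix's own code. It answers each request with the rule from the subject line: a client inside the trusted networks (or SASL-authenticated) may relay, but only with a sender in a local domain (Wietse's "added bonus"); any other client may only deliver to a local domain and may not claim a local sender. Everything it does not reject gets DUNNO, so reject_unauth_destination stays in force behind it. The domain list, the network list, the socket name and the file paths in the docstring are placeholders standing in for the OP's values; the request and reply format is the attribute=value, blank-line-terminated exchange from SMTPD_POLICY_README. One thing about the original configuration is worth stating: smtpd_reject_unlisted_sender (like reject_unlisted_sender) only acts on sender addresses in domains Postfix itself is responsible for, such as $mydestination or $virtual_mailbox_domains, so a gmail.com MAIL FROM is never subject to it; a check on foreign sender domains has to come from something like this daemon.

```python
#!/usr/bin/env python3
"""Postfix SMTPD policy daemon: the client must be ours or the sender must be
ours, and a foreign client may never use one of our sender addresses.

Added example for this thread, not Postfix's own code.  Assumed wiring
(service name, paths, domains and networks are placeholders):

    # main.cf: the policy check must run BEFORE permit_mynetworks, or local
    # clients bypass it and the foreign-sender rule never fires.
    smtpd_recipient_restrictions =
        check_policy_service unix:private/localpolicy,
        permit_mynetworks, permit_sasl_authenticated,
        reject_unauth_destination

    # master.cf
    localpolicy unix - n n - 0 spawn
        user=nobody argv=/usr/bin/python3 /usr/local/bin/localpolicy.py
"""
import io
import ipaddress
import sys

# Assumed site values standing in for the OP's setup.
LOCAL_DOMAINS = {"fonville-it.nl", "mail.fonville-it.nl"}
# What $mynetworks should hold: real CIDR blocks, not a bare 0.0.0.0.
MYNETWORKS = [ipaddress.ip_network(n)
              for n in ("127.0.0.0/8", "::1/128", "192.168.1.0/24")]


def parse_request(lines):
    """Turn the attribute=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        key, sep, value = line.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def domain_of(address):
    """Lower-cased domain of an envelope address; '' for the null sender."""
    _, at, domain = address.rpartition("@")
    return domain.lower() if at else ""


def is_local(address):
    return domain_of(address) in LOCAL_DOMAINS


def is_trusted_client(attrs):
    """SASL-authenticated, or connecting from one of our networks."""
    if attrs.get("sasl_username"):
        return True
    raw = attrs.get("client_address", "")
    if raw.startswith("IPv6:"):
        raw = raw[5:]
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return False
    return any(ip in net for net in MYNETWORKS)


def decide(attrs):
    """Return the value for the 'action=' reply; DUNNO means 'no opinion'."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender = attrs.get("sender", "")
    recipient = attrs.get("recipient", "")
    if is_trusted_client(attrs):
        # Wietse's "added bonus": our own clients may not use foreign senders
        # (the null sender of bounces is let through).
        if sender and not is_local(sender):
            return "REJECT Sender address is not in one of our domains"
        return "DUNNO"  # permit_mynetworks / permit_sasl_authenticated decide
    # Untrusted client: a local sender here can only be forged.
    if is_local(sender):
        return "REJECT Local sender address from outside our network"
    if is_local(recipient):
        return "DUNNO"  # ordinary inbound mail
    return "REJECT Relay access denied: neither sender nor recipient is local"


def serve(infile=sys.stdin, outfile=sys.stdout):
    """Answer requests on stdin/stdout as a spawn(8) service does: a request is
    attribute=value lines ended by an empty line, a reply 'action=...' plus an
    empty line."""
    pending = []
    for line in infile:
        line = line.rstrip("\r\n")
        if line:
            pending.append(line)
        elif pending:
            outfile.write(f"action={decide(parse_request(pending))}\n\n")
            outfile.flush()
            pending = []


def handle(text):
    """Feed a request stream to serve() and return the reply stream."""
    out = io.StringIO()
    serve(io.StringIO(text), out)
    return out.getvalue()


# Constructed requests mirroring the two transactions in the OP's telnet
# session (client localhost, which here IS inside MYNETWORKS).
SAMPLE_REQUESTS = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=ESMTP\n"
    "helo_name=fonville-it.nl\nclient_address=127.0.0.1\nclient_name=localhost\n"
    "sender=serge.fonville@gmail.com\nrecipient=sergefonville@fonville-it.nl\n\n"
    "request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=ESMTP\n"
    "helo_name=fonville-it.nl\nclient_address=127.0.0.1\nclient_name=localhost\n"
    "sender=sergefonville@fonville-it.nl\nrecipient=serge.fonville@gmail.com\n\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        print(handle(SAMPLE_REQUESTS), end="")
    else:
        serve()
```

Run `python3 localpolicy.py --demo` to see the two replies for the sample requests: the gmail.com MAIL FROM from localhost is rejected, the local MAIL FROM gets DUNNO and is then relayed by permit_mynetworks. Under Postfix the script is started by spawn(8) per the master.cf line, and the check_policy_service entry has to precede permit_mynetworks in smtpd_recipient_restrictions, or clients in $mynetworks never reach it.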