
Re: smtpd_recipient_restrictions has no effect

  • mouss
    Message 1 of 12 , May 30, 2010
      Jarrod Neven wrote:
      > I am trying to set up a restriction to prevent selected users from sending
      > email externally. I have followed the "Restricting what users can send
      > mail to off-site destinations" guide at
      > http://www.postfix.net/RESTRICTION_CLASS_README.html but it is not
      > having any effect.
      >
      > It appears that no matter what I do smtpd_recipient_restrictions has no
      > effect. Have set the hash file to an invalid file and created syntax
      > errors and there are no error messages in the log, even set
      > smtpd_recipient_restrictions = reject and it did nothing.
      >
      > In master.cf I have added -v -v to the smtpd process and it shows no
      > mention of the value smtpd_recipient_restrictions; it looks like it is
      > ignored completely.
      >
      > Is there anything that can prevent smtpd_recipient_restrictions from working?
      > Maybe a compiled option missing?
      >
      > I have postfix 2.5.1 on centos 64bit
      >
      > #postconf -n
      > config_directory = /etc/postfix
      > mail_owner = postfix
      > setgid_group = postdrop
      > smtpd_client_restrictions = check_sender_access
      > hash:/etc/postfix/restricted_senders
      > smtpd_delay_reject = no

      this is not recommended. when you use it, you are on your own.

      > smtpd_recipient_restrictions = check_sender_access
      > hash:/etc/postfix/restricted_senders

      this doesn't work. you should see a warning in your logs.
      if it worked, you'd be an open relay unless your check_sender_access
      rejects all mail.


      anyway, look at your master.cf. you may have overridden your smtpd
      restrictions there...

      > smtpd_restriction_classes = local_only
      > smtpd_sender_restrictions = check_sender_access
      > hash:/etc/postfix/restricted_senders
      > virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
      > virtual_gid_maps = static:12
      > virtual_mailbox_base = /var/vmail
      > virtual_mailbox_domains =
      > mysql:$config_directory/mysql_virtual_mailbox_domains.cf
      > virtual_mailbox_limit_maps =
      > mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
      > virtual_mailbox_maps =
      > mysql:$config_directory/mysql_virtual_mailbox_maps.cf
      > virtual_minimum_uid = 101
      > virtual_transport = dovecot
      > virtual_uid_maps = static:101
      >
    • Jarrod Neven
      Message 2 of 12 , May 31, 2010
        > anyway, look at your master.cf. you may have overriden your smtpd
        > restrictions there...

        Good thinking, from my little understanding the master.cf is ok

        # grep -v '^ *\(#.*\)\?$' /etc/postfix/master.cf
        smtp inet n - n - - smtpd -v - v
        pickup fifo n - n 60 1 pickup
        cleanup unix n - n - 0 cleanup
        qmgr fifo n - n 300 1 qmgr
        tlsmgr unix - - n 1000? 1 tlsmgr
        rewrite unix - - n - - trivial-rewrite
        bounce unix - - n - 0 bounce
        defer unix - - n - 0 bounce
        trace unix - - n - 0 bounce
        verify unix - - n - 1 verify
        flush unix n - n 1000? 0 flush
        proxymap unix - - n - - proxymap
        proxywrite unix - - n - 1 proxymap
        smtp unix - - n - - smtp -v -v
        relay unix - - n - - smtp
        -o smtp_fallback_relay=
        showq unix n - n - - showq
        error unix - - n - - error
        retry unix - - n - - error
        discard unix - - n - - discard
        local unix - n n - - local
        virtual unix - n n - - virtual
        lmtp unix - - n - - lmtp
        anvil unix - - n - 1 anvil
        scache unix - - n - 1 scache
        dovecot unix - n n - - pipe
        flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -d
        ${recipient}
        I am aware that this configuration will open the postfix for spam usage, ATM
        the focus is to limit who can send external emails.

        > As of the original question, using "static:reject" for
        > smtpd_recipient_restrictions will make postfix reject just
        > everything.

        As suggested by Michael Tokarev I have changed the config to reject
        everything yet I was still able to send mail. Here is the final config:

        #postconf -n
        config_directory = /etc/postfix
        debug_peer_level = 9
        disable_vrfy_command = yes
        mail_owner = postfix
        setgid_group = postdrop
        smtp_tls_loglevel = 9
        smtpd_client_port_logging = yes
        smtpd_client_restrictions = permit_mynetworks, reject_unknown_client
        smtpd_data_restrictions = reject_unauth_pipelining,permit
        smtpd_delay_reject = yes
        smtpd_helo_required = yes
        smtpd_recipient_restrictions = static:reject
        smtpd_restriction_classes = local_only
        virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
        virtual_gid_maps = static:12
        virtual_mailbox_base = /var/vmail
        virtual_mailbox_domains =
        mysql:$config_directory/mysql_virtual_mailbox_domains.cf
        virtual_mailbox_limit_maps =
        mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
        virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
        virtual_minimum_uid = 101
        virtual_transport = dovecot
        virtual_uid_maps = static:101

        The log file for this can be seen here:

        http://engage.neven.info/postfix-static.txt


        Noel Jones:
        > There are no compile options that will affect this. Show
        > non-verbose postfix logging of a transaction you feel is
        > handled incorrectly.

        Using this config:
        # postconf -n
        config_directory = /etc/postfix
        debug_peer_level = 9
        disable_vrfy_command = yes
        mail_owner = postfix
        setgid_group = postdrop
        smtp_tls_loglevel = 9
        smtpd_client_port_logging = yes
        smtpd_client_restrictions = permit_mynetworks, reject_unknown_client
        smtpd_data_restrictions = reject_unauth_pipelining,permit
        smtpd_delay_reject = yes
        smtpd_helo_required = yes
        smtpd_restriction_classes = local_only
        smtpd_sender_restrictions = check_sender_access
        hash:/etc/postfix/restricted_senders
        virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
        virtual_gid_maps = static:12
        virtual_mailbox_base = /var/vmail
        virtual_mailbox_domains =
        mysql:$config_directory/mysql_virtual_mailbox_domains.cf
        virtual_mailbox_limit_maps =
        mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
        virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
        virtual_minimum_uid = 101
        virtual_transport = dovecot
        virtual_uid_maps = static:101

        Here is the verbose logging
        http://engage.neven.info/postfix-check_sender_access.txt

        The non verbose version:
        ay 31 22:03:50 DKPADMMAIL1 postfix/postfix-script[3329]: starting the
        Postfix mail system
        May 31 22:03:50 DKPADMMAIL1 postfix/master[3330]: daemon started -- version
        2.5.1, configuration /etc/postfix
        May 31 22:04:30 DKPADMMAIL1 postfix/pickup[3332]: 39EBD5D806B: uid=48
        from=<test1@...>
        May 31 22:04:30 DKPADMMAIL1 postfix/cleanup[3338]: 39EBD5D806B:
        message-id=<29bd4605116b02e27bcddc77b33b598b.squirrel@dkpadmmail1>
        May 31 22:04:30 DKPADMMAIL1 postfix/qmgr[3331]: 39EBD5D806B:
        from=<test1@...>, size=677, nrcpt=1 (queue active)
        May 31 22:04:34 DKPADMMAIL1 postfix/smtp[3343]: 39EBD5D806B:
        to=<####.neven@...>,
        relay=gmail-smtp-in.l.google.com[74.125.53.27]:25, delay=4.2,
        delays=0.11/0.01/2.6/1.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1275307474
        k17si9893297rvh.45)
        May 31 22:04:34 DKPADMMAIL1 postfix/qmgr[3331]: 39EBD5D806B: removed
      • Michael Orlitzky
        Message 3 of 12 , May 31, 2010
          On 05/31/2010 08:15 AM, Jarrod Neven wrote:
          > The non verbose version:
          > ay 31 22:03:50 DKPADMMAIL1 postfix/postfix-script[3329]: starting the
          > Postfix mail system
          > May 31 22:03:50 DKPADMMAIL1 postfix/master[3330]: daemon started -- version
          > 2.5.1, configuration /etc/postfix
          > May 31 22:04:30 DKPADMMAIL1 postfix/pickup[3332]: 39EBD5D806B: uid=48
          > from=<test1@...>
          > May 31 22:04:30 DKPADMMAIL1 postfix/cleanup[3338]: 39EBD5D806B:
          > message-id=<29bd4605116b02e27bcddc77b33b598b.squirrel@dkpadmmail1>
          > May 31 22:04:30 DKPADMMAIL1 postfix/qmgr[3331]: 39EBD5D806B:
          > from=<test1@...>, size=677, nrcpt=1 (queue active)
          > May 31 22:04:34 DKPADMMAIL1 postfix/smtp[3343]: 39EBD5D806B:
          > to=<####.neven@...>,
          > relay=gmail-smtp-in.l.google.com[74.125.53.27]:25, delay=4.2,
          > delays=0.11/0.01/2.6/1.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1275307474
          > k17si9893297rvh.45)
          > May 31 22:04:34 DKPADMMAIL1 postfix/qmgr[3331]: 39EBD5D806B: removed

          smtpd_foo_restrictions only apply to mail received by smtpd (e.g.
          somebody connects on port 25 and begins mashing the keyboard). When you
          send mail via the sendmail command, the Postfix pickup daemon steals it
          and feeds it into cleanup directly.
        • Noel Jones
          Message 4 of 12 , May 31, 2010
            On 5/31/2010 7:15 AM, Jarrod Neven wrote:
            > Noel Jones:
            >> There are no compile options that will affect this. Show
            >> non-verbose postfix logging of a transaction you feel is
            >> handled incorrectly.
            >
            > Using this config:
            > # postconf -n
            > config_directory = /etc/postfix
            > debug_peer_level = 9
            > disable_vrfy_command = yes
            > mail_owner = postfix
            > setgid_group = postdrop
            > smtp_tls_loglevel = 9
            > smtpd_client_port_logging = yes
            > smtpd_client_restrictions = permit_mynetworks, reject_unknown_client
            > smtpd_data_restrictions = reject_unauth_pipelining,permit
            > smtpd_delay_reject = yes
            > smtpd_helo_required = yes
            > smtpd_restriction_classes = local_only
            > smtpd_sender_restrictions = check_sender_access
            > hash:/etc/postfix/restricted_senders
            > virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
            > virtual_gid_maps = static:12
            > virtual_mailbox_base = /var/vmail
            > virtual_mailbox_domains =
            > mysql:$config_directory/mysql_virtual_mailbox_domains.cf
            > virtual_mailbox_limit_maps =
            > mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
            > virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
            > virtual_minimum_uid = 101
            > virtual_transport = dovecot
            > virtual_uid_maps = static:101
            >
            > Here is the verbose logging
            > http://engage.neven.info/postfix-check_sender_access.txt
            >
            > The non verbose version:
            > ay 31 22:03:50 DKPADMMAIL1 postfix/postfix-script[3329]: starting the
            > Postfix mail system
            > May 31 22:03:50 DKPADMMAIL1 postfix/master[3330]: daemon started -- version
            > 2.5.1, configuration /etc/postfix
            > May 31 22:04:30 DKPADMMAIL1 postfix/pickup[3332]: 39EBD5D806B: uid=48
            > from=<test1@...>
            > May 31 22:04:30 DKPADMMAIL1 postfix/cleanup[3338]: 39EBD5D806B:
            > message-id=<29bd4605116b02e27bcddc77b33b598b.squirrel@dkpadmmail1>
            > May 31 22:04:30 DKPADMMAIL1 postfix/qmgr[3331]: 39EBD5D806B:
            > from=<test1@...>, size=677, nrcpt=1 (queue active)
            > May 31 22:04:34 DKPADMMAIL1 postfix/smtp[3343]: 39EBD5D806B:
            > to=<####.neven@...>,
            > relay=gmail-smtp-in.l.google.com[74.125.53.27]:25, delay=4.2,
            > delays=0.11/0.01/2.6/1.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1275307474
            > k17si9893297rvh.45)
            > May 31 22:04:34 DKPADMMAIL1 postfix/qmgr[3331]: 39EBD5D806B: removed


            This mail was not submitted via SMTP, but rather via the local
            sendmail(1) command.

            smtpd_*_restrictions only apply to mail submitted via SMTP.

            -- Noel Jones
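Two points in this thread are easy to verify from the artifacts the list asked for, and the script below does both. It is an added example, not code from the thread or from the Postfix project. First, it reads a syslog excerpt and records which daemon first logged each queue ID: a message first seen by `pickup` came in through sendmail(1)/postdrop and never passed through smtpd, so no `smtpd_*_restrictions` could have applied to it, which is exactly what Michael Orlitzky, Noel and mouss point out. Second, it parses a `postconf -n` style parameter dump and flags an `smtpd_recipient_restrictions` list that contains none of the restrictions Postfix 2.5 requires for relay control (`check_relay_domains`, `reject_unauth_destination`, `reject`, `defer`, `defer_if_permit`), the problem mouss raises about a bare `check_sender_access` list. The log lines, hostnames, queue IDs, addresses and both configuration fragments are constructed for this example; the `local_only` class body in the safe fragment follows the shape of the RESTRICTION_CLASS_README example and is an assumption, not something the thread shows.

```python
"""Classify Postfix submissions by entry point and check relay control.

Added example for the thread above; not the poster's or the Postfix
project's code. All sample data below is constructed.
"""
import re
from collections import OrderedDict

# Constructed log excerpt: queue ID 39EBD5D806B is first logged by pickup
# (sendmail(1) submission); 4A1C25D8070 is first logged by smtpd (SMTP).
SAMPLE_LOG = """\
May 31 22:04:30 mailhost postfix/pickup[3332]: 39EBD5D806B: uid=48 from=<test1@example.org>
May 31 22:04:30 mailhost postfix/cleanup[3338]: 39EBD5D806B: message-id=<abc@mailhost>
May 31 22:04:30 mailhost postfix/qmgr[3331]: 39EBD5D806B: from=<test1@example.org>, size=677, nrcpt=1 (queue active)
May 31 22:04:34 mailhost postfix/smtp[3343]: 39EBD5D806B: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=4.2, dsn=2.0.0, status=sent (250 OK)
May 31 22:04:34 mailhost postfix/qmgr[3331]: 39EBD5D806B: removed
May 31 22:05:10 mailhost postfix/smtpd[3350]: connect from client.example.org[192.0.2.10]
May 31 22:05:11 mailhost postfix/smtpd[3350]: 4A1C25D8070: client=client.example.org[192.0.2.10]
May 31 22:05:11 mailhost postfix/cleanup[3338]: 4A1C25D8070: message-id=<def@client.example.org>
May 31 22:05:11 mailhost postfix/qmgr[3331]: 4A1C25D8070: from=<test2@example.org>, size=800, nrcpt=1 (queue active)
"""

# "<timestamp> <host> postfix/<daemon>[<pid>]: <message>"
PREFIX_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \S+ postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
# "<queue id>: <rest>" at the start of the message part
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")

# What the first-logging daemon tells you about which checks could have run.
SUBMISSION_PATH = {
    "pickup": "sendmail(1)/postdrop maildrop; smtpd_*_restrictions not applied",
    "smtpd": "SMTP session; smtpd_*_restrictions applied",
}


def first_daemon_per_queue_id(log_text):
    """Return {queue_id: daemon} for the daemon that first mentioned each ID."""
    first = OrderedDict()
    for line in log_text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue
        q = QID_RE.match(m.group("msg"))
        if not q:
            continue  # e.g. "connect from ..." lines carry no queue ID
        first.setdefault(q.group("qid"), m.group("daemon"))
    return first


def classify_submissions(log_text):
    """Map each queue ID to (first daemon, explanation of the entry point)."""
    out = OrderedDict()
    for qid, daemon in first_daemon_per_queue_id(log_text).items():
        out[qid] = (daemon, SUBMISSION_PATH.get(daemon, "other entry point"))
    return out


# Restrictions Postfix 2.5 requires at least one of in
# smtpd_recipient_restrictions before smtpd will run.
RELAY_CONTROL = {
    "check_relay_domains", "reject_unauth_destination",
    "reject", "defer", "defer_if_permit",
}

# Constructed fragment in the shape of the thread's first postconf -n output.
UNSAFE_CONFIG = """\
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
smtpd_restriction_classes = local_only
"""

# Constructed corrected fragment; the local_only body is assumed, modelled on
# RESTRICTION_CLASS_README, and relay control is present.
SAFE_CONFIG = """\
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders,
    permit_mynetworks, reject_unauth_destination
"""


def parse_postconf(text):
    """Parse 'name = value' lines; lines starting with whitespace continue the previous value."""
    params = OrderedDict()
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def relay_control_missing(params):
    """True when smtpd_recipient_restrictions names no relay-controlling restriction."""
    rr = params.get("smtpd_recipient_restrictions", "")
    items = {tok for tok in re.split(r"[,\s]+", rr) if tok}
    return not (items & RELAY_CONTROL)


if __name__ == "__main__":
    for qid, (daemon, why) in classify_submissions(SAMPLE_LOG).items():
        print(f"{qid}: first logged by {daemon}: {why}")
    for label, cfg in (("unsafe", UNSAFE_CONFIG), ("safe", SAFE_CONFIG)):
        print(f"{label}: relay control missing = {relay_control_missing(parse_postconf(cfg))}")
```

Run it against a real maillog excerpt instead of `SAMPLE_LOG` to see, per queue ID, whether the message ever touched smtpd; in the thread's log every message starts with a `pickup` line, which is the whole explanation. The relay check reproduces the condition behind the fatal error mouss alludes to, so it can be run on a `postconf -n` dump before restarting Postfix.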
          • mouss
            Message 5 of 12 , May 31, 2010
              Jarrod Neven wrote:
              >> a[snip]
              > http://engage.neven.info/postfix-static.txt
              >

              sigh. This is mail submitted via the sendmail command. such mail is not
              subject to smtpd_* parameters. smtpd_* parameters only apply to smtpd
              and derived processes.

              The sendmail command is used by many programs (including cron, ...). and
              it is not supposed to fail.

              This is the reason why we ask for logs at the first time.

              now this is general:

              - do not post verbose logs unless you are explicitly asked to do so
              - do put your logs in the message (not on a web site) the first time you
              ask (do not say "if you think you need logs blah blah". we need nothing.
              if you have a problem, a question, ... it is your duty to make it easy
              for others to help you. if that's hard, send your check and we'll do the
              work for you).


              > [snip]
            • Jarrod Neven
              Message 6 of 12 , May 31, 2010
                Thanks guys for pointing out that the mail was sent via send mail, I could
                not tell that by the logs. SquirrelMail defaults to this and I was not smart
                enough to know it needed to be changed.

                > - do not post verbose logs unless you are explicitly asked to do so
                > - do put your logs in the message (not on a web site) the first time you
                > ask (do not say "if you think you need logs blah blah". we need nothing.
                > if you have a problem, a question, ... it is your duty to make it easy
                > for others to help you. if that's hard, send your check and we'll do the
                > work for you).

                Mouss, I will keep that in mind for the future.