
sender and recipient check on submit server

  • Gábor Lénárt
    Message 1 of 2 , Apr 4, 2011
      Hi,

      I have a mail submit server for our users. What I would like is checking
      sender and rcpt addresses if they belong to the domains at least which are
      handled by us (of course I can't check if mail is sent to another domain
      where I don't know the valid addresses, and I don't want to do SAV).

      I have valid addresses and our domain list in LDAP. What made me think that
      it's possible at all to do this without a custom policy server:

      1. check if domain part of the address is listed as our domain in LDAP
      if not, there is no further check by address validation (well, just the
      usual DNS ones)
      2. if mailing of domain is handled by us, check if there is an address
      like "localpart@domain" or "@domain" (the second form is used to signal
      that all localparts are valid within that domain, ie: user has own MTA
      or so). If there is no match, I want to reject the mail submission.
      3. Of course I want my users to use SMTP authentication (it works,
      using dovecot auth, just I mention here). Also some users may be allowed
      to send mails without SMTP authentication from some well defined IP
      addresses though (also stored in LDAP).

      I used the notion of "address" because I would like to have the same check
      for rcpt and sender, because it also does not make too much sense to use
      an invalid sender (not existing within the domain handled by us). Point 3 is
      only an additional information, the important part is 1+2.

      Of course I can do basic ldap lookups with postfix, but I am not sure it's
      possible at all, to have more complex conditions, I mean: loc@domain can
      be valid or invalid based on the fact that "domain" is handled by us or not.
      So basically I need at least two queries it seems: if we handle a given
      domain then: if it is, is the "loc" local part valid or not.

      Additional information: I would like to do this with only ldap maps at smtpd
      sender and recipient restrictions (not with postfix's rcpt/sender maps etc),
      since I want my own messages (including Hungarian) not postfix's built-in
      ones. Is it possible, or should I write a policy server instead? Or am I
      wrong somewhere in my theory about solving this problem? (on long term I
      have the idea to use _only_ policy server to decide, since I can use SQL
      based logging from the policy server at every protocol state, I can do
      custom complicated queries and conditions, also I can use my own messages
      everywhere, etc. But for now there would be cool to have some more quick
      solution for the problem I've described).

      Thanks a lot in advance,

      Gábor
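
The two-step check from points 1 and 2 above, written as the decision logic of a Postfix policy delegation service (the kind called via `check_policy_service`); this is an added example, not code from either poster. The domain and address sets are constructed stand-ins for the LDAP data, and the function names and reject wording are assumptions.

```python
# Constructed sample data standing in for the LDAP directory (assumption).
OUR_DOMAINS = {"example.hu", "customer.example"}
# "@domain" means every localpart in that domain is accepted (point 2).
VALID_ADDRESSES = {"anna@example.hu", "bela@example.hu", "@customer.example"}

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def check_address(addr):
    """Return None if the address is acceptable, else a reason string."""
    addr = addr.strip().lower()       # lookups here are case-insensitive
    if not addr:                      # empty value: left to other restrictions
        return None
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        return "malformed address"
    if domain not in OUR_DOMAINS:     # point 1: not our domain, no further check
        return None
    if addr in VALID_ADDRESSES or "@" + domain in VALID_ADDRESSES:  # point 2
        return None
    return "no such address in a domain handled here"

def decide(attrs):
    """Apply the same check to sender and recipient; build the policy reply."""
    for field in ("sender", "recipient"):
        reason = check_address(attrs.get(field, ""))
        if reason:
            # Custom (for example Hungarian) text can be returned here.
            return f"action=REJECT {field} {attrs[field]}: {reason}\n\n"
    return "action=DUNNO\n\n"         # no opinion; later restrictions decide
```

Returning `DUNNO` rather than `OK` for addresses outside the handled domains leaves the authentication and client-IP rules from point 3 to the restrictions that follow.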
    • Noel Jones
      Message 2 of 2 , Apr 4, 2011
        On 4/4/2011 3:35 AM, Gábor Lénárt wrote:
        > Hi,
        >
        > I have a mail submit server for our users. What I would like is checking
        > sender and rcpt addresses if they belong to the domains at least which are
        > handled by us (of course I can't check if mail is sent to another domain
        > where I don't know the valid addresses, and I don't want to do SAV).
        >
        > I have valid addresses and our domain list in LDAP. What made me think that
        > it's possible at all to do this without a custom policy server:
        >
        > 1. check if domain part of the address is listed as our domain in LDAP
        > if not, there is no further check by address validation (well, just the
        > usual DNS ones)
        > 2. if mailing of domain is handled by us, check if there is an address
        > like "localpart@domain" or "@domain" (the second form is used to signal
        > that all localparts are valid within that domain, ie: user has own MTA
        > or so). If there is no match, I want to reject the mail submission.
        > 3. Of course I want my users to use SMTP authentication (it works,
        > using dovecot auth, just I mention here). Also some users may be allowed
        > to send mails without SMTP authentication from some well defined IP
        > addresses though (also stored in LDAP).
        >
        > I used the notion of "address" because I would like to have the same check
        > for rcpt and sender, because it also does not make too much sense to use
        > an invalid sender (not existing within the domain handled by us). Point 3 is
        > only an additional information, the important part is 1+2.
        >
        > Of course I can do basic ldap lookups with postfix, but I am not sure it's
        > possible at all, to have more complex conditions, I mean: loc@domain can
        > be valid or invalid based on the fact that "domain" is handled by us or not.
        > So basically I need at least two queries it seems: if we handle a given
        > domain then: if it is, is the "loc" local part valid or not.
        >
        > Additional information: I would like to do this with only ldap maps at smtpd
        > sender and recipient restrictions (not with postfix's rcpt/sender maps etc),
        > since I want my own messages (including Hungarian) not postfix's built-in
        > ones. Is it possible, or should I write a policy server instead? Or am I
        > wrong somewhere in my theory about solving this problem? (on long term I
        > have the idea to use _only_ policy server to decide, since I can use SQL
        > based logging from the policy server at every protocol state, I can do
        > custom complicated queries and conditions, also I can use my own messages
        > everywhere, etc. But for now there would be cool to have some more quick
        > solution for the problem I've described).
        >
        > Thanks a lot in advance,
        >
        > Gábor


        If you have your recipient maps configured correctly, you can
        use the built-in controls.

        http://www.postfix.org/postconf.5.html#reject_unlisted_recipient

        http://www.postfix.org/postconf.5.html#reject_unlisted_sender
        http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender



        -- Noel Jones