
check_recipient_access with exceptions

  • Vladimir Parkhaev
    Message 1 of 4, Nov 30, 2011
      Hello,


      I am running a mail relay that forwards all mail from some "management
      network" to a corporate MTA. For security reasons, my gateway is configured to
      relay mail only to internal destination addresses (users@...). There are a few
      exceptions and all "external" addresses must be whitelisted.

      Pretty basic setup -
      smtpd_recipient_restrictions = check_recipient_access hash:/usr/local/etc/postfix/access,
      reject_unauth_destination, permit

      /usr/local/etc/postfix/access:
      user1@... OK
      user2@... OK


      It did what I needed so far. Now there is a new host ABC that would need
      to send mail to a large number of external addresses and whitelist management becomes a pain.


      I am looking for a way to create an exception for check_recipient_access, ideally, IP-based.
      Basically, I would like to allow IP of ABC to freely send mail outside and to enforce check_recipient_access
      for all other hosts.

      I checked some smtpd_restriction_classes examples, but did not find anything similar.

      Any ideas?

      Thank you.



      --
      .signature: No such file or directory
    • Viktor Dukhovni
      Message 2 of 4, Nov 30, 2011
        On Wed, Nov 30, 2011 at 08:38:13PM -0500, Vladimir Parkhaev wrote:

        Augment this:

        > smtpd_recipient_restrictions =
        > check_recipient_access hash:/usr/local/etc/postfix/access,
        > reject_unauth_destination,
        > permit

        As follows (and avoid using "access", name each table after its
        specific role):

        main.cf:
        cidr = cidr:${config_directory}/
        indexed = ${default_database_type}:${config_directory}/
        #
        smtpd_recipient_restrictions =
        check_client_access ${cidr}trusted-clients,
        check_recipient_access ${indexed}rcpt-whitelist,
        reject_unauth_destination,
        permit

        /usr/local/etc/postfix/rcpt-whitelist: (postmap rcpt-whitelist when changed)
        user1@... OK
        user2@... OK

        /usr/local/etc/postfix/rcpt-whitelist: (no postmap for cidr tables)
        192.0.2.1 permit

        --
        Viktor.
      • Jeroen Geilman
        Message 3 of 4, Dec 1, 2011
          On 2011-12-01 02:39, Viktor Dukhovni wrote:
          > On Wed, Nov 30, 2011 at 08:38:13PM -0500, Vladimir Parkhaev wrote:
          >
          > Augment this:
          >
          >> smtpd_recipient_restrictions =
          >> check_recipient_access hash:/usr/local/etc/postfix/access,
          >> reject_unauth_destination,
          >> permit
          > As follows (and avoid using "access", name each table after its
          > specific role):
          >
          > main.cf:
          > cidr = cidr:${config_directory}/
          > indexed = ${default_database_type}:${config_directory}/
          > #
          > smtpd_recipient_restrictions =
          > check_client_access ${cidr}trusted-clients,
          > check_recipient_access ${indexed}rcpt-whitelist,
          > reject_unauth_destination,
          > permit
          >
          > /usr/local/etc/postfix/rcpt-whitelist: (postmap rcpt-whitelist when changed)
          > user1@... OK
          > user2@... OK
          >
          > /usr/local/etc/postfix/rcpt-whitelist: (no postmap for cidr tables)
          > 192.0.2.1 permit

          I think you meant:

          /usr/local/etc/postfix/trusted-clients: (no postmap for cidr tables)
          192.0.2.1 permit


          --
          J.
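To make the evaluation order of the proposed list concrete, here is an added example (not code from the thread or from Postfix) that models how smtpd_recipient_restrictions walks check_client_access, check_recipient_access, reject_unauth_destination and permit in order, with Jeroen's corrected filename for the cidr table. The table contents, the network 192.0.2.128/25, the domains partner.example and external.example, and the relay domain example.com are all constructed placeholders, and the access-map lookup order is simplified to full address, domain and localpart@.

```python
"""Offline model of a Postfix smtpd_recipient_restrictions list.

Added example, not part of the original thread. Models the list
    check_client_access cidr:trusted-clients,
    check_recipient_access hash:rcpt-whitelist,
    reject_unauth_destination,
    permit
Postfix evaluates restrictions in order; the first one that answers
something other than DUNNO decides, and OK/permit both mean accept.
"""
import ipaddress

# Constructed sample tables: placeholder data, not the poster's real networks.
TRUSTED_CLIENTS_CIDR = """
# cidr: table, read as-is by Postfix (no postmap needed)
192.0.2.1        permit
192.0.2.128/25   permit
"""

RCPT_WHITELIST = """
# indexed (hash:) table, rebuilt with "postmap rcpt-whitelist" after edits
user1@partner.example    OK
user2@partner.example    OK
"""

# Stand-in for mydestination/relay_domains: the only authorized destination.
RELAY_DOMAINS = {"example.com"}


def _entries(text):
    """Yield (key, action) pairs from a Postfix-style table, skipping comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, action = line.split(None, 1)
            yield key, action.strip()


CIDR_RULES = [(ipaddress.ip_network(k, strict=False), v)
              for k, v in _entries(TRUSTED_CLIENTS_CIDR)]
RCPT_TABLE = {k.lower(): v for k, v in _entries(RCPT_WHITELIST)}


def check_client_access(client_ip):
    ip = ipaddress.ip_address(client_ip)
    for net, action in CIDR_RULES:          # first matching CIDR entry wins
        if ip in net:
            return action
    return "DUNNO"


def check_recipient_access(recipient):
    # Simplified access-map lookup order for an address:
    # full address, then the domain, then "localpart@".
    rcpt = recipient.lower()
    local, _, domain = rcpt.partition("@")
    for key in (rcpt, domain, local + "@"):
        if key in RCPT_TABLE:
            return RCPT_TABLE[key]
    return "DUNNO"


def reject_unauth_destination(recipient):
    domain = recipient.rpartition("@")[2].lower()
    return "DUNNO" if domain in RELAY_DOMAINS else "REJECT"


RESTRICTIONS = {
    "check_client_access": lambda ip, rcpt: check_client_access(ip),
    "check_recipient_access": lambda ip, rcpt: check_recipient_access(rcpt),
    "reject_unauth_destination": lambda ip, rcpt: reject_unauth_destination(rcpt),
    "permit": lambda ip, rcpt: "permit",
}

PROPOSED_ORDER = ["check_client_access", "check_recipient_access",
                  "reject_unauth_destination", "permit"]


def evaluate(client_ip, recipient, order=PROPOSED_ORDER):
    """Return 'permit' or 'reject' as Postfix would decide this RCPT TO."""
    for name in order:
        result = RESTRICTIONS[name](client_ip, recipient)
        if result in ("OK", "permit"):
            return "permit"
        if result.startswith("REJECT"):
            return "reject"
    return "permit"


if __name__ == "__main__":
    for ip, rcpt in [("192.0.2.1", "anyone@external.example"),
                     ("198.51.100.7", "user1@partner.example"),
                     ("198.51.100.7", "other@external.example")]:
        print(ip, rcpt, "->", evaluate(ip, rcpt))
```

The model also shows why the order in Viktor's list matters: if reject_unauth_destination were placed before check_client_access, the cidr entry would never be reached and host ABC would still be refused for external recipients. The cidr entry is an unconditional relay grant for that address, so on a real system the check to run after editing is `postmap -q 192.0.2.1 cidr:/usr/local/etc/postfix/trusted-clients`, which prints the action Postfix will use for that client.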
        • Vladimir Parkhaev
          Message 4 of 4, Dec 1, 2011
            It is much easier than I thought. :)

            Thank you.



            Quoting Viktor Dukhovni (postfix-users@...):
            > On Wed, Nov 30, 2011 at 08:38:13PM -0500, Vladimir Parkhaev wrote:
            >
            > Augment this:
            >
            > > smtpd_recipient_restrictions =
            > > check_recipient_access hash:/usr/local/etc/postfix/access,
            > > reject_unauth_destination,
            > > permit
            >
            > As follows (and avoid using "access", name each table after its
            > specific role):
            >
            > main.cf:
            > cidr = cidr:${config_directory}/
            > indexed = ${default_database_type}:${config_directory}/
            > #
            > smtpd_recipient_restrictions =
            > check_client_access ${cidr}trusted-clients,
            > check_recipient_access ${indexed}rcpt-whitelist,
            > reject_unauth_destination,
            > permit
            >
            > /usr/local/etc/postfix/rcpt-whitelist: (postmap rcpt-whitelist when changed)
            > user1@... OK
            > user2@... OK
            >
            > /usr/local/etc/postfix/rcpt-whitelist: (no postmap for cidr tables)
            > 192.0.2.1 permit
            >
            > --
            > Viktor.
            >

            --
            .signature: No such file or directory