Relay Exceptions

  • Tom Tucker
    Message 1 of 10, Jan 22, 2013


      I am struggling with a configuration that might be impossible.  Hopefully the list can help guide me.  

      I want to allow internal systems the ability to relay emails to my domains even though they might get caught with 'reject_unknown_reverse_client_hostname'.  Possible?   If yes, I am unsure how to configure smtpd_sender_restrictions and smtpd_recipient_restrictions to support such.


      Current non-working configuration for this scenario
      ------------------------------------------------------------------------
      smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, reject_non_fqdn_sender

      smtpd_recipient_restrictions =  reject_unknown_reverse_client_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unverified_recipient

      Thank you in advance,
    • Stan Hoeppner
      Message 2 of 10, Jan 23, 2013
        On 1/22/2013 8:52 PM, Tom Tucker wrote:
        > I am struggling with a configuration that might be impossible. Hopefully
        > the list can help guide me.
        >
        > I want to allow internal systems the ability to relay emails to my domains
        > even though they might get caught with
        > 'reject_unknown_reverse_client_hostname'. Possible? If yes, I am unsure
        > how to configure smtpd_sender_restrictions and smtpd_recipient_restrictions
        > to support such.
        >
        >
        > Current non-working configuration for this scenario
        > ------------------------------------------------------------------------
        > smtpd_sender_restrictions = permit_mynetworks,
        > reject_unknown_sender_domain, reject_non_fqdn_sender
        >
        > smtpd_recipient_restrictions = reject_unknown_reverse_client_hostname,
        > reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname,
        > reject_unauth_destination, reject_non_fqdn_recipient,
        > reject_unknown_recipient_domain, reject_unverified_recipient

        Don't specify the separate restriction classes. Put everything under
        smtpd_recipient_restrictions. This way you can manipulate the precise
        order of your restrictions. Remember, "first match wins". If you
        specify them separately you must put all permit actions at the start of
        each class section. Ergo each would need to start with
        "permit_mynetworks". Here's an example of the EURR method. There is no
        client, sender, or helo restriction section, only this:

        smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_unknown_reverse_client_hostname
        reject_non_fqdn_sender
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname
        reject_unlisted_recipient
        ...

        Using this method, permit_mynetworks will match your local hosts before
        reject_unknown_reverse_client_hostname matches. First match wins, and
        you only have one class, so this solves your problem.

        --
        Stan
      • Tom Tucker
        Message 3 of 10, Jan 23, 2013

          Stan,
          Thanks for the response.  This does work, however these clients are also able to send to domains outside my environment.  Let me try to clarify my scenario.

          Client: With PTR record = Full relay (internal & external domains)
          Client: No PTR record   = Relay for internal domains only

          Is it possible to configure Postfix to support this type configuration?






        • Tom Tucker
          Message 4 of 10, Jan 23, 2013

            I think I got it.  The ordering is critical.  Thanks


            # Postfix main.cf does not support end-of-line comments, so the notes sit above the value:
            # check_recipient_access allows clients missing PTR records to relay locally;
            # reject_unknown_reverse_client_hostname rejects all other clients missing PTR records from sending externally;
            # permit_mynetworks permits all other mail traffic both internally and externally.
            smtpd_recipient_restrictions =
                    check_recipient_access hash:/etc/postfix/relay_domains
                    reject_unknown_reverse_client_hostname
                    reject_unknown_recipient_domain
                    reject_non_fqdn_sender
                    reject_non_fqdn_helo_hostname
                    reject_invalid_helo_hostname
                    reject_unknown_helo_hostname
                    reject_unlisted_recipient
                    permit_mynetworks
                    reject_unauth_destination


            /etc/postfix/relay_domains
            mydomain.com        OK



          • Noel Jones
            Message 5 of 10, Jan 23, 2013
              On 1/23/2013 10:21 AM, Tom Tucker wrote:
              >
              > Stan,
              > Thanks for the response. This does work, however these clients are
              > also able to send to domains outside my environment. Let me try to
              > clarify my scenario.
              >
              > Client: With PTR record = Full relay (internal & external domains)
              > Client: No PTR record = Relay for internal domains only
              >
              > Is it possible to configure Postfix to support this type configuration?
              >
              >


              Apparently you want to use the existence of PTR in your local
              networks to determine if the client can relay.

              If the authorized clients with PTR also have a matching A record so
              that Postfix logs them as, e.g., "host.example.com", you can use
              something like:

              # client_relay
              example.com OK


              # main.cf
              1 smtpd_recipient_restrictions =
              2 check_client_access hash:/etc/postfix/client_relay
              3 reject_unauth_destination
              4 permit_mynetworks
              ... other UCE controls ...


              Line 2 grants relay access to clients that have FCrDNS in your
              domain "example.com"

              Line 3 denies relay access to anyone else

              Line 4 allows all clients in $mynetworks to send local mail prior to
              your UCE restrictions.
            • Noel Jones
              Message 6 of 10, Jan 23, 2013
                On 1/23/2013 12:30 PM, Tom Tucker wrote:
                >
                > I think I got it. The ordering is critical. Thanks
                >
                >
                > smtpd_recipient_restrictions =
                > check_recipient_access hash:/etc/postfix/relay_domains #
                > This will allow clients missing PTR records the ability to relay locally
                > reject_unknown_reverse_client_hostname # Reject all other
                > clients missing PTR records from sending externally
                > reject_unknown_recipient_domain
                > reject_non_fqdn_sender
                > reject_non_fqdn_helo_hostname
                > reject_invalid_helo_hostname
                > reject_unknown_helo_hostname
                > reject_unlisted_recipient
                > permit_mynetworks # Permit all other mail traffic both
                > internally and externally
                > reject_unauth_destination
                >
                >
                > /etc/postfix/relay_domains
                > mydomain.com <http://mydomain.com> OK
                > myotherdomain.com <http://myotherdomain.com> OK



                The above disables all your UCE controls.






                -- Noel Jones
              • Tom Tucker
                Message 7 of 10, Jan 23, 2013
                  On Wed, Jan 23, 2013 at 1:31 PM, Noel Jones <njones@...> wrote:
                  On 1/23/2013 10:21 AM, Tom Tucker wrote:
                  >
                  > Stan,
                  > Thanks for the response.  This does work, however these clients are
                  > also able to send to domains outside my environment.  Let me try to
                  > clarify my scenario.
                  >
                  > Client: With PTR record = Full relay (internal & external domains)
                  > Client: No PTR record   = Relay for internal domains only
                  >
                  > Is it possible to configure Postfix to support this type configuration?
                  >
                  >


                  Apparently you want to use the existence of PTR in your local
                  networks to determine if the client can relay.

                  If the authorized clients with PTR also have a matching A record so
                  that postfix logs them eg. "host.example.com", you can use something
                  like:

                  Not exactly, clients with a valid PTR should be allowed to relay regardless of the destination.  Clients without a PTR will be restricted to internal delivery only.   I guess I should have mentioned earlier.  These Postfix relays do NOT receive emails from the Internet.  The majority of the mail traffic they process is from the web environment  to our various external customers.


                  You mentioned that...."The above disables all your UCE controls."  You say this because of the order of the rules, right?

                  I'm still wrapping my head around this, but this config seems to be working.  Again, I welcome any comments you might have.

                  smtpd_recipient_restrictions =
                          check_recipient_access hash:/etc/postfix/relay_domains
                          reject_unknown_reverse_client_hostname
                          reject_unknown_recipient_domain
                          reject_non_fqdn_sender
                          reject_non_fqdn_helo_hostname
                          reject_invalid_helo_hostname
                          reject_unknown_helo_hostname
                          reject_unlisted_recipient
                          check_relay_domains


                • Noel Jones
                  Message 8 of 10, Jan 23, 2013
                    On 1/23/2013 1:19 PM, Tom Tucker wrote:
                    > You mentioned that...."The above disables all your UCE controls."
                    > You say this because of the order of the rules, right?

                    Your first rule is equivalent to permit_auth_destination.

                    After that, the only mail left is either mail from unauthorized
                    clients that you will reject anyway, or mail from authorized clients
                    that you shouldn't reject.

                    >
                    > I'm still wrapping my head around this, but this config seems to be
                    > working. Again, I welcome any comments you might have.

                    If your postfix host doesn't receive mail from the internet, then
                    UCE controls are irrelevant, and you don't have to worry about
                    spoofed rDNS since all the clients are in mynetworks. So your
                    previous config is acceptable.

                    It's lots harder when we get details one at a time.




                    -- Noel Jones
                  • Jamie Paul Griffin
                    Message 9 of 10, Jan 25, 2013
                      * Noel Jones <njones@...> [2013-01-23 12:37:28 -0600]:

                      > On 1/23/2013 12:30 PM, Tom Tucker wrote:
                      > >
                      > > I think I got it. The ordering is critical. Thanks
                      > >
                      > >
                      > > smtpd_recipient_restrictions =
                      > > check_recipient_access hash:/etc/postfix/relay_domains #
                      > > This will allow clients missing PTR records the ability to relay locally
                      > > reject_unknown_reverse_client_hostname # Reject all other
                      > > clients missing PTR records from sending externally
                      > > reject_unknown_recipient_domain
                      > > reject_non_fqdn_sender
                      > > reject_non_fqdn_helo_hostname
                      > > reject_invalid_helo_hostname
                      > > reject_unknown_helo_hostname
                      > > reject_unlisted_recipient
                      > > permit_mynetworks # Permit all other mail traffic both
                      > > internally and externally
                      > > reject_unauth_destination
                      > >
                      > >
                      > > /etc/postfix/relay_domains
                      > > mydomain.com <http://mydomain.com> OK
                      > > myotherdomain.com <http://myotherdomain.com> OK
                      >
                      >
                      >
                      > The above disables all your UCE controls.

                      Wouldn't it be better to put $reject_unauth_destination closer to
                      the top of the restriction class: i.e. after $check_recipient_access?
                      and then $permit_mynetworks after that?

                      Like so:

                      smtpd_recipient_restrictions =
                      check_recipient_access hash:/etc/postfix/relay_domains,
                      reject_unauth_destination,
                      permit_mynetworks,
                      ...

                      Jamie
                    • Noel Jones
                      Message 10 of 10, Jan 25, 2013
                        On 1/25/2013 4:29 AM, Jamie Paul Griffin wrote:
                        > * Noel Jones <njones@...> [2013-01-23 12:37:28 -0600]:
                        >
                        >> On 1/23/2013 12:30 PM, Tom Tucker wrote:
                        >>>
                        >>> I think I got it. The ordering is critical. Thanks
                        >>>
                        >>>
                        >>> smtpd_recipient_restrictions =
                        >>> check_recipient_access hash:/etc/postfix/relay_domains #
                        >>> This will allow clients missing PTR records the ability to relay locally
                        >>> reject_unknown_reverse_client_hostname # Reject all other
                        >>> clients missing PTR records from sending externally
                        >>> reject_unknown_recipient_domain
                        >>> reject_non_fqdn_sender
                        >>> reject_non_fqdn_helo_hostname
                        >>> reject_invalid_helo_hostname
                        >>> reject_unknown_helo_hostname
                        >>> reject_unlisted_recipient
                        >>> permit_mynetworks # Permit all other mail traffic both
                        >>> internally and externally
                        >>> reject_unauth_destination
                        >>>
                        >>>
                        >>> /etc/postfix/relay_domains
                        >>> mydomain.com <http://mydomain.com> OK
                        >>> myotherdomain.com <http://myotherdomain.com> OK
                        >>
                        >>
                        >>
                        >> The above disables all your UCE controls.
                        >
                        > Wouldn't it be better to put $reject_unauth_destination closer to
                        > the top of the restriction class: i.e. after $check_recipient_access?
                        > and then $permit_mynetworks after that?
                        >
                        > Like so:
                        >
                        > smtpd_recipient_restrictions =
                        > check_recipient_access hash:/etc/postfix/relay_domains,
                        > reject_unauth_destination,
                        > permit_mynetworks,
                        > ...
                        >
                        > Jamie
                        >


                        Generally yes.

                        In this particular case -- a host not connected to the internet with
                        very unusual requirements -- no, it works as intended already and
                        that change would "break" it.

                        This particular case could be simplified to:
                        permit_auth_destination
                        reject_unknown_reverse_client_hostname
                        permit_mynetworks
                        reject

                        This is not a useful example for 99%+ of users, except maybe as an
                        exercise in the importance of restriction order to meet specific
                        requirements.



                        -- Noel Jones
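As an added example (not code from this thread or from Postfix), the following Python model walks a restriction list "first match wins" style and replays Tom's message-4 list, Jamie's proposed reorder and Noel's four-line version against the requirement stated in message 3. The Client fields, the grouping of the HELO/sender checks into one set, the relay_domains contents and the customer.example destination are simplifying assumptions.

```python
from dataclasses import dataclass

# Constructed: the domains that /etc/postfix/relay_domains maps to OK.
LOCAL_DOMAINS = {"mydomain.com"}
# Tom's HELO/sender/recipient checks, modelled as one group (assumption:
# they only fire for a malformed client, flagged by Client.helo_ok=False).
UCE_RULES = {
    "reject_non_fqdn_sender", "reject_non_fqdn_helo_hostname",
    "reject_invalid_helo_hostname", "reject_unknown_helo_hostname",
    "reject_unknown_recipient_domain", "reject_unlisted_recipient",
}

@dataclass(frozen=True)
class Client:
    in_mynetworks: bool   # matched by permit_mynetworks
    has_ptr: bool         # False: reject_unknown_reverse_client_hostname fires
    helo_ok: bool = True  # False: one of UCE_RULES fires

def evaluate(restrictions, client, rcpt_domain):
    """First match wins: return (action, rule) for the first rule that fires.
    Unmatched rules fall through; end of list is an implicit permit."""
    local = rcpt_domain in LOCAL_DOMAINS
    for entry in restrictions:
        name = entry.split()[0]  # drop the "hash:/etc/postfix/..." argument
        if name == "permit_mynetworks" and client.in_mynetworks:
            return "permit", name
        if name in ("permit_auth_destination", "check_recipient_access") and local:
            # relay_domains lists only our own domains, so the map acts like
            # permit_auth_destination (Noel's point in message 8)
            return "permit", name
        if name == "reject_unauth_destination" and not local:
            return "reject", name
        if name == "reject_unknown_reverse_client_hostname" and not client.has_ptr:
            return "reject", name
        if name in UCE_RULES and not client.helo_ok:
            return "reject", name
        if name == "reject":
            return "reject", name
    return "permit", "end_of_list"

TOM_MSG4 = [
    "check_recipient_access hash:/etc/postfix/relay_domains",
    "reject_unknown_reverse_client_hostname",
    "reject_unknown_recipient_domain", "reject_non_fqdn_sender",
    "reject_non_fqdn_helo_hostname", "reject_invalid_helo_hostname",
    "reject_unknown_helo_hostname", "reject_unlisted_recipient",
    "permit_mynetworks", "reject_unauth_destination",
]
JAMIE_MSG9 = ["check_recipient_access hash:/etc/postfix/relay_domains",
              "reject_unauth_destination", "permit_mynetworks"]
NOEL_MSG10 = ["permit_auth_destination", "reject_unknown_reverse_client_hostname",
              "permit_mynetworks", "reject"]

# Tom's requirement (message 3); customer.example is a constructed external domain.
REQUIREMENT = {
    (Client(True, True), "mydomain.com"): "permit",
    (Client(True, True), "customer.example"): "permit",
    (Client(True, False), "mydomain.com"): "permit",
    (Client(True, False), "customer.example"): "reject",
    (Client(False, True), "customer.example"): "reject",
    (Client(False, False), "customer.example"): "reject",
}

def violations(restrictions):
    """Return [(client, rcpt, got, rule)] for each case that misses REQUIREMENT."""
    out = []
    for (client, rcpt), want in REQUIREMENT.items():
        got, rule = evaluate(restrictions, client, rcpt)
        if got != want:
            out.append((client, rcpt, got, rule))
    return out

if __name__ == "__main__":
    for label, cfg in (("Tom", TOM_MSG4), ("Jamie", JAMIE_MSG9), ("Noel", NOEL_MSG10)):
        print(label, violations(cfg) or "meets the requirement")
```

Running it shows why Jamie's reorder "breaks" this setup: reject_unauth_destination now fires for an internal host with a PTR sending to a customer domain, while Tom's list and Noel's simplified one both satisfy every case.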