
Port based acl's ?

  • Billy Blanco
    Message 1 of 2 , Mar 24 7:44 PM
      Hi folks,

      Does postfix support 'port based' acl's?

      I'm trying to set it up in a way to only allow postini connections over port 25 (apparently they won't deliver over any other port), while having all other clients connect over port 465. Been combing the docs and haven't found anything useful yet.

      I know I could do something with iptables or on the network level, but kind of like the idea of postfix handling the rejects with a custom message returned back to the sender and a log entry made.

      If possible, examples would be great.

      Thanks

      Ryan
    • /dev/rob0
      Message 2 of 2 , Mar 24 8:02 PM
        On Mon, Mar 25, 2013 at 02:44:57AM +0000, Billy Blanco wrote:
        > Does postfix support 'port based' acl's?
        >
        > I'm trying to set it up in a way to only allow postini connections
        > over port 25 (apparently they won't deliver over any other port),
        > while having all other clients connect over port 465.

        SMTPS (SMTP over SSL) is deprecated and not recommended. Submission
        should be done on 587 (submission) using TLS and SASL.

        > Been combing the docs and haven't found anything useful yet.

        http://www.postfix.org/SMTPD_ACCESS_README.html
        http://www.postfix.org/postconf.5.html#check_client_access
        http://www.postfix.org/access.5.html

        > I know I could do something with iptables or on the network level,
        > but kind of like the idea of postfix handling the rejects with a
        > custom message returned back to the sender and a log entry made.
        >
        > If possible, examples would be great.

        main.cf :

        smtpd_recipient_restrictions = reject_unauth_destination,
            check_client_access cidr:/etc/postfix/postini.cidr, reject
        # Doing the Postfix 2.10.x copout, sorry. Read the 2.10 release
        # notes if you're using 2.10.x and want to use this new feature.
        smtpd_relay_restrictions =
        submission_recipient_restrictions = permit_sasl_authenticated,
            permit_mynetworks, reject

        master.cf (under each smtpd for smtps and submission):
            -o smtpd_recipient_restrictions=$submission_recipient_restrictions

        postini.cidr :

        # List all Postini outbound relays as a CIDR expression or as single
        # IP addresses without the /xx
        ip.add.re.ss/xx permit_auth_destination
        other.add.re.ss/xx permit_auth_destination
        0.0.0.0/0 reject This host is not MX for example.com, go away.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
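
An added example, not part of either post: a Python sketch that evaluates a table shaped like postini.cidr with first-match semantics and flags entries that sit below a broader network, so the ordering can be checked before Postfix loads the file. The networks are constructed documentation ranges, and parse_cidr_table, lookup and shadowed are hypothetical helper names.

```python
import ipaddress

# Constructed sample table in the shape of postini.cidr; the networks are
# RFC 5737 documentation ranges, not real Postini relays.
SAMPLE_TABLE = """\
# relays allowed to deliver on port 25
192.0.2.0/24    permit_auth_destination
198.51.100.25   permit_auth_destination
0.0.0.0/0       reject This host is not MX for example.com, go away.
"""

def parse_cidr_table(text):
    """Return [(network, action)] in file order, skipping comments and blanks."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: pattern without a result")
        # ip_network() is strict: a pattern with host bits set
        # (e.g. 192.0.2.1/24) raises ValueError instead of being guessed at.
        rules.append((ipaddress.ip_network(parts[0]), parts[1]))
    return rules

def lookup(rules, client_ip):
    """First matching pattern wins. None means no entry matched, so the
    next restriction in main.cf (the trailing "reject") decides."""
    addr = ipaddress.ip_address(client_ip)
    for network, action in rules:
        if addr in network:
            return action
    return None

def shadowed(rules):
    """Entries that can never match because an earlier network covers them."""
    dead = []
    for i, (net, _) in enumerate(rules):
        if any(net.version == prev.version and net.subnet_of(prev)
               for prev, _ in rules[:i]):
            dead.append(str(net))
    return dead

if __name__ == "__main__":
    rules = parse_cidr_table(SAMPLE_TABLE)
    for ip in ("192.0.2.77", "198.51.100.25", "203.0.113.9", "2001:db8::1"):
        print(ip, "->", lookup(rules, ip))
    print("unreachable entries:", shadowed(rules))
```

On a host with Postfix installed, `postmap -q 192.0.2.77 cidr:/etc/postfix/postini.cidr` queries the real table the same way.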