
permit ip, reject domain

  • Feel Zhou
    Message 1 of 12 , May 30, 2013
      Hello, My friend

      This is Tom, I'm sending my greetings from China.
      I have used Postfix for a few months. My customers send mail via my mail server, so some IPs are in the mynetworks setting. For example, my_customer_server_ip is permitted to send mail via my server. But there is something seriously wrong with my Postfix server.

      The correct log looks like this:
      May 30 08:09:01   [my_customer_server_ip] [my_customer_client_ip] <user@...> -> <someone@...>,

      The wrong log looks like this (hotmail.com and yahoo.com are examples):
      May 29 18:05:35 , [my_customer_server_ip] [other_ip] <anyone@...> -> <someone@...>,
      May 29 16:05:37 , [my_customer_server_ip] [other_ip] <anyone@...> -> <someone@...>,

      anyone@..., anyone@..., etc. may be real addresses in the Internet mail system, but they are not real mail accounts in my customer's mail system.

      My purpose is to permit my_customer_ip to send mail via my mail server, but only permit my customer's domain addresses to send mail, and reject any other domain sending mail via my_customer_ip. How can I set this up in my Postfix?

      Thanks a lot
      Tom

    • Mikael Bak
      Message 2 of 12 , May 30, 2013
        On 05/30/2013 01:39 PM, Feel Zhou wrote:
        [snip]
        >
        > My purpose is permit my_customer_ip send mail via my mail server, only
        > permit my customer domain address send mail, reject any other domain
        > send mail via my_customer_ip, how can I setting in my postfix.
        >
        > Thanks a lot
        > Tom
        >

        Hi Tom,

        I think you can do this with postfix restriction classes:
        http://www.postfix.org/RESTRICTION_CLASS_README.html

        HTH,
        Mikael
      • Feel Zhou
        Message 3 of 12 , May 30, 2013
          Thanks, Mikael
          I don't think that document is good for fixing this problem.
          I want the sender address to match my customer's domain name.
          If it does not match, it means that the sender address was fake.
          Thanks for your help
          Tom



        • Noel Jones
          Message 4 of 12 , May 30, 2013
            On 5/30/2013 6:39 AM, Feel Zhou wrote:
            > Hello, My friend
            >
            > This is Tom, I'm sending my greeting from China
            > I Use postfix for few month, My customer send mail via my mail
            > server, So, some IP is in mynetworks setting. for example,
            > my_customer_server_ip is permit send mail via my server But there is
            > something serious with my postfix server
            >
            > The correct log is just like that
            > May 30 08:09:01 [my_customer_server_ip] [my_customer_client_ip]
            > <user@...> -> <someone@...>,
            >
            > The wrong log is just like that,(hotmail.com, yahoo.com is the example)
            > May 29 18:05:35 , [my_customer_server_ip] [other_ip]
            > <anyone@...> -> <someone@...>,
            > May 29 16:05:37 , [my_customer_server_ip] [other_ip]
            > <anyone@...> -> <someone@...>,
            >
            > anyone@..., anyone@..., etc. maybe real address in the internet
            > mail system, but it's not a real mail account in my customer's mail
            > system.
            >
            > My purpose is permit my_customer_ip send mail via my mail server,
            > only permit my customer domain address send mail, reject any other
            > domain send mail via my_customer_ip, how can I setting in my postfix.
            >
            > Thanks a lot
            > Tom
            >

            [please don't top-post, please post plain-text only. thanks.]

            Yes, restriction classes are the solution. First use a
            check_client_access map to see if the IP matches one of your
            clients, chain that to a check_sender_access map that only allows
            the proper sender domain. General instructions are here:
            http://www.postfix.org/RESTRICTION_CLASS_README.html
            adapt the examples to your use.

            Alternately, you could use a policy service such as postfwd.
            http://www.postfix.org/SMTPD_POLICY_README.html
            http://postfwd.org/

            In any case, the check must be done in smtpd_sender_restrictions to
            prevent open relay accidents, and before permit_mynetworks.



            -- Noel Jones
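Noel's second option, a policy service, can be tried without postfwd. The following is an added example, not code from the thread or from postfwd: a minimal SMTPD policy server speaking the protocol from SMTPD_POLICY_README (one `name=value` attribute per line, an empty line ends the request, the reply is `action=...` followed by an empty line). The policy table, the 192.168.x networks, the domains and the 127.0.0.1:10040 listener are assumptions for illustration. Unlike Noel's restriction class, a permitted sender gets DUNNO rather than OK, so the service only ever rejects and the rest of the restriction list still runs; the null sender `<>` (bounces from the customer's MTA) is let through, which a plain `hash:` sender map would reject unless the `smtpd_null_access_lookup_key` (`<>` by default) is added to it.

```python
"""Minimal Postfix SMTPD policy server: a listed client IP may only use the
envelope-sender domains assigned to it.

Added example; the policy table, networks and listener address are
assumptions for illustration, not the thread's configuration."""
import ipaddress
import socketserver

# Assumed policy (constructed): client network -> sender domains it may use.
POLICY = {
    ipaddress.ip_network("192.168.100.0/24"): {"a.example.com"},
    ipaddress.ip_network("192.168.200.0/24"): {"b.example.com", "c.example.com"},
}


def allowed_domains(client_address, policy=POLICY):
    """Sender domains the client may use, or None if the client is not listed."""
    try:
        addr = ipaddress.ip_address(client_address)
    except ValueError:
        return None
    for net, domains in policy.items():
        if addr in net:
            return domains
    return None


def sender_domain(sender):
    """Lower-cased domain part of an envelope sender; '' for the null sender <>."""
    _, sep, domain = sender.rpartition("@")
    return domain.lower() if sep else ""


def decide(attrs, policy=POLICY):
    """Map one policy request (attribute -> value) to a Postfix policy action.

    DUNNO means "no opinion, continue with the rest of the restriction list".
    It is returned for unlisted clients and for permitted senders alike, so the
    service never grants anything and cannot turn the server into an open relay.
    """
    domains = allowed_domains(attrs.get("client_address", ""), policy)
    if domains is None:
        return "DUNNO"
    domain = sender_domain(attrs.get("sender", ""))
    if domain == "":
        return "DUNNO"  # null sender: bounces from the customer's MTA must pass
    if domain in domains:
        return "DUNNO"
    return "REJECT Sender domain %s not permitted from %s" % (domain, attrs["client_address"])


def parse_request(text):
    """Parse one request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def respond(text, policy=POLICY):
    """Full wire response for one request: 'action=...' plus the empty line."""
    return "action=%s\n\n" % decide(parse_request(text), policy)


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Postfix may reuse one connection for many requests.
        pending = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                pending.append(line)
                continue
            self.wfile.write(respond("\n".join(pending) + "\n").encode())
            self.wfile.flush()
            pending = []


if __name__ == "__main__":
    # Assumed listener; main.cf would reference it as
    #   smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:10040
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as server:
        server.serve_forever()
```

Because a match yields DUNNO, the position of `check_policy_service` in the list only decides whether a reject from it comes before or after the other checks; it cannot short-circuit anything listed after it.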
          • Peter
            Message 5 of 12 , May 30, 2013
              On 05/31/2013 03:50 AM, Feel Zhou wrote:
              > I don't think that document is good to fix this problem
              > I want sender address match my customer's domain name
              > If not match ,mean that sender address was fake

              Hi Tom,

              This is a bad idea, it is very easy for a spammer to spoof your
              customer's sender domain in order to relay mail through your server and
              then your server becomes not much better than an open relay.

              You should look into SASL AUTH, this is a much better way for your
              customers to authenticate to your server for relaying:
              http://www.postfix.org/SASL_README.html


              Peter
            • Noel Jones
              Message 6 of 12 , May 30, 2013
                On 5/30/2013 6:21 PM, Peter wrote:
                > On 05/31/2013 03:50 AM, Feel Zhou wrote:
                >> I don't think that document is good to fix this problem
                >> I want sender address match my customer's domain name
                >> If not match ,mean that sender address was fake
                >
                > Hi Tom,
                >
                > This is a bad idea, it is very easy for a spammer to spoof your
                > customer's sender domain in order to relay mail through your server
                > and then your server becomes not much better than an open relay.

                No, the client is already authorized by IP. Adding a sender domain
                check is an additional restriction. This is also a simple "some
                trusted IP is sending a bunch of crap" trigger.

                >
                > You should look into SASL AUTH, this is a much better way for your
                > customers to authenticate to your server for relaying:
                > http://www.postfix.org/SASL_README.html

                Good advice, but SASL is not always possible or practical. And
                solving this with SASL involves reject_sender_login_mismatch, which
                brings its own complications.


                >
                >
                > Peter



                -- Noel Jones
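Noel's point that the sender-domain check doubles as a "trusted IP is sending a bunch of crap" trigger can also be applied after the fact to the relay's own log. The following is an added example, not code from the thread: it parses lines in the shape Tom posted in message 1 (the sample lines are constructed, with documentation-range IPs and placeholder domains as assumptions), counts envelope senders outside each trusted client's permitted domains, and raises an alert once a client exceeds a threshold. The null sender is treated as legitimate, since the customer's MTA has to be able to send bounces.

```python
"""Audit a relay's summary log for trusted-client IPs that send mail with
envelope-sender domains they are not entitled to use.

Added example; the log lines, IPs and domains are constructed placeholders."""
import ipaddress
import re
from collections import Counter

# Assumed policy (constructed): client network -> sender domains it may use.
POLICY = {
    ipaddress.ip_network("203.0.113.10/32"): {"customer.example"},
}

# Constructed sample in the "[relay client ip] [their client ip] <from> -> <to>"
# shape from the thread. 203.0.113.10 is the trusted customer server;
# 203.0.113.99 is not in the policy and is therefore outside this check.
SAMPLE_LOG = """\
May 30 08:09:01   [203.0.113.10] [198.51.100.7] <user@customer.example> -> <someone@example.net>,
May 30 08:09:03   [203.0.113.10] [198.51.100.7] <user@customer.example> -> <other@example.org>,
May 29 18:05:35 , [203.0.113.10] [192.0.2.44] <anyone@hotmail.com> -> <someone@example.net>,
May 29 16:05:37 , [203.0.113.10] [192.0.2.45] <anyone@yahoo.com> -> <someone@example.net>,
May 29 16:05:39 , [203.0.113.10] [192.0.2.45] <> -> <someone@example.net>,
May 29 16:06:00 , [203.0.113.99] [192.0.2.46] <anyone@hotmail.com> -> <someone@example.net>,
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s*,?\s*"
    r"\[(?P<client>[^\]]+)\]\s*\[(?P<origin>[^\]]+)\]\s*"
    r"<(?P<sender>[^>]*)>\s*->\s*<(?P<rcpt>[^>]*)>"
)


def parse_line(line):
    """Split one summary line into its fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def allowed_domains(ip_text, policy=POLICY):
    """Sender domains the client may use, or None if the client is not listed."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, domains in policy.items():
        if addr in net:
            return domains
    return None


def sender_domain(sender):
    """Lower-cased domain part of an envelope sender; '' for the null sender."""
    _, sep, domain = sender.rpartition("@")
    return domain.lower() if sep else ""


def audit(log_text, policy=POLICY, threshold=2):
    """Return every violation and the clients that reached the alert threshold."""
    violations = []
    per_client = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        domains = allowed_domains(rec["client"], policy)
        if domains is None:
            continue  # not a client we vouch for by IP; outside this check
        domain = sender_domain(rec["sender"])
        if domain == "" or domain in domains:
            continue  # null sender (bounces) and permitted domains are fine
        violations.append((rec["ts"], rec["client"], rec["sender"]))
        per_client[rec["client"]] += 1
    alerts = {ip: n for ip, n in per_client.items() if n >= threshold}
    return {"violations": violations, "alerts": alerts}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for ts, client, sender in report["violations"]:
        print("%s  %s  sender %s not permitted" % (ts, client, sender))
    for client, count in report["alerts"].items():
        print("ALERT: %s sent %d messages with foreign sender domains" % (client, count))
```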
              • Peter
                Message 7 of 12 , May 30, 2013
                  On 05/31/2013 12:34 PM, Noel Jones wrote:
                  > No, the client is already authorized by IP. Adding a sender domain
                  > check is an additional restriction. This is also a simple "some
                  > trusted IP is sending a bunch of crap" trigger.
                  >
                  > Good advice, but SASL is not always possible or practical. And
                  > solving this with SASL involves reject_sender_login_mismatch, which
                  > brings its own complications.

                  This is all based on an interpretation of the OP's original broken
                  English posts, though. What I was seeing was something akin to, "I need
                  to prevent spammers from using my server as a relay, so I'm going to
                  stop anyone who doesn't have an authorized domain in the envelope
                  sender." You probably noticed something I didn't in his posts, though.


                  Peter
                • Feel Zhou
                  Message 8 of 12 , Jun 6, 2013
                    Thanks for all
                    I have read the document  http://www.postfix.org/RESTRICTION_CLASS_README.html
                    Maybe it's not what I need to set up. I don't have an internal email distribution list, so I do not need to protect one. And I don't want to restrict any user from sending mail to off-site destinations.

                    My customer has a mail system; they send mail via my postfix server.
                    /etc/postfix/main.cf
                            mynetworks = hash:/etc/postfix/mynetworks_table
                    /etc/postfix/mynetworks_table
                            IP    PERMIT

                    IP is my customer's IP, and they have two domains: customer.domain1, customer.domain2. My mail system only wants these two domains to send mail via my postfix mail system, and not any other domain. That means only these two domains on this IP can send mail via my server; other domains will be rejected by my server.

                    How can I set this in main.cf?
                    Thanks for your time

                    TOM



                  • Noel Jones
                    Message 9 of 12 , Jun 6, 2013
                      On 6/6/2013 4:02 AM, Feel Zhou wrote:
                      > Thanks for all
                      > I have read the document
                      > http://www.postfix.org/RESTRICTION_CLASS_README.html
                      > Maybe it's not what I need to setting. I don't have internal email
                      > distribution list, so do not need to protect it. And I don't want to
                      > restrict any user send mail to off-site destinations.

                      Read it again, that's the right tool. If you study the examples,
                      you'll notice they first check one property, then check another.
                      That's exactly what you need.

                      You're supposed to use those examples to create your own rules that
                      first use a check_client_access map to see if the client is one of
                      your networks, then the result will be a restriction class that
                      calls a check_sender_access map.


                      Example:
                      192.168.100.0/24 must use @A.example.com
                      192.168.200.0/24 must use @B.example.com

                      # main.cf
                      smtpd_restriction_classes =
                         from_net_A
                         from_net_B

                      from_net_A =
                        check_sender_access hash:/etc/postfix/require_sender_A
                        reject

                      from_net_B =
                        check_sender_access hash:/etc/postfix/require_sender_B
                        reject

                      smtpd_sender_restrictions =
                        check_client_access cidr:/etc/postfix/enforce_networks.cidr

                      # enforce_networks.cidr
                      192.168.100.0/24  from_net_A
                      192.168.200.0/24  from_net_B

                      # require_sender_A
                      A.example.com  OK

                      # require_sender_B
                      B.example.com  OK




                      -- Noel Jones
                    • Feel Zhou
                      Message 10 of 12 , Jun 6, 2013
                        Thanks Noel

                        One more thing: how do I set one IP to be bound to two or three domains?

                        Thanks a lot



                      • Noel Jones
                        Message 11 of 12 , Jun 7, 2013
                          On 6/6/2013 9:36 PM, Feel Zhou wrote:
                          > Thanks Noel
                          >
                          > one more thing, How to setting one IP bind two or three domain
                          >
                          > Thanks a lot
                          >
                          >
                          ...
                          >
                          > # require_sender_A
                          > A.example.com OK
                          C.example.com OK





                          -- Noel Jones
                        • Feel Zhou
                          Message 12 of 12 , Jul 8 8:30 PM
                            Thanks, Noel Jones
                            About "ip match domain": it's working now.

                            /etc/postfix/main.cf
                                smtpd_sender_restrictions =
                                    check_client_access cidr:/etc/postfix/enforce_ip_match_domain
                                smtpd_restriction_classes =
                                    example
                                example = check_sender_access hash:/etc/postfix/example.domain
                                    reject
                            /etc/postfix/enforce_ip_match_domain
                                IP    example
                            /etc/postfix/example.domain
                                example.com    OK

                            I have another restriction, which was working before:

                            /etc/postfix/main.cf
                                smtpd_sender_restrictions =
                                    check_sender_access hash:/etc/postfix/sender_reject_addr_check
                            /etc/postfix/sender_reject_addr_check
                                baduser@... REJECT

                            After I set the "ip match domain" restrictions, the "badsender" restrictions stopped working.
                            How can I make both restrictions work together?
                            Thanks a lot



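Tom's last question gets no answer in the thread. The fragment below is an added example, not a reply from the list, using his own map and class names. It rests on two Postfix facts: only one `smtpd_sender_restrictions` setting takes effect in main.cf (when the parameter appears twice, the later one overrides the earlier one; `postconf -n` shows which value is in force), and a restriction list stops at the first restriction that returns OK or REJECT. Since the `example` class returns OK for a permitted sender domain, the bad-sender map must be listed before `check_client_access`, or a listed client's OK would skip it.

```text
# /etc/postfix/main.cf

# Before: two separate smtpd_sender_restrictions settings; only the later
# one is in effect, so sender_reject_addr_check is never consulted.
smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/enforce_ip_match_domain

# After: one list, bad-sender map first, then the per-IP domain check.
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_reject_addr_check
    check_client_access cidr:/etc/postfix/enforce_ip_match_domain

smtpd_restriction_classes = example
example =
    check_sender_access hash:/etc/postfix/example.domain
    reject
```

With this order, baduser@ is rejected whatever IP it comes from, a listed IP is then held to its permitted domains, and an unlisted IP falls through `check_client_access` with no result and continues to the remaining restrictions; relay permission itself is still decided by `permit_mynetworks` in the recipient restrictions, not by either map here.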
