
allow some senders, but block everyone else

  • Florin Andrei
    Message 1 of 10 , Jul 22, 2013
      This is a clone of the production site, for QA and testing. This being
      QA, whenever we run a test of our software, we don't want our test suite
      to go ahead and blast the Internet with lots of random email messages.
      OTOH, we need to keep the configuration of the QA site as close to
      production as possible. Finally, a handful of very specific sender
      addresses must be allowed to go through QA.

      I've tried to achieve this with sender_dependent_default_transport_maps.
      The example below is redacted for privacy.

      # grep sender_dependent main.cf
      sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport

      # head sender_transport
      johndoe@... smtp:
      jillsmith@... smtp:
      * local:

      But it doesn't seem to work very well. E.g., slight variations of
      permitted email addresses do seem to get through, whereas completely
      random emails appear to be blocked. I'm not sure what I'm doing wrong.

      --
      Florin Andrei
      http://florin.myip.org/
    • Wietse Venema
      Message 2 of 10 , Jul 22, 2013
        Florin Andrei:
        > This is a clone of the production site, for QA and testing. This being
        > QA, whenever we run a test of our software, we don't want our test suite
        > to go ahead and blast the Internet with lots of random email messages.
        > OTOH, we need to keep the configuration of the QA site as close to
        > production as possible. Finally, a handful of very specific sender
        > addresses must be allowed to go through QA.
        >
        > I've tried to achieve this with sender_dependent_default_transport_maps.

        As documented the syntax is NOT that of transport_maps.

        > The example below is redacted for privacy.
        >
        > # grep sender_dependent main.cf
        > sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
        >
        > # head sender_transport
        > johndoe@... smtp:
        > jillsmith@... smtp:
        > * local:

        As documented the syntax is NOT that of transport_maps.

        Try using syntax that Postfix supports as documented.

        Wietse
        >
        > But it doesn't seem to work very well. E.g., slight variations of
        > permitted email addresses do seem to get through, whereas completely
        > random emails appear to be blocked. I'm not sure what I'm doing wrong.
        >
        > --
        > Florin Andrei
        > http://florin.myip.org/
        >
      • Florin Andrei
        Message 3 of 10 , Jul 22, 2013
          Okay, let's try this:

          The goal is to send most emails to local, send most mydomain.com
          recipients to a relay nearby, and let foobardomain.com senders go out on
          the Internet freely.

          In main.cf I have:

          sender_dependent_default_transport_maps = regexp:/etc/postfix/sender_transport

          In sender_transport I have:

          /@foobarDomain\.com$/ foobar:

          In master.cf I have:

          foobar unix - - n - - smtp
            -o transport_maps=hash:/etc/postfix/transport_foobar
            -o smtp_helo_name=foobardomain.com
            -o syslog_name=smtp-foobar

          transport_foobar is empty (but I run postmap on it anyway), I just use
          it to override the regular transport file, which is:

          * local:
          joe@... local:
          jim@... local:
          mydomain.com :[relay.mydomain.local]

          However, I can't seem to even reach the foobar transport I created in
          master.cf. I am watching syslog and, while sending from @...
          to a completely unrelated address out there, I don't see any mention of
          smtp-foobar in syslog.

          Again, I am clearly doing something wrong, I know that, I just don't
          know what exactly. Please enlighten me.

          Thank you.

          --
          Florin Andrei
          http://florin.myip.org/
        • Wietse Venema
          Message 4 of 10 , Jul 22, 2013
            Florin Andrei:
            > Okay, let's try this:
            >
            > The goal is to send most emails to local, send most mydomain.com
            > recipients to a relay nearby, and let foobardomain.com senders go out on
            > the Internet freely.

            Presumably, if foobardomain.com senders send mail to local or
            mydomain.com recipients, then that mail should also not go to the
            Internet.

            In that case, set sender_dependent_default_transport_maps so that
            all senders resolve to the error transport except for a few.

            /etc/postfix/main.cf:
            # Override default_transport NOT transport_maps.
            sender_dependent_default_transport_maps = pcre:/etc/postfix/sender_pcre

            /etc/postfix/sender_pcre:
            if !/@foobardomain\.com$/
            /./ error:5.7.1 Sorry, you can't send mail to that destination
            endif

            Then specify explicit transport:nexthop entries for local and
            mydomain.com mail using main.cf:transport_maps.

            This is all from memory.

            Wietse
          • Florin Andrei
            Message 5 of 10 , Jul 22, 2013
              On 07/22/2013 05:30 PM, Wietse Venema wrote:
              > Florin Andrei:
              >>
              >> The goal is to send most emails to local, send most mydomain.com
              >> recipients to a relay nearby, and let foobardomain.com senders go out on
              >> the Internet freely.
              >
              > Presumably, if foobardomain.com senders send mail to local or
              > mydomain.com recipients, then that mail should also not go to the
              > Internet.

              No, it's the other way round. foobardomain.com will typically send
              emails to addresses unrelated to mydomain.com or local accounts.

              Here's the complete logic (I should have spelled it out from the beginning):

              1. If sender is @... then let them do anything, send email
              anywhere they want. For these senders, this should be a bare-bones
              relay, no special rules, with the relay behavior only controlled by
              $mynetworks.

              2. If the above is not matched, then: For a few @...
              recipients, emails should be sent to local. All other @...
              recipients should be stuffed into a specific relay.

              3. Everything else not caught by the above is sent to local.

              I believe #2 and #3 are taken care of by the following transport:

              joe@... local:
              jim@... local:
              mydomain.com :[relay.mydomain.com]
              * local:

              The part I'm having trouble with is #1.

              Does your advice below still stand?

              > In that case, set sender_dependent_default_transport_maps so that
              > all senders resolve to the error transport except for a few.
              >
              > /etc/postfix/main.cf:
              > # Override default_transport NOT transport_maps.
              > sender_dependent_default_transport_maps = pcre:/etc/postfix/sender_pcre
              >
              > /etc/postfix/sender_pcre:
              > if !/@foobardomain\.com$/
              > /./ error:5.7.1 Sorry, you can't send mail to that destination
              > endif
              >
              > Then specify explicit transport:nexthop entries for local and
              > mydomain.com mail using main.cf:transport_maps.
              >
              > This is all from memory.
              >
              > Wietse
              >


              --
              Florin Andrei
              http://florin.myip.org/
            • Wietse Venema
              Message 6 of 10 , Jul 22, 2013
                Florin Andrei:
                > On 07/22/2013 05:30 PM, Wietse Venema wrote:
                > > Florin Andrei:
                > >>
                > >> The goal is to send most emails to local, send most mydomain.com
                > >> recipients to a relay nearby, and let foobardomain.com senders go out on
                > >> the Internet freely.
                > >
                > > Presumably, if foobardomain.com senders send mail to local or
                > > mydomain.com recipients, then that mail should also not go to the
                > > Internet.
                >
                > No, it's the other way round. foobardomain.com will typically send
                > emails to addresses unrelated to mydomain.com or local accounts.
                >
                > Here's the complete logic (I should have spelled it out from the beginning):

                Yes, you should have. Although Postfix support is free, that doesn't
                mean that you can waste it as if it is in unlimited supply.

                Wietse
              • Florin Andrei
                Message 7 of 10 , Jul 23, 2013
                  I apologize for not being more specific at the beginning. I appreciate
                  the fact that support is offered here freely for everyone, it's a great
                  help.

                  I am getting the impression that it's not possible to make routing
                  decisions based on sender *before* making decisions based on recipient.
                  AFAICT, the transport table will override my
                  sender_dependent_default_transport_maps stuff no matter what.

                  Is there a way to achieve sender-based routing before any
                  recipient-based decision is made?

                  --
                  Florin Andrei
                  http://florin.myip.org/
                • DTNX Postmaster
                  Message 8 of 10 , Jul 23, 2013
                    On Jul 23, 2013, at 22:25, Florin Andrei <florin@...> wrote:

                    > I apologize for not being more specific at the beginning. I appreciate the fact that support is offered here freely for everyone, it's a great help.
                    >
                    > I am getting the impression that it's not possible to make routing decisions based on sender *before* making decisions based on recipient. AFAICT, the transport table will override my sender_dependent_default_transport_maps stuff no matter what.
                    >
                    > Is there a way to achieve sender-based routing before any recipient-based decision is made?

                    IIRC, you wanted to do this complicated thing to avoid spamming the
                    Internet at large when you run your test suite?

                    Would changing your test suite so it does not spam be the better
                    option, and deliver more reliable results? As in, send only to your
                    test accounts on Gmail, Hotmail, Yahoo! Mail and whatnot in limited
                    amounts, or to an external VPS or something similar that you spin up
                    for this purpose?

                    Mvg,
                    Joni
                  • Wietse Venema
                    Message 9 of 10 , Jul 23, 2013
                      Florin Andrei:
                      > I apologize for not being more specific at the beginning. I appreciate
                      > the fact that support is offered here freely for everyone, it's a great
                      > help.
                      >
                      > I am getting the impression that it's not possible to make routing
                      > decisions based on sender *before* making decisions based on recipient.
                      > AFAICT, the transport table will override my
                      > sender_dependent_default_transport_maps stuff no matter what.

                      As documented under sender_dependent_default_transport_maps,
                      "This information is overruled with the transport(5) table".

                      That is why my example used sender_dependent_default_transport_maps
                      to bounce external mail from users who aren't permitted to send to
                      non-local destinations, and used transport_maps to override the
                      error: destination for local domains so that they would not bounce.

                      I spent some 15 minutes researching that solution based on the then
                      current version of your problem description, and that is all the
                      time that I will put into this thread.

                      Wietse
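
Added example (not part of the thread and not Postfix code): a simplified Python model of the precedence cited in Message 9, run against the tables from Message 3 and Message 4. The local domain `qa.example` and the sample sender and recipient addresses are constructed; address classes and the redacted per-user entries are left out.

```python
import re

# Simplified model of Postfix transport selection (illustration, not Postfix code).
# Assumption: address classes (mydestination, relay_domains) are ignored; only the
# documented precedence is modelled: transport(5) first, sender-dependent default next.

def lookup_transport(table, recipient):
    """transport(5) search order: full address, domain, parent domains, then '*'."""
    domain = recipient.rsplit("@", 1)[1].lower()
    labels = domain.split(".")
    keys = [recipient.lower(), domain]
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append("*")
    return next((table[k] for k in keys if k in table), None)

def sender_default(rules, sender):
    """First matching pattern wins, as in a regexp: or pcre: table."""
    return next((res for rx, res in rules if re.search(rx, sender, re.I)), None)

def route(sender, recipient, transport, sender_rules, default_transport="smtp:"):
    """Transport table overrules the sender map, which overrules default_transport."""
    return (lookup_transport(transport, recipient)
            or sender_default(sender_rules, sender)
            or default_transport)

# Message 3 tables: the '*' wildcard in transport_maps matches every recipient,
# so the sender-dependent map is never consulted.
MSG3_TRANSPORT = {"*": "local:", "mydomain.com": ":[relay.mydomain.local]"}
MSG3_SENDER = [(r"@foobarDomain\.com$", "foobar:")]

# Message 4 design: no '*' entry; everyone except foobardomain.com defaults to error:.
# "qa.example" is a constructed stand-in for the QA host's local domain.
MSG4_TRANSPORT = {"qa.example": "local:", "mydomain.com": ":[relay.mydomain.local]"}
MSG4_SENDER = [(r"^(?!.*@foobardomain\.com$).",
                "error:5.7.1 Sorry, you can't send mail to that destination")]

if __name__ == "__main__":
    cases = [("app@foobardomain.com", "user@elsewhere.example"),
             ("suite@other.example", "user@elsewhere.example"),
             ("suite@other.example", "dev@mydomain.com")]
    for sender, rcpt in cases:
        print(sender, "->", rcpt)
        print("  msg3:", route(sender, rcpt, MSG3_TRANSPORT, MSG3_SENDER))
        print("  msg4:", route(sender, rcpt, MSG4_TRANSPORT, MSG4_SENDER))
```
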
                    • Florin Andrei
                      Message 10 of 10 , Jul 25, 2013
                        I solved my routing problem... by switching to Exim. :)

                        Arbitrary routing decisions can be implemented by simply daisy-chaining
                        routers in a config file. It's actually surprising how easy it is to
                        read the whole logic at once just by glancing at one file. Almost like
                        pseudo-code.

                        Their users list was also very helpful, and the overall tone of the
                        discussion was friendly and non-dismissive towards this complete Exim
                        newbie. That was a pretty stark contrast.

                        I've been using Postfix for over a decade now, and I thought I could do
                        anything with it (provided that enough research and tests are
                        performed), but I was amazed how much easier it was to solve a complex
                        problem like this with Exim.

                        --
                        Florin Andrei
                        http://florin.myip.org/