Loading ...
Sorry, an error occurred while loading the content.

restricting few users from sending mails outside domain (mymailsystem.com)

Expand Messages
  • virtualpostfix
    Hi, I am trying to block few / selected users from sending mails outside of domain where as other users should be allowed to send mails anywhere. I have
    Message 1 of 13 , Oct 8, 2013
    • 0 Attachment
      Hi,

      I am trying to block few / selected users from sending mails outside of
      domain where as other users should be allowed to send mails anywhere. I have
      followed postfix official documentation of " Restricting what users can send
      mail to off-site destinations
      <http://www.postfix.org/RESTRICTION_CLASS_README.html> " but still postfix
      is somehow bypassing restriction rules/classes and users are still able to
      send mails to outside domain (gmail.com in this case). Can anyone please
      help me in setting this up?

      This is the snap from my main.cf :

      virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf,
      mysql:/etc/postfix/mysql_virtual_alias_domain_maps.cf
      virtual_gid_maps = static:89
      virtual_mailbox_base = /home/virtual_mail
      virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
      virtual_mailbox_limit = 51200000
      virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
      virtual_minimum_uid = 89
      virtual_transport = virtual
      virtual_uid_maps = static:89

      smtpd_restriction_classes = localonly
      localonly = check_recipient_access hash:/etc/postfix/localdomains, reject
      smtpd_sasl_auth_enable = yes
      smtpd_recipient_restrictions = check_sender_access
      hash:/etc/postfix/restricted_senders,permit_mynetworks,permit_sasl_authenticated,check_client_access
      mysql:/etc/postfix/mysql_popbsmtp_access_maps.cf,check_client_access
      hash:/etc/postfix/relay,reject_unauth_destination
      smtpd_sasl_path = private/auth
      smtpd_sasl_type = dovecot


      restricted_senders file :
      # cat restricted_senders
      suraj@... localonly

      locadomains file:
      # cat localdomains
      mymailsystem.local OK

      I already have postmapped restricted_senders and localdomains but still
      postfix is not applying restriction rules over sender.
      Let me know for required additional details.

      Thanks



      --
      View this message in context: http://postfix.1071664.n5.nabble.com/restricting-few-users-from-sending-mails-outside-domain-mymailsystem-com-tp61996.html
      Sent from the Postfix Users mailing list archive at Nabble.com.
    • Dominik George
      ... Hash: SHA512 Hi, ... Are you using Postfix =2.10? If so, have you tried smtpd_relay_access? Cheers, Nik ... Version: APG v1.0.8-fdroid
      Message 2 of 13 , Oct 8, 2013
      • 0 Attachment
        -----BEGIN PGP SIGNED MESSAGE-----
        Hash: SHA512

        Hi,

        >smtpd_recipient_restrictions = check_sender_access

        Are you using Postfix >=2.10? If so, have you tried smtpd_relay_access?

        Cheers,
        Nik
        -----BEGIN PGP SIGNATURE-----
        Version: APG v1.0.8-fdroid

        iQFNBAEBCgA3BQJSU9BkMBxEb21pbmlrIEdlb3JnZSAobW9iaWxlIGtleSkgPG5p
        a0BuYXR1cmFsbmV0LmRlPgAKCRAvLbGk0zMOJe0rCACZiUkFvXjwyNs1Z0Nh9mZA
        veCBa/H0a0PIPPz46thmK0V23YOecpCcV8+1GQ22mx/5gSSExSBSNGFvvGu9feoy
        REMKJuxIgcqMvuG3Ky1TgSWdtSCsy4YIJ7GxzYrNpngAx5myGvwX1/siYsnUqfNu
        ug4U8F9y8toCYcwLOse8OSb751tv6YyL8C2bhdcCDQo1jyj0d9Kn9p5xTE3FhjRz
        QovG3suuEr860yGyjvYHO2uDbioyaByo5PX0qgsUkktWDvUAYyF3sIjI5pmejoK3
        cHNV85D6EWWULR3jypUHYJ+Lzz3F4wP1bImCLQnjmkXjgmBdBr+9f80L0Rc5HE/Q
        =l1Hi
        -----END PGP SIGNATURE-----
      • Dominik George
        ... Hash: SHA512 ... smtpd_relay_restrictions, anyway. - -- Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet. ... Version: APG
        Message 3 of 13 , Oct 8, 2013
        • 0 Attachment
          -----BEGIN PGP SIGNED MESSAGE-----
          Hash: SHA512



          Dominik George <nik@...> schrieb:
          >-----BEGIN PGP SIGNED MESSAGE-----
          >Hash: SHA512
          >
          >Hi,
          >
          >>smtpd_recipient_restrictions = check_sender_access
          >
          >Are you using Postfix >=2.10? If so, have you tried smtpd_relay_access?

          smtpd_relay_restrictions, anyway.
          - --
          Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.
          -----BEGIN PGP SIGNATURE-----
          Version: APG v1.0.8-fdroid

          iQFNBAEBCgA3BQJSU9L6MBxEb21pbmlrIEdlb3JnZSAobW9iaWxlIGtleSkgPG5p
          a0BuYXR1cmFsbmV0LmRlPgAKCRAvLbGk0zMOJfp/CACm7AT1jPeggEKy2qV4jasS
          XzJZcWD8lvoLtipQxTUqHni/qm/TCjwqm4UYfTbfw85b/MivsKWZZaRJbphRG0c0
          +jyKCW2VSLcIePZ6rHMzmikk54XlSxvw3eo9Afvh95dMpO4/jK+DorbHdvuPEnMk
          3lQBRD3JSVXpGzYekigMhQ6R9Ze+S8yl5oCUyl6p6LFOmZCuvJXqfbXlivEqqRja
          iR2s+WDJUgRcjbVWJiYQU/2q6APBaB3F33asWcYjwHqQP2jb6hLbe9CoZ5NtE+dq
          suXeX8KjNhqAxuIoQpS3H85YbSkwOBfwFZ9nkZ7yj/oEDXmFYrwpARmckx3jfp6/
          =+887
          -----END PGP SIGNATURE-----
        • virtualpostfix
          Hi Nik, Thanks for quick reply, yes the postfix version is 2.6 : [root@posttestbox postfix]# postconf -d mail_version mail_version = 2.6.6 Here is how I tried
          Message 4 of 13 , Oct 8, 2013
          • 0 Attachment
            Hi Nik,

            Thanks for quick reply, yes the postfix version is 2.6 :

            [root@posttestbox postfix]# postconf -d mail_version
            mail_version = 2.6.6

            Here is how I tried the suggestion in main.cf :

            smtpd_relay_restrictions = localonly
            localonly = check_recipient_access hash:/etc/postfix/localdomains, reject
            smtpd_sasl_auth_enable = yes
            smtpd_recipient_restrictions = check_sender_access
            hash:/etc/postfix/restricted_senders,permit_mynetworks,permit_sasl_authenticated,check_client_access
            mysql:/etc/postfix/mysql_popbsmtp_access_maps.cf,check_client_access
            hash:/etc/postfix/relay,reject_unauth_destination
            smtpd_sasl_path = private/auth
            smtpd_sasl_type = dovecot


            But user is still able to send mails outside domain, here is current log
            happening (from postfix restart):

            Oct 8 23:38:03 posttestbox postfix/postfix-script[32074]: starting the
            Postfix mail system
            Oct 8 23:38:03 posttestbox postfix/master[32075]: daemon started -- version
            2.6.6, configuration /etc/postfix
            Oct 8 23:38:22 posttestbox postfix/pickup[32079]: 7C52E635C6: uid=48
            from=<suraj@...>
            Oct 8 23:38:22 posttestbox postfix/cleanup[32093]: 7C52E635C6:
            message-id=<8834f0da5847e89290d0bafe5c9d1668@...>
            Oct 8 23:38:22 posttestbox postfix/qmgr[32080]: 7C52E635C6:
            from=<suraj@...>, size=557, nrcpt=1 (queue active)
            Oct 8 23:38:25 posttestbox postfix/smtp[32102]: connect to
            gmail-smtp-in.l.google.com[2607:f8b0:400e:c01::1a]:25: Network is
            unreachable
            Oct 8 23:38:27 posttestbox postfix/smtp[32102]: 7C52E635C6:
            to=<mygmailaccount@...>,
            relay=gmail-smtp-in.l.google.com[74.125.129.27]:25, delay=5.1,
            delays=0.15/0.01/3.5/1.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1381227533
            hb3si26717605pac.65 - gsmtp)
            Oct 8 23:38:27 posttestbox postfix/qmgr[32080]: 7C52E635C6: removed

            I am trying to use the suggestions in more possible ways but shared current
            status in case it helps.

            Thanks



            --
            View this message in context: http://postfix.1071664.n5.nabble.com/restricting-few-users-from-sending-mails-outside-domain-mymailsystem-com-tp61996p62002.html
            Sent from the Postfix Users mailing list archive at Nabble.com.
          • Charles Marcus
            ... ? 2.6 is NOT = 2.10 -- Best regards, */Charles/*
            Message 5 of 13 , Oct 8, 2013
            • 0 Attachment
              On 2013-10-08 6:27 AM, virtualpostfix <rathodsuraj1@...> wrote:
              [root@posttestbox postfix]# postconf -d mail_version
              mail_version = 2.6.6

              ?

              2.6 is NOT >= 2.10

              --

              Best regards,

              Charles
            • virtualpostfix
              ohh lol yes! right Charles. Uhh I guess this issue is taking away my head. Thanks Charles. -- View this message in context:
              Message 6 of 13 , Oct 8, 2013
              • 0 Attachment
                ohh lol yes! right Charles.

                Uhh I guess this issue is taking away my head.

                Thanks Charles.



                --
                View this message in context: http://postfix.1071664.n5.nabble.com/restricting-few-users-from-sending-mails-outside-domain-mymailsystem-com-tp61996p62005.html
                Sent from the Postfix Users mailing list archive at Nabble.com.
              • Noel Jones
                ... The postfix smtpd_*_restrictions only apply to mail submitted via SMTP. This message was submitted via the local sendmail(1) command by user 48. If this
                Message 7 of 13 , Oct 8, 2013
                • 0 Attachment
                  On 10/8/2013 5:27 AM, virtualpostfix wrote:
                  > Hi Nik,
                  >
                  > Thanks for quick reply, yes the postfix version is 2.6 :
                  >
                  > [root@posttestbox postfix]# postconf -d mail_version
                  > mail_version = 2.6.6
                  >
                  > Here is how I tried the suggestion in main.cf :
                  >
                  > smtpd_relay_restrictions = localonly
                  > localonly = check_recipient_access hash:/etc/postfix/localdomains, reject
                  > smtpd_sasl_auth_enable = yes
                  > smtpd_recipient_restrictions = check_sender_access
                  > hash:/etc/postfix/restricted_senders,permit_mynetworks,permit_sasl_authenticated,check_client_access
                  > mysql:/etc/postfix/mysql_popbsmtp_access_maps.cf,check_client_access
                  > hash:/etc/postfix/relay,reject_unauth_destination
                  > smtpd_sasl_path = private/auth
                  > smtpd_sasl_type = dovecot
                  >
                  >
                  > But user is still able to send mails outside domain, here is current log
                  > happening (from postfix restart):
                  >
                  > Oct 8 23:38:03 posttestbox postfix/postfix-script[32074]: starting the
                  > Postfix mail system
                  > Oct 8 23:38:03 posttestbox postfix/master[32075]: daemon started -- version
                  > 2.6.6, configuration /etc/postfix
                  > Oct 8 23:38:22 posttestbox postfix/pickup[32079]: 7C52E635C6: uid=48
                  > from=<suraj@...>


                  The postfix smtpd_*_restrictions only apply to mail submitted via
                  SMTP. This message was submitted via the local sendmail(1) command
                  by user 48.

                  If this is a webmail system, perhaps you can change it to submit
                  mail via SMTP.



                  -- Noel Jones


                  > Oct 8 23:38:22 posttestbox postfix/cleanup[32093]: 7C52E635C6:
                  > message-id=<8834f0da5847e89290d0bafe5c9d1668@...>
                  > Oct 8 23:38:22 posttestbox postfix/qmgr[32080]: 7C52E635C6:
                  > from=<suraj@...>, size=557, nrcpt=1 (queue active)
                  > Oct 8 23:38:25 posttestbox postfix/smtp[32102]: connect to
                  > gmail-smtp-in.l.google.com[2607:f8b0:400e:c01::1a]:25: Network is
                  > unreachable
                  > Oct 8 23:38:27 posttestbox postfix/smtp[32102]: 7C52E635C6:
                  > to=<mygmailaccount@...>,
                  > relay=gmail-smtp-in.l.google.com[74.125.129.27]:25, delay=5.1,
                  > delays=0.15/0.01/3.5/1.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1381227533
                  > hb3si26717605pac.65 - gsmtp)
                  > Oct 8 23:38:27 posttestbox postfix/qmgr[32080]: 7C52E635C6: removed
                  >
                  > I am trying to use the suggestions in more possible ways but shared current
                  > status in case it helps.
                  >
                  > Thanks
                  >
                  >
                  >
                  > --
                  > View this message in context: http://postfix.1071664.n5.nabble.com/restricting-few-users-from-sending-mails-outside-domain-mymailsystem-com-tp61996p62002.html
                  > Sent from the Postfix Users mailing list archive at Nabble.com.
                  >
                • virtualpostfix
                  Ohh GREAT Noel! that sorted the issue out .. I was using roundcube to test this but once you specified that its using sendmail instead of smtp it clicked the
                  Message 8 of 13 , Oct 8, 2013
                  • 0 Attachment
                    Ohh GREAT Noel! that sorted the issue out ..

                    I was using roundcube to test this but once you specified that its using
                    sendmail instead of smtp it clicked the right button, roundcube by default
                    uses available mta and do not look for smtp auth. I have adjusted roundcube
                    to go for smtp and it worked like charm. For other users references, this is
                    the final conf which worked for me as expected :

                    main.cf :
                    smtpd_recipient_restrictions = check_sender_access
                    hash:/etc/postfix/restricted_senders,permit_mynetworks,permit_sasl_authenticated,check_client_access
                    mysql:/etc/postfix/mysql_popbsmtp_access_maps.cf,check_client_access
                    hash:/etc/postfix/relay,reject_unauth_destination
                    smtpd_restriction_classes = localonly
                    localonly = check_recipient_access hash:/etc/postfix/localdomains, reject
                    smtpd_sasl_path = private/auth
                    smtpd_sasl_type = dovecot

                    Roundcube main.inc.php :
                    $rcmail_config['smtp_server'] = 'tls://%h';
                    $rcmail_config['smtp_port'] = 25;
                    $rcmail_config['smtp_user'] = '%u';
                    $rcmail_config['smtp_pass'] = '%p';

                    Thanks guys! Now I just need to find the button for "marked as solved" :)



                    --
                    View this message in context: http://postfix.1071664.n5.nabble.com/restricting-few-users-from-sending-mails-outside-domain-mymailsystem-com-tp61996p62018.html
                    Sent from the Postfix Users mailing list archive at Nabble.com.
                  • Thomas Moretto
                    Can someone add some clarification to this setting: smtpd_client_message_rate_limitThe number of messages and advisor would be able to send in a 5 minute
                    Message 9 of 13 , Oct 8, 2013
                    • 0 Attachment

                      Can someone add some clarification to this setting:


                      smtpd_client_message_rate_limit

                      The number of messages and advisor would be able to send in a 5 minute period


                      Does the counter count each unique postfix id assigned to a message or does it count to each recipient?


                      For example, if I submit one message with the id of 09AE3ZBX addressed 100 different recipients does postfix count that as 1 message submitted or 100?



                    • Wietse Venema
                      ... As documented this counts the number of message delivery requests. One message delivery request, well, requests the delivery of one message. Wietse
                      Message 10 of 13 , Oct 8, 2013
                      • 0 Attachment
                        Thomas Moretto:
                        >Can someone add some clarification to this setting:
                        >
                        > smtpd_client_message_rate_limitThe number of
                        > messages and advisor would be able to send in a 5 minute period
                        > Does the counter count each unique postfix id assigned to a message
                        > or does it count to each recipient?

                        As documented this counts the number of message delivery requests.
                        One message delivery request, well, requests the delivery of one
                        message.

                        Wietse

                        > For example, if I submit one message with the id of 09AE3ZBX addressed 100 different recipients does postfix count that as 1 message submitted or 100?
                        >
                        >
                      • Dominik George
                        ... Hash: SHA512 ... I think that latter part was the real question. - -nik - -- Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.
                        Message 11 of 13 , Oct 8, 2013
                        • 0 Attachment
                          -----BEGIN PGP SIGNED MESSAGE-----
                          Hash: SHA512



                          wietse@... schrieb:
                          >Thomas Moretto:
                          >>Can someone add some clarification to this setting:
                          >>
                          >> smtpd_client_message_rate_limitThe number of
                          >> messages and advisor would be able to send in a 5 minute period
                          >> Does the counter count each unique postfix id assigned to a message
                          >> or does it count to each recipient?
                          >
                          >As documented this counts the number of message delivery requests.
                          >One message delivery request, well, requests the delivery of one
                          >message.
                          >
                          > Wietse
                          >
                          >> For example, if I submit one message with the id of 09AE3ZBX
                          >addressed 100 different recipients does postfix count that as 1 message
                          >submitted or 100?
                          >>
                          >>
                          >
                          >

                          I think that latter part was the real question.

                          - -nik
                          - --
                          Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.
                          -----BEGIN PGP SIGNATURE-----
                          Version: APG v1.0.8-fdroid

                          iQFNBAEBCgA3BQJSVDjtMBxEb21pbmlrIEdlb3JnZSAobW9iaWxlIGtleSkgPG5p
                          a0BuYXR1cmFsbmV0LmRlPgAKCRAvLbGk0zMOJfFfCADBx+kYHKDUDZRojQWgvEsv
                          v6CGvRpXqvZzuTJWyxbeLFRV0J8G6kTBZpNYpsnuNups8YUq0m6dQNXDi9as96Sj
                          +i0/J7SR/EoE/WWgUYJIxZWPVFVfV2hPveU8rDEIJh2+wCJd6qKCMgWu2AA3E4jv
                          gV/z1KY4w5N71so8P9CDZrLPSfoVK5BKFxC8zQyOubd6sxY0Jr3cyEvYaXOLwish
                          vSw5r8DhW/mme5t/fz83jUGI0zO/87nV29YhVpfrPpEYmVA59XTi/heiYvpoDRrI
                          J0lPhUS+5B6o1Zj/31WAeE261J9cMQmdBy1UW0WO9uxy6mJQjGt/I9cUQH6naoE/
                          =8hUb
                          -----END PGP SIGNATURE-----
                        • Thomas Moretto
                          Correct, the last paragraph is the real question: For example, if I submit one message with the id of 09AE3ZBX addressed 100 different recipients does postfix
                          Message 12 of 13 , Oct 8, 2013
                          • 0 Attachment
                            Correct, the last paragraph is the real question:

                            "For example, if I submit one message with the id of 09AE3ZBX addressed 100 different recipients does postfix count that as 1 message submitted or 100?"

                            which I have interpreted from everything i have read and the response i got from the email is if i submit one email with the id of 09AE3ZBX, and address it to 100 different addresses, it is one message submitted for delivery, not 100.





                            > Subject: Re: Clarification on smtp_client config settings
                            > From: nik@...
                            > Date: Tue, 8 Oct 2013 18:55:09 +0200
                            > To: postfix-users@...; wietse@...
                            >
                            > -----BEGIN PGP SIGNED MESSAGE-----
                            > Hash: SHA512
                            >
                            >
                            >
                            > wietse@... schrieb:
                            > >Thomas Moretto:
                            > >>Can someone add some clarification to this setting:
                            > >>
                            > >> smtpd_client_message_rate_limitThe number of
                            > >> messages and advisor would be able to send in a 5 minute period
                            > >> Does the counter count each unique postfix id assigned to a message
                            > >> or does it count to each recipient?
                            > >
                            > >As documented this counts the number of message delivery requests.
                            > >One message delivery request, well, requests the delivery of one
                            > >message.
                            > >
                            > > Wietse
                            > >

                            > >>
                            > >>
                            > >
                            > >
                            >
                            > I think that latter part was the real question.
                            >
                            > - -nik
                            > - --
                            > Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.
                            > -----BEGIN PGP SIGNATURE-----
                            > Version: APG v1.0.8-fdroid
                            >
                            > iQFNBAEBCgA3BQJSVDjtMBxEb21pbmlrIEdlb3JnZSAobW9iaWxlIGtleSkgPG5p
                            > a0BuYXR1cmFsbmV0LmRlPgAKCRAvLbGk0zMOJfFfCADBx+kYHKDUDZRojQWgvEsv
                            > v6CGvRpXqvZzuTJWyxbeLFRV0J8G6kTBZpNYpsnuNups8YUq0m6dQNXDi9as96Sj
                            > +i0/J7SR/EoE/WWgUYJIxZWPVFVfV2hPveU8rDEIJh2+wCJd6qKCMgWu2AA3E4jv
                            > gV/z1KY4w5N71so8P9CDZrLPSfoVK5BKFxC8zQyOubd6sxY0Jr3cyEvYaXOLwish
                            > vSw5r8DhW/mme5t/fz83jUGI0zO/87nV29YhVpfrPpEYmVA59XTi/heiYvpoDRrI
                            > J0lPhUS+5B6o1Zj/31WAeE261J9cMQmdBy1UW0WO9uxy6mJQjGt/I9cUQH6naoE/
                            > =8hUb
                            > -----END PGP SIGNATURE-----
                            >
                          • Dominik George
                            ... Hash: SHA512 On a side note: Stop the threadjacking. Thanks! ... Version: APG v1.0.8-fdroid
                            Message 13 of 13 , Oct 8, 2013
                            • 0 Attachment
                              -----BEGIN PGP SIGNED MESSAGE-----
                              Hash: SHA512

                              On a side note: Stop the threadjacking.

                              Thanks!
                              -----BEGIN PGP SIGNATURE-----
                              Version: APG v1.0.8-fdroid

                              iQFNBAEBCgA3BQJSVFIPMBxEb21pbmlrIEdlb3JnZSAobW9iaWxlIGtleSkgPG5p
                              a0BuYXR1cmFsbmV0LmRlPgAKCRAvLbGk0zMOJaolB/9PgX5yhulip3+5JQFBqAHP
                              GSoZGll0bVjdzBGSMBBZXG1M4jKl3SCQgH0hq7bnt/UyWUcgchCpEKNqibXL58d3
                              WX8VYh+qrIlTaTVu/kivoXAir3L0U92lvxjxX3bfKdq7q1KtGUaBG/5FCwjZOFBZ
                              OWsjE3EEw283UzssQTxz5oVsfMOePy3C1ju+6UtIRombpAfXm/as54brRwnxQm/1
                              u2IFNqwnXSFZflhcNdphA78g2/wOmlPpQvr30aVGc3dfqmdzi1Xm31VHfe5RGh31
                              wnS92BxoCM69Y/Q09pmEm1fYM7YTPErM2Uzc7/ZHR9Ji7QHCjirIai7mBQzi4yBg
                              =WjeQ
                              -----END PGP SIGNATURE-----
                            Your message has been successfully submitted and would be delivered to recipients shortly.