
Controlling who can use my server as relayhost

  • Nicolás
    Message 1 of 5 , Jul 21, 2014
      Hi,

      After maintaining an old version of Postfix for some longer time, I
      finally decided to jump to version 2.11 and currently I'm tuning it up.
      I'm having an issue with smtpd_relay_restrictions. At this time, the
      configuration is the default one:

      smtpd_relay_restrictions =
          permit_mynetworks
          permit_sasl_authenticated
          defer_unauth_destination

      Having this configuration, anyone using my mail server as the relayhost
      is able to send mails to the domains that I handle (not outside), even
      without SASL. I guess that behavior is determined by
      'defer_unauth_destination', however, my aim is to specifically allow
      certain IPs to use my mail server as relayhost, otherwise reject the
      requests.

      I tried putting a 'reject' line after 'defer_unauth_destination' and
      although it seemed to achieve the desired effect, this would block any
      incoming e-mails from any sender, logically.

      So, here goes the question: Is there a way to only whitelist certain IPs
      to use this server as the relayhost and reject anyone else but without
      affecting incoming e-mails?

      Thanks!
    • Alex
      Message 2 of 5 , Jul 22, 2014
        On 2014-07-22 08:17, Nicolás wrote:

        > After maintaining an old version of Postfix for some longer time, I
        > finally decided to jump to version 2.11 and currently I'm tuning it
        > up. I'm having an issue with smtpd_relay_restrictions. At this time,
        > the configuration is the default one:
        >
        > smtpd_relay_restrictions =
        > permit_mynetworks
        > permit_sasl_authenticated
        > defer_unauth_destination
        >
        [ snipped ]

        > my aim is to specifically allow
        > certain IPs to use my mail server as relayhost, otherwise reject the
        > requests.

        [ snipped ]

        > So, here goes the question: Is there a way to only whitelist certain
        > IPs to use this server as the relayhost and reject anyone else but
        > without affecting incoming e-mails?

        On: http://www.postfix.org/postconf.5.html#permit_mynetworks

        permit_mynetworks
        Permit the request when the client IP address matches any network or
        network address listed in $mynetworks.

        I think the answer you seek can be found at:
        http://www.postfix.org/postconf.5.html#mynetworks

        Alex
      • Jonas Wielicki
        Message 3 of 5 , Jul 22, 2014
          On 22.07.2014 08:17, Nicolás wrote:
          > Having this configuration, anyone using my mail server as the relayhost
          > is able to send mails to the domains that I handle (not outside), even
          > without SASL. I guess that behavior is determined by
          > 'defer_unauth_destination', however, my aim is to specifically allow
          > certain IPs to use my mail server as relayhost, otherwise reject the
          > requests.
          >
          > I tried putting a 'reject' line after 'defer_unauth_destination' and
          > although it seemed to achieve the desired effect, this would block any
          > incoming e-mails from any sender, logically.
          >
          > So, here goes the question: Is there a way to only whitelist certain IPs
          > to use this server as the relayhost and reject anyone else but without
          > affecting incoming e-mails?

          Sorry, I’m failing to understand what you want exactly.

          When you say “allow certain IPs to use my mail server as relayhost,
          otherwise reject the request”, does that include rejecting to relay to
          your *own* domains?

          If so, what do you mean by “incoming e-mails”?

          If not, permit_mynetworks might indeed be what you’re looking for.

          regards,
          jwi
        • Nicolás
          Message 4 of 5 , Jul 22, 2014
            On 22/07/2014 8:58, Jonas Wielicki wrote:
            > On 22.07.2014 08:17, Nicolás wrote:
            >> Having this configuration, anyone using my mail server as the relayhost
            >> is able to send mails to the domains that I handle (not outside), even
            >> without SASL. I guess that behavior is determined by
            >> 'defer_unauth_destination', however, my aim is to specifically allow
            >> certain IPs to use my mail server as relayhost, otherwise reject the
            >> requests.
            >>
            >> I tried putting a 'reject' line after 'defer_unauth_destination' and
            >> although it seemed to achieve the desired effect, this would block any
            >> incoming e-mails from any sender, logically.
            >>
            >> So, here goes the question: Is there a way to only whitelist certain IPs
            >> to use this server as the relayhost and reject anyone else but without
            >> affecting incoming e-mails?
            > Sorry, I’m failing to understand what you want exactly.
            >
            > When you say “allow certain IPs to use my mail server as relayhost,
            > otherwise reject the request”, does that include rejecting to relay to
            > your *own* domains?
            >
            > If so, what do you mean by “incoming e-mails”?
            >
            > If not, permit_mynetworks might indeed be what you’re looking for.
            >
            > regards,
            > jwi

            The final goal is to handle who can send e-mails through my server as
            relayhost. At this moment, anyone configuring their Postfix with my mail
            server as the relayhost could send e-mails to any address that I handle
            (i.e., my domains). By "incoming e-mails" I mean that if I end the
            smtpd_relay_restrictions with "reject", *any* incoming e-mail from
            *anywhere* to any address that I handle is rejected with "access denied".

            The mynetworks solution would work for static IPs, but I realized I have
            clients with dynamic IPs. Would it be possible to allow *only* sending
            mails through my host as relayhost for the SASL authenticated users, but
            without rejecting the above mentioned incoming messages?

            Thanks.
          • lists@rhsoft.net
            Message 5 of 5 , Jul 22, 2014
              On 22.07.2014 11:32, Nicolás wrote:
              > The final goal is to handle who can send e-mails through my server as
              > relayhost. At this moment, anyone configuring their Postfix with my
              > mail server as the relayhost could send e-mails to any address that
              > I handle

              addresses which you handle have *nothing* to do with relay
              relay by definition is sending mail to foreign domains

              don't mix those two completely different worlds

              if your server is a MX you *can't* restrict who can
              send to addresses you handle because you no longer
              receive mail
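
Added example (not part of the thread and not Postfix code): a simplified Python model of how the restriction list from the original post is evaluated for each recipient. It shows why mail to the server's own domains is accepted from any client while relaying to foreign domains needs mynetworks or SASL, and why a trailing "reject" blocks inbound mail. The domains, IP ranges and the evaluate/scenarios helpers are constructed for illustration.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/28")]
LOCAL_DOMAINS = {"example.org"}  # domains this server is the final destination for

DEFAULT = ["permit_mynetworks", "permit_sasl_authenticated", "defer_unauth_destination"]
WITH_REJECT = DEFAULT + ["reject"]  # the variant the original poster tried


def evaluate(restrictions, client_ip, sasl_user, rcpt):
    """Simplified model of one RCPT TO passing through smtpd_relay_restrictions.

    Restrictions are tried in order and the first verdict wins. Reaching the
    end of the list without a verdict means the relay check has passed.
    Domain matching is exact here; real Postfix has more matching rules.
    """
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[1].lower()
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return "permit"
        elif name == "permit_sasl_authenticated":
            if sasl_user:
                return "permit"
        elif name in ("defer_unauth_destination", "reject_unauth_destination"):
            # Fires only for recipients in domains this server does not handle.
            if domain not in LOCAL_DOMAINS:
                return name.split("_", 1)[0]  # "defer" or "reject"
        elif name == "reject":
            return "reject"  # unconditional: nothing gets past this point
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return "permit"


def scenarios(restrictions):
    """Verdicts for the client/recipient combinations discussed in the thread."""
    cases = {
        "inbound, stranger to own domain": ("203.0.113.9", None, "user@example.org"),
        "relay, stranger to foreign domain": ("203.0.113.9", None, "bob@example.net"),
        "relay, SASL user on dynamic IP": ("198.51.100.77", "alice", "bob@example.net"),
        "relay, client in mynetworks": ("192.0.2.5", None, "bob@example.net"),
    }
    return {label: evaluate(restrictions, *args) for label, args in cases.items()}
```

Comparing scenarios(DEFAULT) with scenarios(WITH_REJECT) shows that only the inbound case changes: the relay cases are already decided before the trailing "reject" is reached.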