From: Jarrod Neven on 30 May 2010 07:29

I am trying to setup restriction to prevent selected users from sending email externally. I have followed the "Restricting what users can send mail to off-site destinations" guide at http://www.postfix.net/RESTRICTION_CLASS_README.html but it is not having any effect.

It appears that no matter what I do smtpd_recipient_restrictions has no effect. Have set the hash file to an invalid file and created syntax errors and there are no error messages in the log, even set smtpd_recipient_restrictions = reject and it did nothing.

In master.cf I have added -v -v to the smtpd process and it shows no mention of the value smtpd_recipient_restrictions, looks like it is ignored completely.

Is there anything that can prevent smtpd_recipient_restrictions from working? Maybe a compiled option missing?

I have postfix 2.5.1 on centos 64bit

#postconf -n
config_directory = /etc/postfix
mail_owner = postfix
setgid_group = postdrop
smtpd_client_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
smtpd_delay_reject = no
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
smtpd_restriction_classes = local_only
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:12
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mysql:$config_directory/mysql_virtual_mailbox_domains.cf
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 101
virtual_transport = dovecot
virtual_uid_maps = static:101

From: Jeroen Geilman on 30 May 2010 07:58

On 05/30/2010 01:29 PM, Jarrod Neven wrote:
> I am trying to setup restriction to prevent selected users from
> sending email externally. I have followed the "Restricting what users
> can send mail to off-site destinations" guide at
> http://www.postfix.net/RESTRICTION_CLASS_README.html but it is not
> having any effect.

Then you have not put the restrictions in the correct order, or you are lacking restrictions that are required to make it work.

>
> It appears that no matter what I do smtpd_recipient_restrictions has
> no effect. Have set the hash file to an invalid file and created
> syntax errors and there are no error messages in the log, even set
> smtpd_recipient_restrictions = reject and it did nothing.

smtpd_recipient_restrictions is the LAST restriction class to be applied. If mail was accepted before then, REJECTing it here does nothing.

>
> In master.cf I have added -v -v to the smtpd process and it shows no
> mention of the value smtpd_recipient_restrictions, looks like it is
> ignored completely.
>
> Is there anything that can prevent smtpd_recipient_restrictions from
> working? Maybe a compiled option missing?
>
> I have postfix 2.5.1 on centos 64bit
>
> #postconf -n
> config_directory = /etc/postfix
> mail_owner = postfix
> setgid_group = postdrop
> smtpd_client_restrictions = check_sender_access
> hash:/etc/postfix/restricted_senders

check_sender_access does not work here; remove it.

> smtpd_delay_reject = no

You NEED this to be "yes".

> smtpd_recipient_restrictions = check_sender_access
> hash:/etc/postfix/restricted_senders

That is not sufficient by a long shot.
Take a look at the UCE cheat sheet (google for it!)

> smtpd_restriction_classes = local_only

I don't know who told you to set this, but - don't. Leave options you don't understand well enough alone.

> smtpd_sender_restrictions = check_sender_access
> hash:/etc/postfix/restricted_senders

This is the first instance where sender checks can be applied.

J.

From: Michael Tokarev on 30 May 2010 13:37

30.05.2010 15:58, Jeroen Geilman wrote:
> On 05/30/2010 01:29 PM, Jarrod Neven wrote:
[]
>> #postconf -n
>> config_directory = /etc/postfix
>> mail_owner = postfix
>> setgid_group = postdrop
>> smtpd_client_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
> check_sender_access does not work here; remove it.

It does, with smtpd_delay_reject = yes

>> smtpd_delay_reject = no
> You NEED this to be "yes".

If you NEED this to be "yes" it does not mean everyone else needs the same. I set it to no in 1998.

>> smtpd_recipient_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
> That is not sufficient by a long shot.
> Take a look at the UCE cheat sheet (google for it!)

The term "sufficient" may mean different things depending on the goals. Depending on the contents of restricted_senders table it may be pretty well actually, provided that table has a reasonable default entry.

>> smtpd_restriction_classes = local_only
> I don't know who told you to set this, but - don't. Leave options you
> don't understand well enough alone.

He said right at the beginning that he's implementing restriction classes according to RESTRICTION_CLASS_README, and asked for help with that.

>> smtpd_sender_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
>
> This is the first instance where sender checks can be applied.

Only with smtpd_delay_reject=yes. But indeed, with smtpd_delay_reject=no (his setting) it makes little sense.

But continuing your own way, I'd say don't recommend people anything if you don't understand it... ;)

As of the original question, using "static:reject" for smtpd_recipient_restrictions will make postfix reject just everything. If it does not work, well, smtpd uses different config file, that's the only reasonable explanation which I can think of. Try running it with -v flag in master.cf.

/mjt

From: Michael Tokarev on 30 May 2010 13:38

30.05.2010 21:37, Michael Tokarev wrote:
> 30.05.2010 15:58, Jeroen Geilman wrote:
[]
>>> smtpd_client_restrictions = check_sender_access
>>> hash:/etc/postfix/restricted_senders
>> check_sender_access does not work here; remove it.
>
> It does, with smtpd_delay_reject = yes

Typo: it does, with smtpd_delay_reject=NO of course.

/mjt

From: Noel Jones on 30 May 2010 15:29

On 5/30/2010 6:58 AM, Jeroen Geilman wrote:
> On 05/30/2010 01:29 PM, Jarrod Neven wrote:
>> I am trying to setup restriction to prevent selected users from
>> sending email externally. I have followed the "Restricting what users
>> can send mail to off-site destinations" guide at
>> http://www.postfix.net/RESTRICTION_CLASS_README.html but it is not
>> having any effect.
>
> Then you have not put the restrictions in the correct order, or you are
> lacking restrictions that are required to make it work.
>>
>> It appears that no matter what I do smtpd_recipient_restrictions has
>> no effect. Have set the hash file to an invalid file and created
>> syntax errors and there are no error messages in the log, even set
>> smtpd_recipient_restrictions = reject and it did nothing.
>
> smtpd_recipient_restrictions is the LAST restriction class to be
> applied. If mail was accepted before then, REJECTing it here does nothing.

Incorrect. *Each* smtpd_*_restrictions section must evaluate to OK or permit. Just because you OK a client in smtpd_client_restrictions doesn't give them a free ride in smtpd_recipient_restrictions.

So if you're going to speculate, pick something better.

For a better guess, we need to see log entries of the transaction.

>>
>> In master.cf I have added -v -v to the smtpd process and it shows no
>> mention of the value smtpd_recipient_restrictions, looks like it is
>> ignored completely.
>>
>> Is there anything that can prevent smtpd_recipient_restrictions from
>> working? Maybe a compiled option missing?

There are no compile options that will affect this. Show non-verbose postfix logging of a transaction you feel is handled incorrectly.

>>
>> I have postfix 2.5.1 on centos 64bit
>>
>> #postconf -n
>> config_directory = /etc/postfix
>> mail_owner = postfix
>> setgid_group = postdrop
>> smtpd_client_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
> check_sender_access does not work here; remove it.

It does work here, with the default smtpd_delay_reject = yes. But the reason to remove it is because you've duplicated the same check in several places; no need to perform a single check more than once.

>> smtpd_delay_reject = no
> You NEED this to be "yes".

The default and recommended value is yes. Postfix restrictions behave differently if you set this to "no"; don't change it unless you understand the differences and why you might not want to change it.

This may be the OP's problem. Or maybe the OP is submitting mail via sendmail(1) rather than via SMTP. Logs will show.

>> smtpd_recipient_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders

This restriction is incomplete.

> That is not sufficient by a long shot.
> Take a look at the UCE cheat sheet (google for it!)

This critique is also incomplete. Show or quote postfix docs supporting your assertions, such as: smtpd_recipient_restrictions must default to reject or defer so you're not an open relay, please see http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

>
>> smtpd_restriction_classes = local_only

Looks OK.

> I don't know who told you to set this, but - don't. Leave options you
> don't understand well enough alone.

I expect the OP is following the RESTRICTION_CLASS_README examples, as he stated.

>
>> smtpd_sender_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
>
> This is the first instance where sender checks can be applied.

.... unless you use the default/recommended smtpd_delay_reject=yes.

--
Noel Jones
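
Added example, not part of the thread and not Postfix code: a simplified Python model of the two behaviours Noel Jones describes above, that each smtpd_*_restrictions list is evaluated on its own and that smtpd_delay_reject decides what information a list can see. The addresses, table contents and function names are constructed for illustration; helo restrictions, relay checks and Postfix's full table lookup order are left out.

```python
# Added illustration: a simplified model of smtpd access evaluation, not Postfix code.
# All addresses and table contents are constructed sample data.
TABLES = {
    "restricted_senders": {"intern@example.com": "local_only"},
    "local_domains": {"example.com": "OK"},
}
# Restriction class in the style of RESTRICTION_CLASS_README.
CLASSES = {"local_only": ["check_recipient_access local_domains", "reject"]}

def run_list(restrictions, sender, rcpt):
    """Evaluate one restriction list and return 'OK', 'REJECT' or 'DUNNO'."""
    for item in restrictions:
        name, _, table = item.partition(" ")
        if name == "permit":
            return "OK"
        if name == "reject":
            return "REJECT"
        if name == "check_sender_access":
            key = sender
        elif name == "check_recipient_access":
            key = rcpt.rpartition("@")[2] if rcpt else None
        else:
            raise ValueError(f"restriction not modelled: {name}")
        # Information the client has not sent yet cannot match a table.
        action = TABLES[table].get(key) if key else None
        if action in CLASSES:  # the table result names a restriction class
            action = run_list(CLASSES[action], sender, rcpt)
        if action in ("OK", "REJECT"):
            return action
    return "DUNNO"  # nothing matched: this list raises no objection

def smtp_session(cfg, sender, rcpt, delay_reject=True):
    """Return which list rejected the mail, or 'accepted'."""
    # What each list can see at its own SMTP stage (connect, MAIL FROM, RCPT TO).
    stages = [("client", None, None), ("sender", sender, None),
              ("recipient", sender, rcpt)]
    for stage, seen_sender, seen_rcpt in stages:
        if delay_reject:  # all lists are evaluated at RCPT TO
            seen_sender, seen_rcpt = sender, rcpt
        # An OK here ends this list only; later lists are still evaluated.
        if run_list(cfg.get(stage, []), seen_sender, seen_rcpt) == "REJECT":
            return f"rejected by smtpd_{stage}_restrictions"
    return "accepted"
```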