whitelisting incoming /outgoing mail
in [Postfix]
|
Prev: forward problem: mail delivered twice
Next: quick query re forwarding local mail to another server
From: Wietse Venema on 5 Jan 2010 10:13 Eric Williams: > > On Jan 5, 2010, at 9:57 AM, Wietse Venema wrote: > > > Eric Williams: > >> On Tue, Jan 5, 2010 at 9:12 AM, Stan Hoeppner <stan(a)hardwarefreak.com>wrote: > >> > >>> Eric Williams put forth on 1/5/2010 8:02 AM: > >>> > >>>> I would like to apply the same access list so that users sending mail > >>> through this server can only reach those same domains. > >>>> > >>>> I've tried lots of recipient checking configs but nothing works so far. > >>> I'd rather not do this with the firewall, keeping the whitelist monitored by > >>> postfix only. > >>> > >>> So you want a dedicated smtp relay server that will only transfer mail > >>> between a > >>> handful of domains? > > > > You could use a tool such as Fail2Ban to watch the maillog file > > and update a Postfix access table. > > > > The steps would be > > > > 1) See if the domain is already in the Postfix access table. > > 2) Add the domain. > > 3) Rebuild the table. > > > > Example add-domain script: > > > > #!/bin/sh > > > > # usage: add-domain name > > > > case $# in > > 1) postmap -q "$1" the-postfix-access-table >/dev/null || { > > echo "$1" OK >>the-postfix-access-table > > postmap the-postfix-access-table > > };; > > *) echo Usage: $0 domainame 1>&2; exit 1;; > > esac > > > > If you handle lots of mail you will want to read and update the > > database files without running postmap commands for each email > > logfile record. > > > > Wietse > > > > This is great info. I'll look into applying that is some form. > > I think what I'm still missing is the proper restriction in the smptd_recipient_restrictions section to restrict the outgoing mail. > > check_sender_access hash:/etc/postfix/access > > works for incoming blocking. I haven't found the right config for the blocking. > > It if is implied in your response I apologize for my in-experience with this. smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated check_sender_access hash:/etc/postfix/sender_access reject Wietse
From: Eric Williams on 5 Jan 2010 10:46 On Jan 5, 2010, at 10:13 AM, Wietse Venema wrote: > Eric Williams: >> >> On Jan 5, 2010, at 9:57 AM, Wietse Venema wrote: >> >>> Eric Williams: >>>> On Tue, Jan 5, 2010 at 9:12 AM, Stan Hoeppner <stan(a)hardwarefreak.com>wrote: >>>> >>>>> Eric Williams put forth on 1/5/2010 8:02 AM: >>>>> >>>>>> I would like to apply the same access list so that users sending mail >>>>> through this server can only reach those same domains. >>>>>> >>>>>> I've tried lots of recipient checking configs but nothing works so far. >>>>> I'd rather not do this with the firewall, keeping the whitelist monitored by >>>>> postfix only. >>>>> >>>>> So you want a dedicated smtp relay server that will only transfer mail >>>>> between a >>>>> handful of domains? >>> >>> You could use a tool such as Fail2Ban to watch the maillog file >>> and update a Postfix access table. >>> >>> The steps would be >>> >>> 1) See if the domain is already in the Postfix access table. >>> 2) Add the domain. >>> 3) Rebuild the table. >>> >>> Example add-domain script: >>> >>> #!/bin/sh >>> >>> # usage: add-domain name >>> >>> case $# in >>> 1) postmap -q "$1" the-postfix-access-table >/dev/null || { >>> echo "$1" OK >>the-postfix-access-table >>> postmap the-postfix-access-table >>> };; >>> *) echo Usage: $0 domainame 1>&2; exit 1;; >>> esac >>> >>> If you handle lots of mail you will want to read and update the >>> database files without running postmap commands for each email >>> logfile record. >>> >>> Wietse >> >> >> >> This is great info. I'll look into applying that is some form. >> >> I think what I'm still missing is the proper restriction in the smptd_recipient_restrictions section to restrict the outgoing mail. >> >> check_sender_access hash:/etc/postfix/access >> >> works for incoming blocking. I haven't found the right config for the blocking. >> >> It if is implied in your response I apologize for my in-experience with this. > > smtpd_sender_restrictions = > permit_mynetworks > permit_sasl_authenticated > check_sender_access hash:/etc/postfix/sender_access > reject > > Wietse Thanks for the pointer. It still doesn't seem to be working to restrict outgoing email to a list of domains. I'll keep digging in and testing but if I'm missing something very obvious please be as blunt as you like. This is my first attempt at these type of mods. Thanks. EW
From: Noel Jones on 5 Jan 2010 10:56 On 1/5/2010 8:02 AM, Eric Williams wrote: > I've modified smtpd_recipient_restrictions to block incoming email with a whitelist (/etc/postfix/access) as follows: > > smtpd_recipient_restrictions = > permit_sasl_authenticated > permit_mynetworks > reject_unauth_destination > check_sender_access hash:/etc/postfix/access > reject > > This works great so that entries in /etc/postfix/access like: > > gmail.com OK > harvard.edu OK > > allow incoming email from those domains, all others are rejected. > > I would like to apply the same access list so that users sending mail through this server can only reach those same domains. > > I've tried lots of recipient checking configs but nothing works so far. I'd rather not do this with the firewall, keeping the whitelist monitored by postfix only. > > Any suggestions? Thanks. add to main.cf: smtpd_sender_restrictions = check_recipient_access hash:/etc/postfix/access permit_auth_destination reject Leave your smtpd_recipient_restrictions as they are shown above. This assumes the same domains are allowed for both incoming and outgoing, and also allows local users to send local mail. If you need to block local<->local, it gets trickier. -- Noel Jones
From: Eric Williams on 5 Jan 2010 11:03 On Jan 5, 2010, at 10:56 AM, Noel Jones wrote: > On 1/5/2010 8:02 AM, Eric Williams wrote: >> I've modified smtpd_recipient_restrictions to block incoming email with a whitelist (/etc/postfix/access) as follows: >> >> smtpd_recipient_restrictions = >> permit_sasl_authenticated >> permit_mynetworks >> reject_unauth_destination >> check_sender_access hash:/etc/postfix/access >> reject >> >> This works great so that entries in /etc/postfix/access like: >> >> gmail.com OK >> harvard.edu OK >> >> allow incoming email from those domains, all others are rejected. >> >> I would like to apply the same access list so that users sending mail through this server can only reach those same domains. >> >> I've tried lots of recipient checking configs but nothing works so far. I'd rather not do this with the firewall, keeping the whitelist monitored by postfix only. >> >> Any suggestions? Thanks. > > add to main.cf: > smtpd_sender_restrictions = > check_recipient_access hash:/etc/postfix/access > permit_auth_destination > reject > > Leave your smtpd_recipient_restrictions as they are shown above. This assumes the same domains are allowed for both incoming and outgoing, and also allows local users to send local mail. If you need to block local<->local, it gets trickier. > > -- Noel Jones That did the trick! Thanks to all! EW
First
|
Prev
|
Pages: 1 2 Prev: forward problem: mail delivered twice Next: quick query re forwarding local mail to another server |