From: Jarrod Neven on
I am trying to setup restriction to prevent selected users from sending
email externally. I have followed the "Restricting what users can send mail
to off-site destinations" guide at
http://www.postfix.net/RESTRICTION_CLASS_README.html but it is not having
any effect.

It appears that no matter what I do smtpd_recipient_restrictions has no
effect. Have set the hash file to an invalid file and created syntax errors
and there are no error messages in the log, even set
smtpd_recipient_restrictions = reject and it did nothing.

In maser.cf I have added -v -v to the smtpd process and it shows no mention
of the value smtpd_recipient_restrictions, looks like it is ignored
completely.

Is anything that can prevent smtpd_recipient_restrictions from working?
Maybe a compiled option missing?

I have postfix 2.5.1 on centos 64bit

#postconf -n
config_directory = /etc/postfix
mail_owner = postfix
setgid_group = postdrop
smtpd_client_restrictions = check_sender_access
hash:/etc/postfix/restricted_senders
smtpd_delay_reject = no
smtpd_recipient_restrictions = check_sender_access
hash:/etc/postfix/restricted_senders
smtpd_restriction_classes = local_only
smtpd_sender_restrictions = check_sender_access
hash:/etc/postfix/restricted_senders
virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
<http://mysql_virtual_alias_maps.cf>
virtual_gid_maps = static:12
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains =
mysql:$config_directory/mysql_virtual_mailbox_domains.cf
<http://mysql_virtual_mailbox_domains.cf>
virtual_mailbox_limit_maps =
mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
<http://mysql_virtual_mailbox_limit_maps.cf>
virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
<http://mysql_virtual_mailbox_maps.cf>
virtual_minimum_uid = 101
virtual_transport = dovecot
virtual_uid_maps = static:101


From: Jeroen Geilman on
On 05/30/2010 01:29 PM, Jarrod Neven wrote:
> I am trying to setup restriction to prevent selected users from
> sending email externally. I have followed the "Restricting what users
> can send mail to off-site destinations" guide at
> http://www.postfix.net/RESTRICTION_CLASS_README.html but it is not
> having any effect.

Then you have not put the restrictions in the correct order, or you are
lacking restrictions that are required to make it work.
>
> It appears that no matter what I do smtpd_recipient_restrictions has
> no effect. Have set the hash file to an invalid file and created
> syntax errors and there are no error messages in the log, even set
> smtpd_recipient_restrictions = reject and it did nothing.

smtpd_recipient_restrictions is the LAST restriction class to be
applied. if mail was accepted before then, REJECTing it here does nothing.
>
> In maser.cf I have added -v -v to the smtpd process and it shows no
> mention of the value smtpd_recipient_restrictions, looks like it is
> ignored completely.
>
> Is anything that can prevent smtpd_recipient_restrictions from
> working? Maybe a compiled option missing?
>
> I have postfix 2.5.1 on centos 64bit
>
> #postconf -n
> config_directory = /etc/postfix
> mail_owner = postfix
> setgid_group = postdrop
> smtpd_client_restrictions = check_sender_access
> hash:/etc/postfix/restricted_senders
check_sender_access does not work here; remove it.
> smtpd_delay_reject = no
You NEED this to be "yes".
> smtpd_recipient_restrictions = check_sender_access
> hash:/etc/postfix/restricted_senders
That is not sufficient by a long shot.
Take a look at the UCE cheat sheet (google for it!)

> smtpd_restriction_classes = local_only
I don't know who told you to set this, but - don't. leave options you
don't understand well enough alone.

> smtpd_sender_restrictions = check_sender_access
> hash:/etc/postfix/restricted_senders

This is the first instance where sender checks can be applied.

J.

From: Michael Tokarev on
30.05.2010 15:58, Jeroen Geilman wrote:
> On 05/30/2010 01:29 PM, Jarrod Neven wrote:
[]
>> #postconf -n
>> config_directory = /etc/postfix
>> mail_owner = postfix
>> setgid_group = postdrop
>> smtpd_client_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
> check_sender_access does not work here; remove it.

It does, with smtpd_delay_reject = yes

>> smtpd_delay_reject = no
> You NEED this to be "yes".

If you NEED this to be "yes" it does not mean everyone
else needs the same. I set it to no in 1998.

>> smtpd_recipient_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
> That is not sufficient by a long shot.
> Take a look at the UCE cheat sheet (google for it!)

The term "sufficient" may mean different things depending
on the goals. Depending on the contents of restricted_senders
table it may be pretty well actually, provided that table
has a reasonable default entry.

>> smtpd_restriction_classes = local_only
> I don't know who told you to set this, but - don't. leave options you
> don't understand well enough alone.

He said right at the beginning that he's implementing restriction
classes according to RESTRICTION_CLASS_README, and asked for help
with that.

>> smtpd_sender_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
>
> This is the first instance where sender checks can be applied.

Only with smtpd_delay_reject=yes. But indeed, with smtpd_delay_reject=no
(his setting) it makes little sense.

But continuing your own way, I'd say don't recommend
people anything if you don't understand it... ;)

As of the original question, using "static:reject" for
smtpd_recipient_restrictions will make postfix reject just
everything. If it does not work, well, smtpd uses different
config file, that's the only reasonable explanation which I
can think of. Try running it with -v flag in master.cf.

/mjt

From: Michael Tokarev on
30.05.2010 21:37, Michael Tokarev wrote:
> 30.05.2010 15:58, Jeroen Geilman wrote:
[]
>>> smtpd_client_restrictions = check_sender_access
>>> hash:/etc/postfix/restricted_senders
>> check_sender_access does not work here; remove it.
>
> It does, with smtpd_delay_reject = yes

Typo: it does, with smtpd_delay_reject=NO ofcourse.

/mjt

From: Noel Jones on
On 5/30/2010 6:58 AM, Jeroen Geilman wrote:
> On 05/30/2010 01:29 PM, Jarrod Neven wrote:
>> I am trying to setup restriction to prevent selected users from
>> sending email externally. I have followed the "Restricting what users
>> can send mail to off-site destinations" guide at
>> http://www.postfix.net/RESTRICTION_CLASS_README.html but it is not
>> having any effect.
>
> Then you have not put the restrictions in the correct order, or you are
> lacking restrictions that are required to make it work.
>>
>> It appears that no matter what I do smtpd_recipient_restrictions has
>> no effect. Have set the hash file to an invalid file and created
>> syntax errors and there are no error messages in the log, even set
>> smtpd_recipient_restrictions = reject and it did nothing.
>
> smtpd_recipient_restrictions is the LAST restriction class to be
> applied. if mail was accepted before then, REJECTing it here does nothing.

Incorrect. *Each* smtpd_*_restrictions section must evaluate
to OK or permit. Just because you OK a client in
smtpd_client_restrictions doesn't give them a free ride in
smtpd_recipient_restrictions.

So if you're going to speculate, pick something better.

For a better guess, we need to see log entries of the transaction.

>>
>> In maser.cf I have added -v -v to the smtpd process and it shows no
>> mention of the value smtpd_recipient_restrictions, looks like it is
>> ignored completely.
>>
>> Is anything that can prevent smtpd_recipient_restrictions from
>> working? Maybe a compiled option missing?

There are no compile options that will affect this. Show
non-verbose postfix logging of a transaction you feel is
handled incorrectly.


>>
>> I have postfix 2.5.1 on centos 64bit
>>
>> #postconf -n
>> config_directory = /etc/postfix
>> mail_owner = postfix
>> setgid_group = postdrop
>> smtpd_client_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
> check_sender_access does not work here; remove it.

It does work here, with the default smtpd_delay_reject = yes.
But the reason to remove it is because you've duplicated the
same check in several places; no need to perform a single
check more than once.

>> smtpd_delay_reject = no
> You NEED this to be "yes".

The default and recommended value is yes. Postfix
restrictions behave differently if you set this to "no"; don't
change it unless you understand the differences and why you
might not want to change it.

This may be the OPs problem. Or maybe the OP is submitting
mail via sendmail(1) rather than via SMTP. Logs will show.


>> smtpd_recipient_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders

This restriction is incomplete.

> That is not sufficient by a long shot.
> Take a look at the UCE cheat sheet (google for it!)

This critique is also incomplete. Show or quote postfix docs
supporting your assertions, such as:
smtpd_recipient_restrictions must default to reject or defer
so you're not an open relay, please see
http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions


>
>> smtpd_restriction_classes = local_only

Looks OK.

> I don't know who told you to set this, but - don't. leave options you
> don't understand well enough alone.

I expect the OP is following the RESTRICTION_CLASS_README
examples, as he stated.

>
>> smtpd_sender_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
>
> This is the first instance where sender checks can be applied.

.... unless you use the default/recommended smtpd_delay_reject=yes.



-- Noel Jones