From: Eric Williams on 5 Jan 2010 09:02

I've modified smtpd_recipient_restrictions to block incoming email with a whitelist (/etc/postfix/access) as follows:

    smtpd_recipient_restrictions =
        permit_sasl_authenticated
        permit_mynetworks
        reject_unauth_destination
        check_sender_access hash:/etc/postfix/access
        reject

This works great so that entries in /etc/postfix/access like:

    gmail.com OK
    harvard.edu OK

allow incoming email from those domains, all others are rejected.

I would like to apply the same access list so that users sending mail through this server can only reach those same domains.

I've tried lots of recipient checking configs but nothing works so far. I'd rather not do this with the firewall, keeping the whitelist monitored by postfix only.

Any suggestions?

Thanks.

----
Eric Williams
AIM & Email: wilersh(a)gmail.com
Skype: wilersh

From: Stan Hoeppner on 5 Jan 2010 09:12

Eric Williams put forth on 1/5/2010 8:02 AM:

> I would like to apply the same access list so that users sending mail through this server can only reach those same domains.
>
> I've tried lots of recipient checking configs but nothing works so far. I'd rather not do this with the firewall, keeping the whitelist monitored by postfix only.

So you want a dedicated smtp relay server that will only transfer mail between a handful of domains?

--
Stan

From: Eric Williams on 5 Jan 2010 09:15

On Tue, Jan 5, 2010 at 9:12 AM, Stan Hoeppner <stan(a)hardwarefreak.com> wrote:

> Eric Williams put forth on 1/5/2010 8:02 AM:
>
> > I would like to apply the same access list so that users sending mail through this server can only reach those same domains.
> >
> > I've tried lots of recipient checking configs but nothing works so far. I'd rather not do this with the firewall, keeping the whitelist monitored by postfix only.
>
> So you want a dedicated smtp relay server that will only transfer mail between a handful of domains?
>
> --
> Stan

That sounds like the correct description.

EW

From: Wietse Venema on 5 Jan 2010 09:57

Eric Williams:
> On Tue, Jan 5, 2010 at 9:12 AM, Stan Hoeppner <stan(a)hardwarefreak.com> wrote:
>
> > Eric Williams put forth on 1/5/2010 8:02 AM:
> >
> > > I would like to apply the same access list so that users sending mail through this server can only reach those same domains.
> > >
> > > I've tried lots of recipient checking configs but nothing works so far. I'd rather not do this with the firewall, keeping the whitelist monitored by postfix only.
> >
> > So you want a dedicated smtp relay server that will only transfer mail between a handful of domains?

You could use a tool such as Fail2Ban to watch the maillog file and update a Postfix access table.

The steps would be

1) See if the domain is already in the Postfix access table.
2) Add the domain.
3) Rebuild the table.

Example add-domain script:

    #!/bin/sh

    # usage: add-domain name

    case $# in
    1) postmap -q "$1" the-postfix-access-table >/dev/null || {
           echo "$1" OK >>the-postfix-access-table
           postmap the-postfix-access-table
       };;
    *) echo Usage: $0 domainame 1>&2; exit 1;;
    esac

If you handle lots of mail you will want to read and update the database files without running postmap commands for each email logfile record.

Wietse

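A batch form of the add-domain steps above, as an added example that is not part of the original thread: it takes many log-derived names at once, rejects anything that is not plain hostname syntax before it can reach the access table, and rebuilds the map once per batch. The function name `add_domains`, the `POSTMAP` override variable and the "one domain per line on stdin" input format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): batch variant of add-domain.
# Assumptions: the table is a plain-text access map with "domain OK" lines;
# POSTMAP is a hypothetical override for the postmap binary (e.g. dry runs).

# usage: add_domains table < one-domain-per-line
# Prints the number of domains added; rebuilds the map once if any were added.
add_domains() {
    table=$1
    [ -n "$table" ] || { echo "Usage: add_domains table" 1>&2; return 1; }
    touch "$table" || return 1
    added=0
    while IFS= read -r name; do
        # Names taken from logs are untrusted: normalise case, then accept
        # only letters, digits, hyphen and dot, with at least one inner dot.
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case $name in
            ''|*[!a-z0-9.-]*|.*|*.|-*|*..*) continue ;;
            *.*) ;;
            *) continue ;;
        esac
        # Look the key up in the first column of the text table; this also
        # catches a name repeated within the same batch.
        if ! awk -v k="$name" '$1 == k { found = 1 } END { exit !found }' "$table"; then
            printf '%s OK\n' "$name" >>"$table"
            added=$((added + 1))
        fi
    done
    # One rebuild per batch instead of one postmap run per log record.
    if [ "$added" -gt 0 ]; then
        "${POSTMAP:-postmap}" "$table" || return 1
    fi
    echo "$added"
}
```

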
From: Eric Williams on 5 Jan 2010 10:06

On Jan 5, 2010, at 9:57 AM, Wietse Venema wrote:

> Eric Williams:
>> On Tue, Jan 5, 2010 at 9:12 AM, Stan Hoeppner <stan(a)hardwarefreak.com> wrote:
>>
>>> Eric Williams put forth on 1/5/2010 8:02 AM:
>>>
>>>> I would like to apply the same access list so that users sending mail through this server can only reach those same domains.
>>>>
>>>> I've tried lots of recipient checking configs but nothing works so far. I'd rather not do this with the firewall, keeping the whitelist monitored by postfix only.
>>>
>>> So you want a dedicated smtp relay server that will only transfer mail between a handful of domains?
>
> You could use a tool such as Fail2Ban to watch the maillog file
> and update a Postfix access table.
>
> The steps would be
>
> 1) See if the domain is already in the Postfix access table.
> 2) Add the domain.
> 3) Rebuild the table.
>
> Example add-domain script:
>
>     #!/bin/sh
>
>     # usage: add-domain name
>
>     case $# in
>     1) postmap -q "$1" the-postfix-access-table >/dev/null || {
>            echo "$1" OK >>the-postfix-access-table
>            postmap the-postfix-access-table
>        };;
>     *) echo Usage: $0 domainame 1>&2; exit 1;;
>     esac
>
> If you handle lots of mail you will want to read and update the
> database files without running postmap commands for each email
> logfile record.
>
> Wietse

This is great info. I'll look into applying that in some form.

I think what I'm still missing is the proper restriction in the smtpd_recipient_restrictions section to restrict the outgoing mail.

    check_sender_access hash:/etc/postfix/access

works for incoming blocking. I haven't found the right config for the blocking. If it is implied in your response I apologize for my inexperience with this.

Thanks.

EW