
access limit


Pavel Urban

Jul 9, 2003, 7:01:18 AM
Hello,

We already have these access restrictions in place:

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

but we have decided to further restrict the access to our server by
allowing only people from our IP pool to authenticate and then send
mail. But I cannot see an easy way to accomplish this. Can anybody help
me, please?

We are using postfix-2.0.9 on Linux servers.

--
***********************************************************************
Pavel Urban (pavel...@hq.iol.cz)
IOL system disaster
Internet OnLine, www.iol.cz
***********************************************************************
Vegetables should not operate electronic equipment.
Computer Stupidities, http://rinkworks.com/stupid/
***********************************************************************

Pavel Urban

Jul 9, 2003, 8:39:58 AM
Pavel Urban wrote:
> Hello,
>
> we already have this access restrictions in place:
>
> smtpd_recipient_restrictions =
> reject_non_fqdn_recipient
> reject_unknown_recipient_domain
> permit_mynetworks
> permit_sasl_authenticated
> reject_unauth_destination
>
> ,but we have decided to further restrict the access to our server by
> allowing only people from our IP pool to authenticate and then send
> mail. But I cannot see an easy way to accomplish this. Can anybody help
> me, please?
>
> We are using postfix-2.0.9 on Linux servers.
>

Oh, I forgot to say that mynetworks is set to internal servers only,
so they are able to relay.

Ralf Hildebrandt

Jul 9, 2003, 8:43:07 AM
* Pavel Urban <urb...@mlp.cz>:

> smtpd_recipient_restrictions =
> reject_non_fqdn_recipient
> reject_unknown_recipient_domain
> permit_mynetworks
> permit_sasl_authenticated
> reject_unauth_destination
>
> ,but we have decided to further restrict the access to our server by
> allowing only people from our IP pool to authenticate and then send
> mail. But I cannot see an easy way to accomplish this. Can anybody help
> me, please?

You must use smtpd_restriction_classes for that.

smtpd_restriction_classes = must_authenticate

must_authenticate =
    permit_sasl_authenticated
    reject_unauth_destination
    permit

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    check_client_access hash:/etc/postfix/mynetworks
    reject_unauth_destination
    permit

in /etc/postfix/mynetworks:

10 must_authenticate
192.168 must_authenticate

--
Ralf Hildebrandt Ralf.Hil...@charite.de
my current spamtrap spam...@charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
If I had a ( for every $ the government spent, what would I have?
Typical unix response: Too many ('s.

Pavel Urban

Jul 10, 2003, 7:09:02 AM

Yes! It works! Thanks a lot! The only thing that puzzles me is that I
thought that:

10 must_authenticate
192.168 must_authenticate
* REJECT "Our-nasty-message"

should work, but it doesn't...

Ralf Hildebrandt

Jul 10, 2003, 7:12:07 AM
* Pavel Urban <urb...@mlp.cz>:

> >in /etc/postfix/mynetworks:
> >
> >10 must_authenticate
> >192.168 must_authenticate
> >
>
> Yes! It works! Thanks a lot! The only thing that puzzles me is that I
> thought that:
>
> 10 must_authenticate
> 192.168 must_authenticate
> * REJECT "Our-nasty-message"
>
> should work, but it doesn't...

What makes you think it should work? man 5 access does not list "*" as
a valid LHS.

There is no reason for any individual to have a computer in their home.
--Ken Olson, President of DEC, World Future Society Convention, 1977
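
The lookup behaviour behind the `*` question, as an added example that is not part of the original thread: a simplified Python model of how check_client_access searches a hash map for an IPv4 client and how the restrictions posted above then decide. Hostname lookups and the two reject_*_recipient checks are left out, and the function names and sample addresses are constructed for illustration.

```python
# Simplified model, not Postfix code: IPv4 address keys only.
# Constructed copy of /etc/postfix/mynetworks from the thread,
# plus the "*" line that was tried and did not work.
ACCESS_MAP = {
    "10": "must_authenticate",
    "192.168": "must_authenticate",
    "*": 'REJECT "Our-nasty-message"',
}


def lookup_keys(client_ip):
    """Keys tried for a client: the full address, then the address
    with trailing octets stripped one at a time (see access(5))."""
    octets = client_ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def check_client_access(client_ip, table=ACCESS_MAP):
    """Return the right-hand side of the first exact key match, or None.
    None means "no decision": evaluation moves to the next restriction."""
    for key in lookup_keys(client_ip):
        if key in table:
            return table[key]
    return None


def recipient_decision(client_ip, sasl_authenticated, rcpt_domain_is_ours):
    """Walk the smtpd_recipient_restrictions from the reply above.
    rcpt_domain_is_ours (assumed input) stands for a recipient domain
    that reject_unauth_destination accepts."""
    action = check_client_access(client_ip)
    if action == "must_authenticate" and sasl_authenticated:
        return "permit"            # permit_sasl_authenticated in the class
    if action is not None and action.startswith("REJECT"):
        return "reject"            # never reached: no client yields key "*"
    # reject_unauth_destination, then the final permit. The same two
    # steps end both the class and the main restriction list.
    return "permit" if rcpt_domain_is_ours else "reject"


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.5.9", "100.1.2.3", "203.0.113.7"):
        print(ip, lookup_keys(ip), "->", check_client_access(ip))
    # Authenticated relay attempt from outside the pool is refused.
    print(recipient_decision("203.0.113.7", True, False))
```

Because every key is derived from the client address, the `*` entry is dead data in a hash map, and an authenticated client outside the listed networks still ends at reject_unauth_destination.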

Pavel Urban

Jul 10, 2003, 7:38:58 AM
>>
>>10 must_authenticate
>>192.168 must_authenticate
>>* REJECT "Our-nasty-message"
>>
>>should work, but it doesn't...
>
>
> What makes you think it should work? man 5 access does not list "*" as
> a valid LHS.
>

I see. Is it somehow possible to specify my custom message for IP
addresses that don't match listed ones, then?

Ralf Hildebrandt

Jul 10, 2003, 7:41:42 AM
* Pavel Urban <urb...@mlp.cz>:

> >What makes you think it should work? man 5 access does not list "*" as
> >a valid LHS.
> >
>
> I see. Is it somehow possible to specify my custom message for IP
> addresses that don't match listed ones, then?


You could try a regexp map

