Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Protecting internal email distribution lists

601 views
Skip to first unread message

Shelley Waltz

unread,
Jan 5, 2006, 10:35:32 AM1/5/06
to
I just read the FAQ regarding protecting internal email distribution
lists and this is just what I need. Here is the configuration
example from the FAQ ...

/etc/postfix/main.cf:
smtpd_recipient_restrictions =
hash:/etc/postfix/protected_destinations
..the usual stuff...

smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access hash:/etc/postfix/insiders,
reject

/etc/postfix/protected_destinations:
a...@my.domain insiders_only
a...@my.hostname insiders_only

/etc/postfix/insiders:
my.domain OK
another.domain OK


This will allow me to restrict the usage of specific internal aliases to
specific domains. My question is ...
I wish users(my users) to be able to use these aliases when at home or
traveling. Can I add an option to "insiders_only" which would also allow
those who have SMTP authenticated to use the alias?


I am using postfix-2.0.18-1.pcre.sasl2.tls.rhel3

thanks,
Shelley Waltz


{ Shelley Waltz;
Center for Advanced Biotechnology and Medicine;
Rutgers University/UMDNJ;
679 Hoes Lane;
Piscataway, NJ 08854;
732 235 3346 }


Sandy Drobic

unread,
Jan 5, 2006, 11:51:46 AM1/5/06
to
Shelley Waltz wrote:
> I just read the FAQ regarding protecting internal email distribution
> lists and this is just what I need. Here is the configuration
> example from the FAQ ...
>
> /etc/postfix/main.cf:
> smtpd_recipient_restrictions =
> hash:/etc/postfix/protected_destinations
> ..the usual stuff...

If "..the usual stuff..." is something like...
permit_mynetworks, reject_unauth_destination,...

...then you have a wonderful open relay. Do not return "OK" when you check
a value that the sender can falsify like the sender address, especially if
you use that check before reject_unauth_destination.

Why don't you just use

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_recipient_access hash:/etc/postfix/protected_destinations,
...

> smtpd_restriction_classes = insiders_only
> insiders_only = check_sender_access hash:/etc/postfix/insiders,
> reject
>
> /etc/postfix/protected_destinations:
> a...@my.domain insiders_only
> a...@my.hostname insiders_only

a...@my.domain REJECT


>
> /etc/postfix/insiders:
> my.domain OK
> another.domain OK

Not needed any more.

>
> This will allow me to restrict the usage of specific internal aliases to
> specific domains. My question is ...
> I wish users(my users) to be able to use these aliases when at home or
> traveling. Can I add an option to "insiders_only" which would also allow
> those who have SMTP authenticated to use the alias?

Just put in permit_sasl_authenticated before you check for the recipient
address in the order of your restrictions.

Sandy

Shelley Waltz

unread,
Jan 5, 2006, 12:55:33 PM1/5/06
to
Thanks. I am not an open relay, the example was from the FAQ.
I currently have ...
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination

If I add
check_recipient_access hash:/etc/postfix/protected_destinations

as the last check, and then in
/etc/postfix/protected_destinations
a...@my.domain REJECT

This will work in rejecting access to the alias "all@mydomain" unless one
of the three other rules issued "OK" and thus never got to
check_recipient_access?

If so, what if I wish an exception, ie, to allow an outside, unauthenticated
sender to use the all alias. Can I add the exception in
protected_destinations before the REJECT?

thanks
Shelley

mouss

unread,
Jan 5, 2006, 1:35:05 PM1/5/06
to
Shelley Waltz a écrit :

> I just read the FAQ regarding protecting internal email distribution
> lists and this is just what I need.

This has come up at least twice very recently.

Here is the configuration
> example from the FAQ ...
>
> /etc/postfix/main.cf:
> smtpd_recipient_restrictions =
> hash:/etc/postfix/protected_destinations
> ..the usual stuff...
>
> smtpd_restriction_classes = insiders_only
> insiders_only = check_sender_access hash:/etc/postfix/insiders,
> reject
>
> /etc/postfix/protected_destinations:
> a...@my.domain insiders_only
> a...@my.hostname insiders_only
>
> /etc/postfix/insiders:
> my.domain OK
> another.domain OK
>
>

In short, anybody claiming to be foo AT my.domain is able to send to all
AT my.domain.


BTW. Please don't use domains that belong to other people. my.domain
doesn't belong to you. use example.[com|org|net], .example, .invalid,
... There is even an RFC for that.

> This will allow me to restrict the usage of specific internal aliases to
> specific domains. My question is ...
> I wish users(my users) to be able to use these aliases when at home or
> traveling. Can I add an option to "insiders_only" which would also allow
> those who have SMTP authenticated to use the alias?
>

smtpd_recipient_restrictions =
#auth users can send to anybody
permit_sals_authenticated
#internal users can send to anybody
permit_mynetworks
#no other clients can relay
reject_unauth_destination
#some addresses are local only
check_recipient_access hash:/etc/postfix/local_only
...


and in local_only, put
a...@example.com REJECT
...

No need for classes.

I think the doc should be fixed as it seems to encourage people to go
for what they don't really need.

Sandy Drobic

unread,
Jan 5, 2006, 1:45:18 PM1/5/06
to
Shelley Waltz wrote:

Please don't top post, it makes it difficult to find out what you are
refering to.

> Thanks. I am not an open relay, the example was from the FAQ.

Which faq? I only see an example that uses "permit_mynetworks,reject" as
the restriction for the email address. That is a bit different from your
example.

> I currently have ...
> smtpd_recipient_restrictions =
> permit_sasl_authenticated,
> permit_mynetworks,
> reject_unauth_destination

That's okay for the beginning.

> If I add
> check_recipient_access hash:/etc/postfix/protected_destinations
>
> as the last check, and then in
> /etc/postfix/protected_destinations
> a...@my.domain REJECT
>
> This will work in rejecting access to the alias "all@mydomain" unless one
> of the three other rules issued "OK" and thus never got to
> check_recipient_access?

Correct.

> If so, what if I wish an exception, ie, to allow an outside, unauthenticated
> sender to use the all alias. Can I add the exception in
> protected_destinations before the REJECT?

Not directly. Your restriction would check for the recipient in the
database protected_destinations. In order to whitelist a sender you have
to check for the sender address before your recipient check.

smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
check_sender_access hash:/etc/postfix/sender_whitelist
check_recipient_access hash/etc/postfix/protected_destinations

/etc/postfix/sender_whitelist:
whitelisted.example.com OK

It's safe to return "OK" as a result here because it's placed after
reject_unauth_destination, so you won't turn into an open relay. In fact,
you NEED to return "OK", not "DUNNO", because you don't want to use the
restrictions after the whitelist check for the whitelisted senders.

If possible do not user check_sender_access, use check_client_access which
checks for the DNS name/ip address of the sending client.

Sandy

Stephen Cheboi

unread,
Jan 13, 2006, 1:32:17 AM1/13/06
to
Team,
I could be repeating this ,but i still have a problem.
I don't fully understand my main.cf file correctly since am green in Postfix.
What is happening is that external spam mails are send to a mailing list of
all staff, which i want to reject.
The suggestions mentioned in the mail appears it will work for me if my
smtp_recipient_restrictions are correctly put.

Below is what i have in my main.cf file.

smtpd_recipient_restrictions =
check_sender_access ldap:ldapSenderAccess,
ldap:ldapRecipientAccess, permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination
....
smtpd_restriction_classes =
local_sender_only, local_recipient_only
local_sender_only = check_recipient_access ldap:ldapLocalDomains,
reject
local_recipient_only = check_sender_access ldap:ldapLocalDomains,
reject

What i don't understand is the ldap syntax. Can someone tell me how to
simply this?
Or do i include the entire main.cf file for one to have a look at it and
tell me where to make this correction?

The following restriction line is also commented, is that a problem?

#smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unknown_client

Kindly assist and sorry for the bother.

Thank you,
Stephen


At 09:45 PM 1/5/06, Sandy Drobic wrote:
>Shelley Waltz wrote:
>
>Please don't top post, it makes it difficult to find out what you are
>refering to.
>

>>Thanks. I am not an open relay, the example was from the FAQ.
>

>Which faq? I only see an example that uses "permit_mynetworks,reject" as
>the restriction for the email address. That is a bit different from your
>example.
>

>>I currently have ...
>>smtpd_recipient_restrictions =
>> permit_sasl_authenticated,
>> permit_mynetworks,
>> reject_unauth_destination
>

>That's okay for the beginning.
>

>>If I add
>> check_recipient_access hash:/etc/postfix/protected_destinations
>>as the last check, and then in
>>/etc/postfix/protected_destinations
>>a...@my.domain REJECT
>>This will work in rejecting access to the alias "all@mydomain" unless one
>>of the three other rules issued "OK" and thus never got to
>>check_recipient_access?
>

>Correct.


>
>>If so, what if I wish an exception, ie, to allow an outside, unauthenticated
>>sender to use the all alias. Can I add the exception in
>>protected_destinations before the REJECT?
>

Sandy Drobic

unread,
Jan 13, 2006, 4:51:56 PM1/13/06
to
Stephen Cheboi wrote:

Please do no hijack threads, start a new one.
Please do not top post.
Please follow the advice in the greeting mail when you registered for this
mailing list: "postconf -n", logs that show the problem.

> Team,
> I could be repeating this ,but i still have a problem.
> I don't fully understand my main.cf file correctly since am green in
> Postfix.
> What is happening is that external spam mails are send to a mailing list
> of all staff, which i want to reject.
> The suggestions mentioned in the mail appears it will work for me if my
> smtp_recipient_restrictions are correctly put.

If you want to disable access to certain recipients (your list addresses
for internal use only) reject it after you accept mail from your internal
clients.

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,

check_recipient_access hash/etc/postfix/recipient_access
....

/etc/postfix/recipient_access:
inte...@example.com REJECT

I assume in this example that your clients either authenticate themselves
with sasl or do no need to authenticate because their IPs are in $mynetworks.


>
> Below is what i have in my main.cf file.

Output of "postconf -n" is prefered.

Sandy

0 new messages