
smtpd_recipient_restrictions has no effect


Jarrod Neven

May 30, 2010, 7:29:20 AM
I am trying to set up a restriction to prevent selected users from sending email externally. I have followed the "Restricting what users can send mail to off-site destinations" guide at http://www.postfix.net/RESTRICTION_CLASS_README.html but it is not having any effect.

It appears that no matter what I do, smtpd_recipient_restrictions has no effect. I have set the hash file to an invalid file and created syntax errors and there are no error messages in the log; I even set smtpd_recipient_restrictions = reject and it did nothing.

In master.cf I have added -v -v to the smtpd process and it shows no mention of the value smtpd_recipient_restrictions; it looks like it is ignored completely.

Is there anything that can prevent smtpd_recipient_restrictions from working? Maybe a compiled option missing?

I have Postfix 2.5.1 on CentOS 64-bit.

#postconf -n
config_directory = /etc/postfix
mail_owner = postfix
setgid_group = postdrop
smtpd_client_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
smtpd_delay_reject = no
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
smtpd_restriction_classes = local_only
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:12
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mysql:$config_directory/mysql_virtual_mailbox_domains.cf
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 101
virtual_transport = dovecot
virtual_uid_maps = static:101

Jeroen Geilman

May 30, 2010, 7:58:11 AM
On 05/30/2010 01:29 PM, Jarrod Neven wrote:
I am trying to setup restriction to prevent selected users from sending email externally. I have followed the "Restricting what users can send mail to off-site destinations" guide at http://www.postfix.net/RESTRICTION_CLASS_README.html but it is not having any effect.

Then you have not put the restrictions in the correct order, or you are lacking restrictions that are required to make it work.


It appears that no matter what I do, smtpd_recipient_restrictions has no effect. I have set the hash file to an invalid file and created syntax errors and there are no error messages in the log; I even set smtpd_recipient_restrictions = reject and it did nothing.

smtpd_recipient_restrictions is the LAST restriction class to be applied. If mail was accepted before then, REJECTing it here does nothing.


In master.cf I have added -v -v to the smtpd process and it shows no mention of the value smtpd_recipient_restrictions; it looks like it is ignored completely.

Is there anything that can prevent smtpd_recipient_restrictions from working? Maybe a compiled option missing?

I have Postfix 2.5.1 on CentOS 64-bit.

#postconf -n
config_directory = /etc/postfix
mail_owner = postfix
setgid_group = postdrop
smtpd_client_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
check_sender_access does not work here; remove it.
smtpd_delay_reject = no
You NEED this to be "yes".

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
That is not sufficient by a long shot.
Take a look at the UCE cheat sheet (google for it!)

smtpd_restriction_classes = local_only
I don't know who told you to set this, but - don't. Leave options you don't understand well enough alone.


smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/restricted_senders

This is the first instance where sender checks can be applied.

J.

Michael Tokarev

May 30, 2010, 1:37:03 PM
30.05.2010 15:58, Jeroen Geilman wrote:
> On 05/30/2010 01:29 PM, Jarrod Neven wrote:
[]

>> #postconf -n
>> config_directory = /etc/postfix
>> mail_owner = postfix
>> setgid_group = postdrop
>> smtpd_client_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
> check_sender_access does not work here; remove it.

It does, with smtpd_delay_reject = yes

>> smtpd_delay_reject = no
> You NEED this to be "yes".

If you NEED this to be "yes" it does not mean everyone
else needs the same. I set it to no in 1998.

>> smtpd_recipient_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
> That is not sufficient by a long shot.
> Take a look at the UCE cheat sheet (google for it!)

The term "sufficient" may mean different things depending
on the goals. Depending on the contents of restricted_senders
table it may be pretty well actually, provided that table
has a reasonable default entry.

>> smtpd_restriction_classes = local_only
> I don't know who told you to set this, but - don't. leave options you
> don't understand well enough alone.

He said right at the beginning that he's implementing restriction
classes according to RESTRICTION_CLASS_README, and asked for help
with that.

>> smtpd_sender_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
>
> This is the first instance where sender checks can be applied.

Only with smtpd_delay_reject=yes. But indeed, with smtpd_delay_reject=no
(his setting) it makes little sense.

But continuing your own way, I'd say don't recommend
people anything if you don't understand it... ;)

As for the original question, using "static:reject" for
smtpd_recipient_restrictions will make postfix reject just
everything. If it does not work, well, smtpd uses a different
config file; that's the only reasonable explanation which I
can think of. Try running it with -v flag in master.cf.

/mjt

Michael Tokarev

May 30, 2010, 1:38:14 PM
30.05.2010 21:37, Michael Tokarev wrote:
> 30.05.2010 15:58, Jeroen Geilman wrote:
[]

>>> smtpd_client_restrictions = check_sender_access
>>> hash:/etc/postfix/restricted_senders
>> check_sender_access does not work here; remove it.
>
> It does, with smtpd_delay_reject = yes

Typo: it does, with smtpd_delay_reject=NO of course.

/mjt

Noel Jones

May 30, 2010, 3:29:24 PM
On 5/30/2010 6:58 AM, Jeroen Geilman wrote:
> On 05/30/2010 01:29 PM, Jarrod Neven wrote:
>> I am trying to setup restriction to prevent selected users from
>> sending email externally. I have followed the "Restricting what users
>> can send mail to off-site destinations" guide at
>> http://www.postfix.net/RESTRICTION_CLASS_README.html but it is not
>> having any effect.
>
> Then you have not put the restrictions in the correct order, or you are
> lacking restrictions that are required to make it work.
>>
>> It appears that no matter what I do smtpd_recipient_restrictions has
>> no effect. Have set the hash file to an invalid file and created
>> syntax errors and there are no error messages in the log, even set
>> smtpd_recipient_restrictions = reject and it did nothing.
>
> smtpd_recipient_restrictions is the LAST restriction class to be
> applied. if mail was accepted before then, REJECTing it here does nothing.

Incorrect. *Each* smtpd_*_restrictions section must evaluate
to OK or permit. Just because you OK a client in
smtpd_client_restrictions doesn't give them a free ride in
smtpd_recipient_restrictions.

So if you're going to speculate, pick something better.

For a better guess, we need to see log entries of the transaction.

>>
>> In master.cf I have added -v -v to the smtpd process and it shows no
>> mention of the value smtpd_recipient_restrictions; it looks like it is
>> ignored completely.
>>
>> Is there anything that can prevent smtpd_recipient_restrictions from
>> working? Maybe a compiled option missing?

There are no compile options that will affect this. Show
non-verbose postfix logging of a transaction you feel is
handled incorrectly.


>>
>> I have postfix 2.5.1 on centos 64bit
>>

>> #postconf -n
>> config_directory = /etc/postfix
>> mail_owner = postfix
>> setgid_group = postdrop

>> smtpd_client_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
> check_sender_access does not work here; remove it.

It does work here, with the default smtpd_delay_reject = yes.
But the reason to remove it is because you've duplicated the
same check in several places; no need to perform a single
check more than once.

>> smtpd_delay_reject = no
> You NEED this to be "yes".

The default and recommended value is yes. Postfix
restrictions behave differently if you set this to "no"; don't
change it unless you understand the differences and why you
might not want to change it.

This may be the OP's problem. Or maybe the OP is submitting
mail via sendmail(1) rather than via SMTP. Logs will show.


>> smtpd_recipient_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders

This restriction is incomplete.

> That is not sufficient by a long shot.
> Take a look at the UCE cheat sheet (google for it!)

This critique is also incomplete. Show or quote postfix docs
supporting your assertions, such as:
smtpd_recipient_restrictions must default to reject or defer
so you're not an open relay, please see
http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions


>
>> smtpd_restriction_classes = local_only

Looks OK.

> I don't know who told you to set this, but - don't. leave options you
> don't understand well enough alone.

I expect the OP is following the RESTRICTION_CLASS_README
examples, as he stated.

>
>> smtpd_sender_restrictions = check_sender_access
>> hash:/etc/postfix/restricted_senders
>
> This is the first instance where sender checks can be applied.

... unless you use the default/recommended smtpd_delay_reject=yes.

-- Noel Jones
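The restriction-class setup that Noel's reply and the README are pointing at, worked through as an added example (this is my code, not the thread's and not Postfix's): a small Python model of how smtpd walks smtpd_recipient_restrictions for one RCPT TO. The access tables (what the hash:restricted_senders and local_domains files would hold), the addresses, and the networks are constructed. It shows the three points the thread argues over: a restriction class only decides when the table returns its name and otherwise hands control back to the enclosing list; the implicit permit at the end of an undecided top-level list is exactly what makes a bare check_sender_access an open relay; and the sender check has to sit ahead of permit_mynetworks, otherwise a restricted user on a trusted host (a webmail box on localhost, say) is permitted before the class ever runs. One practitioner check worth knowing: on the 2.5-era Postfix in this thread, smtpd refuses to start (it logs a fatal error) unless smtpd_recipient_restrictions contains reject_unauth_destination, reject, defer or defer_if_permit; later releases also accept that in smtpd_relay_restrictions. None of this touches mail that never passes through smtpd.

```python
"""Model of how Postfix smtpd walks smtpd_recipient_restrictions for one
RCPT TO when a restriction class is in play, after RESTRICTION_CLASS_README.
Added example, not Postfix code; tables, addresses and networks are
constructed.  The main.cf it models (hash: files hold the dicts below):

    smtpd_restriction_classes = local_only
    local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
    smtpd_recipient_restrictions =
        check_sender_access hash:/etc/postfix/restricted_senders,
        permit_mynetworks,
        reject_unauth_destination
"""
import ipaddress

# Constructed access(5) tables and site parameters.
RESTRICTED_SENDERS = {"alice@example.com": "local_only"}      # restricted_senders
LOCAL_DOMAINS = {"example.com": "OK", "example.net": "OK"}    # local_domains
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
DESTINATIONS = {"example.com", "example.net"}   # domains this server accepts mail for

CLASSES = {"local_only": [("check_recipient_access", LOCAL_DOMAINS), "reject"]}

# README-style list.  The sender check sits ahead of permit_mynetworks so a
# restricted user on a trusted host (webmail on localhost, say) is still
# caught; reject_unauth_destination then closes the relay for everyone else.
README_RCPT = [("check_sender_access", RESTRICTED_SENDERS),
               "permit_mynetworks", "reject_unauth_destination"]
# The list from the original post: the sender check alone.
OP_RCPT = [("check_sender_access", RESTRICTED_SENDERS)]


def access_lookup(table, addr):
    """access(5) lookup order for an address: user@domain, then the domain
    and each parent domain, then user@.  Returns the table value or None."""
    user, _, domain = addr.partition("@")
    labels = domain.split(".")
    keys = [addr] + [".".join(labels[i:]) for i in range(len(labels) - 1)] + [user + "@"]
    for key in keys:
        if key in table:
            return table[key]
    return None


def authorized_destination(domain):
    """reject_unauth_destination lets through a domain that is one of ours or under one."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in DESTINATIONS for i in range(len(labels)))


def walk(restrictions, client_ip, sender, recipient):
    """First match wins.  Returns "OK", "REJECT", or None when the list ends
    undecided; an undecided class hands control back to the enclosing list."""
    ip = ipaddress.ip_address(client_ip)
    for item in restrictions:
        name, table = item if isinstance(item, tuple) else (item, None)
        if name == "permit":
            return "OK"
        if name == "reject":
            return "REJECT"
        if name == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return "OK"
        elif name == "reject_unauth_destination":
            if not authorized_destination(recipient.rpartition("@")[2]):
                return "REJECT"
        elif name in ("check_sender_access", "check_recipient_access"):
            addr = sender if name == "check_sender_access" else recipient
            result = access_lookup(table, addr)
            if result in CLASSES:        # the table named a restriction class
                result = walk(CLASSES[result], client_ip, sender, recipient)
            if result in ("OK", "REJECT"):
                return result
            # None (no entry) or DUNNO: no decision, go on to the next restriction
        else:
            raise ValueError("unsupported restriction: " + name)
    return None


def rcpt_decision(restrictions, client_ip, sender, recipient):
    """Verdict for one RCPT TO.  A top-level list that ends undecided
    permits: that implicit permit is what makes OP_RCPT an open relay."""
    return walk(restrictions, client_ip, sender, recipient) or "OK"


if __name__ == "__main__":
    cases = [
        ("README", README_RCPT, "127.0.0.1", "alice@example.com", "bob@example.net"),
        ("README", README_RCPT, "127.0.0.1", "alice@example.com", "bob@mail.example"),
        ("README", README_RCPT, "127.0.0.1", "carol@example.com", "bob@mail.example"),
        ("README", README_RCPT, "203.0.113.9", "carol@example.com", "bob@mail.example"),
        ("README", README_RCPT, "203.0.113.9", "x@mail.example", "bob@example.com"),
        ("OP", OP_RCPT, "203.0.113.9", "x@mail.example", "y@mail.example"),
    ]
    for label, lst, ip, s, r in cases:
        print(f"{label:6} client={ip:12} {s} -> {r}: {rcpt_decision(lst, ip, s, r)}")
```

Running it prints one verdict per case: the restricted user gets OK to a local domain and REJECT off-site, the unrestricted user on localhost is permitted by permit_mynetworks, an outside client relaying off-site is rejected, inbound mail for our domain is accepted, and the same outside client relaying through the original post's one-entry list is accepted. The model walks only the restrictions it names and assumes the default smtpd_delay_reject=yes, so every list is evaluated at RCPT TO with the recipient known.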

Jeroen Geilman

May 30, 2010, 4:02:39 PM
On 05/30/2010 09:29 PM, Noel Jones wrote:
> On 5/30/2010 6:58 AM, Jeroen Geilman wrote:
>> On 05/30/2010 01:29 PM, Jarrod Neven wrote:
>>> I am trying to setup restriction to prevent selected users from
>>> sending email externally. I have followed the "Restricting what users
>>> can send mail to off-site destinations" guide at
>>> http://www.postfix.net/RESTRICTION_CLASS_README.html but it is not
>>> having any effect.
>>
>> Then you have not put the restrictions in the correct order, or you are
>> lacking restrictions that are required to make it work.
>>>
>>> It appears that no matter what I do smtpd_recipient_restrictions has
>>> no effect. Have set the hash file to an invalid file and created
>>> syntax errors and there are no error messages in the log, even set
>>> smtpd_recipient_restrictions = reject and it did nothing.
>>
>> smtpd_recipient_restrictions is the LAST restriction class to be
>> applied. if mail was accepted before then, REJECTing it here does
>> nothing.
>
> Incorrect. *Each* smtpd_*_restrictions section must evaluate to OK or
> permit. Just because you OK a client in smtpd_client_restrictions
> doesn't give them a free ride in smtpd_recipient_restrictions.

Bah. This trips me up every time.


>
> So if you're going to speculate, pick something better.

It wasn't speculation. It was knee-jerk.


>
> For a better guess, we need to see log entries of the transaction.

That's what I should have asked.

J.

mouss

May 30, 2010, 5:29:29 PM
Jarrod Neven wrote:

> I am trying to setup restriction to prevent selected users from sending
> email externally. I have followed the "Restricting what users can send
> mail to off-site destinations" guide at
> http://www.postfix.net/RESTRICTION_CLASS_README.html but it is not
> having any effect.
>
> It appears that no matter what I do smtpd_recipient_restrictions has no
> effect. Have set the hash file to an invalid file and created syntax
> errors and there are no error messages in the log, even set
> smtpd_recipient_restrictions = reject and it did nothing.
>
> In master.cf I have added -v -v to the smtpd process and it shows no
> mention of the value smtpd_recipient_restrictions; it looks like it is
> ignored completely.
>
> Is there anything that can prevent smtpd_recipient_restrictions from
> working? Maybe a compiled option missing?
>
> I have postfix 2.5.1 on centos 64bit
>
> #postconf -n
> config_directory = /etc/postfix
> mail_owner = postfix
> setgid_group = postdrop
> smtpd_client_restrictions = check_sender_access
> hash:/etc/postfix/restricted_senders
> smtpd_delay_reject = no

This is not recommended. When you use it, you are on your own.

> smtpd_recipient_restrictions = check_sender_access
> hash:/etc/postfix/restricted_senders

This doesn't work. You should see a warning in your logs.
If it worked, you'd be an open relay unless your check_sender_access
rejects all mail.


Anyway, look at your master.cf. You may have overridden your smtpd
restrictions there...

> smtpd_restriction_classes = local_only


> smtpd_sender_restrictions = check_sender_access
> hash:/etc/postfix/restricted_senders

Jarrod Neven

May 31, 2010, 8:15:56 AM

> anyway, look at your master.cf. you may have overriden your smtpd
> restrictions there...

Good thinking. From my limited understanding, the master.cf is OK:

# grep -v '^ *\(#.*\)\?$' /etc/postfix/master.cf
smtp       inet  n       -       n       -       -       smtpd -v - v
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp -v -v
relay      unix  -       -       n       -       -       smtp
    -o smtp_fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
dovecot    unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}

I am aware that this configuration will open Postfix up to spam abuse; at the moment
the focus is to limit who can send external emails.

> As of the original question, using "static:reject" for
> smtpd_recipient_restrictions will make postfix reject just
> everything.

As suggested by Michael Tokarev, I have changed the config to reject
everything, yet I was still able to send mail. Here is the final config:

#postconf -n
config_directory = /etc/postfix
debug_peer_level = 9
disable_vrfy_command = yes
mail_owner = postfix
setgid_group = postdrop
smtp_tls_loglevel = 9
smtpd_client_port_logging = yes
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client
smtpd_data_restrictions = reject_unauth_pipelining,permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = static:reject
smtpd_restriction_classes = local_only
virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:12
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mysql:$config_directory/mysql_virtual_mailbox_domains.cf
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 101
virtual_transport = dovecot
virtual_uid_maps = static:101

The log file for this can be seen here:

http://engage.neven.info/postfix-static.txt


Noel Jones:


> There are no compile options that will affect this. Show
> non-verbose postfix logging of a transaction you feel is
> handled incorrectly.

Using this config:
# postconf -n
config_directory = /etc/postfix
debug_peer_level = 9
disable_vrfy_command = yes
mail_owner = postfix
setgid_group = postdrop
smtp_tls_loglevel = 9
smtpd_client_port_logging = yes
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client
smtpd_data_restrictions = reject_unauth_pipelining,permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_restriction_classes = local_only
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:12
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mysql:$config_directory/mysql_virtual_mailbox_domains.cf
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 101
virtual_transport = dovecot
virtual_uid_maps = static:101

Here is the verbose logging
http://engage.neven.info/postfix-check_sender_access.txt

The non-verbose version:
May 31 22:03:50 DKPADMMAIL1 postfix/postfix-script[3329]: starting the Postfix mail system
May 31 22:03:50 DKPADMMAIL1 postfix/master[3330]: daemon started -- version 2.5.1, configuration /etc/postfix
May 31 22:04:30 DKPADMMAIL1 postfix/pickup[3332]: 39EBD5D806B: uid=48 from=<te...@corp.letsengage.com>
May 31 22:04:30 DKPADMMAIL1 postfix/cleanup[3338]: 39EBD5D806B: message-id=<29bd4605116b02e27bcddc77b33b598b.squirrel@dkpadmmail1>
May 31 22:04:30 DKPADMMAIL1 postfix/qmgr[3331]: 39EBD5D806B: from=<te...@corp.letsengage.com>, size=677, nrcpt=1 (queue active)
May 31 22:04:34 DKPADMMAIL1 postfix/smtp[3343]: 39EBD5D806B: to=<####.ne...@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.53.27]:25, delay=4.2, delays=0.11/0.01/2.6/1.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1275307474 k17si9893297rvh.45)
May 31 22:04:34 DKPADMMAIL1 postfix/qmgr[3331]: 39EBD5D806B: removed

Michael Orlitzky

May 31, 2010, 12:02:49 PM
On 05/31/2010 08:15 AM, Jarrod Neven wrote:
> The non-verbose version:
> May 31 22:03:50 DKPADMMAIL1 postfix/postfix-script[3329]: starting the Postfix mail system
> May 31 22:03:50 DKPADMMAIL1 postfix/master[3330]: daemon started -- version 2.5.1, configuration /etc/postfix
> May 31 22:04:30 DKPADMMAIL1 postfix/pickup[3332]: 39EBD5D806B: uid=48 from=<te...@corp.letsengage.com>
> May 31 22:04:30 DKPADMMAIL1 postfix/cleanup[3338]: 39EBD5D806B: message-id=<29bd4605116b02e27bcddc77b33b598b.squirrel@dkpadmmail1>
> May 31 22:04:30 DKPADMMAIL1 postfix/qmgr[3331]: 39EBD5D806B: from=<te...@corp.letsengage.com>, size=677, nrcpt=1 (queue active)
> May 31 22:04:34 DKPADMMAIL1 postfix/smtp[3343]: 39EBD5D806B: to=<####.ne...@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.53.27]:25, delay=4.2, delays=0.11/0.01/2.6/1.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1275307474 k17si9893297rvh.45)
> May 31 22:04:34 DKPADMMAIL1 postfix/qmgr[3331]: 39EBD5D806B: removed

smtpd_foo_restrictions only apply to mail received by smtpd (e.g.
somebody connects on port 25 and begins mashing the keyboard). When you
send mail via the sendmail command, the Postfix pickup daemon steals it
and feeds it into cleanup directly.

Noel Jones

May 31, 2010, 12:24:01 PM
> The non-verbose version:
> May 31 22:03:50 DKPADMMAIL1 postfix/postfix-script[3329]: starting the Postfix mail system
> May 31 22:03:50 DKPADMMAIL1 postfix/master[3330]: daemon started -- version 2.5.1, configuration /etc/postfix
> May 31 22:04:30 DKPADMMAIL1 postfix/pickup[3332]: 39EBD5D806B: uid=48 from=<te...@corp.letsengage.com>
> May 31 22:04:30 DKPADMMAIL1 postfix/cleanup[3338]: 39EBD5D806B: message-id=<29bd4605116b02e27bcddc77b33b598b.squirrel@dkpadmmail1>
> May 31 22:04:30 DKPADMMAIL1 postfix/qmgr[3331]: 39EBD5D806B: from=<te...@corp.letsengage.com>, size=677, nrcpt=1 (queue active)
> May 31 22:04:34 DKPADMMAIL1 postfix/smtp[3343]: 39EBD5D806B: to=<####.ne...@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.53.27]:25, delay=4.2, delays=0.11/0.01/2.6/1.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1275307474 k17si9893297rvh.45)
> May 31 22:04:34 DKPADMMAIL1 postfix/qmgr[3331]: 39EBD5D806B: removed


This mail was not submitted via SMTP, but rather via the local
sendmail(1) command.

smtpd_*_restrictions only apply to mail submitted via SMTP.

-- Noel Jones
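The diagnosis in the two replies above can be read straight off the log, and a quick classifier like the one below is what I run before asking why a restriction "did nothing". It is an added example, not code from the thread: it groups Postfix log lines by queue ID and records which daemon logged each message first. pickup means the message arrived through sendmail(1)/postdrop and the maildrop queue, so no smtpd_*_restrictions were ever consulted; smtpd means an SMTP session, where they were. SAMPLE_LOG is constructed: the posted lines with the masked addresses replaced by placeholders, plus an invented SMTP submission (queue ID 7C2F15D8070) and an invented smtpd NOQUEUE reject, with placeholder host names and addresses. The uid=48 on the pickup line is the Unix account that ran sendmail(1), which is the process you need to reconfigure to submit over SMTP instead.

```python
"""Group Postfix log lines by queue ID and say how each message entered the
system.  Added example, not from the thread: the point is that only messages
first logged by smtpd ever saw smtpd_*_restrictions; a message first logged
by pickup came in through sendmail(1)/postdrop and the maildrop queue.
SAMPLE_LOG is constructed: the posted lines with the masked addresses
replaced by placeholders, plus an invented SMTP submission (7C2F15D8070)
and an invented smtpd reject, with placeholder hosts and addresses."""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
May 31 22:03:50 DKPADMMAIL1 postfix/master[3330]: daemon started -- version 2.5.1, configuration /etc/postfix
May 31 22:04:30 DKPADMMAIL1 postfix/pickup[3332]: 39EBD5D806B: uid=48 from=<test@corp.example.com>
May 31 22:04:30 DKPADMMAIL1 postfix/cleanup[3338]: 39EBD5D806B: message-id=<29bd4605116b02e27bcddc77b33b598b.squirrel@dkpadmmail1>
May 31 22:04:30 DKPADMMAIL1 postfix/qmgr[3331]: 39EBD5D806B: from=<test@corp.example.com>, size=677, nrcpt=1 (queue active)
May 31 22:04:34 DKPADMMAIL1 postfix/smtp[3343]: 39EBD5D806B: to=<someone@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.53.27]:25, delay=4.2, delays=0.11/0.01/2.6/1.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1275307474 k17si9893297rvh.45)
May 31 22:04:34 DKPADMMAIL1 postfix/qmgr[3331]: 39EBD5D806B: removed
May 31 22:10:01 DKPADMMAIL1 postfix/smtpd[3350]: connect from webmail.example.com[127.0.0.1]
May 31 22:10:01 DKPADMMAIL1 postfix/smtpd[3350]: 7C2F15D8070: client=webmail.example.com[127.0.0.1]
May 31 22:10:01 DKPADMMAIL1 postfix/cleanup[3338]: 7C2F15D8070: message-id=<constructed-1@example.com>
May 31 22:10:01 DKPADMMAIL1 postfix/qmgr[3331]: 7C2F15D8070: from=<carol@example.com>, size=512, nrcpt=1 (queue active)
May 31 22:10:02 DKPADMMAIL1 postfix/smtpd[3350]: NOQUEUE: reject: RCPT from webmail.example.com[127.0.0.1]: 554 5.7.1 <bob@mail.example>: Recipient address rejected: Access denied; from=<alice@example.com> to=<bob@mail.example> proto=ESMTP helo=<webmail.example.com>
May 31 22:10:02 DKPADMMAIL1 postfix/smtpd[3350]: disconnect from webmail.example.com[127.0.0.1]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<msg>.*)$")
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}|NOQUEUE): (?P<rest>.*)$")

# Which daemon first logs a queue ID tells you the entry point.
ENTRY_POINT = {"pickup": "sendmail(1)/postdrop", "smtpd": "SMTP"}


def classify(log_text):
    """Return (messages, rejects).  messages maps queue ID to the first
    daemon that logged it, the submission path, whether smtpd_*_restrictions
    were consulted, and (recipient, relay) pairs the smtp client delivered.
    rejects collects smtpd NOQUEUE rejections, which never get a queue ID."""
    messages = OrderedDict()
    rejects = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = QID_RE.match(m["msg"])
        if not q:
            continue  # connect/disconnect, daemon start: no queue ID
        if q["qid"] == "NOQUEUE":
            rejects.append(q["rest"])
            continue
        entry = messages.get(q["qid"])
        if entry is None:
            entry = messages[q["qid"]] = {
                "first_daemon": m["daemon"],
                "submitted_via": ENTRY_POINT.get(m["daemon"], "unknown (log starts mid-message?)"),
                "smtpd_restrictions_applied": m["daemon"] == "smtpd",
                "delivered": [],
            }
        if m["daemon"] == "smtp" and "status=sent" in q["rest"]:
            to = re.search(r"to=<([^>]*)>", q["rest"])
            relay = re.search(r"relay=([^,]*)", q["rest"])
            entry["delivered"].append((to.group(1) if to else "?",
                                       relay.group(1) if relay else "?"))
    return messages, rejects


if __name__ == "__main__":
    msgs, rejects = classify(SAMPLE_LOG)
    for qid, e in msgs.items():
        print(f"{qid}: first logged by {e['first_daemon']}, submitted via "
              f"{e['submitted_via']}, smtpd restrictions applied: "
              f"{e['smtpd_restrictions_applied']}, delivered: {e['delivered']}")
    for r in rejects:
        print("rejected by smtpd before queueing:", r)
```

On the posted message the first line is from pickup, so the script reports it as submitted via sendmail(1)/postdrop with no smtpd restrictions applied, and shows it leaving for gmail-smtp-in.l.google.com regardless of what main.cf says. The invented session shows what a working setup looks like: the restricted sender is refused at RCPT TO with a NOQUEUE line and never gets a queue ID. What this cannot give you is a way to make the sendmail command itself refuse mail; local programs depend on it succeeding, so the fix is to have the webmail client submit over SMTP rather than through the sendmail binary.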

mouss

May 31, 2010, 5:18:34 PM
Jarrod Neven wrote:
> [snip]
> http://engage.neven.info/postfix-static.txt
>

sigh. This is mail submitted via the sendmail command. such mail is not
subject to smtpd_* parameters. smtpd_* parameters only apply to smtpd
and derived processes.

The sendmail command is used by many programs (including cron, ...). and
it is not supposed to fail.

This is the reason why we ask for logs at the first time.

now this is general:

- do not post verbose logs unless you are explicitly asked to do so
- do put your logs in the message (not on a web site) the first time you
ask (do not say "if you think you need logs blah blah". We need nothing.
If you have a problem, a question, ... it is your duty to make it easy
for others to help you. If that's hard, send your check and we'll do the
work for you).


> [snip]
