
Problem with controlling access using cidr


Nikolaos Milas
Feb 7, 2011, 10:15:20 AM

Hi,

I am using this piece of code to restrict access to some mail aliases
(only clients from the allowed IP addresses are permitted to send email
to the protected email addresses):

smtpd_restriction_classes = allowed_list1
allowed_list1 = check_client_access hash:/etc/postfix/client_acc,reject
smtpd_recipient_restrictions =
    hash:/etc/postfix/protected_destinations,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

where /etc/postfix/protected_destinations is for example:

...
ali...@example.com allowed_list1
...

and /etc/postfix/client_acc is:

10.10.10.11 OK
10.10.10.12 OK
10.10.11.10 OK

The above works fine.

However, when I try to use cidr tables (because I need to define
subnets), it doesn't work correctly:

smtpd_restriction_classes = allowed_list1
allowed_list1= cidr:/etc/postfix/client.cidr,reject
smtpd_recipient_restrictions =
    hash:/etc/postfix/protected_destinations,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

where /etc/postfix/protected_destinations is the same as above
and /etc/postfix/client.cidr is:

10.10.10.0/25 OK
10.10.11.0/24 OK

I've checked that for example:

postmap -q "10.10.11.10" cidr:/etc/postfix/client.cidr

returns OK, so it should be working, but it doesn't; access to
ali...@example.com is denied to client with IP address 10.10.11.10,
although it is included in a subnet in client.cidr file.

What am I doing wrong?

Thanks in advance,
Nick

Installation details (postconf -n) (postfix 2.3.3 on Centos 5.5):

alias_database = hash:/etc/postfix/aliases,
hash:/etc/postfix/aliases.d/virtual_aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_header_rewrite_clients = static:all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks = 10.10.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_canonical_maps = hash:/etc/postfix/domainrecipientmap
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_canonical_maps = hash:/etc/postfix/domainsendermap
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject
smtpd_delay_reject = yes
smtpd_recipient_restrictions =
hash:/etc/postfix/protected_destinations,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_restriction_classes = allowed_list1
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/certs/chain-180.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/cert-180.pem
smtpd_tls_key_file = /etc/pki/tls/private/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/aliases,
hash:/etc/postfix/aliases.d/virtual_aliases,
ldap:/etc/postfix/ldap-alias-vacation.cf,
ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = $mydomain
virtual_mailbox_limit = 314572800
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_uid_maps = static:500

Wietse Venema
Feb 7, 2011, 11:07:57 AM

Nikolaos Milas:
> hash:/etc/postfix/protected_destinations
>
> where /etc/postfix/protected_destinations is the same as above
> and /etc/postfix/client.cidr is:
>
> 10.10.10.0/25 OK
> 10.10.11.0/24 OK

As documented you can't use CIDR patterns in a HASH file.

Wietse

Nikolaos Milas
Feb 7, 2011, 11:29:05 AM

Thanks Wietse,

Sorry, I didn't notice in the documentation.

Could you please suggest any alternative with using subnetting for this
purpose?

Otherwise, we would have to include a very large number of unique IP
addresses in a hash file for client access control.

Thanks again,
Nick

Wietse Venema
Feb 7, 2011, 11:40:43 AM

> where /etc/postfix/protected_destinations is for example:
>
> ...
> ali...@example.com allowed_list1
> ...
...

> However, when I try to use cidr tables (because I need to define
> subnets), it doesn't work correctly:
>
> smtpd_restriction_classes = allowed_list1
> allowed_list1= cidr:/etc/postfix/client.cidr,reject
> smtpd_recipient_restrictions =
>
> hash:/etc/postfix/protected_destinations,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
>
> where /etc/postfix/protected_destinations is the same as above
> and /etc/postfix/client.cidr is:
>
> 10.10.10.0/25 OK
> 10.10.11.0/24 OK
>
> I've checked that for example:
>
> postmap -q "10.10.11.10" cidr:/etc/postfix/client.cidr
>
> returns OK, so it should be working, but it doesn't; access to
> ali...@example.com is denied to client with IP address 10.10.11.10,
> although it is included in a subnet in client.cidr file.
>
> What am I doing wrong?

You need to show logfile evidence that you are actually sending to
ali...@example.com, from an email client that actually is in the
allowed subnets. If you modify that evidence, then you do so at
your own risk.

Wietse

Brian Evans - Postfix List
Feb 7, 2011, 12:04:07 PM

On 2/7/2011 10:15 AM, Nikolaos Milas wrote:
> Hi,
>
> I am using this piece of code to restrict access to some mail aliases
> (only clients from the allowed IP addresses are permitted to send
> email to the protected email addresses):
>
> smtpd_restriction_classes = allowed_list1
> allowed_list1 = check_client_access
> hash:/etc/postfix/client_acc,reject

> allowed_list1= cidr:/etc/postfix/client.cidr,reject

Do you see the HUGE difference between the two restriction classes?

You are missing check_client_access on the second one.

Since it is called from the recipient class, it implies an old,
compatibility interface of "check_recipient_access cidr:mumble" which
will NEVER match.

Just because a map is cidr does not force it to check client.

Brian
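
To make Brian's point concrete, here is an added illustration (not Postfix code, and not from anyone in the thread) that models how a `cidr:` table is consulted from a restriction class. It parses a constructed copy of the thread's client.cidr, implements the documented first-match-wins lookup, and evaluates `allowed_list1` both as originally written (the map is applied to the recipient address, as the legacy `check_recipient_access` form) and with an explicit `check_client_access` (the map is applied to the client IP). Function names and the simplified semantics (no `!` negation, only the `OK` result) are assumptions of this example.

```python
import ipaddress

# Constructed copy of /etc/postfix/client.cidr as posted in the thread.
CLIENT_CIDR = """\
# comments and blank lines are ignored, as in a Postfix cidr table
10.10.10.0/25 OK
10.10.11.0/24 OK
"""


def parse_cidr_table(text):
    """Parse a cidr-table body into (network, result) pairs, preserving file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        entries.append((ipaddress.ip_network(pattern, strict=False), result.strip()))
    return entries


def cidr_lookup(entries, key):
    """First entry whose network contains the key wins (Postfix cidr semantics).
    A key that is not an IP address, such as an email address, can never match."""
    try:
        addr = ipaddress.ip_address(key)
    except ValueError:
        return None
    for net, result in entries:
        if addr.version == net.version and addr in net:
            return result
    return None


def evaluate_class(entries, client_ip, recipient, use_check_client_access):
    """Model 'allowed_list1 = <lookup>, reject' invoked from smtpd_recipient_restrictions.

    Without an explicit check_*_access, a bare map in the recipient restrictions is
    treated as check_recipient_access, so the lookup key is the recipient address and
    the client IP is never consulted; the lookup fails and ', reject' applies."""
    key = client_ip if use_check_client_access else recipient
    if cidr_lookup(entries, key) == "OK":
        return "permit"
    return "reject"  # no match falls through to the trailing ', reject'
```

Running the two evaluations for client 10.10.11.10 sending to the protected alias shows the original class rejecting and the `check_client_access` form permitting.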

Nikolaos Milas
Feb 7, 2011, 12:22:38 PM

Sorry Wietse,

I don't understand.

You mean I shouldn't have changed the true domain names / IP addresses
in my email? (I usually do in mailing list posts, it's considered proper
conduct.)

If it's needed, I can provide the actual domain names / networks / files.

Would you please clarify?

Thanks,
Nick

Nikolaos Milas
Feb 7, 2011, 12:33:23 PM

Thanks Brian,

But, could I have used "allowed_list1= check_client_access
cidr:/etc/postfix/client.cidr,reject" ? Is this feasible?

I understand from Wietse's feedback that I couldn't use CIDR lookups in
a smtpd_restriction_classes statement which is used in a hash table in
smtpd_recipient_restrictions.

What are the alternatives except of course using a hash file with all IP
addresses listed one by one?

Sorry for not having an in-depth knowledge of these issues - just tried
to find my way through using as much documentation as I could.

Thanks,
Nick

Brian Evans - Postfix List
Feb 7, 2011, 12:37:39 PM

On 2/7/2011 12:33 PM, Nikolaos Milas wrote:
> Thanks Brian,
>
> But, could I have used "allowed_list1= check_client_access
> cidr:/etc/postfix/client.cidr,reject" ? Is this feasible?
>

Yes
