From: Jeroen Geilman <jeroen <at> adaptr.nl>
Subject: Re: Relay for many local systems, but restrict internet forwarding?
Date: 2011-12-30 21:39:45 GMT
LR> Currently, we have a Postfix V2.4.5 server
LR>
J.> That is quite old; consider upgrading to at least one of the current 2.8
J.> branches.

Yep. I should have mentioned that a foundational "first upgrade to current version" will be performed, then "modify the config with new function" will occur.

LR> with no local accounts receiving email.
LR>
LR> We permit internal, local systems to freely use the system as a relay:
LR>
LR> smtpd_client_restrictions = permit_mynetworks, reject
LR> permit_mynetworks
LR>
J.> Is this a typo/copy-o, or is this really in your main.cf ?

Yeah, somewhat of a typo - this is the only line that should have made it into my original post:

smtpd_client_restrictions = permit_mynetworks, reject

LR> mynetworks = 127.0.0.0/8, 295.283.0.0/16, 10.0.0.0/8
LR> (internal subnet obviously obfuscated)
LR>
J.> Obviously not, since those are private IP ranges and hence they do not NEED
J.> obfuscation.

We have a really odd internal environment with a mix of private RFC 1918 addressing AND public, routable IP addresses... so yes, I did intend to obfuscate our "Class B" sized public subnet in my previous post. I just copied the line from our main.cf "as is" and changed the public network subnet to the goofy numbers.

LR>
LR> In our transport_maps file:
LR> ourdomain.org :
LR> .ourdomain.org :
LR> * smtp:[firewall.ourdomain.org]
LR>
LR> ----
LR> Ok, now management has asked us to restrict the flow of outbound email (i.e.
LR> to the internet) to only selected systems, based on their IP addresses.
LR>
LR> I'm looking for a general suggestion of how I can implement this selective
LR> permit of only certain systems to have emails forwarded out to the internet,
LR> with the rest of the systems still able to send email internally via the
LR> Postfix-based mail gateway machine.
LR>
J.> You want to selectively allow certain internal source IPs to be able to send
J.> mail to the outside world ?

Yes.

J.>
J.> smtpd_recipient_restrictions = check_client_access cidr:/etc/postfix/allow_out, reject_unauth_destination, permit
J.>
J.> and in /etc/postfix/allow_out:
J.>
J.> permitted.IP OK
J.> other.permitted.IP OK
J.> permitted.IP/range OK
J.>
J.> The reject_unauth_destination check AFTER the client access check yielded no
J.> positive OK or REJECT means that any other internal or external clients can
J.> only send mail to authorized destinations, i.e., recipients/domains postfix
J.> controls mail for.

That is EXACTLY what I was looking for, thank you very much.

LR>
LR> BTW, there is a single network connection on the Postfix box - dual path
LR> isn't feasible at this time.
LR>
LR> Is sender_dependent_relayhost_maps my proper starting point for investigation
LR> & experimentation?
LR>
J.> Hell no, that's way too complicated.
J.> Why do you have transport_maps at all here ?
J.> if (.)ourdomain.org is in mydestination or virtual_mailbox_domains, it will
J.> never be sent over smtp to begin with.
J.>
J.> --
J.> J.
J.>

Actually, we *are* rewriting inbound email headers... we accept email for two domains, but our internal email system only uses one of them. I tried to keep my example simple (my bad), so I showed only one domain. My "transport" file actually looks like this:

ourdomain.com :
.ourdomain.com :
ourdomain.org smtp:ourdomain.com
.ourdomain.org smtp:ourdomain.com
* smtp:[firewall.ourdomain.com]

"joe_u...@ourdomain.org" mailbox doesn't really exist, but some of our customers want to address email to Joe U. that way - so we turn "joe_u...@ourdomain.org" into "joe_u...@ourdomain.com" via Postfix, then ship it to our internal email system and it ends up properly delivered to Joe User.

---
Thank you for your valuable suggestions. I (unfortunately) am being currently used like a swiss army knife within my organization and don't get to spend nearly as much time with Postfix as I'd like to. We don't seem to need to make many large changes, so I seldom have to do much configuration creativity. Someone before me had set it up, and I just kind of inherited it.

Lee Roth
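[Editor's note, not part of the thread.] The restriction list Jeroen proposes works because Postfix walks smtpd_recipient_restrictions top to bottom and stops at the first OK/PERMIT or REJECT; a client that hits OK in the cidr: table never reaches reject_unauth_destination, while every other client (inside mynetworks or not) may only deliver to domains the gateway controls. The following Python is an added model of that first-match walk, written for this page and not Postfix code. The cidr: entries, client IPs and mailbox names are constructed; only the ourdomain.org / ourdomain.com domains and the restriction list itself come from the thread. Subdomain handling (parent_domain_matches_subdomains) is deliberately left out of the model.

```python
"""Model of Postfix evaluating

    smtpd_recipient_restrictions =
        check_client_access cidr:/etc/postfix/allow_out,
        reject_unauth_destination,
        permit

Added illustration, not Postfix source.  First match wins at every level:
inside the cidr: table and across the restriction list.
"""
import ipaddress

# Constructed stand-in for /etc/postfix/allow_out.  Postfix cidr: tables are
# scanned top to bottom; the first matching pattern supplies the action.
ALLOW_OUT = """
# hosts allowed to relay to the internet (constructed example entries)
10.0.5.17/32    OK
10.0.9.0/24     OK
192.0.2.0/24    OK
"""

# Domains the gateway accepts mail for (mydestination / relay_domains /
# virtual_*_domains in the thread); exact match only in this model.
AUTHORIZED_DOMAINS = {"ourdomain.org", "ourdomain.com"}


def parse_cidr_table(text):
    """Parse 'pattern action' lines into (ip_network, ACTION) pairs, in order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        pattern, action = line.split(None, 1)
        # A bare address without a prefix length is a /32 (or /128), as in Postfix.
        entries.append((ipaddress.ip_network(pattern, strict=False), action.strip().upper()))
    return entries


def check_client_access(entries, client_ip):
    """Action of the first entry containing client_ip, or None when nothing matches."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in entries:
        if addr.version == net.version and addr in net:
            return action
    return None


def reject_unauth_destination(recipient):
    """REJECT unless the recipient domain is one Postfix controls mail for;
    an authorized destination yields no decision (None) and the walk continues."""
    domain = recipient.rsplit("@", 1)[-1].lower().rstrip(".")
    return None if domain in AUTHORIZED_DOMAINS else "REJECT"


def smtpd_recipient_restrictions(entries, client_ip, recipient):
    """Walk the three-entry list; the first OK/PERMIT or REJECT decides,
    DUNNO or no-match falls through to the next restriction."""
    action = check_client_access(entries, client_ip)
    if action in ("OK", "PERMIT"):
        return "PERMIT"              # listed client: may relay anywhere
    if action is not None and action.startswith("REJECT"):
        return "REJECT"
    if reject_unauth_destination(recipient) == "REJECT":
        return "REJECT"              # unlisted client, non-local recipient
    return "PERMIT"                  # trailing 'permit'


ENTRIES = parse_cidr_table(ALLOW_OUT)

# Constructed cases: (client IP, RCPT TO address)
CASES = [
    ("10.0.5.17", "someone@example.net"),      # listed host -> internet
    ("10.0.9.200", "someone@example.net"),     # host inside listed /24 -> internet
    ("10.0.7.3", "someone@example.net"),       # internal, unlisted -> internet
    ("10.0.7.3", "alice@ourdomain.org"),       # internal, unlisted -> local domain
    ("203.0.113.9", "bob@ourdomain.com"),      # external -> local domain (inbound)
    ("203.0.113.9", "victim@example.net"),     # external -> internet (relay attempt)
]


def evaluate_cases():
    """Return [(client, recipient, decision)] for CASES."""
    return [(c, r, smtpd_recipient_restrictions(ENTRIES, c, r)) for c, r in CASES]


if __name__ == "__main__":
    for client, rcpt, decision in evaluate_cases():
        print(f"{client:>14}  {rcpt:<24} {decision}")
```

Two caveats the model leaves out. First, it covers only smtpd_recipient_restrictions; the smtpd_client_restrictions = permit_mynetworks, reject list from the thread is evaluated as well, so a client outside mynetworks is still rejected regardless of the recipient. Second, Postfix 2.10 and later added smtpd_relay_restrictions (default permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination), which is the natural home for this relay-control list on a current release; both lists are evaluated, and a recipient is rejected if either list rejects it.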