Re: How to ensure that either FROM or TO is local
Thx for the reply.

> While it was intended, no doubt, to be very wrong, it failed. Lacking a valid CIDR expression, that only matches the single IPv4 address of 0.0.0.0, which, having special meaning in networking, is unroutable. A setting of equivalent functionality is mynetworks =. The OP would be well advised to review the BASIC_CONFIGURATION_README, listing in $mynetworks the client networks which should be allowed to relay.

I read all the postfix docs I could find...

> If the OP does not wish to allow any to relay on the basis of IP address unless using a local sender, as the $SUBJECT suggests, the solution is pretty simple.
>
> main.cf :
>     mynetworks = real.IP.add.ress/CIDR[, ...]
>     smtpd_recipient_restrictions = reject_unlisted_sender, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination[, ...]

This did not seem to work as expected.

> > don't know if using smtpd_reject_unlisted_sender would prevent anything going wrong here, but this is likely to make you an open relay.
>
> If the wrong thing had been done correctly ;) I think this would have worked too, that is, if I understood the OP's goal correctly.

I'm using a virtual transport for all my mail. With local mail I meant all mail that goes through this transport. To verify the 'local' users I use LDAP. It contains all my users and their email addresses.

So basically, what my 'ideal' configuration would offer:

If someone from a none private IP (or localhost) tries to send a mail it is required to have a recipient that is part of the service that offers the virtual transport (this way internal people can send to each other and to people outside the internal environment).

When someone from a public IP tries to send a mail it is required that the sender is an unknown address and the recipient is known.

This (I believe) can be resolved by using either two instances or some sort of policy daemon. What I currently don't know is how I would go about and resolve this.

I hope I have clarified any euhh... unclarities

Thanks a lot!

Regards,
Serge Fonville

--
http://www.sergefonville.nl
Convince Google!! They need to support Adsense over SSL
https://www.google.com/adsense/support/bin/answer.py?hl=enanswer=10528
http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923hl=en

Re: How to ensure that either FROM or TO is local
Questions similar to yours come up fairly often, I'm not sure why no one's jumped in yet with a rough solution that will do what you want. What you've mentioned you want:

> How do I ensure that my mail server can only send mails either to or from mydomains?

Consider that there are three situations you want to worry about:

1. Postfix receiving a mail for final delivery as the destination (local delivery)
2. Postfix receiving a mail for delivery to somewhere else on the internet (relaying)
3. Postfix receiving a mail submitted locally, destined for somewhere else on the internet (this is a special case of (2) because local is usually privileged)

* Assume we ignore (2) because Postfix will not act as an anonymous relay by default.
* Postfix will only accept mail for local domains, so (1) works as you expect. Accepting mail for remote domains would be considered relaying
* Postfix (by default) *will* accept mail and relay it to remote domains, if the client is local. That covers case (3)

I *think* the short, correct answer is to use a policy server:
http://www.postfix.org/SMTPD_POLICY_README.html

Another alternative may be restriction classes, but that can get a bit messy. I personally wouldn't trust myself to get this right, so I have no examples of my own to offer.
http://www.postfix.org/RESTRICTION_CLASS_README.html

> When I add the following to main.cf, this should perform the check, so only people I know are allowed to send through postfix and they can send anywhere. This should also prevent anyone to send mail from an address that isn't one of mine.
>
>     smtpd_reject_unlisted_recipient = no
>     smtpd_reject_unlisted_sender = yes
>     smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
>     smtpd_sender_restrictions =

I've not used the smtpd_reject_unlisted_* options before myself, but I suspect that won't work as you expect.

> Unfortunately, it does not work.

When you report that something doesn't work, it's best to provide log entries that support what you're saying. Basically, it's most helpful if you:

1. Describe what you expected to happen
2. Describe what you saw actually happened.
3. Show the log entries so we can see what happened.

> The output of postconf -n
> snip
> mydestination =

This is likely to be wrong. I can see you're using virtual mailboxes, but not having any local domains at all is odd.

> mynetworks = 0.0.0.0

This is *definitely* very wrong! smtpd_recipient_restrictions will allow ANY client in mynetworks to relay mail to any destination. I don't know if using smtpd_reject_unlisted_sender would prevent anything going wrong here, but this is likely to make you an open relay.

Re: How to ensure that either FROM or TO is local
> I *think* the short, correct answer is to use a policy server:
> http://www.postfix.org/SMTPD_POLICY_README.html

I will look into those then

I read into http://www.postfix.org/SMTPD_POLICY_README.html, but I do not see how I can use this to solve my problem. Perhaps I am missing something...

Any help is greatly appreciated

Regards,
Serge Fonville

Re: How to ensure that either FROM or TO is local
Serge Fonville:
> > I *think* the short, correct answer is to use a policy server:
> > http://www.postfix.org/SMTPD_POLICY_README.html
>
> I will look into those then
>
> I read into http://www.postfix.org/SMTPD_POLICY_README.html, but I do not see how I can use this to solve my problem. Perhaps I am missing something...
>
> Any help is greatly appreciated

The policy server can reject mail from a remote network with a local sender address. Isn't that what you want?

As an added bonus, it can also reject mail from a local network with a remote sender address. This can help to stop outbound spam from zombie-infested PCs.

Wietse

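The check described in the message above, sketched as a minimal policy delegate; this is an added example, not part of the original thread and not code from Postfix. It uses the request format from SMTPD_POLICY_README (name=value lines ended by an empty line, answered with `action=...`); the domain and network values and the function names are assumptions for illustration.

```python
import ipaddress
import sys

# Assumed values for illustration; use the domains and networks from main.cf.
LOCAL_DOMAINS = {"example.org"}
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

def parse_request(lines):
    """Read one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs):
    """Return the access(5) action for one request."""
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DEFER_IF_PERMIT client address not understood"
    client_is_local = any(client in net for net in LOCAL_NETS)
    sender = attrs.get("sender", "")
    if not sender:
        # Null sender (bounces): leave the decision to the other restrictions.
        return "DUNNO"
    sender_is_local = sender.rpartition("@")[2].lower() in LOCAL_DOMAINS
    if client_is_local and not sender_is_local:
        return "REJECT remote sender address from local network"
    if not client_is_local and sender_is_local:
        return "REJECT local sender address from remote network"
    # DUNNO never permits by itself; reject_unauth_destination still applies.
    return "DUNNO"

def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests until EOF, as when run from a spawn(8) service."""
    while (attrs := parse_request(stream_in)):
        stream_out.write(f"action={decide(attrs)}\n\n")
        stream_out.flush()

if __name__ == "__main__":
    serve()
```

Postfix reaches such a program through a spawn(8) entry in master.cf and a `check_policy_service` entry in smtpd_recipient_restrictions, placed ahead of permit_mynetworks so that local clients are checked too. Remote users who authenticate with SASL need permit_sasl_authenticated ahead of it, otherwise the remote-client rule rejects their local sender address.
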
Re: How to ensure that either FROM or TO is local
Wietse,

Thx for the reply

> The policy server can reject mail from a remote network with a local sender address. Isn't that what you want?
>
> As an added bonus, it can also reject mail from a local network with a remote sender address. This can help to stop outbound spam from zombie-infested PCs.

Yes exactly. I read into the page again and it seems to be suitable for my purpose. Unfortunately it also seems to mean I have to write my own policy server.. At least I have a starting point from now on.

Thanks a lot for the help!

Regards,
Serge Fonville

Re: How to ensure that either FROM or TO is local
On Sun, Jan 03, 2010 at 09:58:15PM +1100, Barney Desmond wrote:
> > mynetworks = 0.0.0.0
>
> This is *definitely* very wrong! smtpd_recipient_restrictions will allow ANY client in mynetworks to relay mail to any destination. I

While it was intended, no doubt, to be very wrong, it failed. Lacking a valid CIDR expression, that only matches the single IPv4 address of 0.0.0.0, which, having special meaning in networking, is unroutable. A setting of equivalent functionality is mynetworks =. The OP would be well advised to review the BASIC_CONFIGURATION_README, listing in $mynetworks the client networks which should be allowed to relay.

If the OP does not wish to allow any to relay on the basis of IP address unless using a local sender, as the $SUBJECT suggests, the solution is pretty simple.

main.cf :
    mynetworks = real.IP.add.ress/CIDR[, ...]
    smtpd_recipient_restrictions = reject_unlisted_sender, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination[, ...]

> don't know if using smtpd_reject_unlisted_sender would prevent anything going wrong here, but this is likely to make you an open relay.

If the wrong thing had been done correctly ;) I think this would have worked too, that is, if I understood the OP's goal correctly.

--
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header

Re: How to ensure that either FROM or TO is local
> > > Postfix, by default, only queues mail that is destined for that system (mydestination or virtual settings), included in mynetworks, or listed in relay_domains
> > >
> > > This only changes if *you* tell Postfix not to. The config below does not show any such weakness.
> >
> > Hmmm, so basically there is no way to enforce that mail sent through the mail server will always be either from or to one of my domains :-(
>
> Would it be possible to use sender verification to match negatively? That way I could run two instances of postfix and have one check sender and the other recipient
>
> If it comes from the internal interface at least sender should be local
> if it comes from the external interface at least recipient should be local
>
> Not sure if this is possible, but it would definitely solve it, at least I think

I believe I have the solution. Unfortunately no way to implement it :-(

When I add the following to main.cf, this should perform the check, so only people I know are allowed to send through postfix and they can send anywhere. This should also prevent anyone to send mail from an address that isn't one of mine.

    smtpd_reject_unlisted_recipient = no
    smtpd_reject_unlisted_sender = yes
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    smtpd_sender_restrictions =

Unfortunately, it does not work.

The output of postconf -n

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    config_directory = /etc/postfix
    inet_interfaces = all
    mailbox_size_limit = 0
    mydestination =
    myhostname = server01.fonville-it.nl
    mynetworks = 0.0.0.0
    myorigin = /etc/mailname
    readme_directory = no
    recipient_delimiter = +
    relayhost =
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    virtual_mailbox_domains = mail.fonville-it.nl, fonville-it.nl
    virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailbox-maps.cf
    virtual_transport = zarafa

What have I done wrong?

Regards,
Serge Fonville

How to ensure that either FROM or TO is local
Hi,

I'm trying to install a postfix server and everything seemed to work ok. Until I tried to mail from a remote domain to a remote domain, but from 'telnet localhost 25'

I understand (suspect) this works because 127.0.0.0/8 is in mynetworks.

How do I ensure that my mail server can only send mails either to or from mydomains?

postconf -n

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    config_directory = /etc/postfix
    inet_interfaces = all
    mailbox_transport = zarafa
    mydestination = mydomainformail.org, mailserver.mydomainformail.org
    mydomain = mydomainformail.org
    myhostname = mailserver.mydomainformail.org
    mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
    myorigin = /etc/mailname
    readme_directory = no
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = Infracom Mail Server
    smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf

Thanks in advance.

Regards,
Serge Fonville

Re: How to ensure that either FROM or TO is local
On 12/30/2009 11:21 AM, Serge Fonville wrote:
> Hi,
>
> I'm trying to install a postfix server and everything seemed to work ok. Until I tried to mail from a remote domain to a remote domain, but from 'telnet localhost 25'
>
> I understand (suspect) this works because 127.0.0.0/8 is in mynetworks.
>
> How do I ensure that my mail server can only send mails either to or from mydomains?

Postfix, by default, only queues mail that is destined for that system (mydestination or virtual settings), included in mynetworks, or listed in relay_domains

This only changes if *you* tell Postfix not to. The config below does not follow this. There are open relay test websites you can verify this at.

> postconf -n
> smtpd_banner = Infracom Mail Server

Don't change this unless you have a really good reason. Some functionality can be lost by those connecting to you and the current line breaks the SMTP standard.

> smtpd_use_tls = yes

This is deprecated. Newer versions of Postfix should use smtpd_tls_security_level = may

Re: How to ensure that either FROM or TO is local
Thx for the reply.

> > postconf -n
> > smtpd_banner = Infracom Mail Server
>
> Don't change this unless you have a really good reason. Some functionality can be lost by those connecting to you and the current line breaks the SMTP standard.

Ok, thx I'll revert this to the default then ;-)

> There are open relay test websites you can verify this at.

The mail server isn't public currently, but thx for the reminder :-)

> Postfix, by default, only queues mail that is destined for that system (mydestination or virtual settings), included in mynetworks, or listed in relay_domains
>
> This only changes if *you* tell Postfix not to. The config below does not show any such weakness.

Hmmm, so basically there is no way to enforce that mail sent through the mail server will always be either from or to one of my domains :-(

Not really what I was hoping for, but thx for clarifying this Brian!

Regards,
Serge Fonville

Re: How to ensure that either FROM or TO is local
I was wondering...

> > > smtpd_banner = Infracom Mail Server
> >
> > Don't change this unless you have a really good reason. Some functionality can be lost by those connecting to you and the current line breaks the SMTP standard.
>
> Ok, thx I'll revert this to the default then ;-)
>
> > There are open relay test websites you can verify this at.
>
> The mail server isn't public currently, but thx for the reminder :-)
>
> > Postfix, by default, only queues mail that is destined for that system (mydestination or virtual settings), included in mynetworks, or listed in relay_domains
> >
> > This only changes if *you* tell Postfix not to. The config below does not show any such weakness.
>
> Hmmm, so basically there is no way to enforce that mail sent through the mail server will always be either from or to one of my domains :-(

Would it be possible to use sender verification to match negatively? That way I could run two instances of postfix and have one check sender and the other recipient

If it comes from the internal interface at least sender should be local
if it comes from the external interface at least recipient should be local

Not sure if this is possible, but it would definitely solve it, at least I think

Regards,
Serge Fonville