Postfix restricting local mail locally.
I am trying to make it so that postfix takes specific actions when spam "from" my domain externally arrives. smtpd_recipient_restrictions / reject_unknown_... looked promising but I don't see how to work it with the information given.

When a new message arrives with [from: somt...@mydomain.com] [to: somt...@mydomain.com] and the sender ip address does not = $mynetworks I want to send the connecting pc's ip to external scripts if possible and at the least reject the message.

reverse dns lookup from my internal dns server would work as well. eventually I may be interested in having tls or something authenticate external users to send from mydomain but that is not a big concern right now. If need be vpn will solve that need.

any suggestions are appreciated. If I missed a how-to or something I appreciate the links. I don't always figure the best key words to find these things.

Kendrick
Re: Postfix restricting local mail locally.
On 06/04/2011 02:50 AM, Kendrick wrote:
> I am trying to make it so that postfix takes specific actions when spam "from" my domain externally arrives. smtpd_recipient_restrictions / reject_unknown_... looked promising but I don't see how to work it with the information given.
>
> When a new message arrives with [from: somt...@mydomain.com] [to: somt...@mydomain.com] and the sender ip address does not = $mynetworks I want to send the connecting pc's ip to external scripts if possible and at the least reject the message.
>
> reverse dns lookup from my internal dns server would work as well. eventually I may be interested in having tls or something authenticate external users to send from mydomain but that is not a big concern right now. If need be vpn will solve that need.
>
> any suggestions are appreciated. If I missed a how-to or something I appreciate the links. I don't always figure the best key words to find these things.

In main.cf:

smtpd_recipient_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/my_own_domains,
    reject_unauth_destination

and in my_own_domains:

techsoft3d.com REJECT

etc.

Or one of the other possible actions; there are quite a few, read the man page for details:

http://www.postfix.org/access.5.html

-- J.
Re: Postfix restricting local mail locally.
On 04/06/2011 04:06, Jeroen Geilman wrote:
> On 06/04/2011 02:50 AM, Kendrick wrote:
>> I am trying to make it so that postfix takes specific actions when
>> spam "from" my domain externally arrives.
>> smtpd_recipient_restrictions / reject_unknown_... looked promising
>> but I don't see how to work it with the information given.
>>
>> When a new message arrives with [from: somt...@mydomain.com]
>> [to: somt...@mydomain.com] and the sender ip address does not = $mynetworks
>> I want to send the connecting pc's ip to external scripts if possible and
>> at the least reject the message.
>>
>> reverse dns lookup from my internal dns server would work as well.
>> eventually I may be interested in having tls or something authenticate
>> external users to send from mydomain but that is not a big concern
>> right now. If need be vpn will solve that need.
>>
>> any suggestions are appreciated. If I missed a how-to or something I
>> appreciate the links. I don't always figure the best key words to find
>> these things.
>
> In main.cf:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     check_sender_access hash:/etc/postfix/my_own_domains,
>     reject_unauth_destination
>

Using check_*_access before reject_unauth_destination is discouraged. it may (accidentally) lead to open relay should "someone" add an entry that returns OK.

better use:

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/access_sender

== access_sender:
techsoft3d.com REJECT
.techsoft3d.com REJECT

Note to OP: this rejects mail with a sender in your domain unless it comes from mynetworks or is authenticated (SASL).

a better setup is to separate inbound mail service (MX) and submission service (MSA), for example by using port 587 for submission. then you wouldn't need to create an exception ("reject unless").

> and in my_own_domains:
>
> techsoft3d.com REJECT
>
> etc.
>
> Or one of the other possible actions; there are quite a few, read the
> man page for details:
>
> http://www.postfix.org/access.5.html
>

he could start with
http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/RESTRICTION_CLASS_README.html
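As an added illustration of the ordering point made above (example code written for this page, not mouss's or Postfix's own): a simplified model of how Postfix walks smtpd_recipient_restrictions, where the first restriction returning OK or REJECT decides and DUNNO falls through. It shows that a check_sender_access entry returning OK is harmless after reject_unauth_destination but relays for anyone when the map is consulted before it. The network ranges, the partner.example entry and the reduced access(5) lookup rules are constructed assumptions.

```python
# Added model (not Postfix's code): walk an smtpd_recipient_restrictions list;
# first OK/REJECT result decides, DUNNO falls through, exhausted list means OK.
import ipaddress

MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24"]   # constructed sample ranges
MYDESTINATION = {"techsoft3d.com"}                 # domains this MX accepts mail for

def in_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in MYNETWORKS)

def sender_access(sender, access_map):
    # Simplified access(5) lookup: full address, then the domain, then each
    # parent domain written with a leading dot (the form used in the thread).
    domain = sender.rsplit("@", 1)[-1]
    labels = domain.split(".")
    keys = [sender, domain] + ["." + ".".join(labels[i:]) for i in range(len(labels) - 1)]
    for key in keys:
        if key in access_map:
            return access_map[key]
    return "DUNNO"

def evaluate(restrictions, client_ip, sender, recipient, access_map, sasl=False):
    """Return (verdict, restriction that decided) for one RCPT TO."""
    for r in restrictions:
        if r == "permit_sasl_authenticated":
            res = "OK" if sasl else "DUNNO"
        elif r == "permit_mynetworks":
            res = "OK" if in_mynetworks(client_ip) else "DUNNO"
        elif r == "reject_unauth_destination":
            res = "DUNNO" if recipient.rsplit("@", 1)[-1] in MYDESTINATION else "REJECT"
        elif r == "check_sender_access":
            res = sender_access(sender, access_map)
        else:
            raise ValueError("unmodelled restriction: " + r)
        if res != "DUNNO":
            return res, r
    return "OK", "end of list"

SAFE = ["permit_sasl_authenticated", "permit_mynetworks",   # mouss's ordering
        "reject_unauth_destination", "check_sender_access"]
RISKY = ["permit_mynetworks", "check_sender_access", "reject_unauth_destination"]
ACCESS = {"techsoft3d.com": "REJECT", ".techsoft3d.com": "REJECT"}
# Assumption: someone later adds a partner whitelist entry to the same map.
ACCESS_WITH_OK = {**ACCESS, "partner.example": "OK"}

def open_relay_check(order, access_map):
    """Outside client, foreign sender, recipient outside MYDESTINATION."""
    return evaluate(order, "203.0.113.5", "x@partner.example", "v@other.example", access_map)
```

With SAFE the spoofed techsoft3d.com sender from an outside client is rejected by the map, and the partner OK entry still cannot relay; with RISKY the same OK entry answers before reject_unauth_destination ever runs.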
Re: Postfix restricting local mail locally.
On 06/04/2011 05:06 AM, mouss wrote:
> Using check_*_access before reject_unauth_destination is discouraged. it
> may (accidentally) lead to open relay should "someone" add an entry that
> returns OK.
>
> better use:
>
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated
>     permit_mynetworks
>     reject_unauth_destination
>     check_sender_access hash:/etc/postfix/access_sender
>
> == access_sender:
> techsoft3d.com REJECT
> .techsoft3d.com REJECT

That makes sense now that I see an example. Lists of options like the documentation tend to just confuse me.

> Note to OP: this rejects mail with a sender in your domain unless it
> comes from mynetworks or is authenticated (SASL).
>
> a better setup is to separate inbound mail service (MX) and submission
> service (MSA), for example by using port 587 for submission. then you
> wouldn't need to create an exception ("reject unless").
>
> he could start with
> http://www.postfix.org/SMTPD_ACCESS_README.html
> http://www.postfix.org/RESTRICTION_CLASS_README.html

If I understand this right, for the mx side I could put

smtpd_recipient_restrictions =
    permit_sasl_authenticated

or should it be

smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/access_sender

== access_sender:
techsoft3d.com REJECT
.techsoft3d.com REJECT

and on the internal side it would accept all with no restrictions? the way the documentation is worded it confuses me which one would apply here. does smtpd_sender... = out going mail or the from: box?

thanks
Kendrick
Re: Postfix restricting local mail locally.
On Sat, Jun 04, 2011 at 10:25:37AM -0400, Kendrick wrote:

> smtpd_recipient_restrictions =
>     permit_sasl_authenticated

No, this won't work, rather:

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/access_sender
    # Optional final permit, just to make it clear
    permit

> or should it be
>
> smtpd_sender_restrictions =
>     check_sender_access hash:/etc/postfix/access_sender
>
> == access_sender:
> techsoft3d.com REJECT
> .techsoft3d.com REJECT
>
>
> and on the internal side it would accept all with no restrictions?

You list authorized clients in "mynetworks".

-- 
	Viktor.
Re: Postfix restricting local mail locally.
On 04/06/2011 16:25, Kendrick wrote:
> On 06/04/2011 05:06 AM, mouss wrote:
>> Using check_*_access before reject_unauth_destination is discouraged. it
>> may (accidentally) lead to open relay should "someone" add an entry that
>> returns OK.
>>
>> better use:
>>
>> smtpd_recipient_restrictions =
>>     permit_sasl_authenticated
>>     permit_mynetworks
>>     reject_unauth_destination
>>     check_sender_access hash:/etc/postfix/access_sender
>>
>> == access_sender:
>> techsoft3d.com REJECT
>> .techsoft3d.com REJECT
>>
> That makes sense now that I see an example. Lists of options like the
> documentation tend to just confuse me.
>> Note to OP: this rejects mail with a sender in your domain unless it
>> comes from mynetworks or is authenticated (SASL).
>>
>> a better setup is to separate inbound mail service (MX) and submission
>> service (MSA), for example by using port 587 for submission. then you
>> wouldn't need to create an exception ("reject unless").
>>
>> he could start with
>> http://www.postfix.org/SMTPD_ACCESS_README.html
>> http://www.postfix.org/RESTRICTION_CLASS_README.html
>>
> If I understand this right, for the mx side I could put
>
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated
>

No.
- the default in all smtpd_*_restrictions is OK
- open relay is checked in smtpd_recipient_restrictions

so the latter should have a reject_something. in general: reject_unauth_destination (which rejects open relay).

> or should it be
>
> smtpd_sender_restrictions =
>     check_sender_access hash:/etc/postfix/access_sender
>
> == access_sender:
> techsoft3d.com REJECT
> .techsoft3d.com REJECT
>
>
> and on the internal side it would accept all with no restrictions?

yes if you have an "internal side". do you?

>
> the way the documentation is worded it confuses me which one would apply
> here. does smtpd_sender... = out going mail or the from: box?

the way you word it confuses me:)

all smtpd checks apply to the SMTP commands such as HELO/EHLO, MAIL FROM, RCPT TO.
smtpd checks do not apply to headers (Subject:, Date:, From:, To:, Cc:, ... etc).

you need to understand how smtp works. smtp is a transport protocol that is used to convey messages. smtp has commands: HELO/EHLO, MAIL FROM, RCPT TO, DATA, QUIT, ... etc. the messages it conveys have headers (such as Received, Date, Subject, From, To, Cc, ... etc) and a body (which may itself contain multiple MIME parts, sometimes called attachments).
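To make the envelope-versus-header distinction concrete, an added example that is not part of the thread: a small parser over a constructed SMTP session that separates what the smtpd restrictions evaluate (MAIL FROM, RCPT TO) from the From: header the recipient sees. The session text, addresses and hostnames are constructed.

```python
# Added example (not from the thread): split the client side of an SMTP session
# into the envelope (seen by smtpd_*_restrictions) and the headers (seen by users).

SESSION = """\
EHLO mail.example.net
MAIL FROM:<bounce@spammer.example>
RCPT TO:<kendrick@techsoft3d.com>
DATA
From: "Kendrick" <kendrick@techsoft3d.com>
To: kendrick@techsoft3d.com
Subject: hi

see attachment
.
QUIT
"""  # constructed session: envelope sender and header From: disagree

def split_session(text):
    """Return (envelope, headers): envelope from HELO/MAIL/RCPT, headers from DATA."""
    envelope = {"helo": None, "mail_from": None, "rcpt_to": []}
    headers = {}
    lines = iter(text.splitlines())
    for line in lines:
        upper = line.upper()
        if upper.startswith(("HELO ", "EHLO ")):
            envelope["helo"] = line.split(" ", 1)[1]
        elif upper.startswith("MAIL FROM:"):
            envelope["mail_from"] = line.split(":", 1)[1].strip().strip("<>")
        elif upper.startswith("RCPT TO:"):
            envelope["rcpt_to"].append(line.split(":", 1)[1].strip().strip("<>"))
        elif upper == "DATA":
            for hline in lines:            # header block ends at the first empty line
                if hline == "":
                    break
                name, _, value = hline.partition(":")
                headers[name.strip().lower()] = value.strip()
            for bline in lines:            # body ends at the lone "." line
                if bline == ".":
                    break
    return envelope, headers

def addr_domain(addr):
    """Domain of an address, accepting bare and display-name <...> forms."""
    if "<" in addr:
        addr = addr[addr.index("<") + 1:addr.index(">")]
    return addr.rsplit("@", 1)[-1].lower()

def compare(text=SESSION):
    """(domain a check_sender_access map keys on, domain shown in the From: header)."""
    envelope, headers = split_session(text)
    return addr_domain(envelope["mail_from"]), addr_domain(headers["from"])
```

Because check_sender_access keys on the envelope sender, the constructed message above, with a foreign MAIL FROM and a techsoft3d.com From: header, is not matched by the access map at all; acting on header content is the job of header_checks or a content filter, which the thread does not cover.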
Re: Postfix restricting local mail locally.
On 06/04/2011 05:50 PM, mouss wrote:
> yes if you have an "internal side". do you?

I have 3+ sides. External, wired and wireless. I may eventually add a dmz or include the dmz with wireless. Wired and wireless both go through the server to external but don't know the other exists. putting the internal on different ports is not a problem if you can't specify different settings for the different sides of the server specifically.

>> the way the documentation is worded it confuses me which one would apply
>> here. does smtpd_sender... = out going mail or the from: box?
>
> the way you word it confuses me:)

Haven't studied much on mail servers before. until a year or 2 ago my systems hadn't seen much spam. Someone used my domain in the from box for a bunch of spam and now I get a lot of junk.

On 06/04/2011 02:04 PM, Victor Duchovni wrote:
> On Sat, Jun 04, 2011 at 10:25:37AM -0400, Kendrick wrote:
>> smtpd_recipient_restrictions =
>>     permit_sasl_authenticated
>
> No, this won't work, rather:
>
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     reject_unauth_destination,
>     check_sender_access hash:/etc/postfix/access_sender
>     # Optional final permit, just to make it clear
>     permit

Does that apply to multi homed machines or is it possible to specify things per network? or would I be better off having a mail server instance specifically for external mail and a 2nd server that is for the internal clients?