Re: rejecting local users with fake envelope sender

2009-01-17 Thread D. Karapiperis

Sahil Tandon wrote:
Hi Sahil
No, it is the first time I am asking this question.
I had two questions in the past related to this subject but they were
different. The first was about sender domain and the second about a
mechanism to check sender login names (replies regarding any source).


Thanks again

On Sat, 17 Jan 2009, D. Karapiperis wrote:

  
I am trying to configure properly reject_unlisted_sender, which utilises
all possible sources of valid mailboxes or mail aliases,
so that local users (originating from my_networks) can send mails using
valid envelope sender (or even both sender and the from field)



Isn't this the second time you're asking the same question?  See the archives
for responses to your last question and read some related documentation:

 http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender
 http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
 http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch

  




rejecting local users with fake envelope sender

2009-01-17 Thread D. Karapiperis

Hello all

I am trying to configure properly reject_unlisted_sender, which utilises
all possible sources of valid mailboxes or mail aliases,
so that local users (originating from my_networks) can send mails using
valid envelope sender (or even both sender and the from field)


Is this possible?

Thanks in advance
Dimitrios


[CLOSED]Validating local users through local_recipient_maps

2009-01-13 Thread D. Karapiperis

Thanks Sahil this is what I was looking for.

Sahil Tandon wrote:
On Jan 13, 2009, at 8:07 AM, "D. Karapiperis" wrote:



Hello all,

Is there any way to validate a local user (e-mail address) on sending 
mail using the local_recipient_maps, (where potentially all valid 
e-mail addresses could be defined) ?
So that all outgoing mails from local users (local, virtual etc) are
sent only by valid legitimate email addresses.


Read about reject_unlisted_sender and smtpd_reject_unlisted_sender in 
the postconf(5) manual.


--
Sahil Tandon





Validating local users through local_recipient_maps

2009-01-13 Thread D. Karapiperis

Hello all,

Is there any way to validate a local user (e-mail address) on sending 
mail using the local_recipient_maps, (where potentially all valid e-mail 
addresses could be defined)?
So that all outgoing mails from local users (local, virtual etc) are
sent only by valid legitimate email addresses.


Thanks in advance

Dimitrios


Re: Enforcing sending domain from the inside network

2008-12-31 Thread D. Karapiperis

mouss wrote:

D. Karapiperis wrote:

Wietse Venema wrote:


Since he asked for a "nice" way to specify this in Postfix, a "nice"
implementation of this would look like this:

/etc/postfix/main.cf:
smtpd_sender_restrictions = permit_mydomain, reject_mynetworks

Where the details are hidden by restriction classes:


/etc/postfix/main.cf:
smtpd_restriction_classes = permit_mydomain, reject_mynetworks
permit_mydomain = check_sender_access hash:/etc/postfix/sender_access
reject_mynetworks = check_client_access cidr:/etc/postfix/client_access.cidr

hash:/etc/postfix/sender_access
example.com permit

/etc/postfix/client_access.cidr
192.168.0.0/24 reject must send mail as u...@example.com

Note that moving this into smtpd_recipient_restrictions would
make this an open relay, as anyone can claim to have a sender
address in your domain.

Wietse
  
  

Many thanks for your replies, u really help a lot.

I cannot understand why if we move the statement on the
smtpd_recipient_restrictions will end up on open relay.
Again check_sender_access will examine the MAIL FROM right?
and the client access the IP, right?




permit_mydomain returns a "permit", so the message is accepted and no
further checks are done. in particular, reject_unauth_destination is
skipped.

in short, if a spammer forges sends as j...@example.com, the message is
accepted even if it goes to an external domain. and this is open relay


  


Open relay will not take place if the checks are included on 
smtpd_sender_restrictions?
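
Added example (not part of the original thread, and not Postfix code): a simplified Python model of how the restriction lists discussed above are evaluated, showing why the two restriction classes are harmless in smtpd_sender_restrictions but create an open relay when placed ahead of reject_unauth_destination in smtpd_recipient_restrictions. The recipient list, the client addresses and the mail addresses are assumptions constructed for the illustration.

```python
import ipaddress

MYNETWORKS = ipaddress.ip_network("192.168.0.0/24")  # client_access.cidr in the thread
MYDOMAIN = "example.com"                              # sender_access in the thread

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def inside(s):
    return ipaddress.ip_address(s["client"]) in MYNETWORKS

# Each check yields "permit", "reject" or None; MYDOMAIN is the only authorized destination.
RESTRICTIONS = {
    "permit_mydomain": lambda s: "permit" if domain(s["sender"]) == MYDOMAIN else None,
    "reject_mynetworks": lambda s: "reject" if inside(s) else None,
    "permit_mynetworks": lambda s: "permit" if inside(s) else None,
    "reject_unauth_destination":
        lambda s: None if domain(s["rcpt"]) == MYDOMAIN else "reject",
}

def evaluate(config, session):
    """A permit ends only the list it occurs in; a reject ends the transaction."""
    for list_name in ("smtpd_sender_restrictions", "smtpd_recipient_restrictions"):
        for name in config.get(list_name, []):
            verdict = RESTRICTIONS[name](session)
            if verdict == "reject":
                return "reject"
            if verdict == "permit":
                break  # skip the rest of this list, continue with the next list
    return "accept"

# Assumed recipient list (typical relay control; not given in the thread).
AS_POSTED = {
    "smtpd_sender_restrictions": ["permit_mydomain", "reject_mynetworks"],
    "smtpd_recipient_restrictions": ["permit_mynetworks", "reject_unauth_destination"],
}
# Same checks moved ahead of the relay control.
MOVED = {"smtpd_recipient_restrictions": ["permit_mydomain", "reject_mynetworks",
                                          "permit_mynetworks", "reject_unauth_destination"]}

# Constructed sessions (documentation address ranges and domains).
FORGED_OUTSIDE = {"client": "203.0.113.5", "sender": "someone@example.com",
                  "rcpt": "user@elsewhere.example"}
INSIDE_OK = {"client": "192.168.0.10", "sender": "user@example.com",
             "rcpt": "user@elsewhere.example"}

if __name__ == "__main__":
    for cfg in (AS_POSTED, MOVED):
        print(evaluate(cfg, FORGED_OUTSIDE), evaluate(cfg, INSIDE_OK))
```

In the sender list the "permit" for a forged example.com sender only ends that list, so reject_unauth_destination still runs; in the recipient list the same "permit" ends the list before the relay check is reached.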










  





Re: Enforcing sending domain from the inside network

2008-12-30 Thread D. Karapiperis

Wietse Venema wrote:

Since he asked for a "nice" way to specify this in Postfix, a "nice"
implementation of this would look like this:

/etc/postfix/main.cf:
smtpd_sender_restrictions = permit_mydomain, reject_mynetworks

Where the details are hidden by restriction classes:

/etc/postfix/main.cf:
smtpd_restriction_classes = permit_mydomain, reject_mynetworks
permit_mydomain = check_sender_access hash:/etc/postfix/sender_access
reject_mynetworks = check_client_access cidr:/etc/postfix/client_access.cidr

hash:/etc/postfix/sender_access
example.com permit

/etc/postfix/client_access.cidr
192.168.0.0/24 reject must send mail as u...@example.com

Note that moving this into smtpd_recipient_restrictions would
make this an open relay, as anyone can claim to have a sender
address in your domain.

Wietse
  


Many thanks for your replies, u really help a lot.

I cannot understand why if we move the statement on the
smtpd_recipient_restrictions will end up on open relay.

Again check_sender_access will examine the MAIL FROM right?
and the client access the IP, right?

probably I am missing sth


thanks again




Re: Enforcing sending domain from the inside network

2008-12-30 Thread D. Karapiperis

mouss wrote:

D. Karapiperis wrote:
  

Hi All


I have a question regarding postfix restrictions.

Is there a way for Postfix to enforce some kind of policy so that all
the outgoing (allowed) mails be " @business.com" and all the others be
rejected.
Of course this policy should be enforced only to the outgoing emails
not in the incoming.

  

- if mail comes from mynetworks, require that the sender address is
*...@example.com. you can do this with a restriction class based on
check_client_access.


Thanks for the reply

I did this

mynetworks = cidr:/etc/postfix/inside_network

smtpd_restriction_classes =
    from_inside_network

from_inside_network =
    check_client_access cidr:/etc/postfix/inside_network


smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/sending-domains,
    reject_unauth_destination



/etc/postfix/inside_network
192.168.2.0/24 OK
127.0.0.0/8   OK


/etc/postfix/sending-domains
business.gr  from_inside_network

So I did a logical AND -> all clients from my network have the relay
privilege and moreover they can send e-mails only from business.gr
(hopefully)



This configuration is:

- ugly because you mix unrelated tasks. blocking relay and enforcing
outbound sender domain are two different tasks. The keywords here are:
clarity, self-documentation, maintenance, etc. some day, you may want to
allow your boss to post with his jackinthebox address, and you will edit
the "sending-domains" table. some day, you may want to allow some other
sender domains. That day, you will lose your hair trying to put ORs
inside your ANDs. De Morgan laws are hard to put in simple key-value maps.

- unsafe because if you or someone else edits sending-domains, you could
become an open relay. oh yes, bad things do happen.

- pointless. it brings nothing compared to what I suggested.


Unless you really know what you are doing and why (and even then, you
should think 3.1415... times [yeah, you'll have to do it until the last
digit of PI ;-p]),
- avoid using check_*_access before reject_unauth_destination
- use smtpd_recipient_restrictions for relay control and spam fighting
- use other restrictions to implement local policy (enforce outbound
sender domain as you want to do, make some addresses "local only", ...
etc).


PS. There is no point to reinvent built-in functionality (your
from_inside_network is exactly permit_mynetworks).


  

I need to test it on a production server.








  


Thanks for the reply.
I did the from_inside_network thing to do the logical AND regarding the 
sending domain. Is there any way to do this with permit_mynetworks?


Is there any way to permit local users (from the inside network) to send 
emails using the business domain in a clear and nice way in postfix?


thanks
Dimitris




Enforcing sending domain from the inside network

2008-12-29 Thread D. Karapiperis



Hi All


I have a question regarding postfix restrictions.

Is there a way for Postfix to enforce some kind of policy so that all
the outgoing (allowed) mails be " @business.com" and all the others be
rejected.
Of course this policy should be enforced only to the outgoing emails
not in the incoming.




- if mail comes from mynetworks, require that the sender address is
*...@example.com. you can do this with a restriction class based on
check_client_access.


Thanks for the reply

I did this

mynetworks = cidr:/etc/postfix/inside_network

smtpd_restriction_classes =
    from_inside_network

from_inside_network =
    check_client_access cidr:/etc/postfix/inside_network


smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/sending-domains,
    reject_unauth_destination



/etc/postfix/inside_network
192.168.2.0/24 OK
127.0.0.0/8   OK


/etc/postfix/sending-domains
business.gr  from_inside_network

So I did a logical AND -> all clients from my network have the relay
privilege and moreover they can send e-mails only from business.gr 
(hopefully)

I need to test it on a production server.





(no subject)

2008-12-28 Thread D. Karapiperis

Hi All

I have a question regarding postfix restrictions.

Is there a way for Postfix to enforce some kind of policy so that all
the outgoing (allowed) mails be " @business.com" and all the others be rejected.
Of course this policy should be enforced only to the outgoing emails
not in the incoming.

I think that smtpd_*_restrictions regard all the e-mails
(outgoing,incoming) and simply check the RCPT TO and MAIL FROM
statements. Correct?

Thanks in advance