Re: reject forged emails

2010-03-25 Thread Marcio Vogel Merlone dos Santos

On 25-03-2010 05:41, Ralf Hildebrandt wrote:

* Frank Bonnet:
   

I have one domain, say domain.com and I want to reject emails
that pretend to be sent from domain.com
but are NOT into our IP range say 123.123.0.0/16
 

http://www.arschkrebs.de/postfix/postfix_incoming.shtm


Hi Ralf,

It seemed so simple and efficient I couldn't resist implementing it. It 
worked as expected at first, but some apparently random legitimate 
messages get refused by that rule. Can you help me? I use postfix 
2.5.1-2ubuntu1.2 on an Ubuntu 8.10 LTS box with pam_ldap (if that matters).


Excerpt from main.cf; I did it with /etc/postfix/fakea1:

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/freemail_access
    check_recipient_access hash:/etc/postfix/rfc,
    check_recipient_access pcre:/etc/postfix/inativos_pcre,
        hash:/etc/postfix/inativos
    check_sender_access pcre:/etc/postfix/access_pcre,
        hash:/etc/postfix/access,
        hash:/etc/postfix/fakea1
    check_client_access hash:/etc/postfix/access,
        cidr:/etc/postfix/cidr
    reject_invalid_hostname
    reject_unauth_pipelining
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.njabl.org
    reject_rbl_client b.barracudacentral.org
    check_policy_service inet:127.0.0.1:6
    permit

Some relevant info and confs regarding reject_unauth_destination:

r...@jupiter:/etc/postfix# postconf relay_domains mydestination
relay_domains = $mydestination
mydestination = ldap:/etc/postfix/ldaptransport.cf
r...@jupiter:/etc/postfix# cat /etc/postfix/ldaptransport.cf
server_host = ldap://192.168.0.xxx
  ldap://192.168.0.xxx
search_base = ou=domains,dc=xxx
bind = no
query_filter = (&(cn=%s)(objectclass=transportTable))
result_attribute = transport
r...@jupiter:/etc/postfix# ldapsearch -x -b "ou=domains,dc=xxx" "(&(cn=a1.ind.br)(objectclass=transportTable))"

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&(cn=a1.ind.br)(objectclass=transportTable))
# requesting: ALL
#

# a1.ind.br, domains, a1.ind
dn: cn=a1.ind.br,ou=domains,dc=xxx
objectClass: top
objectClass: transportTable
cn: a1.ind.br
transport: smtp:[smtp.a1.ind.br]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
r...@jupiter:/etc/postfix# cat fakea1
a1.ind.br   554 Utilize http://webmail.a1.ind.br ou o servidor autenticado.

r...@jupiter:/etc/postfix#

Before you ask, I did postmap 'fakea1' and reloaded postfix :)
And finally the evidence:

Mar 25 15:06:22 jupiter postfix/smtpd[17453]: NOQUEUE: reject: RCPT from hm2223.locaweb.com.br[200.234.196.45]: 554 5.7.1 : Recipient address rejected: Utilize http://webmail.a1.ind.br ou o servidor autenticado.; from= to= proto=ESMTP helo=


Have I missed something? What's wrong? Thanks and best regards.

--
Marcio Merlone



Question about restriction class (AD LDAP)

2018-10-09 Thread Marcio Vogel Merlone dos Santos

Hi all,

I have to implement a restriction class as per 
http://www.postfix.org/RESTRICTION_CLASS_README.html to protect some 
internal aliases, allowing just selected users to send mail to them. The 
initial idea is to create a security group (called PSIU below) inside AD 
(Samba 4.7) and put the granted people there. I went this way:


main.cf:

smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access ldap:/etc/postfix/adinsidersok.cf, reject


smtpd_recipient_restrictions =
    ...
    check_recipient_access ldap:/etc/postfix/adinsiders.cf,

    ...


adinsiders.cf defines the aliases to protect:

server_host = ldap://addc
bind_dn = CN=postfix,OU=Sistemas,DC=tld
bind_pw = xxx
search_base = OU=MailAliases,DC=tld
query_filter    = (mail=%s)
result_attribute    = msDS-AzApplicationData

On msDS-AzApplicationData attribute I have "insiders_only" for some 
aliases. This is fine.


adinsidersok.cf defines who can use those protected aliases:

server_host = ldap://addc
bind_dn = CN=postfix,OU=Sistemas,DC=tld
bind_pw = xxx
search_base = CN=PSIU,OU=Sistemas,DC=tld
query_filter    = (member=%s)
result_attribute    = memberOf

This is where I'm stuck. To start with, the "member" attribute contains a 
DN, not a mail address, so how do I return 'OK' for those people?


What approach do you guys use in cases like this to keep everything 
inside LDAP? What do you recommend?


Thank you all, best regards.


--
*Marcio Merlone*


Re: Question about restriction class (AD LDAP)

2018-10-09 Thread Marcio Vogel Merlone dos Santos

Hi Viktor,

Thank you for your answer. Do you have any direction I could follow to 
achieve my end goal, controlling who can send mail to some addresses with 
data from LDAP? Any hint or idea is helpful.


Thanks, best regards.


On 09/10/2018 11:57, Viktor Dukhovni wrote:

What you're trying to do can't be done with Postfix access(5)
tables.  You're trying to encode a pair of lookup keys, the
sender and the receiving alias into a single query, so that
different receiving aliases can have different allowed senders.

Postfix has only single-key queries.  If a single set of
authorized senders across all the aliases will not do,
you need one restriction class per-alias, or will need
to move the lookups into a policy service, which can do
multi-key lookups.


On Oct 9, 2018, at 10:19 AM, Marcio Vogel Merlone dos Santos wrote:

I have to implement a restriction class as per 
http://www.postfix.org/RESTRICTION_CLASS_README.html to protect some internal 
aliases, allowing just selected users to send mails to. Initial idea is to 
create a security group (called PSIU below) inside AD (Samba 4.7) and put 
granted people there. I went this way:

main.cf:

smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access ldap:/etc/postfix/adinsidersok.cf, reject

smtpd_recipient_restrictions =
 ...
 check_recipient_access ldap:/etc/postfix/adinsiders.cf,

 ...



adinsiders.cf defines the aliases to protect:

server_host = ldap://addc
bind_dn = CN=postfix,OU=Sistemas,DC=tld
bind_pw = xxx
search_base = OU=MailAliases,DC=tld
query_filter= (mail=%s)
result_attribute= msDS-AzApplicationData

On msDS-AzApplicationData attribute I have "insiders_only" for some aliases. 
This is fine.

adinsidersok.cf defines who can use those protected aliases:

server_host = ldap://addc
bind_dn = CN=postfix,OU=Sistemas,DC=tld
bind_pw = xxx
search_base = CN=PSIU,OU=Sistemas,DC=tld
query_filter= (member=%s)
result_attribute= memberOf




--
*Marcio Merlone*
IT - Network Administrator

*A1 Engenharia - Unidade Corporativa*
Phone:  +55 41 3616-3797
Mobile: +55 41 99689-0036

https://a1.ind.br/
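The policy-service route Viktor points to, as an added example that is not code from this thread or from Postfix itself: a minimal SMTPD policy server in Python that makes one decision from the sender, recipient, client address and SASL login together, which is exactly what a single-key access(5) table cannot do. It covers both goals discussed on this page: refusing mail that claims the local domain from an unauthenticated client outside the trusted network (the first post), and restricting who may write to a protected alias (the restriction-class question). The domain, network range, alias allow-list and listening port are constructed stand-ins; in a real deployment those tables would be filled from LDAP/AD.

```python
"""Minimal Postfix SMTPD policy service (added example; assumptions marked)."""
import ipaddress
import socketserver

# --- constructed stand-ins for the LDAP/AD lookups (assumptions, not the poster's data) ---
LOCAL_DOMAIN = "example.com"                            # the domain we do not want forged
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # our own IP range
# protected alias -> senders permitted to write to it (stands in for the AD group)
INSIDERS_ONLY = {
    "all-staff@example.com": {"ceo@example.com", "hr@example.com"},
}
REJECT_FORGED = "REJECT Use the authenticated submission server for this domain"
REJECT_INSIDERS = "REJECT This address accepts mail from authorized senders only"


def parse_policy_request(text):
    """Parse one policy request: 'name=value' lines, terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def _domain(address):
    return address.rpartition("@")[2].lower()


def _client_is_trusted(client_address):
    try:
        ip = ipaddress.ip_address(client_address)
    except ValueError:          # empty or non-IP value: treat as untrusted
        return False
    return any(ip in net for net in TRUSTED_NETS)


def decide(attrs):
    """Combine sender, recipient, client address and SASL login into one verdict."""
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    authenticated = bool(attrs.get("sasl_username"))
    # Check 1: envelope sender in our domain, but the client is neither inside
    # our network nor authenticated -> treated as forged.
    if (_domain(sender) == LOCAL_DOMAIN and not authenticated
            and not _client_is_trusted(attrs.get("client_address", ""))):
        return REJECT_FORGED
    # Check 2: recipient is a protected alias -> sender must be on its list.
    allowed = INSIDERS_ONLY.get(recipient)
    if allowed is not None and sender not in allowed:
        return REJECT_INSIDERS
    return "DUNNO"              # no opinion; later restrictions decide


def format_policy_response(action):
    """Postfix expects 'action=<verdict>' followed by an empty line."""
    return "action=%s\n\n" % action


class PolicyHandler(socketserver.StreamRequestHandler):
    """Answer requests on one connection until the smtpd closes it."""
    def handle(self):
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return          # smtpd went away
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break           # end of one request
                lines.append(line)
            if not lines:
                continue
            attrs = parse_policy_request("\n".join(lines))
            self.wfile.write(format_policy_response(decide(attrs)).encode())
            self.wfile.flush()


if __name__ == "__main__":
    # main.cf (assumed port): check_policy_service inet:127.0.0.1:10040
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

Wire it in with check_policy_service inet:127.0.0.1:10040 placed after permit_mynetworks and reject_unauth_destination, in the same position the first post's configuration uses. Check 1 has the same blind spot as a check_sender_access rule keyed on the domain: mail that legitimately carries your domain in the envelope sender but arrives through a third-party relay (a forwarder, a hosting provider, a mailing list) is rejected too, so the client_address and sasl_username attributes are where exceptions belong, and returning DUNNO while logging what would have been rejected is the safer first rollout.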