Re: Enforcing sending domain from the inside network

2008-12-31 Thread mouss
D. Karapiperis wrote:
> 
> Open relay will not take place if the checks are included on
> smtpd_sender_restrictions?



an OK in smtpd_sender_restrictions does not skip
smtpd_recipient_restrictions, and the relay check is done in the latter
(reject_unauth_destination).


Re: Enforcing sending domain from the inside network

2008-12-31 Thread D. Karapiperis

mouss wrote:
> D. Karapiperis wrote:
>> Wietse Venema wrote:
>>> Since he asked for a "nice" way to specify this in Postfix, a "nice"
>>> implementation of this would look like this:
>>>
>>> /etc/postfix/main.cf:
>>> smtpd_sender_restrictions = permit_mydomain, reject_mynetworks
>>>
>>> Where the details are hidden by restriction classes:
>>>
>>> /etc/postfix/main.cf:
>>> restriction_classes = permit_mydomain, reject_mynetworks
>>> permit_mydomain = check_sender_access hash:/etc/postfix/sender_access
>>> reject_mynetworks = check_client_access cidr:/etc/postfix/client_access.cidr
>>>
>>> hash:/etc/postfix/sender_access
>>> example.com permit
>>>
>>> /etc/postfix/client_access.cidr
>>> 192.168.0.0/24 reject must send mail as u...@example.com
>>>
>>> Note that moving this into smtpd_recipient_restrictions would
>>> make this an open relay, as anyone can claim to have a sender
>>> address in your domain.
>>>
>>> Wietse
>>
>> Many thanks for your replies, you really help a lot.
>>
>> I cannot understand why if we move the statement on the
>> smtpd_recipient_restrictions will end up on open relay.
>> Again check_sender_access will examine the MAIL FROM right?
>> and the client access the IP, right?
>
> permit_mydomain returns a "permit", so the message is accepted and no
> further checks are done. in particular, reject_unauth_destination is
> skipped.
>
> in short, if a spammer forges a sender and sends as j...@example.com, the
> message is accepted even if it goes to an external domain. and this is an
> open relay.

Open relay will not take place if the checks are included on
smtpd_sender_restrictions?

Re: Enforcing sending domain from the inside network

2008-12-30 Thread mouss
D. Karapiperis wrote:
> Wietse Venema wrote:
>> Since he asked for a "nice" way to specify this in Postfix, a "nice"
>> implementation of this would look like this:
>>
>> /etc/postfix/main.cf:
>> smtpd_sender_restrictions = permit_mydomain, reject_mynetworks
>> 
>> Where the details are hidden by restriction classes:
>>
>> /etc/postfix/main.cf:
>> restriction_classes = permit_mydomain, reject_mynetworks
>> permit_mydomain = check_sender_access hash:/etc/postfix/sender_access
>> reject_mynetworks = check_client_access cidr:/etc/postfix/client_access.cidr
>>
>> hash:/etc/postfix/sender_access
>> example.com permit
>>
>> /etc/postfix/client_access.cidr
>> 192.168.0.0/24 reject must send mail as u...@example.com
>>
>> Note that moving this into smtpd_recipient_restrictions would
>> make this an open relay, as anyone can claim to have a sender
>> address in your domain.
>>
>> Wietse
>>   
> 
> Many thanks for your replies, you really help a lot.
> 
> I cannot understand why if we move the statement on the
> smtpd_recipient_restrictions will end up on open relay.
> Again check_sender_access will examine the MAIL FROM right?
> and the client access the IP, right?
> 

permit_mydomain returns a "permit", so the message is accepted and no
further checks are done. in particular, reject_unauth_destination is
skipped.

in short, if a spammer forges a sender and sends as j...@example.com, the
message is accepted even if it goes to an external domain. and this is an
open relay.

Re: Enforcing sending domain from the inside network

2008-12-30 Thread D. Karapiperis

Wietse Venema wrote:
> Since he asked for a "nice" way to specify this in Postfix, a "nice"
> implementation of this would look like this:
>
> /etc/postfix/main.cf:
> smtpd_sender_restrictions = permit_mydomain, reject_mynetworks
>
> Where the details are hidden by restriction classes:
>
> /etc/postfix/main.cf:
> restriction_classes = permit_mydomain, reject_mynetworks
> permit_mydomain = check_sender_access hash:/etc/postfix/sender_access
> reject_mynetworks = check_client_access cidr:/etc/postfix/client_access.cidr
>
> hash:/etc/postfix/sender_access
> example.com permit
>
> /etc/postfix/client_access.cidr
> 192.168.0.0/24 reject must send mail as u...@example.com
>
> Note that moving this into smtpd_recipient_restrictions would
> make this an open relay, as anyone can claim to have a sender
> address in your domain.
>
> Wietse

Many thanks for your replies, you really help a lot.

I cannot understand why if we move the statement on the
smtpd_recipient_restrictions will end up on open relay.

Again check_sender_access will examine the MAIL FROM right?
and the client access the IP, right?

probably I am missing something

thanks again


Re: Enforcing sending domain from the inside network

2008-12-30 Thread Wietse Venema
Victor Duchovni:
> On Tue, Dec 30, 2008 at 12:38:38PM -0500, Wietse Venema wrote:
> 
> > For example
> > 
> > /etc/postfix/main.cf:
> > smtpd_sender_restrictions =
> >   check_sender_access hash:/etc/postfix/sender_access
> >   check_client_access pcre:/etc/postfix/client_access.pcre
> > 
> > hash:/etc/postfix/sender_access
> > example.com permit
> > 
> > /etc/postfix/client_access.pcre
> > 192.168.0.0/24 reject must send mail as u...@example.com
> 
> Note the "typo", Wietse meant "cidr:" but the fingers typed "pcre:".

Indeed.

Since he asked for a "nice" way to specify this in Postfix, a "nice"
implementation of this would look like this:

/etc/postfix/main.cf:
smtpd_sender_restrictions = permit_mydomain, reject_mynetworks

Where the details are hidden by restriction classes:

/etc/postfix/main.cf:
restriction_classes = permit_mydomain, reject_mynetworks
permit_mydomain = check_sender_access hash:/etc/postfix/sender_access
reject_mynetworks = check_client_access cidr:/etc/postfix/client_access.cidr

hash:/etc/postfix/sender_access
example.com permit

/etc/postfix/client_access.cidr
192.168.0.0/24 reject must send mail as u...@example.com

Note that moving this into smtpd_recipient_restrictions would
make this an open relay, as anyone can claim to have a sender
address in your domain.

Wietse
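The two layouts Wietse contrasts above (policy checks in smtpd_sender_restrictions versus the same checks moved in front of reject_unauth_destination) are easy to misjudge by reading, so here is an added Python model of how Postfix walks its restriction lists. It is not code from the thread and not Postfix source; it assumes the simplified rules stated in the docstring (first permit/reject ends a list, an exhausted list means permit, a permit in one list does not skip the next list, and check_sender_access matches on the sender's domain only). The tables, network ranges and session addresses are constructed to match the thread's /etc/postfix examples.

```python
"""Toy model of Postfix smtpd_*_restrictions evaluation (added example,
not Postfix code). Shows why the sender-domain policy is safe in
smtpd_sender_restrictions and becomes an open relay once it is placed
ahead of reject_unauth_destination in smtpd_recipient_restrictions.

Simplifying assumptions:
  - a restriction yields PERMIT, REJECT or DUNNO; the first PERMIT or
    REJECT ends the list it is in; an exhausted list counts as PERMIT;
  - a PERMIT in one list does not skip the later lists; only REJECT
    ends the evaluation for this recipient;
  - check_sender_access looks up only the sender's domain (real Postfix
    also tries the full address, parent domains and localpart@).
"""
import ipaddress

PERMIT, REJECT, DUNNO = "permit", "reject", "dunno"

# Constructed tables modelled on the thread's examples.
SENDER_ACCESS = {"example.com": PERMIT}  # hash:/etc/postfix/sender_access
CLIENT_ACCESS = [(ipaddress.ip_network("192.168.0.0/24"), REJECT)]  # cidr:/etc/postfix/client_access.cidr
MYNETWORKS = [ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("127.0.0.0/8")]
MYDESTINATION = {"example.com"}


class Session:
    """The three facts the restrictions below inspect for one RCPT TO."""
    def __init__(self, client_ip, sender, recipient):
        self.client = ipaddress.ip_address(client_ip)
        self.sender = sender.lower()
        self.recipient = recipient.lower()


def domain_of(address):
    return address.rsplit("@", 1)[-1]


# Individual restrictions, named after their Postfix counterparts.
def check_sender_access(s):
    return SENDER_ACCESS.get(domain_of(s.sender), DUNNO)

def check_client_access(s):
    for net, action in CLIENT_ACCESS:
        if s.client in net:
            return action
    return DUNNO

def permit_mynetworks(s):
    return PERMIT if any(s.client in net for net in MYNETWORKS) else DUNNO

def reject_unauth_destination(s):
    return DUNNO if domain_of(s.recipient) in MYDESTINATION else REJECT


def run_list(restrictions, s):
    """First non-DUNNO verdict wins; an exhausted list is an implicit permit."""
    for restriction in restrictions:
        verdict = restriction(s)
        if verdict != DUNNO:
            return verdict
    return PERMIT

def smtpd_decision(stages, s):
    """stages = [smtpd_sender_restrictions, smtpd_recipient_restrictions]."""
    for restrictions in stages:
        if run_list(restrictions, s) == REJECT:
            return REJECT
    return PERMIT


# Wietse's layout: policy in sender restrictions, relay control left alone.
SAFE = [
    [check_sender_access, check_client_access],       # permit_mydomain, reject_mynetworks
    [permit_mynetworks, reject_unauth_destination],   # stock relay control
]

# The layout the thread warns against: the same policy moved into
# smtpd_recipient_restrictions, ahead of reject_unauth_destination.
MOVED = [
    [],
    [check_sender_access, check_client_access, permit_mynetworks, reject_unauth_destination],
]

# Constructed sessions: two internal clients, one outside relay attempt, one inbound delivery.
SESSIONS = {
    "inside_ok":    Session("192.168.0.10", "user@example.com", "friend@external.net"),
    "inside_bad":   Session("192.168.0.10", "user@other.example", "friend@external.net"),
    "forged_relay": Session("203.0.113.7", "boss@example.com", "victim@external.net"),
    "inbound":      Session("203.0.113.7", "anyone@elsewhere.example", "user@example.com"),
}

def verdicts(stages):
    return {name: smtpd_decision(stages, s) for name, s in SESSIONS.items()}

if __name__ == "__main__":
    for label, stages in (("sender_restrictions", SAFE), ("recipient_restrictions", MOVED)):
        print(label, verdicts(stages))
```

With the SAFE layout the forged session is rejected because the sender-list permit only ends that list and reject_unauth_destination still runs; with MOVED the same session is accepted, which is exactly the open relay Wietse describes. The model can also be used to vet other orderings before touching a production main.cf.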


Re: Enforcing sending domain from the inside network

2008-12-30 Thread Victor Duchovni
On Tue, Dec 30, 2008 at 12:38:38PM -0500, Wietse Venema wrote:

> For example
> 
> /etc/postfix/main.cf:
> smtpd_sender_restrictions =
>   check_sender_access hash:/etc/postfix/sender_access
>   check_client_access pcre:/etc/postfix/client_access.pcre
> 
> hash:/etc/postfix/sender_access
> example.com   permit
> 
> /etc/postfix/client_access.pcre
> 192.168.0.0/24 reject must send mail as u...@example.com

Note the "typo", Wietse meant "cidr:" but the fingers typed "pcre:".

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Enforcing sending domain from the inside network

2008-12-30 Thread mouss
Wietse Venema wrote:
> D. Karapiperis:
>> I did the from_inside_network thing to do the logical AND regarding the 
>> sending domain. Is there any way to do this woth permit_mynetworks?
>>
>> Is there any way to permit local users (from the inside network) to send 
>> emails using the business domain in a clear and nice way in postfix?
> 
> For this you would need
> 
> smtpd_sender_restrictions =
>   check_sender_access [table that maps your domain -> permit]
>   reject_mynetworks
> 
> But, since reject_mynetworks is not implemented, you end up
> implementing it yourself:
> 
> smtpd_sender_restrictions =
>   check_sender_access [table that maps your domain -> permit]
>   check_client_access [table that maps your networks -> reject]
> 
> For example
> 
> /etc/postfix/main.cf:
> smtpd_sender_restrictions =
>   check_sender_access hash:/etc/postfix/sender_access
>   check_client_access pcre:/etc/postfix/client_access.pcre
> 
> hash:/etc/postfix/sender_access
> example.com   permit
> 
> /etc/postfix/client_access.pcre
> 192.168.0.0/24 reject must send mail as u...@example.com
> 

I guess you meant cidr, not pcre.

and in my post, I meant cidr, not hash.

Re: Enforcing sending domain from the inside network

2008-12-30 Thread mouss
D. Karapiperis wrote:
> I did the from_inside_network thing to do the logical AND regarding the
> sending domain.

A "logical AND" can be replaced by a sequence. and a sequence is easier
to manage (in the mind, on paper, ...).

> Is there any way to do this woth permit_mynetworks?
> 

to do what? I already posted a config that answers your need. here it is
again:

smtpd_sender_restrictions =
  check_sender_access hash:/etc/postfix/outbound_sender
  reject_unauth_destination


== outbound_sender
example.com OK



> Is there any way to permit local users (from the inside network) to send
> emails using the business domain in a clear and nice way in postfix?
> 

I guess you mean implement something like:

if (client is in mynetworks) then sender must be in *...@example.com

this can be written as:

if ((client is in mynetworks) and (sender is not in *...@example.com)) then
reject

which in turn can be restated as a sequence:

1- if sender is *...@example.com, then pass
2- if client is in mynetworks, then reject

and this is easily implemented with:

smtpd_client_restrictions =
  check_sender_access hash:/etc/postfix/allow_our_domain
  check_client_access hash:/etc/postfix/reject_mynetworks


== allow_our_domain
example.com OK

== reject_mynetworks
10.1.2.0/24 REJECT you must use an address in @example.com

if you already have checks under smtpd_client_restrictions, then use
smtpd_helo_restrictions or smtpd_sender_restrictions (whichever is
empty). but don't use smtpd_recipient_restrictions (it is possible, but
an error there makes you an open relay). if no restriction is empty,
you'll need restriction classes. if it's the case, show your full config
(all restrictions and restriction classes).


while you could use a single map for both "reject_mynetworks" and
mynetworks, it is not wise (as I said before, one day, you will edit
something and the world will break all of a sudden). better use a script
to generate both files from a single source file (you can use a Makefile
that you could use for other map management tasks).
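mouss's last paragraph recommends generating the mynetworks table and the "reject_mynetworks" table from one source so they cannot drift apart. The following added Python script does that; it is not from the thread or from Postfix. The source-list format, the output names inside_network.cidr and reject_mynetworks.cidr, and the domain example.com are constructed placeholders. Both outputs are cidr: tables, which Postfix reads directly (no postmap step), and every entry is validated before anything is written, so a typo fails the build instead of silently widening or narrowing either table.

```python
"""Generate the two CIDR tables behind mynetworks and the
reject_mynetworks check from a single list of internal networks.
Added example; file names, domain and network list are constructed.
"""
import ipaddress
from pathlib import Path

# Constructed single source of truth: one network per line, '#' starts a comment.
INTERNAL_NETWORKS_SRC = """\
# internal networks (constructed example)
192.168.2.0/24
127.0.0.0/8
"""

def parse_networks(text):
    """Validate every entry; a malformed line must fail loudly."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True rejects host bits set (e.g. 10.0.0.1/8), a common typo
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise SystemExit(f"line {lineno}: {line!r}: {exc}")
    return nets

def render_tables(nets, domain):
    """Return (mynetworks_table, reject_table) as cidr: map text with identical keys."""
    permit = "".join(f"{n}\tOK\n" for n in nets)
    reject = "".join(f"{n}\tREJECT you must use an address in @{domain}\n" for n in nets)
    return permit, reject

def write_tables(src_text, domain, outdir):
    """Write both tables; referenced from main.cf as
    mynetworks = cidr:<outdir>/inside_network.cidr and
    check_client_access cidr:<outdir>/reject_mynetworks.cidr (names are assumed)."""
    nets = parse_networks(src_text)
    permit, reject = render_tables(nets, domain)
    outdir = Path(outdir)
    (outdir / "inside_network.cidr").write_text(permit)
    (outdir / "reject_mynetworks.cidr").write_text(reject)
    return nets

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for net in write_tables(INTERNAL_NETWORKS_SRC, "example.com", target):
        print("added", net)
```

Run it from a Makefile rule whose prerequisite is the source list, so both tables are regenerated together whenever the list changes; since cidr: tables are plain text, no postmap step is needed afterwards, only a postfix reload.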

Re: Enforcing sending domain from the inside network

2008-12-30 Thread Wietse Venema
D. Karapiperis:
> I did the from_inside_network thing to do the logical AND regarding the 
> sending domain. Is there any way to do this woth permit_mynetworks?
> 
> Is there any way to permit local users (from the inside network) to send 
> emails using the business domain in a clear and nice way in postfix?

For this you would need

smtpd_sender_restrictions =
  check_sender_access [table that maps your domain -> permit]
  reject_mynetworks

But, since reject_mynetworks is not implemented, you end up
implementing it yourself:

smtpd_sender_restrictions =
  check_sender_access [table that maps your domain -> permit]
  check_client_access [table that maps your networks -> reject]

For example

/etc/postfix/main.cf:
smtpd_sender_restrictions =
  check_sender_access hash:/etc/postfix/sender_access
  check_client_access pcre:/etc/postfix/client_access.pcre

hash:/etc/postfix/sender_access
example.com permit

/etc/postfix/client_access.pcre
192.168.0.0/24 reject must send mail as u...@example.com

Wietse


Re: Enforcing sending domain from the inside network

2008-12-30 Thread D. Karapiperis

mouss wrote:
> D. Karapiperis wrote:
>>> Hi All
>>>
>>> I have a question regarding postfix restrictions.
>>>
>>> Is there a way for Postfix to enforce some kind of policy so that all
>>> the outgoing (allowed) mails be " @business.com" and all the others be
>>> rejected.
>>> Of course this policy should be enforced only to the outgoing emails
>>> not in the incoming.
>>
>> - if mail comes from mynetworks, require that the sender address is
>> *...@example.com. you can do this with a restriction class based on
>> check_client_access.
>>
>> Thanks for the reply
>>
>> I did this
>>
>> mynetworks = cidr:/etc/postfix/inside_network
>>
>> smtpd_restriction_classes=
>>    from_inside_network
>>
>> from_inside_network =
>>   check_client_access cidr:/etc/postfix/inside_network
>>
>> smtpd_recipient_restrictions =
>>   check_sender_access hash:/etc/postfix/sending-domains,
>>   reject_unauth_destination
>>
>> /etc/postfix/inside_network
>> 192.168.2.0/24 OK
>> 127.0.0.0/8   OK
>>
>> /etc/postfix/sending-domains
>> business.gr  from_inside_network
>>
>> So I did a logical AND -> all clients from my network have the relay
>> privilege and moreover they can send e-mails only from business.gr
>> (hopefully)
>
> This configuration is:
>
> - ugly because you mix unrelated tasks. blocking relay and enforcing
> outbound sender domain are two different tasks. The keywords here are:
> clarity, self-documentation, maintenance, etc. some day, you may want to
> allow your boss to post with his jackinthebox address, and you will edit
> the "sending-domains" table. some day, you may want to allow some other
> sender domains. That day, you will lose your hair trying to put ORs
> inside your ANDs. De Morgan laws are hard to put in simple key-value maps.
>
> - unsafe because if you or someone else edits sending-domains, you could
> become an open relay. oh yes, bad things do happen.
>
> - pointless. it brings nothing compared to what I suggested.
>
> Unless you really know what you are doing and why (and even then, you
> should think 3.1415... times [yeah, you'll have to do it until the last
> digit of PI ;-p]),
> - avoid using check_*_access before reject_unauth_destination
> - use smtpd_recipient_restrictions for relay control and spam fighting
> - use other restrictions to implement local policy (enforce outbound
> sender domain as you want to do, make some addresses "local only", ...
> etc).
>
> PS. There is no point to reinvent built-in functionality (your
> from_inside_network is exactly permit_mynetworks).
>
>> I need to test it on a production server.

Thanks for the reply.
I did the from_inside_network thing to do the logical AND regarding the
sending domain. Is there any way to do this with permit_mynetworks?

Is there any way to permit local users (from the inside network) to send
emails using the business domain in a clear and nice way in postfix?

thanks
Dimitris


Re: Enforcing sending domain from the inside network

2008-12-29 Thread mouss
D. Karapiperis wrote:
> 
> 
> Hi All
>>
>> I have a question regarding postfix restrictions.
>>
>> Is there a way for Postfix to enforce some kind of policy so that all
>> the outgoing (allowed) mails be " @business.com" and all the others be
>> rejected.
>> Of course this policy should be enforced only to the outgoing emails
>> not in the incoming.
>>
> 
> 
> - if mail comes from mynetworks, require that the sender address is
> *...@example.com. you can do this with a restriction class based on
> check_client_access.
> 
> 
> Thanks for the reply
> 
> I did this
> 
> mynetworks = cidr:/etc/postfix/inside_network
> 
> smtpd_restriction_classes=
>from_inside_network
> 
>  from_inside_network =
>   check_client_access cidr:/etc/postfix/inside_network
> 
> 
> smtpd_recipient_restrictions =
> check_sender_access hash:/etc/postfix/sending-domains,
> reject_unauth_destination
> 
> 
> 
> /etc/postfix/inside_network
> 192.168.2.0/24 OK
> 127.0.0.0/8   OK
> 
> 
> /etc/postfix/sending-domains
> business.gr  from_inside_network
> 
> So I did a logical AND -> all clients form my network have the relay
> privilege and moreover they can send e-mails only from business.gr
> (hopefully)

This configuration is:

- ugly because you mix unrelated tasks. blocking relay and enforcing
outbound sender domain are two different tasks. The keywords here are:
clarity, self-documentation, maintenance, etc. some day, you may want to
allow your boss to post with his jackinthebox address, and you will edit
the "sending-domains" table. some day, you may want to allow some other
sender domains. That day, you will lose your hair trying to put ORs
inside your ANDs. De Morgan laws are hard to put in simple key-value maps.

- unsafe because if you or someone else edits sending-domains, you could
become an open relay. oh yes, bad things do happen.

- pointless. it brings nothing compared to what I suggested.


Unless you really know what you are doing and why (and even then, you
should think 3.1415... times [yeah, you'll have to do it until the last
digit of PI ;-p]),
- avoid using check_*_access before reject_unauth_destination
- use smtpd_recipient_restrictions for relay control and spam fighting
- use other restrictions to implement local policy (enforce outbound
sender domain as you want to do, make some addresses "local only", ...
etc).


PS. There is no point to reinvent built-in functionality (your
from_inside_network is exactly permit_mynetworks).


> I need to test it on a production server.
Re: Enforcing sending domain from the inside network

2008-12-29 Thread Victor Duchovni
On Mon, Dec 29, 2008 at 03:45:05PM +0200, D. Karapiperis wrote:

> 
> 
> Hi All
> >
> >I have a question regarding postfix restrictions.
> >
> >Is there a way for Postfix to enforce some kind of policy so that all
> >the outgoing (allowed) mails be " @business.com" and all the others be
> >rejected.
> >Of course this policy should be enforced only to the outgoing emails
> >not in the incoming.
> >
> 
> 
> - if mail comes from mynetworks, require that the sender address is
> *...@example.com. you can do this with a restriction class based on
> check_client_access.
> 
> 
> Thanks for the reply
> 
> I did this
> 
> mynetworks = cidr:/etc/postfix/inside_network
> 
> smtpd_restriction_classes=
>from_inside_network
> 
>  from_inside_network =
>   check_client_access cidr:/etc/postfix/inside_network
> 
> 
> smtpd_recipient_restrictions =
> check_sender_access hash:/etc/postfix/sending-domains,
> reject_unauth_destination
> 
> 
> 
> /etc/postfix/inside_network
> 192.168.2.0/24 OK
> 127.0.0.0/8   OK
> 
> 
> /etc/postfix/sending-domains
> business.gr  from_inside_network
> 
> So I did a logical AND -> all clients form my network have the relay 
> privilege and moreover they can send e-mails only from business.gr 
> (hopefully)
> I need to test it on a production server.

This is really broken, don't do this.

-- 
Viktor.



Enforcing sending domain from the inside network

2008-12-29 Thread D. Karapiperis

mouss wrote:
>> Hi All
>>
>> I have a question regarding postfix restrictions.
>>
>> Is there a way for Postfix to enforce some kind of policy so that all
>> the outgoing (allowed) mails be " @business.com" and all the others be
>> rejected.
>> Of course this policy should be enforced only to the outgoing emails
>> not in the incoming.
>
> - if mail comes from mynetworks, require that the sender address is
> *...@example.com. you can do this with a restriction class based on
> check_client_access.

Thanks for the reply

I did this

mynetworks = cidr:/etc/postfix/inside_network

smtpd_restriction_classes=
   from_inside_network

from_inside_network =
  check_client_access cidr:/etc/postfix/inside_network

smtpd_recipient_restrictions =
  check_sender_access hash:/etc/postfix/sending-domains,
  reject_unauth_destination

/etc/postfix/inside_network
192.168.2.0/24 OK
127.0.0.0/8   OK

/etc/postfix/sending-domains
business.gr  from_inside_network

So I did a logical AND -> all clients from my network have the relay
privilege and moreover they can send e-mails only from business.gr
(hopefully)

I need to test it on a production server.