Re: permit ip, reject domain

2013-07-08 Thread Feel Zhou
Thanks to Noel Jones.
About the IP match domain, it's working now.

/etc/postfix/main.cf
smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/enforce_ip_match_domain
smtpd_restriction_classes =
    example
example = check_sender_access hash:/etc/postfix/example.domain
    reject
/etc/postfix/enforce_ip_match_domain
IP    example
/etc/postfix/example.domain
example.com    OK

I have another restriction; it was working before.

/etc/postfix/main.cf
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_reject_addr_check
/etc/postfix/sender_reject_addr_check
badu...@example.com REJECT

After I set the IP match domain restrictions, the badsender restrictions do
not work.
How can I make both restrictions work together?
Thanks a lot



2013/6/7 Noel Jones njo...@megan.vbhcs.org

 On 6/6/2013 9:36 PM, Feel Zhou wrote:
  Thanks Noel
 
  One more thing: how do I set one IP to bind two or three domains?
 
  Thanks a lot
 
 
 ...
 
  # require_sender_A
  A.example.com  OK
  C.example.com  OK





   -- Noel Jones
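
Added example (not from any poster in this thread): a simplified Python model of Postfix's first-match evaluation, showing that when the per-address REJECT map and the IP-to-class map share one smtpd_sender_restrictions list, their order decides whether the REJECT is ever consulted. 192.0.2.10 and baduser@example.com are constructed stand-ins for the customer IP and the elided address, and the two orderings are assumptions about how the checks could be combined, not the poster's actual file.

```python
# Simplified model of first-match evaluation in smtpd_sender_restrictions.
# All table contents below are constructed sample data.
import ipaddress

CLIENT_MAP = {"192.0.2.10/32": "example"}        # enforce_ip_match_domain
DOMAIN_MAP = {"example.com": "OK"}               # example.domain
REJECT_MAP = {"baduser@example.com": "REJECT"}   # sender_reject_addr_check

# Restriction class "example": allow the listed domain, reject everything else.
CLASSES = {"example": [("sender", DOMAIN_MAP), ("reject", None)]}


def sender_lookup(table, sender):
    # access(5) order: full address first, then the domain part.
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    return table.get(sender) or table.get(domain)


def client_lookup(table, ip):
    for net, result in table.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(net):
            return result
    return None


def evaluate(restrictions, ip, sender):
    """Return 'OK', 'REJECT', or 'DUNNO' (list exhausted without a decision)."""
    for kind, table in restrictions:
        if kind == "reject":
            return "REJECT"
        if kind == "client":
            result = client_lookup(table, ip)
        else:
            result = sender_lookup(table, sender)
        if result in CLASSES:          # map result names a restriction class
            result = evaluate(CLASSES[result], ip, sender)
        if result in ("OK", "REJECT"):
            return result              # first decisive result ends the list
    return "DUNNO"


# Two possible orderings of the same two checks.
CLIENT_FIRST = [("client", CLIENT_MAP), ("sender", REJECT_MAP)]
REJECT_FIRST = [("sender", REJECT_MAP), ("client", CLIENT_MAP)]
```

In main.cf terms, REJECT_FIRST corresponds to listing check_sender_access hash:/etc/postfix/sender_reject_addr_check before check_client_access cidr:/etc/postfix/enforce_ip_match_domain.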



Re: permit ip, reject domain

2013-06-07 Thread Noel Jones
On 6/6/2013 9:36 PM, Feel Zhou wrote:
 Thanks Noel
 
 One more thing: how do I set one IP to bind two or three domains?
 
 Thanks a lot
 
 
...
 
 # require_sender_A
 A.example.com  OK
 C.example.com  OK





  -- Noel Jones


Re: permit ip, reject domain

2013-06-06 Thread Feel Zhou
Thanks to all.
I have read the document
http://www.postfix.org/RESTRICTION_CLASS_README.html
Maybe it's not what I need to set up. I don't have an internal email
distribution list, so I do not need to protect it. And I don't want to
restrict any user from sending mail to off-site destinations.

My customer has a mail system; they send mail via my postfix server.
/etc/postfix/main.cf
mynetworks = hash:/etc/postfix/mynetworks_table
/etc/postfix/mynetworks_table
IP    PERMIT

IP is my customer's IP, and they have two domains: customer.domain1 and
customer.domain2. I only want these two domains to send mail via
my postfix mail system, not any other domain. It means only the two domains
at this IP can send mail via my server; other domains will be rejected by my
server.

How can I set this in main.cf?
Thanks for your time

TOM


2013/5/31 Peter pe...@pajamian.dhs.org

 On 05/31/2013 12:34 PM, Noel Jones wrote:

 No, the client is already authorized by IP.  Adding a sender domain
 check is an additional restriction.  This is also a simple "some
 trusted IP is sending a bunch of crap" trigger.

 Good advice, but SASL is not always possible or practical. And
 solving this with SASL involves reject_sender_login_mismatch, which
 brings its own complications.


 This is all based on an interpretation of the OP's original broken English
 posts, though.  What I was seeing was something akin to, "I need to prevent
 spammers from using my server as a relay, so I'm going to stop anyone who
 doesn't have an authorized domain in the envelope sender."  You probably
 noticed something I didn't in his posts, though.


 Peter



Re: permit ip, reject domain

2013-06-06 Thread Noel Jones
On 6/6/2013 4:02 AM, Feel Zhou wrote:
 Thanks to all.
 I have read the document
 http://www.postfix.org/RESTRICTION_CLASS_README.html
 Maybe it's not what I need to set up. I don't have an internal email
 distribution list, so I do not need to protect it. And I don't want to
 restrict any user from sending mail to off-site destinations.

Read it again, that's the right tool.  If you study the examples,
you'll notice they first check one property, then check another.
That's exactly what you need.

You're supposed to use those examples to create your own rules that
first use a check_client_access map to see if the client is one of
your networks, then the result will be a restriction class that
calls a check_sender_access map.


Example:
192.168.100.0/24 must use  @A.example.com
192.168.200.0/24 must use @B.example.com

# main.cf
smtpd_restriction_classes =
   from_net_A
   from_net_B

from_net_A =
  check_sender_access hash:/etc/postfix/require_sender_A
  reject

from_net_B =
  check_sender_access hash:/etc/postfix/require_sender_B
  reject

smtpd_sender_restrictions =
  check_client_access cidr:/etc/postfix/enforce_networks.cidr

# enforce_networks.cidr
192.168.100.0/24  from_net_A
192.168.200.0/24  from_net_B

# require_sender_A
A.example.com  OK

# require_sender_B
B.example.com  OK




  -- Noel Jones


Re: permit ip, reject domain

2013-06-06 Thread Feel Zhou
Thanks Noel

One more thing: how do I set one IP to bind two or three domains?

Thanks a lot


2013/6/6 Noel Jones njo...@megan.vbhcs.org

 On 6/6/2013 4:02 AM, Feel Zhou wrote:
  Thanks to all.
  I have read the document
  http://www.postfix.org/RESTRICTION_CLASS_README.html
  Maybe it's not what I need to set up. I don't have an internal email
  distribution list, so I do not need to protect it. And I don't want to
  restrict any user from sending mail to off-site destinations.

 Read it again, that's the right tool.  If you study the examples,
 you'll notice they first check one property, then check another.
 That's exactly what you need.

 You're supposed to use those examples to create your own rules that
 first use a check_client_access map to see if the client is one of
 your networks, then the result will be a restriction class that
 calls a check_sender_access map.


 Example:
 192.168.100.0/24 must use  @A.example.com
 192.168.200.0/24 must use @B.example.com

 # main.cf
 smtpd_restriction_classes =
    from_net_A
    from_net_B

 from_net_A =
   check_sender_access hash:/etc/postfix/require_sender_A
   reject

 from_net_B =
   check_sender_access hash:/etc/postfix/require_sender_B
   reject

 smtpd_sender_restrictions =
   check_client_access cidr:/etc/postfix/enforce_networks.cidr

 # enforce_networks.cidr
 192.168.100.0/24  from_net_A
 192.168.200.0/24  from_net_B

 # require_sender_A
 A.example.com  OK

 # require_sender_B
 B.example.com  OK




   -- Noel Jones



Re: permit ip, reject domain

2013-05-30 Thread Feel Zhou
Thanks, Mikael.
I don't think that document is good for fixing this problem.
I want the sender address to match my customer's domain name.
If it does not match, it means the sender address was fake.
Thanks for your help
Tom


2013/5/30 Mikael Bak m...@inbox.lv

 On 05/30/2013 01:39 PM, Feel Zhou wrote:
 [snip]
 
  My purpose is to permit my_customer_ip to send mail via my mail server, only
  permit my customer's domain addresses to send mail, and reject any other domain
  sending mail via my_customer_ip. How can I set this in my postfix?
 
  Thanks a lot
  Tom
 

 Hi Tom,

 I think you can do this with postfix restriction classes:
 http://www.postfix.org/RESTRICTION_CLASS_README.html

 HTH,
 Mikael




Re: permit ip, reject domain

2013-05-30 Thread Noel Jones
On 5/30/2013 6:39 AM, Feel Zhou wrote:
 Hello, my friend
 
 This is Tom, I'm sending my greetings from China.
 I have used postfix for a few months. My customer sends mail via my mail
 server, so some IPs are in the mynetworks setting. For example,
 my_customer_server_ip is permitted to send mail via my server. But there is
 something serious with my postfix server.
 
 The correct log is just like this:
 May 30 08:09:01   [my_customer_server_ip] [my_customer_client_ip]
 user@mycustomer.domain - some...@example.com,
 
 The wrong log is just like this (hotmail.com and yahoo.com are the examples):
 May 29 18:05:35 , [my_customer_server_ip] [other_ip]
 any...@hotmail.com - some...@example.com,
 May 29 16:05:37 , [my_customer_server_ip] [other_ip]
 any...@yahoo.com - some...@example.com,
 
 any...@hotmail.com, any...@yahoo.com, etc. may be real addresses in the internet
 mail system, but they are not real mail accounts in my customer's mail
 system.
 
 My purpose is to permit my_customer_ip to send mail via my mail server,
 only permit my customer's domain addresses to send mail, and reject any other
 domain sending mail via my_customer_ip. How can I set this in my postfix?
 
 Thanks a lot
 Tom
 

[please don't top-post, please post plain-text only. thanks.]

Yes, restriction classes are the solution.  First use a
check_client_access map to see if the IP matches one of your
clients, chain that to a check_sender_access map that only allows
the proper sender domain.  General instructions are here:
http://www.postfix.org/RESTRICTION_CLASS_README.html
adapt the examples to your use.

Alternately, you could use a policy service such as postfwd.
http://www.postfix.org/SMTPD_POLICY_README.html
http://postfwd.org/

In any case, the check must be done in smtpd_sender_restrictions to
prevent open relay accidents, and before permit_mynetworks.



  -- Noel Jones


Re: permit ip, reject domain

2013-05-30 Thread Peter

On 05/31/2013 03:50 AM, Feel Zhou wrote:

I don't think that document is good for fixing this problem.
I want the sender address to match my customer's domain name.
If it does not match, it means the sender address was fake.


Hi Tom,

This is a bad idea, it is very easy for a spammer to spoof your 
customer's sender domain in order to relay mail through your server and 
then your server becomes not much better than an open relay.


You should look into SASL AUTH, this is a much better way for your 
customers to authenticate to your server for relaying:

http://www.postfix.org/SASL_README.html


Peter


Re: permit ip, reject domain

2013-05-30 Thread Noel Jones
On 5/30/2013 6:21 PM, Peter wrote:
 On 05/31/2013 03:50 AM, Feel Zhou wrote:
 I don't think that document is good for fixing this problem.
 I want the sender address to match my customer's domain name.
 If it does not match, it means the sender address was fake.
 
 Hi Tom,
 
 This is a bad idea, it is very easy for a spammer to spoof your
 customer's sender domain in order to relay mail through your server
 and then your server becomes not much better than an open relay.

No, the client is already authorized by IP.  Adding a sender domain
check is an additional restriction.  This is also a simple "some
trusted IP is sending a bunch of crap" trigger.

 
 You should look into SASL AUTH, this is a much better way for your
 customers to authenticate to your server for relaying:
 http://www.postfix.org/SASL_README.html

Good advice, but SASL is not always possible or practical. And
solving this with SASL involves reject_sender_login_mismatch, which
brings its own complications.


 
 
 Peter



  -- Noel Jones


Re: permit ip, reject domain

2013-05-30 Thread Peter

On 05/31/2013 12:34 PM, Noel Jones wrote:

No, the client is already authorized by IP.  Adding a sender domain
check is an additional restriction.  This is also a simple "some
trusted IP is sending a bunch of crap" trigger.

Good advice, but SASL is not always possible or practical. And
solving this with SASL involves reject_sender_login_mismatch, which
brings its own complications.


This is all based on an interpretation of the OP's original broken
English posts, though.  What I was seeing was something akin to, "I need
to prevent spammers from using my server as a relay, so I'm going to
stop anyone who doesn't have an authorized domain in the envelope
sender."  You probably noticed something I didn't in his posts, though.



Peter