whitelisting incoming /outgoing mail

2010-01-05 Thread Eric Williams
I've modified smtpd_recipient_restrictions to block incoming email with a 
whitelist (/etc/postfix/access) as follows:

smtpd_recipient_restrictions = 
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/access
    reject

This works great so that entries in /etc/postfix/access like: 

gmail.com   OK
harvard.edu  OK

allow incoming email from those domains, all others are rejected. 

I would like to apply the same access list so that users sending mail through 
this server can only reach those same domains. 

I've tried lots of recipient checking configs but nothing works so far. I'd 
rather not do this with the firewall, keeping the whitelist monitored by 
postfix only. 

Any suggestions? Thanks. 


Eric Williams
AIM & Email: wile...@gmail.com
Skype: wilersh






Re: whitelisting incoming /outgoing mail

2010-01-05 Thread Stan Hoeppner
Eric Williams put forth on 1/5/2010 8:02 AM:

> I would like to apply the same access list so that users sending mail through 
> this server can only reach those same domains. 
> 
> I've tried lots of recipient checking configs but nothing works so far. I'd 
> rather not do this with the firewall, keeping the whitelist monitored by 
> postfix only. 

So you want a dedicated smtp relay server that will only transfer mail between a
handful of domains?

--
Stan


Re: whitelisting incoming /outgoing mail

2010-01-05 Thread Eric Williams
On Tue, Jan 5, 2010 at 9:12 AM, Stan Hoeppner wrote:

> Eric Williams put forth on 1/5/2010 8:02 AM:
>
> > I would like to apply the same access list so that users sending mail
> through this server can only reach those same domains.
> >
> > I've tried lots of recipient checking configs but nothing works so far.
> I'd rather not do this with the firewall, keeping the whitelist monitored by
> postfix only.
>
> So you want a dedicated smtp relay server that will only transfer mail
> between a
> handful of domains?
>
> --
> Stan
>

That sounds like the correct description.

EW


Re: whitelisting incoming /outgoing mail

2010-01-05 Thread Wietse Venema
Eric Williams:
> On Tue, Jan 5, 2010 at 9:12 AM, Stan Hoeppner wrote:
> 
> > Eric Williams put forth on 1/5/2010 8:02 AM:
> >
> > > I would like to apply the same access list so that users sending mail
> > through this server can only reach those same domains.
> > >
> > > I've tried lots of recipient checking configs but nothing works so far.
> > I'd rather not do this with the firewall, keeping the whitelist monitored by
> > postfix only.
> >
> > So you want a dedicated smtp relay server that will only transfer mail
> > between a
> > handful of domains?

You could use a tool such as Fail2Ban to watch the maillog file
and update a Postfix access table.

The steps would be 

1) See if the domain is already in the Postfix access table.
2) Add the domain.
3) Rebuild the table.

Example add-domain script:

#!/bin/sh

# usage: add-domain name
# Appends "name OK" to the access table when the name is not already a key
# there, then rebuilds the hash: database so Postfix sees the new entry.

case $# in
 1) postmap -q "$1" the-postfix-access-table >/dev/null || {
        echo "$1" OK >>the-postfix-access-table
        postmap the-postfix-access-table
    };;
 *) echo Usage: $0 domainname 1>&2; exit 1;;
esac

If you handle lots of mail you will want to read and update the
database files without running postmap commands for each email
logfile record.

Wietse
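
As an added example (not Wietse's script and not anything from the Postfix project), here is the batch form that his last paragraph points at: a POSIX sh function that reads a list of domains on standard input, appends only the ones that are missing from the access table, and rebuilds the hash: database once for the whole batch instead of once per log record. The table path, the domain list and the choice to skip the rebuild when postmap is not installed are assumptions of the example.

```shell
#!/bin/sh
# add_domains TABLE   (domains on stdin, one per line)
# Appends "domain OK" for every domain not already keyed in the access table,
# then rebuilds the hash: database once for the whole batch.  Prints the number
# of entries added.  Constructed example: the table path is an assumption, and
# the postmap rebuild is skipped when postmap is not installed.
add_domains() {
    table=$1
    [ -n "$table" ] || { echo "usage: add_domains TABLE < domains" 1>&2; return 1; }
    touch "$table" || return 1

    # awk loads the existing keys from the table in BEGIN (first field of each
    # non-comment, non-continuation line; continuation lines start with blanks),
    # then reads the domain list from stdin and prints each new, lower-cased
    # domain once.  Keys are folded to lower case because postmap does the same.
    new=$(awk -v table="$table" '
        BEGIN {
            while ((getline line < table) > 0) {
                if (line == "" || line ~ /^[ \t#]/) continue
                split(line, f)
                seen[tolower(f[1])] = 1
            }
            close(table)
        }
        { d = tolower($1) }
        d != "" && !(d in seen) { seen[d] = 1; print d }')

    [ -n "$new" ] || { echo 0; return 0; }

    printf '%s\n' "$new" | while read -r d; do
        printf '%s OK\n' "$d"
    done >> "$table"

    # One rebuild per batch, not one per domain.
    if command -v postmap >/dev/null 2>&1; then
        postmap "$table" || return 1
    fi
    printf '%s\n' "$new" | wc -l | tr -d ' '
}
```

Feed it the distinct domains collected from a stretch of the maillog (for example `sort -u` over whatever field the watcher extracts) rather than calling it per line; the single postmap run at the end is what keeps the cost independent of mail volume.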


Re: whitelisting incoming /outgoing mail

2010-01-05 Thread Eric Williams

On Jan 5, 2010, at 9:57 AM, Wietse Venema wrote:

> Eric Williams:
>> On Tue, Jan 5, 2010 at 9:12 AM, Stan Hoeppner wrote:
>> 
>>> Eric Williams put forth on 1/5/2010 8:02 AM:
>>> 
>>>> I would like to apply the same access list so that users sending mail
>>>> through this server can only reach those same domains.
>>>> 
>>>> I've tried lots of recipient checking configs but nothing works so far.
>>> I'd rather not do this with the firewall, keeping the whitelist monitored by
>>> postfix only.
>>> 
>>> So you want a dedicated smtp relay server that will only transfer mail
>>> between a
>>> handful of domains?
> 
> You could use a tool such as Fail2Ban to watch the maillog file
> and update a Postfix access table.
> 
> The steps would be 
> 
> 1) See if the domain is already in the Postfix access table.
> 2) Add the domain.
> 3) Rebuild the table.
> 
> Example add-domain script:
> 
>#!/bin/sh
> 
># usage: add-domain name
> 
>case $# in
> 1) postmap -q "$1" the-postfix-access-table >/dev/null || {
>   echo "$1" OK >>the-postfix-access-table
>   postmap the-postfix-access-table
>   };;
> *) echo Usage: $0 domainame 1>&2; exit 1;;
>esac
> 
> If you handle lots of mail you will want to read and update the
> database files without running postmap commands for each email
> logfile record.
> 
>   Wietse



This is great info. I'll look into applying that in some form. 

I think what I'm still missing is the proper restriction in the 
smtpd_recipient_restrictions section to restrict the outgoing mail. 

check_sender_access hash:/etc/postfix/access 

works for incoming blocking. I haven't found the right config for the blocking. 

If it is implied in your response I apologize for my inexperience with this. 

Thanks. 

EW



Re: whitelisting incoming /outgoing mail

2010-01-05 Thread Wietse Venema
Eric Williams:
> 
> On Jan 5, 2010, at 9:57 AM, Wietse Venema wrote:
> 
> > Eric Williams:
> >> On Tue, Jan 5, 2010 at 9:12 AM, Stan Hoeppner 
> >> wrote:
> >> 
> >>> Eric Williams put forth on 1/5/2010 8:02 AM:
> >>> 
> >>>> I would like to apply the same access list so that users sending mail
> >>>> through this server can only reach those same domains.
> >>>> 
> >>>> I've tried lots of recipient checking configs but nothing works so far.
> >>> I'd rather not do this with the firewall, keeping the whitelist monitored 
> >>> by
> >>> postfix only.
> >>> 
> >>> So you want a dedicated smtp relay server that will only transfer mail
> >>> between a
> >>> handful of domains?
> > 
> > You could use a tool such as Fail2Ban to watch the maillog file
> > and update a Postfix access table.
> > 
> > The steps would be 
> > 
> > 1) See if the domain is already in the Postfix access table.
> > 2) Add the domain.
> > 3) Rebuild the table.
> > 
> > Example add-domain script:
> > 
> >#!/bin/sh
> > 
> ># usage: add-domain name
> > 
> >case $# in
> > 1) postmap -q "$1" the-postfix-access-table >/dev/null || {
> > echo "$1" OK >>the-postfix-access-table
> > postmap the-postfix-access-table
> > };;
> > *) echo Usage: $0 domainame 1>&2; exit 1;;
> >esac
> > 
> > If you handle lots of mail you will want to read and update the
> > database files without running postmap commands for each email
> > logfile record.
> > 
> > Wietse
> 
> 
> 
> This is great info. I'll look into applying that in some form. 
> 
> I think what I'm still missing is the proper restriction in the 
> smtpd_recipient_restrictions section to restrict the outgoing mail. 
> 
> check_sender_access hash:/etc/postfix/access 
> 
> works for incoming blocking. I haven't found the right config for the 
> blocking. 
> 
> If it is implied in your response I apologize for my inexperience with this. 

smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/sender_access
    reject

Wietse


Re: whitelisting incoming /outgoing mail

2010-01-05 Thread Eric Williams

On Jan 5, 2010, at 10:13 AM, Wietse Venema wrote:

> Eric Williams:
>> 
>> On Jan 5, 2010, at 9:57 AM, Wietse Venema wrote:
>> 
>>> Eric Williams:
>>>> On Tue, Jan 5, 2010 at 9:12 AM, Stan Hoeppner 
>>>> wrote:
>>>> 
>>>>> Eric Williams put forth on 1/5/2010 8:02 AM:
>>>>> 
>>>>>> I would like to apply the same access list so that users sending mail
>>>>>> through this server can only reach those same domains.
>>>>>> 
>>>>>> I've tried lots of recipient checking configs but nothing works so far.
>>>>>> I'd rather not do this with the firewall, keeping the whitelist monitored 
>>>>>> by
>>>>>> postfix only.
>>>>> 
>>>>> So you want a dedicated smtp relay server that will only transfer mail
>>>>> between a
>>>>> handful of domains?
>>> 
>>> You could use a tool such as Fail2Ban to watch the maillog file
>>> and update a Postfix access table.
>>> 
>>> The steps would be 
>>> 
>>> 1) See if the domain is already in the Postfix access table.
>>> 2) Add the domain.
>>> 3) Rebuild the table.
>>> 
>>> Example add-domain script:
>>> 
>>>   #!/bin/sh
>>> 
>>>   # usage: add-domain name
>>> 
>>>   case $# in
>>>1) postmap -q "$1" the-postfix-access-table >/dev/null || {
>>> echo "$1" OK >>the-postfix-access-table
>>> postmap the-postfix-access-table
>>> };;
>>>*) echo Usage: $0 domainame 1>&2; exit 1;;
>>>   esac
>>> 
>>> If you handle lots of mail you will want to read and update the
>>> database files without running postmap commands for each email
>>> logfile record.
>>> 
>>> Wietse
>> 
>> 
>> 
>> This is great info. I'll look into applying that in some form. 
>> 
>> I think what I'm still missing is the proper restriction in the 
>> smtpd_recipient_restrictions section to restrict the outgoing mail. 
>> 
>> check_sender_access hash:/etc/postfix/access 
>> 
>> works for incoming blocking. I haven't found the right config for the 
>> blocking. 
>> 
>> If it is implied in your response I apologize for my inexperience with 
>> this. 
> 
> smtpd_sender_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     check_sender_access hash:/etc/postfix/sender_access
>     reject
> 
>   Wietse



Thanks for the pointer. It still doesn't seem to be working to restrict 
outgoing email to a list of domains. I'll keep digging in and testing, but if 
I'm missing something very obvious please be as blunt as you like. This is my 
first attempt at these types of mods. 

Thanks.

EW




Re: whitelisting incoming /outgoing mail

2010-01-05 Thread Noel Jones

On 1/5/2010 8:02 AM, Eric Williams wrote:

I've modified smtpd_recipient_restrictions to block incoming email with a 
whitelist (/etc/postfix/access) as follows:

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/access
    reject

This works great so that entries in /etc/postfix/access like:

gmail.com   OK
harvard.edu  OK

allow incoming email from those domains, all others are rejected.

I would like to apply the same access list so that users sending mail through 
this server can only reach those same domains.

I've tried lots of recipient checking configs but nothing works so far. I'd 
rather not do this with the firewall, keeping the whitelist monitored by 
postfix only.

Any suggestions? Thanks.


add to main.cf:
smtpd_sender_restrictions =
  check_recipient_access hash:/etc/postfix/access
  permit_auth_destination
  reject

Leave your smtpd_recipient_restrictions as they are shown 
above.  This assumes the same domains are allowed for both 
incoming and outgoing, and also allows local users to send 
local mail.  If you need to block local<->local, it gets trickier.


  -- Noel Jones
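
To show why Noel's list works and what the access table actually matches, here is an added example, not Postfix code and not from any poster in this thread: a POSIX sh emulation of the access(5) lookup order and of the two restriction lists discussed above, run against a constructed copy of /etc/postfix/access. The table entries, the addresses, the use of `corp.example` as the server's own domain (standing in for mydestination) and the simplification that permit_auth_destination and reject_unauth_destination consult only that list (relay_domains is left out) are assumptions of the example.

```shell
#!/bin/sh
# Emulation of the access(5) lookup order and of the two restriction lists in
# this thread.  Constructed example, not Postfix code: the table below, the
# addresses and the domain list standing in for mydestination are assumptions.
# Against a live server the real check is: postmap -q ADDRESS hash:/etc/postfix/access

# Constructed stand-in for /etc/postfix/access (key, action).
ACCESS_TABLE='gmail.com OK
harvard.edu OK
spam.example REJECT'

# Domains this server is final destination for (stand-in for mydestination;
# the real permit_auth_destination / reject_unauth_destination also honour
# relay_domains, which this emulation leaves out).
MYDESTINATION='corp.example'

# access_lookup ADDRESS: print the action of the first matching key, as
# check_sender_access / check_recipient_access would see it.  Order per access(5):
# user@domain, domain, its parent domains (smtpd_access_maps is listed in
# parent_domain_matches_subdomains by default, so a "gmail.com" entry also
# covers mail.gmail.com), then user@.  Prints nothing and returns 1 on no match.
access_lookup() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    user=${addr%@*}
    domain=${addr#*@}
    keys="$addr $domain"
    d=$domain
    while [ "${d#*.}" != "$d" ]; do
        d=${d#*.}
        keys="$keys $d"
    done
    keys="$keys $user@"
    for k in $keys; do
        action=$(printf '%s\n' "$ACCESS_TABLE" | awk -v k="$k" '$1 == k { print $2; exit }')
        [ -n "$action" ] && { printf '%s\n' "$action"; return 0; }
    done
    return 1
}

# is_auth_destination ADDRESS: true when the recipient domain is one of ours.
is_auth_destination() {
    dom=$(printf '%s' "${1#*@}" | tr 'A-Z' 'a-z')
    for m in $MYDESTINATION; do
        [ "$dom" = "$m" ] && return 0
    done
    return 1
}

# sender_restrictions SENDER RECIPIENT: Noel's smtpd_sender_restrictions.
# The recipient is known here because, with the default smtpd_delay_reject=yes,
# the whole list is evaluated at RCPT TO time.
sender_restrictions() {
    rcpt=$2
    case $(access_lookup "$rcpt") in                          # check_recipient_access hash:/etc/postfix/access
        OK)      echo permit; return ;;
        REJECT*) echo reject; return ;;
    esac
    is_auth_destination "$rcpt" && { echo permit; return; }  # permit_auth_destination
    echo reject                                               # reject
}

# recipient_restrictions SENDER RECIPIENT CLIENT: Eric's smtpd_recipient_restrictions.
# CLIENT is "auth" (SASL-authenticated), "net" (in mynetworks) or "" (anyone else).
recipient_restrictions() {
    sender=$1; rcpt=$2; client=$3
    [ "$client" = auth ] && { echo permit; return; }         # permit_sasl_authenticated
    [ "$client" = net ]  && { echo permit; return; }         # permit_mynetworks
    is_auth_destination "$rcpt" || { echo reject; return; }  # reject_unauth_destination
    case $(access_lookup "$sender") in                        # check_sender_access hash:/etc/postfix/access
        OK)      echo permit; return ;;
        REJECT*) echo reject; return ;;
    esac
    echo reject                                               # reject
}

# session SENDER RECIPIENT CLIENT: Postfix runs the sender list before the
# recipient list; a reject in either ends the transaction, while a permit only
# ends the list it appears in.
session() {
    r=$(sender_restrictions "$1" "$2")
    [ "$r" = permit ] || { echo "$r"; return; }
    recipient_restrictions "$1" "$2" "$3"
}
```

Two things the emulation makes visible: every session passes through both lists, so inbound mail from a whitelisted domain to a local user still has to get through smtpd_sender_restrictions, which is what permit_auth_destination is there for; and a local sender writing to another local user is permitted by that same entry, which is the local<->local case Noel flags as trickier to block.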


Re: whitelisting incoming /outgoing mail

2010-01-05 Thread Eric Williams

On Jan 5, 2010, at 10:56 AM, Noel Jones wrote:

> On 1/5/2010 8:02 AM, Eric Williams wrote:
>> I've modified smtpd_recipient_restrictions to block incoming email with a 
>> whitelist (/etc/postfix/access) as follows:
>> 
>> smtpd_recipient_restrictions =
>>  permit_sasl_authenticated
>>  permit_mynetworks
>>  reject_unauth_destination
>>  check_sender_access hash:/etc/postfix/access
>>  reject
>> 
>> This works great so that entries in /etc/postfix/access like:
>> 
>> gmail.com   OK
>> harvard.edu  OK
>> 
>> allow incoming email from those domains, all others are rejected.
>> 
>> I would like to apply the same access list so that users sending mail 
>> through this server can only reach those same domains.
>> 
>> I've tried lots of recipient checking configs but nothing works so far. I'd 
>> rather not do this with the firewall, keeping the whitelist monitored by 
>> postfix only.
>> 
>> Any suggestions? Thanks.
> 
> add to main.cf:
> smtpd_sender_restrictions =
>  check_recipient_access hash:/etc/postfix/access
>  permit_auth_destination
>  reject
> 
> Leave your smtpd_recipient_restrictions as they are shown above.  This 
> assumes the same domains are allowed for both incoming and outgoing, and also 
> allows local users to send local mail.  If you need to block local<->local, 
> it gets trickier.
> 
>  -- Noel Jones

That did the trick! Thanks to all!

EW