I'm using postfix:

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf,
    reject_invalid_helo_hostname,
    reject_unknown_reverse_client_hostname,
    reject_unauth_destination
I think it is there that I can restrict. Do you know how I can do it?

Regards,
Pedro Antunes

On 25/01/2019, 19:39, "Pedro Antunes" <pantu...@suroot.pt> wrote:

How can I check it? I'm using mailcow with dovecot.

Thanks in advance,
Pedro Antunes

On 25/01/2019, 18:13, "Christoph Kreutzer" <kreutzer.christ...@gmail.com> wrote:

Hi Pedro,

Do you use Postfix as MTA? Then it should be possible. Actually, you can do quite the same with any other lookup instead of LDAP (I also use one regexp as you can see): http://www.postfix.org/DATABASE_README.html#types

If your user source is e.g. MySQL or Postgres, you can use that, too. Or as the easiest forms in files there are the hash and texthash types. So if you want to replace my ldap-internal_user_lookup.cf, you could use a file of allowed senders in the following format (type texthash):

us...@example.com OK
us...@example.com OK

ldap-check_recipient_access.cf is the same, but you should have a list that returns, so like:

li...@example.com internal_user_lookup
li...@example.com internal_user_lookup

Instead of texthash, it is usually better to use hash. For texthash, you need to reload postfix to make it pick up the changes. For hash, you only need to run postmap on the file (see the doc above).

Best regards,
Christoph

> On 25.01.2019 at 17:24, Pedro Antunes <pantu...@suroot.pt> wrote:
>
> Thanks for your help.
>
> Without LDAP, can I restrict senders?
>
> Is there any config file for this?
>
> Regards,
> Pedro Antunes
>
> From: Christoph Kreutzer <kreutzer.christ...@gmail.com>
> Date: Friday, 25 January 2019 at 15:59
> To: "users@sogo.nu" <users@sogo.nu>
> Cc: "pantu...@suroot.pt" <pantu...@suroot.pt>
> Subject: Re: [SOGo] Alias for all mailboxes
>
> Hi,
>
> I implemented something like that in the backend, too. I’m using OpenLDAP.
>
> I have a script (PHP CLI script as part of a Zend Framework management frontend) that uses a config file containing some LDAP searches to automatically add/remove users to/from groups based on some attributes. That part is hard to share, but it shouldn’t be too hard implementing it with some shell script if you are using the LDAP backend, too.
>
> Regarding restrictions:
> As MJ proposed, I handle that in Postfix.
>
> In main.cf, after smtpd_recipient_restrictions and smtpd_data_restrictions, there is a section:
>
> # allow setting action internal_user_lookup to disallow non-listed users as sender
> smtpd_restriction_classes =
>     internal_user_lookup
> internal_user_lookup =
>     check_sender_access ldap:/etc/postfix/ldap-internal_user_lookup.cf,
>     # reject if not successful
>     check_recipient_access regexp:/etc/postfix/regexp-check_recipient_access-reject,
>     reject
>
> ldap-internal_user_lookup.cf looks like this:
>
> # resolve all mail addresses to OK (for checking of internal users)
> query_filter = (&(|(objectClass=mailGroup)(objectClass=mailRecipient)(objectClass=inetOrgPerson))(|(mail=%s)(mailAlternateAddress=%s)(mailForwardingAddress=%s)(mailRoutingAddress=%s)))
> result_attribute = mail
> result_format = OK
> (LDAP config is missing here)
>
> regexp-check_recipient_access-reject:
>
> # the same message for all
> /^(.*)$/ 550 5.4.1 Delivery to this mailbox is not permitted for you
>
> You see the point - if the sender address is somewhere in my Directory, the LDAP result returns OK - Mail is accepted. Otherwise, it returns no result and the second check is performed.
>
> # postmap -q kreutzer.christ...@yesthatsmymail.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
> OK
> # postmap -q kreutzer.christ...@example.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
> (no result)
> # postmap -q kreutzer.christ...@example.com regexp:/etc/postfix/regexp-check_recipient_access-reject
> 550 5.4.1 Delivery to this mailbox is not permitted for you
>
> That always returns the 550 so the message will be rejected.
>
>
> But how is internal_user_lookup actually enforced? This is how I’ve got it done:
>
> ldap-check_recipient_access.cf:
>
> # get recipient policy for a mail group
> query_filter = (&(objectClass=mailGroup)(|(mail=%s)(mailAlternateAddress=%s)))
> result_attribute = mgrpBroadcasterPolicy
>
> main.cf again:
>
> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     reject_unlisted_recipient,
>     [...]
>     check_recipient_access ldap:/etc/postfix/ldap-check_recipient_access.cf,
>     reject_unverified_recipient
>
> So, for every incoming mail I make a call to that LDAP search above. If the group has the attribute mgrpBroadcasterPolicy set to internal_user_lookup (that’s the only value that will be set at the moment, otherwise it won’t exist), the defined smtpd_restriction_class is called. Which does what I described above.
>
> Hope that helps :-) The postfix docs are actually really good, but it’s complex to implement. Sometimes you just need a test setup. I got started there, I believe: http://www.postfix.org/LDAP_README.html
>
> Best regards,
> Christoph
>
>
> > On 25.01.2019 at 13:09, mj (li...@merit.unu.edu) <users@sogo.nu> wrote:
> >
> > Hi,
> >
> > On 1/25/19 3:37 AM, Pedro Antunes (pantu...@suroot.pt) wrote:
> > > Hi,
> > > How can I create a distribution list (alias) that contains all mailboxes of one domain? Is it possible?
> > > Is it possible to restrict who can send emails to one alias?
> >
> > We do this in our accounts backend (ldap/AD) by creating a group, give it an email address, and add users to it.
> >
> > Then in sogo.conf we add a specific user source, something like:
> >
> >     type = ldap;
> >     CNFieldName = displayName;
> >     IDFieldName = cn;
> >     UIDFieldName = uid;
> >     baseDN = "CN=Groups,DC=....";
> >     canAuthenticate = NO;
> >     bindDN = "cn=sogo-groups,cn=.....";
> >     bindPassword = ....;
> >     displayName = "Our groups";
> >     listRequiresDot = NO;
> >     MailFieldNames = (mail, otherMailbox, proxyAddresses);
> >     id = ad-mail-groups;
> >     isAddressBook = YES;
> >     port = 389;
> >     scope = "SUB";
> >     filter = "(objectClass=group)";
> >
> > You also need to configure postfix to handle these same groups.
> >
> > About restrictions: I guess I'd look at the postfix side of things for restrictions. But I don't have an answer ready for you.
> >
> > MJ
> > --
> > users@sogo.nu
> > https://inverse.ca/sogo/lists

--
users@sogo.nu
https://inverse.ca/sogo/lists
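The thread describes a Postfix restriction class (internal_user_lookup) that is triggered by a check_recipient_access lookup on a list address and then accepts the mail only if check_sender_access finds the envelope sender in an allow list, otherwise rejecting it through a catch-all regexp map. The following added example (not code from the thread, mailcow, SOGo or Postfix) models that evaluation order in Python so the logic can be traced offline: it parses the hash/texthash map syntax Christoph suggests as the LDAP replacement, parses the regexp map, and walks a restriction list the way smtpd does (first PERMIT or REJECT wins, a map with no result is skipped, a restriction class is evaluated as a nested list). The map paths, the addresses and the table contents are constructed for the example; the lookup is done on the full address only, whereas real Postfix also tries the domain and localpart forms.

```python
import re

# Constructed sample maps in Postfix texthash/hash source syntax
# (key, whitespace, value; '#' starts a comment). Addresses are made up.
INTERNAL_USERS = """\
# senders allowed to post to restricted lists (stands in for ldap-internal_user_lookup.cf)
alice@example.com  OK
bob@example.com    OK
"""

RESTRICTED_LISTS = """\
# recipients whose lookup hands control to the restriction class
everyone@example.com  internal_user_lookup
staff@example.com     internal_user_lookup
"""

REJECT_ALL = """\
# regexp map: the same message for every recipient
/^(.*)$/  550 5.4.1 Delivery to this mailbox is not permitted for you
"""


def parse_texthash(text):
    """Parse a texthash/hash source file into a dict; keys are case-folded
    the way Postfix folds lookup keys for address maps."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("map line needs a key and a value: %r" % line)
        table[parts[0].lower()] = parts[1].strip()
    return table


def parse_regexp_map(text):
    """Parse a regexp map ('/pattern/ result' lines) into (compiled, result) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/\s+(.+)$", line)
        if not m:
            raise ValueError("bad regexp map line: %r" % line)
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def lookup(table, key):
    """Return the map result for key, or None when the map has no result."""
    if isinstance(table, dict):
        return table.get(key.lower())
    for pattern, result in table:
        if pattern.search(key):
            return result
    return None


# Hypothetical map names and restriction lists, written out as they would sit in main.cf.
MAPS = {
    "hash:/etc/postfix/internal_users": parse_texthash(INTERNAL_USERS),
    "hash:/etc/postfix/restricted_lists": parse_texthash(RESTRICTED_LISTS),
    "regexp:/etc/postfix/reject_all": parse_regexp_map(REJECT_ALL),
}
RESTRICTION_CLASSES = {
    "internal_user_lookup": [
        "check_sender_access hash:/etc/postfix/internal_users",
        "check_recipient_access regexp:/etc/postfix/reject_all",
        "reject",
    ],
}
SMTPD_RECIPIENT_RESTRICTIONS = [
    "permit_sasl_authenticated",
    "permit_mynetworks",
    "check_recipient_access hash:/etc/postfix/restricted_lists",
]


def evaluate(restrictions, sender, recipient, sasl=False, mynetworks=False):
    """Walk one restriction list in order. Returns (verdict, reason); the verdict
    DUNNO means the list ended without deciding, so the caller continues."""
    for r in restrictions:
        if r == "permit_sasl_authenticated":
            if sasl:
                return "PERMIT", r
        elif r == "permit_mynetworks":
            if mynetworks:
                return "PERMIT", r
        elif r == "reject":
            return "REJECT", "554 5.7.1 Access denied"
        elif r.startswith(("check_sender_access ", "check_recipient_access ")):
            kind, map_name = r.split(None, 1)
            key = sender if kind == "check_sender_access" else recipient
            result = lookup(MAPS[map_name], key)  # full address only (simplification)
            if result is None:
                continue  # no result: this restriction has nothing to say
            action = result.split()[0]
            if action == "OK":
                return "PERMIT", r
            if action == "DUNNO":
                continue
            if action == "REJECT" or action[0] in "45":
                return "REJECT", result  # '5xx text' / '4xx text' is returned to the client
            if action in RESTRICTION_CLASSES:  # map result names a class: nested list
                verdict, reason = evaluate(RESTRICTION_CLASSES[action], sender, recipient, sasl, mynetworks)
                if verdict != "DUNNO":
                    return verdict, reason
                continue
            raise ValueError("unsupported access map result: %r" % result)
        else:
            raise ValueError("unsupported restriction: %r" % r)
    return "DUNNO", None


def decide(sender, recipient, sasl=False, mynetworks=False):
    """Decision for one RCPT TO; an undecided list permits, which is Postfix's
    default action at the end of smtpd_recipient_restrictions."""
    verdict, reason = evaluate(SMTPD_RECIPIENT_RESTRICTIONS, sender, recipient, sasl, mynetworks)
    return ("PERMIT", "end of list") if verdict == "DUNNO" else (verdict, reason)


if __name__ == "__main__":
    for sender, rcpt, sasl in [("stranger@other.example", "everyone@example.com", False),
                               ("alice@example.com", "everyone@example.com", False),
                               ("stranger@other.example", "carol@example.com", False),
                               ("stranger@other.example", "everyone@example.com", True)]:
        print(sender, "->", rcpt, "sasl" if sasl else "anon", decide(sender, rcpt, sasl=sasl))
```

Two things the model makes visible. First, placement matters: with permit_sasl_authenticated and permit_mynetworks ahead of the recipient check, as in Pedro's own list, authenticated users and local networks never reach the class, so the class only governs unauthenticated outside hosts. Second, check_sender_access keys on the envelope sender, which an outside host can claim freely; a forged internal address passes the allow list exactly like a genuine one. The allow list therefore only holds against honest outsiders unless the sender identity is backed by something else (SASL plus reject_sender_login_mismatch for internal users, or SPF/DMARC evaluation on inbound mail), and a stricter variant of the class for a setup where internal users always authenticate can drop the sender-address allow list entirely and keep only the reject.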