I'm using postfix.

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf,
    reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname,
    reject_unauth_destination

I think it is there that I can restrict. Do you know how I can do it?

Regards,
Pedro Antunes

On 25/01/2019, 19:39, "Pedro Antunes" <pantu...@suroot.pt> wrote:

    How can I check it?
    
    I'm using mailcow with dovecot.
    
    Thanks in advance,
    Pedro Antunes
    
    On 25/01/2019, 18:13, "Christoph Kreutzer" <kreutzer.christ...@gmail.com> wrote:
    
        Hi Pedro,
        
        Do you use Postfix as MTA? Then it should be possible.
        Actually, you can do quite the same with any other lookup instead of LDAP (I also use one regexp as you can see):
        http://www.postfix.org/DATABASE_README.html#types
        
        If your user source is e.g. MySQL or Postgres, you can use that, too. Or as the easiest forms in files there are the hash and texthash types.
        
        So if you want to replace my ldap-internal_user_lookup.cf, you could use a file of allowed senders in the following format (type texthash):
        us...@example.com OK
        us...@example.com OK
        
        ldap-check_recipient_access.cf is the same, but you should have a list that returns, so like:
        li...@example.com internal_user_lookup
        li...@example.com internal_user_lookup
        
        Instead of texthash, it is usually better to use hash. For texthash, you need to reload postfix to make it pick up the changes. For hash, you only need to run postmap on the file (see the doc above).
        
        Best regards,
        Christoph
        
        > On 25.01.2019 at 17:24, Pedro Antunes <pantu...@suroot.pt> wrote:
        > 
        > Thanks for your help.
        >  
        > Without LDAP, can I restrict senders?
        >  
        > Is there any config file for this?
        >  
        > Regards,
        > Pedro Antunes
        >  
        > From: Christoph Kreutzer <kreutzer.christ...@gmail.com>
        > Date: Friday, 25 January 2019 at 15:59
        > To: "users@sogo.nu" <users@sogo.nu>
        > Cc: "pantu...@suroot.pt" <pantu...@suroot.pt>
        > Subject: Re: [SOGo] Alias for all mailboxes
        >  
        > Hi,
        > 
        > I implemented something like that in the backend, too. I’m using OpenLDAP.
        > 
        > I have a script (PHP CLI script as part of a Zend Framework management frontend) that uses a config file containing some LDAP searches to automatically add/remove users to/from groups based on some attributes. That part is hard to share, but it shouldn’t be too hard implementing it with some Shell script if you are using the LDAP backend, too.
        > 
        > Regarding restrictions:
        > As MJ proposed, I handle that in Postfix.
        > 
        > In main.cf, after smtpd_recipient_restrictions and smtpd_data_restrictions, there is a section:
        > # allow setting action internal_user_lookup to disallow non-listed users as sender
        > smtpd_restriction_classes =
        >     internal_user_lookup
        > internal_user_lookup =
        >     check_sender_access ldap:/etc/postfix/ldap-internal_user_lookup.cf,
        >     # reject if not successful
        >     check_recipient_access regexp:/etc/postfix/regexp-check_recipient_access-reject,
        >     reject
        > 
        > ldap-internal_user_lookup.cf looks like this:
        > # resolve all mail addresses to OK (for checking of internal users)
        > query_filter = (&(|(objectClass=mailGroup)(objectClass=mailRecipient)(objectClass=inetOrgPerson))(|(mail=%s)(mailAlternateAddress=%s)(mailForwardingAddress=%s)(mailRoutingAddress=%s)))
        > result_attribute = mail
        > result_format = OK
        > (LDAP config is missing here)
        > 
        > regexp-check_recipient_access-reject:
        > # the same message for all
        > /^(.*)$/        550 5.4.1 Delivery to this mailbox is not permitted for you
        > 
        > You see the point - if the sender address is somewhere in my Directory, the LDAP result returns OK - Mail is accepted. Otherwise, it returns no result and the second check is performed.
        > 
        > # postmap -q kreutzer.christ...@yesthatsmymail.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
        > OK
        > # postmap -q kreutzer.christ...@example.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
        > (no result)
        > # postmap -q kreutzer.christ...@example.com regexp:/etc/postfix/regexp-check_recipient_access-reject
        > 550 5.4.1 Delivery to this mailbox is not permitted for you
        > 
        > That always returns the 550 so the message will be rejected.
        > 
        > 
        > But how is internal_user_lookup actually enforced? This is how I’ve got it done:
        > ldap-check_recipient_access.cf:
        > # get recipient policy for a mail group
        > query_filter = (&(objectClass=mailGroup)(|(mail=%s)(mailAlternateAddress=%s)))
        > result_attribute = mgrpBroadcasterPolicy
        > 
        > main.cf again:
        > smtpd_recipient_restrictions =
        >     reject_non_fqdn_recipient,
        >     reject_unknown_recipient_domain,
        >     reject_unlisted_recipient,
        >     [...]
        >     check_recipient_access ldap:/etc/postfix/ldap-check_recipient_access.cf,
        >     reject_unverified_recipient
        > 
        > So, for every incoming mail I make a call to that LDAP search above. If the group has the attribute mgrpBroadcasterPolicy set to internal_user_lookup (that’s the only value that will be set at the moment, otherwise it won’t exist), the defined smtpd_restriction_class is called. Which does what I described above.
        > 
        > Hope that helps :-) The postfix docs are actually really good, but it’s complex to implement. Sometimes you just need a test setup. I got started there, I believe: http://www.postfix.org/LDAP_README.html
        >  
        > Best regards,
        > Christoph
        > 
        > 
        > On 25.01.2019 at 13:09, mj (li...@merit.unu.edu) <users@sogo.nu> wrote:
        > 
        > Hi,
        > 
        > On 1/25/19 3:37 AM, Pedro Antunes (pantu...@suroot.pt) wrote:
        > 
        > Hi,
        > How can I create a distribution list (alias) that contains all mailboxes of one domain? Is it possible?
        > Is it possible to restrict who can send emails to one alias?
        > 
        > We do this in our accounts backend (ldap/AD) by creating a group, giving it an email address, and adding users to it.
        > 
        > Then in sogo.conf we add a specific user source, something like:
        > 
        > 
        >    type = ldap;
        >    CNFieldName = displayName;
        >    IDFieldName = cn;
        >    UIDFieldName = uid;
        >    baseDN = "CN=Groups,DC=....";
        >    canAuthenticate = NO;
        >    bindDN = "cn=sogo-groups,cn=.....";
        >    bindPassword = ....;
        >    displayName = "Our groups";
        >    listRequiresDot = NO;
        >    MailFieldNames =(mail, otherMailbox, proxyAddresses);
        >    id = ad-mail-groups;
        >    isAddressBook = YES;
        >    port = 389;
        >    scope = "SUB";
        >    filter = "(objectClass=group)";
        > 
        > You also need to configure postfix to handle these same groups.
        > 
        > About restrictions: I guess I'd look at the postfix side of things for restrictions. But I don't have an answer ready for you.
        > 
        > MJ
        > -- 
        > users@sogo.nu
        > https://inverse.ca/sogo/lists
        
        
    
-- 
users@sogo.nu
https://inverse.ca/sogo/lists
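
The file-based variant described in the quoted reply (one table of allowed senders, one table mapping list addresses to internal_user_lookup), written out as an added example that is not part of the thread. The addresses, the table names internal_senders and restricted_lists, the STAGE directory and the lookup/decide helpers are assumptions made for illustration; decide is a dry-run model of the two lookups, not Postfix itself.

```shell
#!/bin/sh
# Added example: stage the two tables and a main.cf fragment, then dry-run
# the policy. All addresses and file names are constructed placeholders.
STAGE="${STAGE:-$(mktemp -d)}"

# Senders allowed to write to restricted lists (check_sender_access table).
cat > "$STAGE/internal_senders" <<'EOF'
alice@example.com OK
bob@example.com OK
EOF

# Restricted lists: the value names the restriction class to apply.
cat > "$STAGE/restricted_lists" <<'EOF'
all@example.com internal_user_lookup
staff@example.com internal_user_lookup
EOF

# main.cf fragment matching the tables (review, then merge by hand).
cat > "$STAGE/main.cf.fragment" <<'EOF'
smtpd_restriction_classes = internal_user_lookup
# check_sender_access matches the envelope sender (MAIL FROM)
internal_user_lookup =
    check_sender_access hash:/etc/postfix/internal_senders,
    reject
# add to smtpd_recipient_restrictions, ahead of any permit_* rule that
# should not bypass it:
#     check_recipient_access hash:/etc/postfix/restricted_lists,
EOF

# lookup TABLE KEY: print the value stored for KEY in a "key value" text
# table, compared case-insensitively as Postfix access lookups are.
lookup() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$key" 'tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# decide SENDER RECIPIENT: OK = accepted by the class, REJECT = refused,
# CONTINUE = recipient is not a restricted list, later restrictions apply.
decide() {
    class=$(lookup "$STAGE/restricted_lists" "$2")
    [ "$class" = "internal_user_lookup" ] || { echo CONTINUE; return; }
    if [ "$(lookup "$STAGE/internal_senders" "$1")" = "OK" ]; then
        echo OK
    else
        echo REJECT
    fi
}
```

After review, copy the two tables to /etc/postfix and run postmap on each. In the restriction list at the top of this message, permit_sasl_authenticated and permit_mynetworks come first, so the check only applies to clients that match neither.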
