On 5/30/2010 6:58 AM, Jeroen Geilman wrote:
On 05/30/2010 01:29 PM, Jarrod Neven wrote:
I am trying to set up a restriction to prevent selected users from
sending email externally. I have followed the "Restricting what users
can send mail to off-site destinations" guide at
http://www.postfix.net/RESTRICTION_CLASS_README.html but it is not
having any effect.
Then you have not put the restrictions in the correct order, or you are
lacking restrictions that are required to make it work.
It appears that no matter what I do smtpd_recipient_restrictions has
no effect. Have set the hash file to an invalid file and created
syntax errors and there are no error messages in the log, even set
smtpd_recipient_restrictions = reject and it did nothing.
smtpd_recipient_restrictions is the LAST restriction class to be
applied. If mail was accepted before then, REJECTing it here does nothing.
Incorrect. *Each* smtpd_*_restrictions section must evaluate
to OK or permit. Just because you OK a client in
smtpd_client_restrictions doesn't give them a free ride in
smtpd_recipient_restrictions.
So if you're going to speculate, pick something better.
For a better guess, we need to see log entries of the transaction.
In master.cf I have added -v -v to the smtpd process and it shows no
mention of the value smtpd_recipient_restrictions, looks like it is
ignored completely.
Is there anything that can prevent smtpd_recipient_restrictions from
working? Maybe a compiled option missing?
There are no compile options that will affect this. Show
non-verbose postfix logging of a transaction you feel is
handled incorrectly.
I have Postfix 2.5.1 on CentOS 64-bit
#postconf -n
config_directory = /etc/postfix
mail_owner = postfix
setgid_group = postdrop
smtpd_client_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
check_sender_access does not work here; remove it.
It does work here, with the default smtpd_delay_reject = yes.
But the reason to remove it is because you've duplicated the
same check in several places; no need to perform a single
check more than once.
smtpd_delay_reject = no
You NEED this to be "yes".
The default and recommended value is yes. Postfix
restrictions behave differently if you set this to "no"; don't
change it unless you understand the differences and why you
might not want to change it.
This may be the OP's problem. Or maybe the OP is submitting
mail via sendmail(1) rather than via SMTP. Logs will show.
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
This restriction is incomplete.
That is not sufficient by a long shot.
Take a look at the UCE cheat sheet (google for it!)
This critique is also incomplete. Show or quote postfix docs
supporting your assertions, such as:
smtpd_recipient_restrictions must default to reject or defer
so you're not an open relay, please see
http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
smtpd_restriction_classes = local_only
Looks OK.
I don't know who told you to set this, but - don't. Leave options you
don't understand well enough alone.
I expect the OP is following the RESTRICTION_CLASS_README
examples, as he stated.
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
This is the first instance where sender checks can be applied.
... unless you use the default/recommended smtpd_delay_reject=yes.
-- Noel Jones
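
Added example, not part of the original thread and not Postfix code: a simplified Python model of two points from the reply above, that each smtpd_*_restrictions list is evaluated on its own, and that smtpd_delay_reject decides what a list can see when it runs. The addresses, domains, table contents and function names are constructed for illustration; table lookups are reduced to exact matches.

```python
# Simplified model of smtpd restriction-list evaluation (not Postfix code).
# Constructed stand-ins for the README's hash: tables.
RESTRICTED_SENDERS = {"intern@example.com": "local_only"}
LOCAL_DOMAINS = {"example.com": "OK"}

def check_sender_access(s):
    # Skipped (DUNNO) when the sender is not known yet.
    return RESTRICTED_SENDERS.get(s.get("sender"), "DUNNO")

def check_recipient_access(s):
    rcpt = s.get("recipient")
    return LOCAL_DOMAINS.get(rcpt.rpartition("@")[2], "DUNNO") if rcpt else "DUNNO"

def permit(s):
    return "OK"

def reject(s):
    return "REJECT"

# smtpd_restriction_classes = local_only
CLASSES = {"local_only": [check_recipient_access, reject]}

def run_list(restrictions, s):
    """Return the first non-DUNNO result; it ends this list only."""
    for restriction in restrictions:
        result = restriction(s)
        if result in CLASSES:            # table returned a class name
            result = run_list(CLASSES[result], s)
        if result != "DUNNO":
            return result
    return "DUNNO"

def transaction(config, sender, recipient, delay_reject=True):
    """Return (verdict, list_name) for one MAIL FROM / RCPT TO pair."""
    full = {"sender": sender, "recipient": recipient}
    # With smtpd_delay_reject = no each list runs at its own protocol stage,
    # so it only sees what the client has sent so far.
    early = {"client": {}, "helo": {}, "sender": {"sender": sender},
             "recipient": full}
    for stage in ("client", "helo", "sender", "recipient"):
        seen = full if delay_reject else early[stage]
        if run_list(config.get(stage, []), seen) == "REJECT":
            return ("REJECT", stage)
        # OK or DUNNO: fall through to the next list.
    return ("ACCEPT", None)

# A real smtpd_recipient_restrictions also needs reject_unauth_destination
# (or reject/defer); relay control is left out of this model.
CONFIG_A = {"client": [permit], "recipient": [check_sender_access]}
CONFIG_B = {"client": [check_sender_access]}
```

CONFIG_A shows that a permit in the client list does not stop the recipient list from rejecting; CONFIG_B shows the same check in the client list matching only when smtpd_delay_reject is yes.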