Re: Sender and recipient restrictions
On 23/01/2011 03:45, IT geek 31 wrote:
> A recent poster asked for configuration to be checked, and it has made me question my own sender and recipient restrictions:
>
> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
>     check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
>     reject_non_fqdn_sender, reject_unknown_sender_domain,
>     reject_unknown_address, permit
>
> smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
>     reject_unauth_destination,
>     check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
>     reject_unauth_pipelining, reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org,
>     check_policy_service inet:127.0.0.1:10023, permit
>
> Having looked at my recipient restrictions, I see that I am checking my sender_access again. Is this right?

it works but is useless.

you can remove smtpd_sender_restrictions and put all your checks under smtpd_recipient_restrictions, something like this

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    #reject_unlisted_sender
    #reject_unlisted_recipient
    reject_unauth_pipelining
    check_sender_access hash:/usr/pkg/etc/postfix/sender_access
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_rbl_client zen.spamhaus.org
    check_policy_service inet:127.0.0.1:10023

> Should I replace this with:
>
> check_recipient_access hash:/usr/pkg/etc/postfix/recipient_access
>
> And create a file listing valid users who can receive mail?

the list of valid recipients should already be there. you can comment out the lines

    reject_unlisted_sender
    reject_unlisted_recipient

in the example above to reject invalid senders/recipients soon enough.

you can of course add a check_recipient_access line to add checks on recipients.

> I have read postconf(5) and that is my understanding. Any thoughts?
Re: Sender and recipient restrictions
On 23 January 2011 10:15, mouss mo...@ml.netoyen.net wrote:
> On 23/01/2011 03:45, IT geek 31 wrote:
> > A recent poster asked for configuration to be checked, and it has made me question my own sender and recipient restrictions:
> >
> > smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
> >     check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
> >     reject_non_fqdn_sender, reject_unknown_sender_domain,
> >     reject_unknown_address, permit
> >
> > smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
> >     reject_unauth_destination,
> >     check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
> >     reject_unauth_pipelining, reject_non_fqdn_recipient,
> >     reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org,
> >     check_policy_service inet:127.0.0.1:10023, permit
> >
> > Having looked at my recipient restrictions, I see that I am checking my sender_access again. Is this right?
>
> it works but is useless.

I think I remember why I put it in there. My sender_access file primarily defines a list of friendly addresses which I do not want to be policy checked. The idea is that if an address is found in this list, it skips past any further checks.

> you can remove smtpd_sender_restrictions and put all your checks under smtpd_recipient_restrictions, something like this

My understanding of postconf(5) is that smtpd_sender_restrictions applies to the MAIL FROM command. For example I have an access file which contains my two friends, Richard and Bill:

    bill.clin...@whitehouse.gov OK
    richard.ni...@whitehouse.gov REJECT

I also understand smtpd_recipient_restrictions applies to the RCPT TO command. So if I remove that check from smtpd_sender_restrictions and add it to smtpd_recipient_restrictions, then mails from Richard will get through.

> smtpd_recipient_restrictions =
>     permit_sasl_authenticated
>     permit_mynetworks
>     reject_unauth_destination
>     reject_non_fqdn_sender
>     reject_non_fqdn_recipient
>     #reject_unlisted_sender
>     #reject_unlisted_recipient
>     reject_unauth_pipelining
>     check_sender_access hash:/usr/pkg/etc/postfix/sender_access
>     reject_unknown_sender_domain
>     reject_unknown_recipient_domain
>     reject_rbl_client zen.spamhaus.org
>     check_policy_service inet:127.0.0.1:10023
>
> > Should I replace this with:
> >
> > check_recipient_access hash:/usr/pkg/etc/postfix/recipient_access
> >
> > And create a file listing valid users who can receive mail?
>
> the list of valid recipients should already be there.

Where? I don't think I have defined this anywhere.

> you can comment out the lines
>
>     reject_unlisted_sender
>     reject_unlisted_recipient
>
> in the example above to reject invalid senders/recipients soon enough.
>
> you can of course add a check_recipient_access line to add checks on recipients.
>
> > I have read postconf(5) and that is my understanding. Any thoughts?
Re: Sender and recipient restrictions
On 1/23/2011 6:34 AM, IT geek 31 wrote:
> On 23 January 2011 10:15, mouss mo...@ml.netoyen.net wrote:
> > On 23/01/2011 03:45, IT geek 31 wrote:
> > > A recent poster asked for configuration to be checked, and it has made me question my own sender and recipient restrictions:
> > >
> > > smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
> > >     check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
> > >     reject_non_fqdn_sender, reject_unknown_sender_domain,
> > >     reject_unknown_address, permit
> > >
> > > smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
> > >     reject_unauth_destination,
> > >     check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
> > >     reject_unauth_pipelining, reject_non_fqdn_recipient,
> > >     reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org,
> > >     check_policy_service inet:127.0.0.1:10023, permit
> > >
> > > Having looked at my recipient restrictions, I see that I am checking my sender_access again. Is this right?
> >
> > it works but is useless.
>
> I think I remember why I put it in there. My sender_access file primarily defines a list of friendly addresses which I do not want to be policy checked. The idea is that if an address is found in this list, it skips past any further checks.
>
> > you can remove smtpd_sender_restrictions and put all your checks under smtpd_recipient_restrictions, something like this
>
> My understanding of postconf(5) is that smtpd_sender_restrictions applies to the MAIL FROM command.

No, the different smtpd_*_restrictions define *when* or in what order the checks run. This is further simplified by the sane default smtpd_delay_reject=yes, which delays evaluation of smtpd_{client, helo, sender, recipient}_restrictions until after RCPT TO. The result for the end user is that any section can apply to any data, giving wonderful flexibility for when it's needed, or putting all checks in smtpd_recipient_restrictions, simplifying the setup.

> For example I have an access file which contains my two friends, Richard and Bill:
>
>     bill.clin...@whitehouse.gov OK
>     richard.ni...@whitehouse.gov REJECT
>
> I also understand smtpd_recipient_restrictions applies to the RCPT TO command. So if I remove that check from smtpd_sender_restrictions and add it to smtpd_recipient_restrictions, then mails from Richard will get through.

No, see above.

> > > check_recipient_access hash:/usr/pkg/etc/postfix/recipient_access
> > >
> > > And create a file listing valid users who can receive mail?
> >
> > the list of valid recipients should already be there.
>
> Where? I don't think I have defined this anywhere.

Postfix should already have a list of valid users. Where the list is depends on what address class your domain is in.
http://www.postfix.org/ADDRESS_CLASS_README.html

For the common case of a local domain:
http://www.postfix.org/LOCAL_RECIPIENT_README.html

-- Noel Jones
Re: Sender and recipient restrictions
On 23 January 2011 13:33, Noel Jones njo...@megan.vbhcs.org wrote:
> No, the different smtpd_*_restrictions define *when* or in what order the checks run. This is further simplified by the sane default smtpd_delay_reject=yes, which delays evaluation of smtpd_{client, helo, sender, recipient}_restrictions until after RCPT TO. The result for the end user is that any section can apply to any data, giving wonderful flexibility for when it's needed, or putting all checks in smtpd_recipient_restrictions, simplifying the setup.

Hi Noel, thanks for the help. Sorry to be frustrating, but could you explain that again in simpler terms?

> Postfix should already have a list of valid users. Where the list is depends on what address class your domain is in.
> http://www.postfix.org/ADDRESS_CLASS_README.html
>
> For the common case of a local domain:
> http://www.postfix.org/LOCAL_RECIPIENT_README.html
>
> -- Noel Jones

I believe I am using the local domain class.
Re: Sender and recipient restrictions
On 1/23/11 1:34 PM, IT geek 31 wrote:
> On 23 January 2011 10:15, mouss mo...@ml.netoyen.net wrote:
> > On 23/01/2011 03:45, IT geek 31 wrote:
> > > A recent poster asked for configuration to be checked, and it has made me question my own sender and recipient restrictions:
> > >
> > > smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
> > >     check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
> > >     reject_non_fqdn_sender, reject_unknown_sender_domain,
> > >     reject_unknown_address, permit
> > >
> > > smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
> > >     reject_unauth_destination,
> > >     check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
> > >     reject_unauth_pipelining, reject_non_fqdn_recipient,
> > >     reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org,
> > >     check_policy_service inet:127.0.0.1:10023, permit
> > >
> > > Having looked at my recipient restrictions, I see that I am checking my sender_access again. Is this right?
> >
> > it works but is useless.
>
> I think I remember why I put it in there. My sender_access file primarily defines a list of friendly addresses which I do not want to be policy checked. The idea is that if an address is found in this list, it skips past any further checks.

Then you have to either repeat it in every restriction phase up to and including the one that checks your policy service, or move all restrictions to smtpd_recipient_restrictions and order them appropriately there.

As the documentation explains, each stage in smtpd_mumble_restrictions can only permit the checking to *proceed* to the next stage. There is a difference between *SMTP* stages and restriction checking stages, if smtpd_delay_reject = yes. All stages are checked, but the data of the client, helo, sender and recipient stages are available for checking at EVERY stage.

A REJECT, however, is final at every stage, *for the type of parameter under consideration*. If that last seems confusing - if you reject a recipient, the message itself will not be rejected at that point. Only if there are no more recipients, and none were accepted, is the message as a whole rejected.

> > you can remove smtpd_sender_restrictions and put all your checks under smtpd_recipient_restrictions, something like this
>
> My understanding of postconf(5) is that smtpd_sender_restrictions applies to the MAIL FROM command. For example I have an access file which contains my two friends, Richard and Bill:
>
>     bill.clin...@whitehouse.gov OK
>     richard.ni...@whitehouse.gov REJECT
>
> I also understand smtpd_recipient_restrictions applies to the RCPT TO command. So if I remove that check from smtpd_sender_restrictions and add it to smtpd_recipient_restrictions, then mails from Richard will get through.

No, that is not what happens. The restriction still applies to the stage of the actual check_*, but the point at which a decision is made changes.

Take a message FROM joe@domain, TO jim@somewhere, with no other recipients. If you REJECT mail FROM joe@domain before accepting (Permit or OK) mail TO jim@somewhere, the message is rejected. However, if you REJECT mail FROM joe@domain after accepting mail TO jim@somewhere, IN THE SAME STAGE, the result of that stage is PERMIT. The access lists could be identical; only the order of processing is different.

-- J.
Re: Sender and recipient restrictions
On 23/01/2011 13:34, IT geek 31 wrote:
> [snip]
> My understanding of postconf(5) is that smtpd_sender_restrictions applies to the MAIL FROM command. For example I have an access file which contains my two friends, Richard and Bill:
>
>     bill.clin...@whitehouse.gov OK
>     richard.ni...@whitehouse.gov REJECT
>
> I also understand smtpd_recipient_restrictions applies to the RCPT TO command. So if I remove that check from smtpd_sender_restrictions and add it to smtpd_recipient_restrictions, then mails from Richard will get through.

you are confused. stages (when a check is run) are different from fields (what field is checked against a map)

- smtpd_recipient_restrictions is checked at RCPT TO time. but it acts on any information that is available so far. this includes the sender address.
- the default config is smtpd_delay_reject=yes
  http://www.postfix.org/postconf.5.html#smtpd_delay_reject

> [snip]
> Where? I don't think I have defined this anywhere.

local_recipient_maps = ...
relay_recipient_maps = ...
virtual_mailbox_maps = ...
virtual_alias_maps = ...
canonical_maps = ...
sender_canonical_maps = ...
recipient_canonical_maps = ...

but that's not the whole thing. you can still bork these and get your address validation right. if you know what you're doing...
Re: Sender and recipient restrictions
On 1/22/2011 9:45 PM, IT geek 31 wrote:
> smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
>     reject_unauth_destination,
>     check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
>     reject_unauth_pipelining,
>     ... (more)

The main thing is that reject_unauth_destination is immediately after your relay exceptions (permit_mynetworks and such) and before sender_access, assuming sender_access is a list of sites to ONLY override the filters imposed beyond it.

The reject_unauth_pipelining is ok, but this can be more securely implemented by appending it in smtpd_data_restrictions:

smtpd_data_restrictions = reject_multi_recipient_bounce,
    reject_unauth_pipelining, permit_auth_destination
    ... (more)

Jerrale G.
SC Senior Admin
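Added example (not from any poster in this thread, and not Postfix code): a toy Python model of the evaluation rules described in the replies above, with smtpd_delay_reject = yes. It shows that an OK from check_sender_access in smtpd_sender_restrictions does not skip the policy service in smtpd_recipient_restrictions, and why reject_unauth_destination belongs before the sender whitelist. The addresses, the LOCAL_DOMAINS set and the always-refusing policy stub are constructed for the illustration.

```python
# Toy model of restriction-list evaluation at RCPT TO time.
# Constructed data; restriction names mirror the ones used in the thread.

SENDER_ACCESS = {                      # stands in for hash:.../sender_access
    "friend@example.org": "OK",
    "blocked@example.net": "REJECT",
}
LOCAL_DOMAINS = {"example.com"}        # assumed: domains we accept mail for


def check_sender_access(s):
    return SENDER_ACCESS.get(s["sender"], "DUNNO")


def reject_unauth_destination(s):
    domain = s["recipient"].rsplit("@", 1)[-1]
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"


def check_policy_service(s):
    # Stub for the daemon on 127.0.0.1:10023. It refuses everything it is
    # asked about, so the trace shows whether it was consulted at all.
    return "REJECT"


def evaluate(lists, s):
    """Evaluate the restriction lists in order and return (verdict, trace).

    Within a list the first OK or REJECT ends that list. OK only lets the
    mail proceed to the next list; REJECT is final.
    """
    trace = []
    for name, restrictions in lists:
        for restriction in restrictions:
            result = restriction(s)
            trace.append((name, restriction.__name__, result))
            if result == "REJECT":
                return "REJECT", trace
            if result == "OK":
                break
    return "OK", trace


def consulted_policy(trace):
    return any(step[1] == "check_policy_service" for step in trace)


# Whitelist only in the sender list: its OK does not carry over.
SPLIT = [
    ("sender", [check_sender_access]),
    ("recipient", [reject_unauth_destination, check_policy_service]),
]
# Everything in one list, whitelist after reject_unauth_destination.
MERGED = [
    ("recipient", [reject_unauth_destination, check_sender_access,
                   check_policy_service]),
]
# Whitelist before reject_unauth_destination: the relay check is skipped.
MISORDERED = [
    ("recipient", [check_sender_access, reject_unauth_destination,
                   check_policy_service]),
]

if __name__ == "__main__":
    friend = {"sender": "friend@example.org", "recipient": "user@example.com"}
    for label, lists in (("split", SPLIT), ("merged", MERGED)):
        verdict, trace = evaluate(lists, friend)
        print(label, verdict, trace)
```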
Sender and recipient restrictions
A recent poster asked for configuration to be checked, and it has made me question my own sender and recipient restrictions:

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
    check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unknown_address, permit

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
    reject_unauth_pipelining, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023, permit

Having looked at my recipient restrictions, I see that I am checking my sender_access again. Is this right?

Should I replace this with:

check_recipient_access hash:/usr/pkg/etc/postfix/recipient_access

And create a file listing valid users who can receive mail?

I have read postconf(5) and that is my understanding. Any thoughts?
Re: Sender vs recipient restrictions.
Paweł Leśniak wrote:
> On 2009-03-18 14:23, Costin Guşă wrote:
> > On Wed, Mar 18, 2009 at 3:11 PM, c...@digital-journal.com wrote:
> > > I've been reading today about reject_unknown_sender_domain and I'm wondering if it is only allowed under 'smtpd_sender_restrictions' whereas I've had it under 'smtpd_recipient_restrictions'. Is this correct?
> > >
> > > thanks,
> > > Chas.
> >
> > all smtpd_recipient_restrictions can appear in smtpd_sender_restrictions.
>
> Wrong. As SMTP session has MAIL FROM before RCPT TO, you can have sender_restrictions in smtpd_recipient_restrictions, but not vice versa (of course you can, but it'd be useless) - recipient is not known during smtp_sender_restrictions part.

by default, smtpd_[client|helo|sender|recipient]_restrictions are executed at RCPT TO time. so it's ok to have a check_recipient_access in smtpd_client_restrictions and so on.
Sender vs recipient restrictions.
I've been reading today about reject_unknown_sender_domain and I'm wondering if it is only allowed under 'smtpd_sender_restrictions' whereas I've had it under 'smtpd_recipient_restrictions'. Is this correct?

thanks,
Chas.
Re: Sender vs recipient restrictions.
On Wed, Mar 18, 2009 at 3:11 PM, c...@digital-journal.com wrote:
> I've been reading today about reject_unknown_sender_domain and I'm wondering if it is only allowed under 'smtpd_sender_restrictions' whereas I've had it under 'smtpd_recipient_restrictions'. Is this correct?
>
> thanks,
> Chas.

all smtpd_recipient_restrictions can appear in smtpd_sender_restrictions.

from man 5 postconf:

    smtpd_sender_restrictions (default: empty)
        Optional restrictions that the Postfix SMTP server applies in the context of the MAIL FROM command.

        [list of restrictions]

        Other restrictions that are valid in this context [...]

        · SMTP command specific restrictions described under smtpd_recipient_restrictions. When recipient restrictions are listed under smtpd_sender_restrictions, they have effect only with smtpd_delay_reject = yes, so that $smtpd_sender_restrictions is evaluated at the time of the RCPT TO command.
Re: Sender vs recipient restrictions.
On 2009-03-18 14:23, Costin Guşă wrote:
> On Wed, Mar 18, 2009 at 3:11 PM, c...@digital-journal.com wrote:
> > I've been reading today about reject_unknown_sender_domain and I'm wondering if it is only allowed under 'smtpd_sender_restrictions' whereas I've had it under 'smtpd_recipient_restrictions'. Is this correct?
> >
> > thanks,
> > Chas.
>
> all smtpd_recipient_restrictions can appear in smtpd_sender_restrictions.

Wrong. As SMTP session has MAIL FROM before RCPT TO, you can have sender_restrictions in smtpd_recipient_restrictions, but not vice versa (of course you can, but it'd be useless) - recipient is not known during smtp_sender_restrictions part.

> from man 5 postconf:
>
>     smtpd_sender_restrictions (default: empty)
>         Optional restrictions that the Postfix SMTP server applies in the context of the MAIL FROM command.

Clearly stated right where you pointed.

Pawel Lesniak
Re: Sender vs recipient restrictions.
> On 2009-03-18 14:23, Costin Guşă wrote:
> > On Wed, Mar 18, 2009 at 3:11 PM, c...@digital-journal.com wrote:
> > > I've been reading today about reject_unknown_sender_domain and I'm wondering if it is only allowed under 'smtpd_sender_restrictions' whereas I've had it under 'smtpd_recipient_restrictions'. Is this correct?
> > >
> > > thanks,
> > > Chas.
> >
> > all smtpd_recipient_restrictions can appear in smtpd_sender_restrictions.
>
> Wrong. As SMTP session has MAIL FROM before RCPT TO, you can have sender_restrictions in smtpd_recipient_restrictions, but not vice versa (of course you can, but it'd be useless) - recipient is not known during smtp_sender_restrictions part.
>
> > from man 5 postconf:
> >
> >     smtpd_sender_restrictions (default: empty)
> >         Optional restrictions that the Postfix SMTP server applies in the context of the MAIL FROM command.
>
> Clearly stated right where you pointed.
>
> Pawel Lesniak

Thanks for responding. Am I to understand, then, that the proper place for 'reject_unknown_sender_domain' is in sender restrictions?

Chas.
Re: Sender vs recipient restrictions.
Paweł Leśniak wrote:
> On 2009-03-18 14:23, Costin Guşă wrote:
> > On Wed, Mar 18, 2009 at 3:11 PM, c...@digital-journal.com wrote:
> > > I've been reading today about reject_unknown_sender_domain and I'm wondering if it is only allowed under 'smtpd_sender_restrictions' whereas I've had it under 'smtpd_recipient_restrictions'. Is this correct?
> > >
> > > thanks,
> > > Chas.
> >
> > all smtpd_recipient_restrictions can appear in smtpd_sender_restrictions.
>
> Wrong. As SMTP session has MAIL FROM before RCPT TO, you can have sender_restrictions in smtpd_recipient_restrictions, but not vice versa (of course you can, but it'd be useless) - recipient is not known during smtp_sender_restrictions part.
>
> > from man 5 postconf:
> >
> >     smtpd_sender_restrictions (default: empty)
> >         Optional restrictions that the Postfix SMTP server applies in the context of the MAIL FROM command.
>
> Clearly stated right where you pointed.
>
> Pawel Lesniak

You forgot to scroll down a little further to the Other restrictions valid in this context.

-- Noel Jones
Re: Sender vs recipient restrictions.
c...@digital-journal.com wrote:
> > On 2009-03-18 14:23, Costin Guşă wrote:
> > > On Wed, Mar 18, 2009 at 3:11 PM, c...@digital-journal.com wrote:
> > > > I've been reading today about reject_unknown_sender_domain and I'm wondering if it is only allowed under 'smtpd_sender_restrictions' whereas I've had it under 'smtpd_recipient_restrictions'. Is this correct?
> > > >
> > > > thanks,
> > > > Chas.
> > >
> > > all smtpd_recipient_restrictions can appear in smtpd_sender_restrictions.
> >
> > Wrong. As SMTP session has MAIL FROM before RCPT TO, you can have sender_restrictions in smtpd_recipient_restrictions, but not vice versa (of course you can, but it'd be useless) - recipient is not known during smtp_sender_restrictions part.
> >
> > > from man 5 postconf:
> > >
> > >     smtpd_sender_restrictions (default: empty)
> > >         Optional restrictions that the Postfix SMTP server applies in the context of the MAIL FROM command.
> >
> > Clearly stated right where you pointed.
> >
> > Pawel Lesniak
>
> Thanks for responding. Am I to understand, then, that the proper place for 'reject_unknown_sender_domain' is in sender restrictions?
>
> Chas.

The proper place is in context of what you are trying to accomplish. Ignore the false advice that it must be in smtpd_sender_restrictions.

The statement above:

    all smtpd_recipient_restrictions can appear in smtpd_sender_restrictions.

is correct, assuming the default setting of smtpd_delay_reject = yes

http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

Scroll down to the Other restrictions that are valid in this context section.

-- Noel Jones
Dynamic sender and recipient restrictions
Hi folks,

I've got a web application where users can send messages to each other. Messages are e-mails and the system is based on postfix and roundcube (web client). User A can send a message to user B if B has A on his contact list.

I need to configure postfix to check restrictions for both sender and receiver. I.e. if there are users A, B and C, postfix should allow sending mail from A to B and from B to C, but not from A to C. Rules change as often as contact lists, so restrictions cannot be static.

Is it possible to create sender and recipient restrictions dynamic, where sender and recipient are selected by sql query?

Best regards,
Michael
Re: Dynamic sender and recipient restrictions
2009/3/11 Michał Łomnicki michal.lomni...@gmail.com:
> Is it possible to create sender and recipient restrictions dynamic, where sender and recipient are selected by sql query?

Yes and no.

Yes because you can use MySQL for a lookup table.
http://www.postfix.org/mysql_table.5.html

No because I don't believe you can lookup the sender AND recipient at once for this kind of check. For that you need a policy server.
Re: Dynamic sender and recipient restrictions
Michał Łomnicki wrote:
> Is it possible to create sender and recipient restrictions dynamic, where sender and recipient are selected by sql query?

Yes, you can do this with a policy server.

Some pre-built policy servers can be found here:
http://www.postfix.org/addon.html#policy

Policy server interface documentation:
http://www.postfix.org/SMTPD_POLICY_README.html

-- Noel Jones
Re: Dynamic sender and recipient restrictions
> Yes, you can do this with a policy server. Some pre-built

Thank you Noel. That's exactly what I was looking for.

Michael
Re: Dynamic sender and recipient restrictions
> Yes because you can use MySQL for a lookup table.
> http://www.postfix.org/mysql_table.5.html
>
> No because I don't believe you can lookup the sender AND recipient at once for this kind of check. For that you need a policy server.

No because postfix can pass only one argument to where condition? Isn't it possible to pass multiple arguments? I'm just curious, solution with policy server satisfies me.
Re: Dynamic sender and recipient restrictions
Michał Łomnicki wrote:
> > Yes because you can use MySQL for a lookup table.
> > http://www.postfix.org/mysql_table.5.html
> >
> > No because I don't believe you can lookup the sender AND recipient at once for this kind of check. For that you need a policy server.
>
> No because postfix can pass only one argument to where condition? Isn't it possible to pass multiple arguments? I'm just curious, solution with policy server satisfies me.

Native postfix lookup mechanisms are based on single key lookups, ie. check_sender_access uses only the sender address as the key. Limited combinations can be pre-defined using smtpd_restriction_classes, but that quickly gets unmanageable.

The policy server interface is provided for more complex restriction requirements.

-- Noel Jones
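Added example (not part of the thread and not one of the pre-built policy servers linked above): a minimal policy delegate in Python that speaks the name=value request format from SMTPD_POLICY_README and decides on the sender and recipient together, which a single-key lookup table cannot do. The CONTACTS table stands in for the SQL contact-list query, and the port 10040 is an assumption.

```python
import socketserver

# Constructed sample data standing in for the SQL contact-list lookup:
# recipient -> set of senders that recipient has on the contact list.
CONTACTS = {
    "b@example.com": {"a@example.com"},
    "c@example.com": {"b@example.com"},
}


def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs):
    """Return the access(5) action for this sender/recipient pair."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    if not recipient:
        return "DUNNO"      # not called at RCPT TO time: no opinion
    if sender in CONTACTS.get(recipient, set()):
        return "DUNNO"      # allowed pair; later restrictions still apply
    # Unknown recipients and the empty sender end up here as well.
    return "REJECT sender is not on the recipient's contact list"


def respond(text):
    """Build the reply Postfix expects: action=... followed by an empty line."""
    return "action=%s\n\n" % decide(parse_request(text))


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Postfix may send several requests over one connection.
        lines = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            self.wfile.write(respond("\n".join(lines)).encode())
            lines = []


if __name__ == "__main__":
    # main.cf side, with the assumed port:
    #   check_policy_service inet:127.0.0.1:10040
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040),
                                         PolicyHandler) as server:
        server.serve_forever()
```

Envelope senders are only trustworthy here if clients must authenticate; the request also carries a sasl_username attribute that can be checked instead.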