Re: [expert] "Open relay" using Postfix. Need config help.

2003-06-26 Thread Martin Fahrendorf
On Thursday, 26 June 2003 17:35, Ralph Crongeyer wrote:
> 'netstat -napt' doesn't reveal anything odd.
> Ok so when I have
> smtpd_recipient_restrictions = permit_mynetworks, check_recepient_access
> hash:/etc/postfix/access, check_relay_domains
>
> It will relay for any host. Even if the /etc/postfix/access is empty (no IP
> addresses).

No, it will not relay for any host. Not by default. So what is in mynetworks 
and what is in relay_domains? Or simply add the output from postconf -n.

>
> I thought that the "/etc/postfix/access" files list of address would only
> permit those machines to relay e-mail??? Is this right??

Not entirely. It allows receiving mails too. The restriction classes are 
somewhat difficult.

>
> Here is my situation. I need to have the mail server accept e-mail for the
> entire domain but only allow certain clients (or routers, for networks that
> masquerade ip addresses) to relay e-mail through the server.

So take the default postfix configuration, change mydestination to accept 
mail for your domain, change mynetworks and mynetworks_style to accept mail 
on any network devices you plug into your host, add permit_sasl_authenticated 
to your recipient restrictions and add the smtpd_sasl_* stuff to main.cf. Now 
you have to give usernames and passwords (via saslpasswd if you want to use 
sasldb) to the users you want to relay and up it goes.

Beware, user passwords are mostly sent unencrypted over the net, so use SSL/TLS 
encryption with postfix.

>
> Thanks Ralph

Martin

-- 

H E L I X Gesellschaft für Software & Engineering mbH

Hanauer Landstrasse 52  Telefon (069) 4789 35-30
D-60314 Frankfurt am Main   Telefax (069) 4789 35-44

http://www.helix-gmbh.net    [EMAIL PROTECTED]




Re: [expert] "Open relay" using Postfix. Need config help.

2003-06-26 Thread Vox
On September 1993 plus 3585 days Praedor Atrebates wrote:

> I was under the impression that postfix, by default, didn't work/operate as an 
> open relay.  Does one actually need to alter the config to stop postfix 
> working as an open relay?  

  No, one needs to alter the config to *start* postfix as an open
  relay. By default it is a closed server that only accepts mail from
  localhost. 

  Vox

-- 
Think of the Linux community as a niche economy isolated by its beliefs.  Kind
of like the Amish, except that our religion requires us to use _higher_
technology than everyone else.   -- Donald B. Marti Jr.



Re: [expert] "Open relay" using Postfix. Need config help.

2003-06-26 Thread Praedor Atrebates
I was under the impression that postfix, by default, didn't work/operate as an 
open relay.  Does one actually need to alter the config to stop postfix 
working as an open relay?  

I am not presently running postfix, though I have in the past and will likely 
again, but I considered it rock-safe wrt open relaying.

praedor

On Thursday 26 June 2003 07:37 am, Martin Fahrendorf wrote:
> On Thursday, 26 June 2003 13:28, Pierre Fortin wrote:
> > On Thu, 26 Jun 2003 07:40:35 +0200 Martin Fahrendorf
> >
> > <[EMAIL PROTECTED]> wrote:
> > > On Wednesday, 25 June 2003 16:49, Ralph Crongeyer wrote:
> > > > smtpd_recipient_restrictions = permit_mynetworks,
> > > > check_client_access, hash:/etc/postfix/access, check_relay_domains
> > >
> > > Btw: does your smtpd_recipient_restrictions relay look like the list
> > > above? There should be a warning or an error in the logfiles (in
> > > /var/log/mail) about a mistyping. Normally smtpd_recipient_restrictions
> > > should look like this (there is no comma between check_client_access
> > > and the hash table) :
[...]
> > No, both forms are OK -- though it's easier to make mistakes with the
> > comma separated list.  The "leading space" form is better IMO, cleaner
> > (then again, I prefer Python).  IIRC, don't put comments in the middle
> > though...
>
> Yep, that's right. Postfix treats commas like whitespace. But nevertheless,
> the given restriction does not work (there must be a warning or an error
> from postfix). You cannot continue one line without leading whitespace in
> the continued line. But I think that is only a mailer issue (word wrap).
>
> Martin

-- 
Not a single 9/11 terrorist came from Iraq, nor did a single one train in 
Iraq. Iraq had NOTHING to do with 9/11.

Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com


Re: [expert] "Open relay" using Postfix. Need config help.

2003-06-26 Thread Ralph Crongeyer
'netstat -napt' doesn't reveal anything odd.
Ok so when I have
smtpd_recipient_restrictions = permit_mynetworks, check_recepient_access 
hash:/etc/postfix/access, check_relay_domains

It will relay for any host. Even if the /etc/postfix/access is empty (no IP 
addresses).

I thought that the "/etc/postfix/access" files list of address would only 
permit those machines to relay e-mail??? Is this right??

Here is my situation. I need to have the mail server accept e-mail for the 
entire domain but only allow certain clients (or routers, for networks that 
masquerade ip addresses) to relay e-mail through the server.

Thanks Ralph


On Thursday 26 June 2003 09:36 am, Martin Fahrendorf wrote:
> On Thursday, 26 June 2003 15:23, Ralph Crongeyer wrote:
> > Thanks for the tip, I'll try it.
> >
> > BTW, I can stop Postfix, uninstall it, and can still relay e-mail!!!
> > What the heck is that all about? I mean imap shouldn't relay messages,
> > right?? It's like there is another MTA running?
> >
> > Ralph
>
> Check if a server is running. 'netstat -napt' will tell you all open
> ports.
>
> Martin




Re: [expert] "Open relay" using Postfix. Need config help.

2003-06-26 Thread Ralph Crongeyer
Thanks for the tip, I'll try it.

BTW, I can stop Postfix, uninstall it, and can still relay e-mail!!!
What the heck is that all about? I mean imap shouldn't relay messages, right??
It's like there is another MTA running?

Ralph


On Wednesday 25 June 2003 05:39 pm, Miark wrote:
> I'm not a Postfix guru, but I know that on my simple setup relay access is
> governed by mynetworks. Try messing with it.
>
> Miark
>
>
> On Wed, 25 Jun 2003 12:11:50 -0400
>
> Ralph Crongeyer <[EMAIL PROTECTED]> wrote:
> > On Wednesday 25 June 2003 11:37 am, Miark wrote:
> >
> > It's not set. Default I guess?
> >
> > > mynetworks is set to what?
> > >
> > > Miark
> > >
> > > On Wed, 25 Jun 2003 10:49:52 -0400 Ralph Crongeyer
> > > <[EMAIL PROTECTED]>
> >
> > wrote:
> > > > But now, with this setup, anyone can send mail through? i.e. "Open
> > > > Relay".
> > > >
> > > > I need it to be able to send mail for the entire domain and some
> > > > clients outside the domain.




Re: [expert] "Open relay" using Postfix. Need config help.

2003-06-26 Thread Martin Fahrendorf
On Thursday, 26 June 2003 15:23, Ralph Crongeyer wrote:
> Thanks for the tip, I'll try it.
>
> BTW, I can stop Postfix, uninstall it, and can still relay e-mail!!!
> What the heck is that all about? I mean imap shouldn't relay messages,
> right?? It's like there is another MTA running?
>
> Ralph
>

Check if a server is running. 'netstat -napt' will tell you all open ports.

Martin

-- 

H E L I X Gesellschaft für Software & Engineering mbH

Hanauer Landstrasse 52  Telefon (069) 4789 35-30
D-60314 Frankfurt am Main   Telefax (069) 4789 35-44

http://www.helix-gmbh.net    [EMAIL PROTECTED]




Re: [expert] "Open relay" using Postfix. Need config help.

2003-06-26 Thread Martin Fahrendorf
On Thursday, 26 June 2003 13:28, Pierre Fortin wrote:
> On Thu, 26 Jun 2003 07:40:35 +0200 Martin Fahrendorf
>
> <[EMAIL PROTECTED]> wrote:
> > On Wednesday, 25 June 2003 16:49, Ralph Crongeyer wrote:
> > > smtpd_recipient_restrictions = permit_mynetworks, check_client_access,
> > > hash:/etc/postfix/access, check_relay_domains
> >
> > Btw: does your smtpd_recipient_restrictions relay look like the list
> > above? There should be a warning or an error in the logfiles (in
> > /var/log/mail) about a mistyping. Normally smtpd_recipient_restrictions
> > should look like this (there is no comma between check_client_access and
> > the hash table) :
> >
> > smtpd_recipient_restrictions =
> >     reject_unknown_recipient_domain
> >     reject_unknown_sender_domain
> >     reject_non_fqdn_sender
> >     reject_non_fqdn_recipient
> >     permit_mynetworks
> >     check_client_access hash:/etc/postfix/access
> >     reject_unauth_destination
>
> No, both forms are OK -- though it's easier to make mistakes with the
> comma separated list.  The "leading space" form is better IMO, cleaner
> (then again, I prefer Python).  IIRC, don't put comments in the middle
> though...

Yep, that's right. Postfix treats commas like whitespace. But nevertheless, 
the given restriction does not work (there must be a warning or an error from 
postfix). You cannot continue one line without leading whitespace in the 
continued line. But I think that is only a mailer issue (word wrap).

Martin
-- 

H E L I X Gesellschaft für Software & Engineering mbH

Hanauer Landstrasse 52  Telefon (069) 4789 35-30
D-60314 Frankfurt am Main   Telefax (069) 4789 35-44

http://www.helix-gmbh.net    [EMAIL PROTECTED]




Re: [expert] "Open relay" using Postfix. Need config help.

2003-06-26 Thread Pierre Fortin
On Thu, 26 Jun 2003 07:40:35 +0200 Martin Fahrendorf
<[EMAIL PROTECTED]> wrote:

> On Wednesday, 25 June 2003 16:49, Ralph Crongeyer wrote:

> > smtpd_recipient_restrictions = permit_mynetworks, check_client_access,
> > hash:/etc/postfix/access, check_relay_domains

> Btw: does your smtpd_recipient_restrictions relay look like the list
> above? There should be a warning or an error in the logfiles (in
> /var/log/mail) about a mistyping. Normally smtpd_recipient_restrictions
> should look like this (there is no comma between check_client_access and
> the hash table) :
> 
> smtpd_recipient_restrictions =
>     reject_unknown_recipient_domain
>     reject_unknown_sender_domain
>     reject_non_fqdn_sender
>     reject_non_fqdn_recipient
>     permit_mynetworks
>     check_client_access hash:/etc/postfix/access
>     reject_unauth_destination

No, both forms are OK -- though it's easier to make mistakes with the
comma separated list.  The "leading space" form is better IMO, cleaner
(then again, I prefer Python).  IIRC, don't put comments in the middle
though...




Re: [expert] "Open relay" using Postfix. Need config help.

2003-06-26 Thread Martin Fahrendorf
On Wednesday, 25 June 2003 16:49, Ralph Crongeyer wrote:

Hi Ralph,

> Hi all,
>
> I have been using postfix for about a year or so and I needed to change my
> configuration and now I can't seem to get it working the same way I had it.
>
> At the end of my /etc/postfix/main.cf file I have:
>
> mydestination = $myhostname, localhost.$mydomain, $mydomain
> myorigin = $mydomain
> smtpd_recipient_restrictions = permit_mynetworks, check_client_access,
> hash:/etc/postfix/access, check_relay_domains
>
> and then in the /etc/postfix/access I have:
>
> 111.222.333.444   OK
> 222.333.444.555   OK
>
> and so on.
>
> But now, with this setup, anyone can send mail through? i.e. "Open Relay".

No, normally not (if all your listed IP addresses are static to the hosts you 
want to relay).

>
> I need it to be able to send mail for the entire domain and some clients
> outside the domain.

The entire domain is matched by the mynetwork stuff. The outsiders should use 
smtp-auth.

>
> Ralph

Don't use the access file to allow relaying unless the IP addresses you listed are 
absolutely static. Use smtp auth instead. This is more flexible and users from 
dynamic IP addresses can relay through your mailserver too.

Btw: does your smtpd_recipient_restrictions relay look like the list above? 
There should be a warning or an error in the logfiles (in /var/log/mail) 
about a mistyping. Normally smtpd_recipient_restrictions should look like this 
(there is no comma between check_client_access and the hash table) :

smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    permit_mynetworks
    check_client_access hash:/etc/postfix/access
    reject_unauth_destination

and did you rehash the access file?

Martin
-- 

H E L I X Gesellschaft für Software & Engineering mbH

Hanauer Landstrasse 52  Telefon (069) 4789 35-30
D-60314 Frankfurt am Main   Telefax (069) 4789 35-44

http://www.helix-gmbh.net    [EMAIL PROTECTED]
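
Added example (not part of any message in this thread, and not Postfix's own code): a Python check for the two mistakes discussed in the messages above, a wrapped line that lost its leading whitespace and a check_client_access that is cut off from its hash: table. The function names, the guard set and both sample inputs are assumptions constructed for illustration.

```python
import re

NEEDS_MAP = re.compile(r"^check_\w+_access$")   # these take a type:table argument
# Restrictions that make a relay decision (set is an assumption for this example).
RELAY_GUARDS = {"reject_unauth_destination", "check_relay_domains", "reject", "defer"}

def logical_lines(text):
    """Join physical lines; a line starting with whitespace continues the previous one."""
    joined, orphans = [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()       # proper continuation
        elif "=" in raw:
            joined.append(raw.strip())            # new "name = value" line
        else:
            orphans.append(raw.strip())           # wrapped line that lost its indent
    return joined, orphans

def lint_recipient_restrictions(text):
    """Return (tokens, problems) for smtpd_recipient_restrictions in main.cf text."""
    joined, orphans = logical_lines(text)
    problems = ["orphan line, not a continuation: " + o for o in orphans]
    params = {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in joined)}
    value = params.get("smtpd_recipient_restrictions", "")
    tokens = [t for t in re.split(r"[,\s]+", value) if t]   # commas act as whitespace
    for tok, nxt in zip(tokens, tokens[1:] + [""]):
        if NEEDS_MAP.match(tok) and ":" not in nxt:
            problems.append(tok + " is not followed by a type:table argument")
    if not RELAY_GUARDS & set(tokens):
        problems.append("no relay guard such as reject_unauth_destination")
    return tokens, problems

# Constructed inputs: the setting as it appears wrapped in the thread, and the reply's form.
AS_POSTED = """\
smtpd_recipient_restrictions = permit_mynetworks, check_client_access,
hash:/etc/postfix/access, check_relay_domains
"""
SUGGESTED = """\
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    permit_mynetworks
    check_client_access hash:/etc/postfix/access
    reject_unauth_destination
"""
```

Calling lint_recipient_restrictions(AS_POSTED) reports the orphaned second line, the check_client_access without a table and the missing relay guard; the indented form reports nothing.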




Re: [expert] "Open relay" using Postfix. Need config help.

2003-06-26 Thread Pierre Fortin
On Wed, 25 Jun 2003 10:49:52 -0400 Ralph Crongeyer <[EMAIL PROTECTED]>
wrote:

> Hi all,
> 
> I have been using postfix for about a year or so and I needed to change
> my configuration and now I can't seem to get it working the same way I
> had it.
> 
> At the end of my /etc/postfix/main.cf file I have:
> 
> mydestination = $myhostname, localhost.$mydomain, $mydomain
> myorigin = $mydomain
> smtpd_recipient_restrictions = permit_mynetworks, check_client_access, 
> hash:/etc/postfix/access, check_relay_domains
> 
> and then in the /etc/postfix/access I have:
> 
> 111.222.333.444   OK
> 222.333.444.555   OK
> 
> and so on.
> 
> But now, with this setup, anyone can send mail through? i.e. "Open
> Relay".
> 
> I need it to be able to send mail for the entire domain and some clients 
> outside the domain.
> 
> Ralph


See my page at http://pfortin.com/Linux/PostFix/ -- it needs some
updating; but you may find the answer there...




Re: [expert] "Open relay" using Postfix. Need config help.

2003-06-25 Thread Miark
I'm not a Postfix guru, but I know that on my simple setup relay access is governed by
mynetworks. Try messing with it.

Miark 


On Wed, 25 Jun 2003 12:11:50 -0400
Ralph Crongeyer <[EMAIL PROTECTED]> wrote:

> On Wednesday 25 June 2003 11:37 am, Miark wrote:
> 
> It's not set. Default I guess?
> 
> > mynetworks is set to what?
> >
> > Miark
> >
> > On Wed, 25 Jun 2003 10:49:52 -0400 Ralph Crongeyer <[EMAIL PROTECTED]> 
> wrote:
> > > But now, with this setup, anyone can send mail through? i.e. "Open
> > > Relay".
> > >
> > > I need it to be able to send mail for the entire domain and some clients
> > > outside the domain.
> 
> 
> 



Re: [expert] "Open relay" using Postfix. Need config help.

2003-06-25 Thread Ralph Crongeyer
On Wednesday 25 June 2003 11:37 am, Miark wrote:

It's not set. Default I guess?

> mynetworks is set to what?
>
> Miark
>
> On Wed, 25 Jun 2003 10:49:52 -0400 Ralph Crongeyer <[EMAIL PROTECTED]> 
wrote:
> > But now, with this setup, anyone can send mail through? i.e. "Open
> > Relay".
> >
> > I need it to be able to send mail for the entire domain and some clients
> > outside the domain.




Re: [expert] "Open relay" using Postfix. Need config help.

2003-06-25 Thread Miark
mynetworks is set to what?

Miark


On Wed, 25 Jun 2003 10:49:52 -0400 Ralph Crongeyer <[EMAIL PROTECTED]> wrote:

> But now, with this setup, anyone can send mail through? i.e. "Open Relay".
> 
> I need it to be able to send mail for the entire domain and some clients 
> outside the domain.
