LinuxQuestions.org


andrewggrant 05-03-2010 02:49 PM

How to limit who can send to an email account (postfix, amavis, OS X 10.6)…
 
Hello all,

I have just set up an OS X 10.6 server and manually configured the aliases, spam assassin, and amavisd.conf. This is my first foray into working with a mail server so I may be missing some basic concepts. I am hoping you will be able to assist me.

I want to be able to limit/restrict who or what email accounts are able to send to our internal mailing lists/alias groups listed in the /etc/postfix/aliases file.

I would like to limit several accounts like so:

account1@mydomain.com - Send Only (will reject all email sent to it)
account2@mydomain.com - Receive email from abc@mydomain.com & def@mydomain.com only, all other addresses attempting to send to this account will be rejected / blocked.
everyone@mydomain.com - Only receive email from a list of 5 email accounts.

I hope this makes sense. I have forced all users to log in to send/receive email. I am hoping that these credentials can be used to validate their ability to use the above email mail lists / alias groups for sending internal email to many accounts at once.

My only experience so far with restrictions was to create a policy in Postfix' main.cf that restricts certain accounts from sending email outside of our domain like so:

smtpd_restriction_classes = allowed_only
allowed_only = check_recipient_access hash:/etc/postfix/allowed_domains, reject
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders permit_sasl_authenticated reject_unauth_destination permit


I am hoping someone can enlighten me as to how to similarly restrict who is able to send email to specific internal accounts / aliases / alias groups.

rweaver 05-03-2010 03:32 PM

Off the top of my head I don't know a way to do this in postfix, although you could probably implement some version of this with a custom procmail script. For complex usage I generally recommend using exim as it's a lot (read: ~alot~) more flexible than sendmail and postfix in doing just about anything you could possibly want to do with mail... postfix isn't quite so flexible, it's designed to put security as its major concern and you lose some flexibility because of that.

andrewggrant 05-03-2010 06:51 PM

Since I am so new to these forums, I decided to post more information in the hopes that it would help a more skilled Postfix user.

Here is what I have so far in the main.cf:

smtpd_restriction_classes = allowed_only, everyone_access, send_only,
    mgmt_access

allowed_only = check_recipient_access hash:/etc/postfix/allowed_domains, reject
everyone_access = check_recipient_access
    hash:/etc/postfix/everyone_access, reject
send_only = check_recipient_access hash:/etc/postfix/send_only, reject
mgmt_access = check_recipient_access hash:/etc/postfix/mgmt_access, reject

smtpd_recipient_restrictions = check_sender_access
    hash:/etc/postfix/restricted_senders check_recipient_access
    hash:/etc/postfix/restricted_recipients permit_sasl_authenticated
    reject_unauth_destination

restricted_senders FILE CONTENTS:
acct1@mydomain.com allowed_only
acct2@mydomain.com allowed_only
acct3@mydomain.com allowed_only
acct4@mydomain.com allowed_only

restricted_recipients FILE CONTENTS:
acct10@mydomain.com send_only
acct11@mydomain.com everyone_access
acct12@mydomain.com mgmt_access
acct13@mydomain.com send_only
acct14@mydomain.com mgmt_team

allowed_domains FILE CONTENTS:
mydomain.com OK

everyone_access FILE CONTENTS:
acct20@mydomain.com OK
acct21@mydomain.com OK

send_only FILE CONTENTS:
<blank… Nothing in the File>

mgmt_access FILE CONTENTS:
acct30@mydomain.com OK


OUTPUT from postconf -n COMMAND:
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps =
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mydomain.com
mydomain_fallback = localhost
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8,127.0.0.1/32,10.1.2.241
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost = msg.mydomain.com
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtpd_client_restrictions = permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
smtpd_pw_server_security_options = cram-md5,gssapi
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders check_recipient_access hash:/etc/postfix/restricted_recipients permit_sasl_authenticated reject_unauth_destination
smtpd_restriction_classes = allowed_only, everyone_access, send_only, mgmt_access
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/mail.mydomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.chain.pem
smtpd_tls_cert_file = /etc/certificates/mail.mydomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/mail.mydomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps =


I hope this helps.

andrewggrant 05-10-2010 02:27 PM

Solution:

It seems that I did not define "restricted_senders" and
"restricted_recipients" in my "smtpd_restriction_classes" line.

Once those two were added, and the "mgmt_access" was changed to
"check_sender_access" everything worked just great.
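
Added example, not part of andrewggrant's post: a simplified Python model of how Postfix walks the access tables and the mgmt_access class from this thread, showing why a class selected by recipient has to test the sender. The function names, the two-step lookup order and the trailing "permit" that stands in for permit_sasl_authenticated are assumptions of the model; acct99 is a constructed address.

```python
# Added example: simplified model of how Postfix walks access tables and
# restriction classes. Table contents are copied from the thread.
RESTRICTED_RECIPIENTS = {"acct12@mydomain.com": "mgmt_access"}
MGMT_ACCESS = {"acct30@mydomain.com": "OK"}

def lookup(table, address):
    """Try the full address, then the bare domain (simplified lookup order)."""
    address = address.lower()
    return table.get(address) or table.get(address.rpartition("@")[2])

def run(restrictions, classes, sender, recipient):
    """Evaluate left to right; return 'permit', 'reject', or None if undecided."""
    for kind, table in restrictions:
        if kind in ("permit", "reject"):
            return kind
        # The restriction name alone decides which envelope address is the key.
        key = sender if kind == "check_sender_access" else recipient
        result = lookup(table, key)
        if result in (None, "DUNNO"):
            continue  # no match: fall through to the next restriction
        if result == "OK":
            return "permit"
        if result == "REJECT":
            return "reject"
        if result not in classes:
            raise ValueError(f"undefined restriction class: {result}")
        verdict = run(classes[result], classes, sender, recipient)
        if verdict:
            return verdict
    return None

def decide(class_check, sender, recipient):
    """class_check is the restriction used inside the mgmt_access class."""
    classes = {"mgmt_access": [(class_check, MGMT_ACCESS), ("reject", None)]}
    # Trailing 'permit' stands in for permit_sasl_authenticated on a
    # logged-in client (assumption made to keep the model small).
    main = [("check_recipient_access", RESTRICTED_RECIPIENTS), ("permit", None)]
    return run(main, classes, sender, recipient)

if __name__ == "__main__":
    to = "acct12@mydomain.com"
    for check in ("check_recipient_access", "check_sender_access"):
        for frm in ("acct30@mydomain.com", "acct99@mydomain.com"):
            print(f"{check:24} {frm} -> {to}: {decide(check, frm, to)}")
```

The sender key is the envelope MAIL FROM address, which the client supplies. On a server that requires login, binding senders to SASL logins with smtpd_sender_login_maps and reject_sender_login_mismatch keeps that key trustworthy.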

lqtung 02-17-2011 02:23 AM

Only some users can send mail to alias
 
I have the same problem as andrewggrant. I want to allow only one address, admin@abc.gov.vn, to send email to everyone@abc.gov.vn.
All other email sent to everyone@abc.gov.vn will be rejected.
Did you solve this problem? I hope you can help me, thanks so much.

