How to limit who can send to an email account (postfix, amavis, OS X 10.6)…
Hello all,
I have just set up an OS X 10.6 server and manually configured the aliases, SpamAssassin, and amavisd.conf. This is my first foray into working with a mail server so I may be missing some basic concepts. I am hoping you will be able to assist me. I want to be able to limit/restrict who or what email accounts are able to send to our internal mailing lists/alias groups listed in the /etc/postfix/aliases file.

I would like to limit several accounts like so:

account1@mydomain.com - Send Only (will reject all email sent to it)
account2@mydomain.com - Receive email from abc@mydomain.com & def@mydomain.com only, all other addresses attempting to send to this account will be rejected / blocked.
everyone@mydomain.com - Only receive email from a list of 5 email accounts.

I hope this makes sense. I have forced all users to login to send/receive email. I am hoping that these credentials can be used to validate their ability to use the above email mail lists / alias groups for sending internal email to many accounts at once.

My only experience so far with restrictions was to create a policy in Postfix' main.cf that restricts certain accounts from sending email outside of our domain like so:

    smtpd_restriction_classes = allowed_only
    allowed_only = check_recipient_access hash:/etc/postfix/allowed_domains, reject
    smtpd_recipient_restrictions =
        check_sender_access hash:/etc/postfix/restricted_senders
        permit_sasl_authenticated
        reject_unauth_destination
        permit

I am hoping someone can enlighten me as to how to similarly restrict who is able to send email to specific internal accounts / aliases / alias groups. |
Off the top of my head I don't know a way to do this in postfix, although you could probably implement some version of this with a custom procmail script. For complex usage I generally recommend using exim as it's a lot (read: ~alot~) more flexible than sendmail and postfix in doing just about anything you could possibly want to do with mail... postfix isn't quite so flexible, it's designed to put security as its major concern and you lose some flexibility because of that.
|
Since I am so new to these forums, I decided to post more information in the hopes that it would help a more skilled Postfix user.
Here is what I have so far in the main.cf:

    smtpd_restriction_classes = allowed_only, everyone_access, send_only, mgmt_access
    allowed_only = check_recipient_access hash:/etc/postfix/allowed_domains, reject
    everyone_access = check_recipient_access hash:/etc/postfix/everyone_access, reject
    send_only = check_recipient_access hash:/etc/postfix/send_only, reject
    mgmt_access = check_recipient_access hash:/etc/postfix/mgmt_access, reject
    smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders check_recipient_access hash:/etc/postfix/restricted_recipients permit_sasl_authenticated reject_unauth_destination

restricted_senders FILE CONTENTS:

    acct1@mydomain.com allowed_only
    acct2@mydomain.com allowed_only
    acct3@mydomain.com allowed_only
    acct4@mydomain.com allowed_only

restricted_recipients FILE CONTENTS:

    acct10@mydomain.com send_only
    acct11@mydomain.com everyone_access
    acct12@mydomain.com mgmt_access
    acct13@mydomain.com send_only
    acct14@mydomain.com mgmt_team

allowed_domains FILE CONTENTS:

    mydomain.com OK

everyone_access FILE CONTENTS:

    acct20@mydomain.com OK
    acct21@mydomain.com OK

send_only FILE CONTENTS:

    <blank… Nothing in the File>

mgmt_access FILE CONTENTS:

    acct30@mydomain.com OK

OUTPUT from postconf -n COMMAND:

    biff = no
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    enable_server_options = yes
    header_checks = pcre:/etc/postfix/custom_header_checks
    html_directory = /usr/share/doc/postfix/html
    inet_interfaces = all
    local_recipient_maps =
    mail_owner = _postfix
    mailbox_size_limit = 0
    mailbox_transport = dovecot
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    maps_rbl_domains =
    message_size_limit = 0
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mydomain = mydomain.com
    mydomain_fallback = localhost
    myhostname = mail.mydomain.com
    mynetworks = 127.0.0.0/8,127.0.0.1/32,10.1.2.241
    newaliases_path = /usr/bin/newaliases
    queue_directory = /private/var/spool/postfix
    readme_directory = /usr/share/doc/postfix
    recipient_delimiter = +
    relayhost = msg.mydomain.com
    sample_directory = /usr/share/doc/postfix/examples
    sendmail_path = /usr/sbin/sendmail
    setgid_group = _postdrop
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
    smtpd_client_restrictions = permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
    smtpd_enforce_tls = no
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
    smtpd_pw_server_security_options = cram-md5,gssapi
    smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders check_recipient_access hash:/etc/postfix/restricted_recipients permit_sasl_authenticated reject_unauth_destination
    smtpd_restriction_classes = allowed_only, everyone_access, send_only, mgmt_access
    smtpd_sasl_auth_enable = yes
    smtpd_tls_CAfile = /etc/certificates/mail.mydomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.chain.pem
    smtpd_tls_cert_file = /etc/certificates/mail.mydomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.cert.pem
    smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
    smtpd_tls_key_file = /etc/certificates/mail.mydomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.key.pem
    smtpd_use_pw_server = yes
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps =

I hope this helps. |
Solution:
It seems that I did not define "restricted_senders" and "restricted_recipients" in my "smtpd_restriction_classes" line. Once those two were added, and the "mgmt_access" was changed to "check_sender_access", everything worked just great. |
Only some users can send mail to alias
I have the same problem as andrewggrant. I want to allow only one email, admin@abc.gov.vn, to send email to everyone@abc.gov.vn.
All other email sent to everyone@abc.gov.vn will be rejected. Did you solve this problem? I hope you can help me, thanks so much. |
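
The restrictions asked for in the first post, and the single-sender case in the last one (one class with one OK entry), written out as Postfix restriction classes with the envelope sender bound to the SASL login, since check_sender_access by itself trusts the claimed MAIL FROM. This is an added example, not configuration from any poster in the thread; the class names, map file names, the sender1..sender5 addresses and the SASL login names are assumptions.

```conf
# ---- /etc/postfix/main.cf ----
# Tie each envelope sender to the SASL login allowed to use it. Without this,
# check_sender_access accepts whatever MAIL FROM the client claims.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# One class per protected address: permit listed senders, then default-deny.
smtpd_restriction_classes = account2_senders, everyone_senders
account2_senders = check_sender_access hash:/etc/postfix/account2_senders, reject
everyone_senders = check_sender_access hash:/etc/postfix/everyone_senders, reject

# Order matters: the recipient check must come before permit_sasl_authenticated,
# otherwise any logged-in user is permitted before the class is consulted.
smtpd_recipient_restrictions =
    reject_sender_login_mismatch
    check_recipient_access hash:/etc/postfix/protected_recipients
    permit_sasl_authenticated
    reject_unauth_destination

# ---- /etc/postfix/protected_recipients (recipient -> action or class) ----
account1@mydomain.com    REJECT This address does not accept mail
account2@mydomain.com    account2_senders
everyone@mydomain.com    everyone_senders

# ---- /etc/postfix/account2_senders ----
abc@mydomain.com         OK
def@mydomain.com         OK

# ---- /etc/postfix/everyone_senders (constructed placeholder addresses) ----
sender1@mydomain.com     OK
sender2@mydomain.com     OK
sender3@mydomain.com     OK
sender4@mydomain.com     OK
sender5@mydomain.com     OK

# ---- /etc/postfix/sender_login (MAIL FROM address -> SASL login name) ----
# Login names are assumptions. List every local address that may send:
# an authenticated client using an unlisted address is rejected.
abc@mydomain.com         abc
def@mydomain.com         def
sender1@mydomain.com     sender1

# After editing, rebuild each map and reload:
#   postmap /etc/postfix/protected_recipients   (repeat for the other maps)
#   postfix check && postfix reload
```

These smtpd restrictions apply only to mail arriving over SMTP; messages submitted on the server itself through the sendmail command are not checked against them.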