Hello,
I have been trying to configure smtpd_restriction_classes to limit access to my internal mailing lists (/etc/aliases). Unfortunately the email is still going through even though I thought I blocked all email to a specific alias via a class.
To hopefully clear up any confusion, I want to concentrate on one class only. That is the "mgmt_access" class. This is meant to stop all email going to the "management.team@testdomain.com" list unless it originates from one address, "notify@testdomain.com".
The two files that affect this are: restricted_recipients and mgmt_access. Those files look like this:
restricted_recipients:
management.team@testdomain.com mgmt_access
mgmt_access:
notify@testdomain.com OK
Unfortunately, all email sent to "management.team@testdomain.com" is currently allowed through.
The logs for an email sent to that account look like this:
May 6 15:42:39 miniserve-rmd-1 postfix/smtpd[56243]: connect from andrew-grant.testdomain.com[10.1.2.166]
May 6 15:42:39 miniserve-rmd-1 postfix/smtpd[56243]: 342418FAD8: client=andrew-grant.testdomain.com[10.1.2.166], sasl_method=CRAM-MD5, sasl_username=andrewgrant
May 6 15:42:39 miniserve-rmd-1 postfix/cleanup[56249]: 342418FAD8: message-id=<DA037CCF-CC2E-4D59-B8F6-20BCBD55C644@testdomain.com>
May 6 15:42:39 miniserve-rmd-1 postfix/qmgr[55740]: 342418FAD8: from=<andrewgrant@testdomain.com>, size=6283, nrcpt=1 (queue active)
May 6 15:42:43 miniserve-rmd-1 postfix/smtpd[56256]: connect from localhost[127.0.0.1]
May 6 15:42:43 miniserve-rmd-1 postfix/smtpd[56256]: A60998FAE9: client=localhost[127.0.0.1]
May 6 15:42:43 miniserve-rmd-1 postfix/cleanup[56249]: A60998FAE9: message-id=<DA037CCF-CC2E-4D59-B8F6-20BCBD55C644@testdomain.com>
May 6 15:42:43 miniserve-rmd-1 postfix/smtpd[56256]: disconnect from localhost[127.0.0.1]
May 6 15:42:43 miniserve-rmd-1 postfix/qmgr[55740]: A60998FAE9: from=<andrewgrant@testdomain.com>, size=6968, nrcpt=1 (queue active)
May 6 15:42:43 miniserve-rmd-1 postfix/smtp[56250]: 342418FAD8: to=<management.team@testdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.5, delays=0.01/0.01/0/4.5, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=55547-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A60998FAE9)
May 6 15:42:43 miniserve-rmd-1 postfix/qmgr[55740]: 342418FAD8: removed
May 6 15:42:43 miniserve-rmd-1 postfix/pipe[56259]: A60998FAE9: to=<andrewgrant@testdomain.com>, orig_to=<management.team@testdomain.com>, relay=dovecot, delay=0.04, delays=0/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
May 6 15:42:43 miniserve-rmd-1 postfix/qmgr[55740]: A60998FAE9: removed
Please see the configuration and postconf -n output and let me know what I have done wrong.
main.cf CONFIGURATION FILE:
queue_directory = /private/var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = _postfix
myhostname = mail.testdomain.com
mydomain = testdomain.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = _postdrop
html_directory = /usr/share/doc/postfix/html
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix/examples
readme_directory = /usr/share/doc/postfix
dovecot_destination_recipient_limit = 1
mailbox_size_limit = 0
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
mydomain_fallback = localhost
message_size_limit = 0
biff = no
mynetworks = 127.0.0.0/8,127.0.0.1/32,10.1.2.241
smtpd_client_restrictions =
    permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org,
    permit
recipient_delimiter = +
virtual_alias_maps =
smtpd_pw_server_security_options = cram-md5,gssapi
enable_server_options = yes
smtpd_sasl_auth_enable = yes
smtpd_use_pw_server = yes
error_notice_recipient = postmaster
notify_classes = policy, protocol, resource, software
smtpd_restriction_classes = internal_domains, everyone_access, send_only, mgmt_access
internal_domains = check_recipient_access hash:/etc/postfix/internal_domains, reject
everyone_access = check_recipient_access hash:/etc/postfix/everyone_access, reject
send_only = check_recipient_access hash:/etc/postfix/send_only, reject
mgmt_access = check_recipient_access hash:/etc/postfix/mgmt_access, reject
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders,
    check_recipient_access hash:/etc/postfix/restricted_recipients,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    permit
mailbox_transport = dovecot
inet_interfaces = all
smtpd_tls_cert_file = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.cert.pem
smtpd_tls_key_file = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.key.pem
relayhost = msg.testdomain.com
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
header_checks = pcre:/etc/postfix/custom_header_checks
content_filter = smtp-amavis:[127.0.0.1]:10024
tls_random_source = dev:/dev/urandom
local_recipient_maps =
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.chain.pem
maps_rbl_domains =
postconf -n COMMAND OUTPUT:
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
error_notice_recipient = postmaster
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps =
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = testdomain.com
mydomain_fallback = localhost
myhostname = mail.testdomain.com
mynetworks = 127.0.0.0/8,127.0.0.1/32,10.1.2.241
newaliases_path = /usr/bin/newaliases
notify_classes = policy, protocol, resource, software
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost = msg.testdomain.com
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, permit
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_pw_server_security_options = cram-md5,gssapi
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders, check_recipient_access hash:/etc/postfix/restricted_recipients, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_restriction_classes = internal_domains, everyone_access, send_only, mgmt_access
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_tls_CAfile = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.chain.pem
smtpd_tls_cert_file = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps =
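Added illustration, not code from the post above and not Postfix itself: a small Python model of how smtpd evaluates smtpd_recipient_restrictions when an access map returns a restriction class, following the key order of access(5) and the evaluation rules in SMTPD_ACCESS_README. It transcribes the restricted_recipients and mgmt_access tables and the mgmt_access class as posted, and compares them with a variant of the class that consults the same table with check_sender_access. The contents of restricted_senders are not shown in the post, so the model assumes that table is empty; the restrictions not relevant to an authenticated internal sender (reject_unauth_destination and friends) are treated as DUNNO.

```python
"""Toy model of Postfix smtpd_recipient_restrictions evaluation with
smtpd_restriction_classes. Added example, not Postfix code; it follows the
access(5) lookup order and the SMTPD_ACCESS_README evaluation rules,
reduced to the restrictions that matter for the scenario in the post."""

from typing import Dict, List, Optional, Tuple

AccessMap = Dict[str, str]      # lookup key -> OK, REJECT, DUNNO or a class name
Restrictions = List[str]


def access_lookup(table: AccessMap, address: str) -> Optional[str]:
    """access(5) key order for an address: user@domain, then the domain and
    its parent domains, then user@. Returns None when nothing matches."""
    addr = address.lower()
    if addr in table:
        return table[addr]
    local, _, domain = addr.partition("@")
    labels = domain.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return table.get(local + "@")


def evaluate(restrictions: Restrictions, classes: Dict[str, Restrictions],
             maps: Dict[str, AccessMap], sender: str, recipient: str,
             sasl_authenticated: bool) -> Tuple[str, str]:
    """Walk one restriction list. Returns (decision, reason); the decision is
    OK, REJECT, or DUNNO when the list ends without deciding."""
    for restriction in restrictions:
        if restriction == "permit":
            return "OK", "permit"
        if restriction == "reject":
            return "REJECT", "reject"
        if restriction == "permit_sasl_authenticated":
            if sasl_authenticated:
                return "OK", restriction
            continue
        if restriction.startswith(("check_sender_access ", "check_recipient_access ")):
            kind, table_name = restriction.split(" ", 1)
            # The only difference between the two is which address is the key.
            key = sender if kind == "check_sender_access" else recipient
            result = access_lookup(maps[table_name], key)
            if result is None or result.upper() == "DUNNO":
                continue                          # no match: try the next restriction
            if result in classes:
                # The map named a restriction class: evaluate its list in place.
                # A DUNNO from the class lets the outer list carry on.
                decision, reason = evaluate(classes[result], classes, maps,
                                            sender, recipient, sasl_authenticated)
                if decision != "DUNNO":
                    return decision, f"{result}: {reason}"
                continue
            if result.upper() == "OK":
                return "OK", f"{kind} {table_name}"
            return "REJECT", f"{kind} {table_name} -> {result}"
        # Any other restriction is treated as DUNNO in this reduced model.
    return "DUNNO", "end of list"


# Transcribed from the post's main.cf and table files, reduced to the relevant parts.
RECIPIENT_RESTRICTIONS = [
    "check_sender_access hash:/etc/postfix/restricted_senders",
    "check_recipient_access hash:/etc/postfix/restricted_recipients",
    "permit_sasl_authenticated",
    "permit",
]
MAPS = {
    "hash:/etc/postfix/restricted_senders": {},   # not shown in the post; assumed empty
    "hash:/etc/postfix/restricted_recipients": {"management.team@testdomain.com": "mgmt_access"},
    "hash:/etc/postfix/mgmt_access": {"notify@testdomain.com": "OK"},
}
# The class exactly as posted: the table holds a sender address, but the
# class looks it up with the recipient as the key.
CLASS_AS_POSTED = {"mgmt_access": ["check_recipient_access hash:/etc/postfix/mgmt_access", "reject"]}
# Suggested variant: same table, consulted with the MAIL FROM address as the key.
CLASS_SENDER_KEYED = {"mgmt_access": ["check_sender_access hash:/etc/postfix/mgmt_access", "reject"]}


def decide(classes: Dict[str, Restrictions], sender: str,
           recipient: str = "management.team@testdomain.com", sasl: bool = True) -> str:
    """Decision for one RCPT TO under the page's recipient restriction list."""
    return evaluate(RECIPIENT_RESTRICTIONS, classes, MAPS, sender, recipient, sasl)[0]


if __name__ == "__main__":
    for label, classes in (("as posted", CLASS_AS_POSTED), ("sender-keyed", CLASS_SENDER_KEYED)):
        for sender in ("notify@testdomain.com", "andrewgrant@testdomain.com"):
            print(f"{label:12} {sender:28} -> {decide(classes, sender)}")
```

Run as written, the model shows that the class as posted rejects every sender, notify@testdomain.com included, because check_recipient_access looks up management.team@testdomain.com in a table whose only key is a sender address; the sender-keyed variant permits notify@ and rejects everyone else to that list, while mail to other recipients is still permitted by permit_sasl_authenticated. The model cannot reproduce the accepted delivery in the log, so that acceptance has to come from something the post does not show: whether the hash tables were rebuilt with postmap after editing (postmap -q management.team@testdomain.com hash:/etc/postfix/restricted_recipients should print mgmt_access), what restricted_senders returns for the sending address, and whether the smtpd service the client connects to carries -o overrides of smtpd_recipient_restrictions in master.cf (postconf -M lists them).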