LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Other *NIX Forums > *BSD
User Name
Password
*BSD This forum is for the discussion of all BSD variants.
FreeBSD, OpenBSD, NetBSD, etc.

Notices



Reply
 
Search this Thread
Old 05-06-2010, 07:05 PM   #1
andrewggrant
LQ Newbie
 
Registered: May 2010
Posts: 9

Rep: Reputation: 0
Postfix smtpd_recipient_restrictions not working (postfix, amavis, SA, BSD)


Hello,

I have been trying to configure smtpd_restriction_classes to limit access to my internal mailing lists (/etc/aliases). Unfortunately the email is still going through even though I thought I blocked all email to a specific alias via a class.

To hopefully clear up any confusion, I want to concentrate on one class only. That is the "mgmt_access" class. This is meant to stop all email going to the "management.team@testdomain.com" list unless it originates from one address, "notify@testdomain.com".

The two files that affect this are: restricted_recipients and mgmt_access. Those files look like this:

restricted_recipients:
management.team@testdomain.com mgmt_access

mgmt_access:
notify@testdomain.com OK

Unfortunately, all email sent to "management.team@testdomain.com" is currently allowed through.

The logs for an email sent to that account look like this:

May 6 15:42:39 miniserve-rmd-1 postfix/smtpd[56243]: connect from andrew-grant.testdomain.com[10.1.2.166]
May 6 15:42:39 miniserve-rmd-1 postfix/smtpd[56243]: 342418FAD8: client=andrew-grant.testdomain.com[10.1.2.166], sasl_method=CRAM-MD5, sasl_username=andrewgrant
May 6 15:42:39 miniserve-rmd-1 postfix/cleanup[56249]: 342418FAD8: message-id=<DA037CCF-CC2E-4D59-B8F6-20BCBD55C644@testdomain.com>
May 6 15:42:39 miniserve-rmd-1 postfix/qmgr[55740]: 342418FAD8: from=<andrewgrant@testdomain.com>, size=6283, nrcpt=1 (queue active)
May 6 15:42:43 miniserve-rmd-1 postfix/smtpd[56256]: connect from localhost[127.0.0.1]
May 6 15:42:43 miniserve-rmd-1 postfix/smtpd[56256]: A60998FAE9: client=localhost[127.0.0.1]
May 6 15:42:43 miniserve-rmd-1 postfix/cleanup[56249]: A60998FAE9: message-id=<DA037CCF-CC2E-4D59-B8F6-20BCBD55C644@testdomain.com>
May 6 15:42:43 miniserve-rmd-1 postfix/smtpd[56256]: disconnect from localhost[127.0.0.1]
May 6 15:42:43 miniserve-rmd-1 postfix/qmgr[55740]: A60998FAE9: from=<andrewgrant@testdomain.com>, size=6968, nrcpt=1 (queue active)
May 6 15:42:43 miniserve-rmd-1 postfix/smtp[56250]: 342418FAD8: to=<management.team@testdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.5, delays=0.01/0.01/0/4.5, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=55547-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A60998FAE9)
May 6 15:42:43 miniserve-rmd-1 postfix/qmgr[55740]: 342418FAD8: removed
May 6 15:42:43 miniserve-rmd-1 postfix/pipe[56259]: A60998FAE9: to=<andrewgrant@testdomain.com>, orig_to=<management.team@testdomain.com>, relay=dovecot, delay=0.04, delays=0/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
May 6 15:42:43 miniserve-rmd-1 postfix/qmgr[55740]: A60998FAE9: removed

Please see the configuration and postconf -n output and let me know what I have done wrong.

main.cf CONFIGURATION FILE:
queue_directory = /private/var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = _postfix
myhostname = mail.testdomain.com
mydomain = testdomain.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = _postdrop
html_directory = /usr/share/doc/postfix/html
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix/examples
readme_directory = /usr/share/doc/postfix
dovecot_destination_recipient_limit = 1
mailbox_size_limit = 0
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
mydomain_fallback = localhost
message_size_limit = 0
biff = no
mynetworks = 127.0.0.0/8,127.0.0.1/32,10.1.2.241

smtpd_client_restrictions =
permit_sasl_authenticated,
reject_rbl_client zen.spamhaus.org,
permit

recipient_delimiter = +
virtual_alias_maps =
smtpd_pw_server_security_options = cram-md5,gssapi
enable_server_options = yes
smtpd_sasl_auth_enable = yes
smtpd_use_pw_server = yes
error_notice_recipient = postmaster
notify_classes = policy, protocol, resource, software

smtpd_restriction_classes = internal_domains, everyone_access, send_only, mgmt_access

internal_domains = check_recipient_access hash:/etc/postfix/internal_domains, reject
everyone_access = check_recipient_access hash:/etc/postfix/everyone_access, reject
send_only = check_recipient_access hash:/etc/postfix/send_only, reject
mgmt_access = check_recipient_access hash:/etc/postfix/mgmt_access, reject

smtpd_sender_restrictions =
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit

smtpd_recipient_restrictions =
check_sender_access hash:/etc/postfix/restricted_senders,
check_recipient_access hash:/etc/postfix/restricted_recipients,
permit_sasl_authenticated,
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unauth_destination,
permit

mailbox_transport = dovecot
inet_interfaces = all
smtpd_tls_cert_file = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.cert.pem
smtpd_tls_key_file = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.key.pem
relayhost = msg.testdomain.com
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_helo_restrictions =
permit_sasl_authenticated,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
permit

header_checks = pcre:/etc/postfix/custom_header_checks
content_filter = smtp-amavis:[127.0.0.1]:10024
tls_random_source = dev:/dev/urandom
local_recipient_maps =
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.chain.pem
maps_rbl_domains =


postconf -n COMMAND OUTPUT:
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
error_notice_recipient = postmaster
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps =
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = testdomain.com
mydomain_fallback = localhost
myhostname = mail.testdomain.com
mynetworks = 127.0.0.0/8,127.0.0.1/32,10.1.2.241
newaliases_path = /usr/bin/newaliases
notify_classes = policy, protocol, resource, software
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost = msg.testdomain.com
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, permit
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_pw_server_security_options = cram-md5,gssapi
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders, check_recipient_access hash:/etc/postfix/restricted_recipients, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_restriction_classes = internal_domains, everyone_access, send_only, mgmt_access
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_tls_CAfile = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.chain.pem
smtpd_tls_cert_file = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps =
 
Old 05-10-2010, 03:28 PM   #2
andrewggrant
LQ Newbie
 
Registered: May 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Solution:

It seems that I did not define "restricted_senders" and
"restricted_recipients" in my "smtpd_restriction_classes" line.

Once those two were added, and the "mgmt_access" was chnged to
"check_sender_access" everything worked just great.
 
Old 08-29-2012, 12:41 PM   #3
viniciusbecker
LQ Newbie
 
Registered: Aug 2012
Posts: 1

Rep: Reputation: Disabled
Hi dude!
Sorry to reply to this old post, but i'm facing the same problem and i didn't how do you solved the problem... Can you please copy the configuration exactly how it should to be?

Here it is my "main.cf" file:

Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
fast_flush_refresh_time = 10m
home_mailbox = Maildir/
html_directory = no
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 204800000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/man
message_size_limit = 204800000
mydestination = $myhostname, localhost.$mydomain, localhost, test.com.br
mydomain = test.com.br
myhostname = mail.test.com.br
mynetworks = 10.1.2.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_minfree = 52428800
readme_directory = no
sample_directory = /etc/postfix
sender_bcc_maps = hash:/etc/postfix/sender_bcc
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks,  permit_sasl_authenticated,  check_recipient_access hash:/etc/postfix/access,  check_client_access hash:/etc/postfix/access,  reject_unknown_client_hostname,  reject_unknown_reverse_client_hostname,  sleep 1,  reject_unauth_pipelining
smtpd_data_restrictions = permit_mynetworks,  check_client_access hash:/etc/postfix/access,  reject_unauth_pipelining,  reject_multi_recipient_bounce
smtpd_delay_reject = yes
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_helo_restrictions = permit_mynetworks,  permit_sasl_authenticated,  check_recipient_access hash:/etc/postfix/access,  check_client_access hash:/etc/postfix/access,  check_helo_access hash:/etc/postfix/access,  reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks,  permit_sasl_authenticated,  check_sender_access = hash:/etc/postfix/restricted_senders,  reject_unauth_destination,  reject_unlisted_recipient,  reject_unknown_recipient_domain,  reject_rbl_client zen.spamhaus.org,  reject_rbl_client bl.spamcop.net,  check_policy_service unix:private/policy-meta
smtpd_reject_unlisted_sender = yes
smtpd_restriction_classes = local_only
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = check_recipient_access hash:/etc/postfix/access,  check_client_access hash:/etc/postfix/access,  check_sender_access hash:/etc/postfix/access,  reject_unknown_sender_domain,  reject_non_fqdn_sender,  reject_unlisted_sender,  permit_mynetworks,  permit_sasl_authenticated,  reject_sender_login_mismatch,  warn_if_reject
unknown_local_recipient_reject_code = 550
 
  


Reply

Tags
classes, postfix, recipient, restrictions


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Amavis Block Postfix (Help Please) k_oudom Linux - Networking 1 04-28-2010 02:43 AM
postfix - smtpd_recipient_restrictions & invalid sender domain compused Linux - Newbie 2 04-17-2010 08:34 AM
Postfix Configuration: smtpd_recipient_restrictions parameter sanity check Ghostwheel Linux - Server 1 08-01-2008 01:07 PM
help with postfix smtpd_recipient_restrictions JustinHoMi Linux - Server 6 08-08-2007 12:58 AM
amavis with postfix egyptian Linux - Security 1 10-14-2004 11:08 AM


All times are GMT -5. The time now is 04:40 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration