Old 05-06-2010, 06:05 PM   #1
andrewggrant
Postfix smtpd_recipient_restrictions not working (postfix, amavis, SA, BSD)


Hello,

I have been trying to configure smtpd_restriction_classes to limit access to my internal mailing lists (/etc/aliases). Unfortunately the email is still going through even though I thought I blocked all email to a specific alias via a class.

To hopefully clear up any confusion, I want to concentrate on one class only. That is the "mgmt_access" class. This is meant to stop all email going to the "management.team@testdomain.com" list unless it originates from one address, "notify@testdomain.com".

The two files that affect this are: restricted_recipients and mgmt_access. Those files look like this:

restricted_recipients:
management.team@testdomain.com mgmt_access

mgmt_access:
notify@testdomain.com OK

Unfortunately, all email sent to "management.team@testdomain.com" is currently allowed through.

The logs for an email sent to that account look like this:

May 6 15:42:39 miniserve-rmd-1 postfix/smtpd[56243]: connect from andrew-grant.testdomain.com[10.1.2.166]
May 6 15:42:39 miniserve-rmd-1 postfix/smtpd[56243]: 342418FAD8: client=andrew-grant.testdomain.com[10.1.2.166], sasl_method=CRAM-MD5, sasl_username=andrewgrant
May 6 15:42:39 miniserve-rmd-1 postfix/cleanup[56249]: 342418FAD8: message-id=<DA037CCF-CC2E-4D59-B8F6-20BCBD55C644@testdomain.com>
May 6 15:42:39 miniserve-rmd-1 postfix/qmgr[55740]: 342418FAD8: from=<andrewgrant@testdomain.com>, size=6283, nrcpt=1 (queue active)
May 6 15:42:43 miniserve-rmd-1 postfix/smtpd[56256]: connect from localhost[127.0.0.1]
May 6 15:42:43 miniserve-rmd-1 postfix/smtpd[56256]: A60998FAE9: client=localhost[127.0.0.1]
May 6 15:42:43 miniserve-rmd-1 postfix/cleanup[56249]: A60998FAE9: message-id=<DA037CCF-CC2E-4D59-B8F6-20BCBD55C644@testdomain.com>
May 6 15:42:43 miniserve-rmd-1 postfix/smtpd[56256]: disconnect from localhost[127.0.0.1]
May 6 15:42:43 miniserve-rmd-1 postfix/qmgr[55740]: A60998FAE9: from=<andrewgrant@testdomain.com>, size=6968, nrcpt=1 (queue active)
May 6 15:42:43 miniserve-rmd-1 postfix/smtp[56250]: 342418FAD8: to=<management.team@testdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.5, delays=0.01/0.01/0/4.5, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=55547-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A60998FAE9)
May 6 15:42:43 miniserve-rmd-1 postfix/qmgr[55740]: 342418FAD8: removed
May 6 15:42:43 miniserve-rmd-1 postfix/pipe[56259]: A60998FAE9: to=<andrewgrant@testdomain.com>, orig_to=<management.team@testdomain.com>, relay=dovecot, delay=0.04, delays=0/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
May 6 15:42:43 miniserve-rmd-1 postfix/qmgr[55740]: A60998FAE9: removed

Please see the configuration and postconf -n output and let me know what I have done wrong.

main.cf CONFIGURATION FILE:
queue_directory = /private/var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = _postfix
myhostname = mail.testdomain.com
mydomain = testdomain.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = _postdrop
html_directory = /usr/share/doc/postfix/html
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix/examples
readme_directory = /usr/share/doc/postfix
dovecot_destination_recipient_limit = 1
mailbox_size_limit = 0
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
mydomain_fallback = localhost
message_size_limit = 0
biff = no
mynetworks = 127.0.0.0/8,127.0.0.1/32,10.1.2.241

smtpd_client_restrictions =
    permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org,
    permit

recipient_delimiter = +
virtual_alias_maps =
smtpd_pw_server_security_options = cram-md5,gssapi
enable_server_options = yes
smtpd_sasl_auth_enable = yes
smtpd_use_pw_server = yes
error_notice_recipient = postmaster
notify_classes = policy, protocol, resource, software

smtpd_restriction_classes = internal_domains, everyone_access, send_only, mgmt_access

internal_domains = check_recipient_access hash:/etc/postfix/internal_domains, reject
everyone_access = check_recipient_access hash:/etc/postfix/everyone_access, reject
send_only = check_recipient_access hash:/etc/postfix/send_only, reject
mgmt_access = check_recipient_access hash:/etc/postfix/mgmt_access, reject

smtpd_sender_restrictions =
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders,
    check_recipient_access hash:/etc/postfix/restricted_recipients,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    permit

mailbox_transport = dovecot
inet_interfaces = all
smtpd_tls_cert_file = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.cert.pem
smtpd_tls_key_file = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.key.pem
relayhost = msg.testdomain.com
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_helo_restrictions =
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

header_checks = pcre:/etc/postfix/custom_header_checks
content_filter = smtp-amavis:[127.0.0.1]:10024
tls_random_source = dev:/dev/urandom
local_recipient_maps =
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.chain.pem
maps_rbl_domains =


postconf -n COMMAND OUTPUT:
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
error_notice_recipient = postmaster
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps =
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = testdomain.com
mydomain_fallback = localhost
myhostname = mail.testdomain.com
mynetworks = 127.0.0.0/8,127.0.0.1/32,10.1.2.241
newaliases_path = /usr/bin/newaliases
notify_classes = policy, protocol, resource, software
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost = msg.testdomain.com
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, permit
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_pw_server_security_options = cram-md5,gssapi
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders, check_recipient_access hash:/etc/postfix/restricted_recipients, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_restriction_classes = internal_domains, everyone_access, send_only, mgmt_access
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_tls_CAfile = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.chain.pem
smtpd_tls_cert_file = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps =
 
Old 05-10-2010, 02:28 PM   #2
andrewggrant
Solution:

It seems that I did not define "restricted_senders" and
"restricted_recipients" in my "smtpd_restriction_classes" line.

Once those two were added, and the "mgmt_access" was changed to
"check_sender_access" everything worked just great.
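
The sender-based class that post #2 describes, written out as an added example (not the poster's actual files and not part of the original thread). It follows the protected-list pattern from Postfix's RESTRICTION_CLASS_README and reuses the map and class names from post #1; the restricted_senders lookup is left out because its contents are not shown in the thread.

```conf
# /etc/postfix/main.cf (only the parts relevant to mgmt_access)
smtpd_restriction_classes = internal_domains, everyone_access, send_only, mgmt_access

# The class is entered for mail addressed to the protected list, so it has to
# test the envelope SENDER: permit senders found in the map, reject the rest.
mgmt_access =
    check_sender_access hash:/etc/postfix/mgmt_access,
    reject

# The recipient lookup must come before any rule that can permit the message.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/restricted_recipients,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    permit

# /etc/postfix/restricted_recipients   (recipient -> class name)
#   management.team@testdomain.com     mgmt_access
#
# /etc/postfix/mgmt_access             (allowed sender -> action)
#   notify@testdomain.com              OK
#
# Rebuild the indexed maps after every edit, then reload:
#   postmap /etc/postfix/restricted_recipients
#   postmap /etc/postfix/mgmt_access
#   postfix reload
#
# Confirm what Postfix will find for each key:
#   postmap -q management.team@testdomain.com hash:/etc/postfix/restricted_recipients
#   postmap -q notify@testdomain.com hash:/etc/postfix/mgmt_access
```

The class matches only the envelope sender, which any client can set, so it keeps stray mail off the list but does not authenticate notify@testdomain.com.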
 
Old 08-29-2012, 11:41 AM   #3
viniciusbecker
Hi dude!
Sorry to reply to this old post, but I'm facing the same problem and I didn't understand how you solved the problem... Can you please copy the configuration exactly how it should be?

Here is my "main.cf" file:

Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
fast_flush_refresh_time = 10m
home_mailbox = Maildir/
html_directory = no
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 204800000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/man
message_size_limit = 204800000
mydestination = $myhostname, localhost.$mydomain, localhost, test.com.br
mydomain = test.com.br
myhostname = mail.test.com.br
mynetworks = 10.1.2.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_minfree = 52428800
readme_directory = no
sample_directory = /etc/postfix
sender_bcc_maps = hash:/etc/postfix/sender_bcc
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks,  permit_sasl_authenticated,  check_recipient_access hash:/etc/postfix/access,  check_client_access hash:/etc/postfix/access,  reject_unknown_client_hostname,  reject_unknown_reverse_client_hostname,  sleep 1,  reject_unauth_pipelining
smtpd_data_restrictions = permit_mynetworks,  check_client_access hash:/etc/postfix/access,  reject_unauth_pipelining,  reject_multi_recipient_bounce
smtpd_delay_reject = yes
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_helo_restrictions = permit_mynetworks,  permit_sasl_authenticated,  check_recipient_access hash:/etc/postfix/access,  check_client_access hash:/etc/postfix/access,  check_helo_access hash:/etc/postfix/access,  reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks,  permit_sasl_authenticated,  check_sender_access = hash:/etc/postfix/restricted_senders,  reject_unauth_destination,  reject_unlisted_recipient,  reject_unknown_recipient_domain,  reject_rbl_client zen.spamhaus.org,  reject_rbl_client bl.spamcop.net,  check_policy_service unix:private/policy-meta
smtpd_reject_unlisted_sender = yes
smtpd_restriction_classes = local_only
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = check_recipient_access hash:/etc/postfix/access,  check_client_access hash:/etc/postfix/access,  check_sender_access hash:/etc/postfix/access,  reject_unknown_sender_domain,  reject_non_fqdn_sender,  reject_unlisted_sender,  permit_mynetworks,  permit_sasl_authenticated,  reject_sender_login_mismatch,  warn_if_reject
unknown_local_recipient_reject_code = 550
 
  

