LinuxQuestions.org
Old 02-01-2013, 03:44 AM   #1
blaszta
LQ Newbie
 
Registered: Oct 2010
Posts: 7

Rep: Reputation: 0
Question Postfix: Restricting what users can send mail to off-site destinations


I need to restrict the domains that a user can send email to, so I'm following this manual: http://www.postfix.org/RESTRICTION_CLASS_README.html

Code:
/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        ...
        check_sender_access hash:/etc/postfix/restricted_senders
        ...other stuff...

    smtpd_restriction_classes = local_only
    local_only = 
        check_recipient_access hash:/etc/postfix/local_domains, reject

/etc/postfix/restricted_senders:
    user1@mydomain.net      local_only
    user2@mydomain.net      local_only

/etc/postfix/local_domains:
    mydomain.net     OK      
    myotherdomain.net     OK
I did the tutorial and ran both commands:
Code:
postmap /etc/postfix/restricted_senders
postmap /etc/postfix/local_domains
then restarted the postfix service.

Using this setting, user1@mydomain.net should NOT be able to send email to any email address except mydomain.net and myotherdomain.net (correct me if I'm wrong).

I set up user1@mydomain.net in an email client (Outlook) and tested sending email to @yahoo.com, and the email goes through.
What am I doing wrong here?
 
Old 02-01-2013, 02:54 PM   #2
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,696

Rep: Reputation: 1261
Not necessarily anything. Outlook (so I thought) uses the destination mail address to connect to the receiving system directly. The client application has to be configured specifically to get it to use your mail server as a relay, and anytime a user objects, I think they can change it themselves. There might be a group policy on it though, but I don't use outlook or even Windows...
 
Old 02-02-2013, 05:02 AM   #3
blaszta
LQ Newbie
 
Registered: Oct 2010
Posts: 7

Original Poster
Rep: Reputation: 0
I already set the POP3 & SMTP settings in Outlook to the MTA IP address, so the issue should be in the server, not in the client. The mail is sent properly (so it uses the MTA); it's just that the postfix restriction isn't applied.
 
Old 02-02-2013, 05:48 AM   #4
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,479

Rep: Reputation: 388
Does the SMTP sender match the listing in /etc/postfix/restricted_senders?

Are they explicitly allowed by an earlier rule?
Or with 'smtpd_delay_reject = yes' are they allowed by a later rule?
 
1 members found this post helpful.
Old 02-03-2013, 09:25 PM   #5
blaszta
LQ Newbie
 
Registered: Oct 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Hmm interesting, I don't have smtpd_delay_reject setting in main.cf, but from the manual it says smtpd_delay_reject (default: yes). Anyway, I explicitly put 'smtpd_delay_reject = yes' in main.cf and the result is different now.

I'm testing sending email from user1@mydomain.net to @yahoo.com, @gmail.com and @outlook.com and none received the email (yet). Here's the log in the server for the last one (to @outlook.com):

Code:
Feb 4 10:07:22 system pop3[11829]: login: [192.168.0.90] user1 plaintext User logged in
Feb 4 10:07:22 system pop3[11829]: login: [192.168.0.90] test plaintext User logged in
Feb 4 10:07:11 system postfix/qmgr[11140]: 64C3680C44: removed
Feb 4 10:07:11 system postfix/smtp[11822]: 64C3680C44: to=, relay=mx1.hotmail.com[65.55.92.184]:25, delay=2.5, delays=0.06/0.01/1/1.4, dsn=2.0.0, status=sent (250 <004801ce0284$b861aa30$2924fe90$@mydomain.net> Queued mail for delivery)
Feb 4 10:07:11 system postfix/smtpd[11814]: disconnect from unknown[192.168.0.90]
Feb 4 10:07:09 system postfix/qmgr[11140]: 3627E80C3F: removed
Feb 4 10:07:09 system postfix/pipe[11818]: 3627E80C3F: to=, relay=mailprefilter, delay=0.28, delays=0.15/0.01/0/0.13, dsn=2.0.0, status=sent (delivered via mailprefilter service)
Feb 4 10:07:09 system postfix/smtpd[11820]: disconnect from localhost.localdomain[127.0.0.1]
Feb 4 10:07:09 system postfix/qmgr[11140]: 64C3680C44: from=, size=2895, nrcpt=1 (queue active)
Feb 4 10:07:09 system postfix/cleanup[11821]: 64C3680C44: message-id=<004801ce0284$b861aa30$2924fe90$@mydomain.net>
Feb 4 10:07:09 system postfix/smtpd[11820]: 64C3680C44: client=localhost.localdomain[127.0.0.1]
Feb 4 10:07:09 system postfix/smtpd[11820]: connect from localhost.localdomain[127.0.0.1]
Feb 4 10:07:09 system postfix/qmgr[11140]: 3627E80C3F: from=, size=2714, nrcpt=1 (queue active)
Feb 4 10:07:09 system postfix/cleanup[11817]: 3627E80C3F: message-id=<004801ce0284$b861aa30$2924fe90$@mydomain.net>
Feb 4 10:07:09 system postfix/smtpd[11814]: 3627E80C3F: client=unknown[192.168.0.90], sasl_method=LOGIN, sasl_username=user1@mydomain.net
Feb 4 10:07:09 system postfix/smtpd[11814]: connect from unknown[192.168.0.90]
Feb 4 10:05:42 system fetchmail[1335]: sleeping at Mon 04 Feb 2013 10:05:42 AM WIT for 300 seconds
Feb 4 10:05:40 system fetchmail[1335]: Server certificate verification error: self signed certificate
Feb 4 10:05:39 system fetchmail[1335]: awakened at Mon 04 Feb 2013 10:05:39 AM WIT
Feb 4 10:05:02 system imap[10443]: login: localhost.localdomain [127.0.0.1] email-archive PLAIN User logged in
Feb 4 10:03:08 system postfix/qmgr[11140]: 6489680C44: removed
Feb 4 10:03:08 system postfix/smtp[11528]: 6489680C44: to=, relay=aspmx.l.google.com[74.125.25.27]:25, delay=3.4, delays=0.04/0.01/1.6/1.8, dsn=2.0.0, status=sent (250 2.0.0 OK 1359946989 p10si12995839pay.148 - gsmtp)
Feb 4 10:03:07 system postfix/smtpd[11419]: disconnect from unknown[192.168.0.90]
Feb 4 10:03:05 system postfix/smtpd[11426]: disconnect from localhost.localdomain[127.0.0.1]
Feb 4 10:03:05 system postfix/qmgr[11140]: 3E56F80C3F: removed
Feb 4 10:03:05 system postfix/pipe[11424]: 3E56F80C3F: to=, relay=mailprefilter, delay=0.25, delays=0.15/0/0/0.1, dsn=2.0.0, status=sent (delivered via mailprefilter service)
Feb 4 10:03:05 system postfix/qmgr[11140]: 6489680C44: from=, size=2889, nrcpt=1 (queue active)
Feb 4 10:03:05 system postfix/cleanup[11427]: 6489680C44: message-id=<004301ce0284$26f8c7e0$74ea57a0$@mydomain.net>
Feb 4 10:03:05 system postfix/smtpd[11426]: 6489680C44: client=localhost.localdomain[127.0.0.1]
Feb 4 10:03:05 system postfix/smtpd[11426]: connect from localhost.localdomain[127.0.0.1]
Feb 4 10:03:05 system postfix/qmgr[11140]: 3E56F80C3F: from=, size=2710, nrcpt=1 (queue active)
Feb 4 10:03:05 system postfix/cleanup[11423]: 3E56F80C3F: message-id=<004301ce0284$26f8c7e0$74ea57a0$@mydomain.net>
Feb 4 10:03:05 system postfix/smtpd[11419]: 3E56F80C3F: client=unknown[192.168.0.90], sasl_method=LOGIN, sasl_username=user1@mydomain.net
Feb 4 10:03:05 system postfix/smtpd[11419]: connect from unknown[192.168.0.90]
I didn't receive any error message in the log file. It should throw out: 554 <user@remote>: Access denied, right?
 
Old 02-04-2013, 12:19 AM   #6
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,479

Rep: Reputation: 388
If it is working properly I would expect the client to get rejected during the SMTP session.
You should turn on debug logging and follow each mail through the process.
 
1 members found this post helpful.
Old 02-11-2013, 09:55 PM   #7
blaszta
LQ Newbie
 
Registered: Oct 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Talking Solved!

Got busy with something else, never had a chance to post here. Thanks a lot descendant_command for the help, you're right by asking 'Are they explicitly allowed by an earlier rule?'

Here is the rule in smtpd_recipient_restrictions:
Code:
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/restricted_senders
I changed the order to:
Code:
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
It works now; the server gives a nasty Undeliverable error message to the user if they try to send email outside of local_domains.

Last edited by blaszta; 02-11-2013 at 09:59 PM. Reason: fix typo
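
The ordering problem resolved in post #7, as an added example that is not part of the thread or of Postfix: a simplified Python model of first-match evaluation, using the maps and the two restriction orders from the posts. The `evaluate` and `make_session` helpers, the session values, and treating `local_domains` as the only destinations the server accepts are assumptions made for illustration.

```python
# Simplified model of first-match evaluation of smtpd_recipient_restrictions.
# Not Postfix code: tables are copied from the thread, sessions are constructed.
RESTRICTED_SENDERS = {"user1@mydomain.net": "local_only",
                      "user2@mydomain.net": "local_only"}
LOCAL_DOMAINS = {"mydomain.net": "OK", "myotherdomain.net": "OK"}
MAPS = {"hash:/etc/postfix/restricted_senders": RESTRICTED_SENDERS,
        "hash:/etc/postfix/local_domains": LOCAL_DOMAINS}
CLASSES = {"local_only": ["check_recipient_access hash:/etc/postfix/local_domains",
                          "reject"]}
ORIGINAL = ["permit_sasl_authenticated", "permit_mynetworks",
            "reject_unauth_destination",
            "check_sender_access hash:/etc/postfix/restricted_senders"]
FIXED = ["check_sender_access hash:/etc/postfix/restricted_senders",
         "permit_sasl_authenticated", "permit_mynetworks",
         "reject_unauth_destination"]

def evaluate(rules, session):
    """Return (verdict, deciding_rule); the first rule that decides wins."""
    for rule in rules:
        name, _, arg = rule.partition(" ")
        if name == "reject":
            return "REJECT", rule
        if name == "permit_sasl_authenticated" and session["sasl_user"]:
            return "PERMIT", rule
        if name == "permit_mynetworks" and session["in_mynetworks"]:
            return "PERMIT", rule
        if name == "reject_unauth_destination":
            # Assumption: local_domains lists every destination this server accepts.
            if session["rcpt"].split("@")[1] not in LOCAL_DOMAINS:
                return "REJECT", rule
        if name in ("check_sender_access", "check_recipient_access"):
            addr = session["sender" if name == "check_sender_access" else "rcpt"]
            action = MAPS[arg].get(addr) or MAPS[arg].get(addr.split("@")[1])
            if action == "OK":
                return "PERMIT", rule
            if action in CLASSES:  # restriction class: evaluate its own list
                verdict, decider = evaluate(CLASSES[action], session)
                if verdict != "DUNNO":
                    return verdict, f"{action}: {decider}"
    return "DUNNO", None

def make_session(sender, rcpt):
    """Constructed SMTP session: SASL-authenticated client outside mynetworks."""
    return {"sender": sender, "rcpt": rcpt, "sasl_user": sender, "in_mynetworks": False}

if __name__ == "__main__":
    offsite = make_session("user1@mydomain.net", "someone@example.com")
    print("original order:", evaluate(ORIGINAL, offsite))
    print("fixed order:   ", evaluate(FIXED, offsite))
```

With the original order, `permit_sasl_authenticated` decides before `check_sender_access` is ever consulted, which matches the log in post #5 where the SASL-authenticated message was relayed without any rejection.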
 
Old 02-12-2013, 12:00 AM   #8
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,479

Rep: Reputation: 388
Nice, thanks for posting back your solution.
 
  

