LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (http://www.linuxquestions.org/questions/linux-software-2/)
-   -   How can I create a user account filter with postfix? (http://www.linuxquestions.org/questions/linux-software-2/how-can-i-create-a-user-account-filter-with-postfix-815429/)

3rods 06-21-2010 09:40 AM

How can I create a user account filter with postfix?
 
I am using this config.

I'm looking to create a white-list of email addresses that are allowed to send mail to my son's email address. Basically, I'm trying to do this:

if from not in ('dad@home.net','mom@home.net','unclebill@work.org')
then deliver to 'dad@home.net'

Or deliver to /dev/null or something.

This would be only for his account/domain, not server-wide.

The configuration above uses MySQL for forwarding and authentication. I'm not sure if that is a plus or minus for what I'm trying to do.

Any ideas would be appreciated; even if your a newb like me and have no idea what you're doing... :p

Berhanie 06-22-2010 08:04 PM

You can do something similar to this. You would put your son's email address in the protected_destinations file of the example, and the whitelisted addresses in insiders. Mail to your son's address would be rejected unless the sender is in the whitelist.

3rods 06-22-2010 11:33 PM

Forward
 
That looks pretty good. What would I do if I wanted to forward to another email instead of reject?

Add another option?

insiders_only = check_sender_access hash:/etc/postfix/insiders, forward_handler, reject

I know little about postfix, just guessing here.

Berhanie 06-23-2010 11:07 AM

You'd have to do something like this, which is incorrect, so read the entire post:
Code:

#/etc/postfix/insiders
#

dad@home.net        OK
mom@home.net        OK
unclebill@work.org  OK

# redirect to dad if sent from anyone else
*                    REDIRECT    dad@home.net

This is incorrect because you cannot have a catch-all in a hash table (someone
correct me if I'm wrong). But, you can do it using a pcre table, for example.

Code:

#/etc/postfix/insiders
#

# this is a pcre table. change the main.cf setting in the example to
# insiders_only = check_sender_access pcre:/etc/postfix/insiders, reject

/^dad@home.net$/        OK
/^mom@home.net$/        OK
/^unclebill@work.org$/  OK
/./                      REDIRECT    dad@home.net


3rods 06-23-2010 01:02 PM

Very awesome. Going to try this out now and let you know.

3rods 06-23-2010 03:40 PM

On the cusp of perfection here. It rejects emails instead of redirecting them. Not sure why. here is the file:

Code:

#/etc/postfix/insiders
#

# this is a pcre table. change the main.cf setting in the example to
# insiders_only = check_sender_access pcre:/etc/postfix/insiders, reject


/^user@domain.com$/    OK
/./                    REDIRECT user@domain2.com


Here is a bit of the log.


Code:

Jun 23 18:38:20 mail postfix/postfix-script[23222]: refreshing the Postfix mail system
Jun 23 18:38:20 mail postfix/master[14085]: reload -- version 2.7.0, configuration /etc/postfix
Jun 23 18:38:55 mail postfix/smtpd[23655]: connect from XXXXXXXXXXXXXXXXXXXX.net[76.XX.XX.XX]
Jun 23 18:38:55 mail postfix/smtpd[23655]: NOQUEUE: redirect: RCPT from XXXXXXXXXXXXXXXXXXXX.net[76.XX.XX.XX8]: <XXXX@domain1.net>: Sender address triggers REDIRECT user@domainredirect.com; from=<XXXX@domain1.net> to=<user@intendeduser.com> proto=ESMTP helo=<XXXXXXXXXXXXXX.net>
Jun 23 18:38:55 mail postfix/smtpd[23655]: NOQUEUE: reject: RCPT from XXXXXXXXXXXXXXXXXXXXXXXXXXX.net[76.XX.XX.XX]: 554 5.7.1 <user@intendeduser.com>: Recipient address rejected: Access denied; from=<XXXX@domain1.net> to=<user@intendeduser.com> proto=ESMTP helo=<XXXXXXXXXXXXXXXXXXXXXXXXXXXX.net>


3rods 06-23-2010 08:27 PM

Ok, if you remove the "reject" from this:
Code:

insiders_only = check_sender_access pcre:/etc/postfix/insiders, reject
And make it:

Code:

insiders_only = check_sender_access pcre:/etc/postfix/insiders
Messages get delivered to the redirect and not rejected. I'm guessing this is because we are actually never rejecting any messages and creating a catch all.

It also looks like you can explicitly imply a REJECT action within the file and still have the message trickle down to the catch all if it does not match the rule - which is good.

Thanks for your help!

Berhanie 06-23-2010 08:54 PM

that's correct. excellent work, 3rods.
but, not for the reason you gave. we are creating a catchall for the sender,
not for the recipients, and only when message are sent to a certain address.
for example, if you sent a message to nonexistent@home.net (assuming home.net
is local to the mail server), then mail would be rejected.

the reason is mentioned in the discussion here.
it means that a REDIRECT action does not stop the key lookup in the access list, which in our case, continues with the
reject rule.


All times are GMT -5. The time now is 12:26 PM.