LinuxQuestions.org > Linux - Software > smtp restriction in postfix (https://www.linuxquestions.org/questions/linux-software-2/smtp-restriction-in-postfix-648956/)

janskey 06-12-2008 09:32 PM

smtp restriction in postfix
 
Hi All,

I need some advice on how I can restrict SMTP (Postfix). Here is the scenario:
- Currently we have 9 servers + 1 SMTP. All servers are inside the firewall.
 1. prod1.test.ph
 2. prod2.test.ph
....
....
....
 6. prod6.test.ph
 7. nagios.test.ph
 8. jira.test.ph
 9. wiki.test.ph
 10. smtp.test.ph

My problem is how I can restrict it so that:
-  if the originator is prodx.test.ph using the smtp server, it can send to any recipient
-  if it is a non-prodx server, only @sistercompany.com recipients will be sent to; ignore non-@sistercompany.com recipients

I tried looking at this solution
http://www.postfix.org/RESTRICTION_CLASS_README.html , but I don't know how to construct my class. I'm also confused about
smtpd_recipient_restrictions and smtpd_sender_restrictions. Which is the best solution for this problem?

d3ckard 06-17-2008 11:06 PM

Heh, postfix can't easily do that, because none of the rule checks check the sending system as WELL as the destination.

Consider

1) using a global /etc/procmailrc recipe that figures out the sender and recipient, and sends to /dev/null if it's from the wrong server and NOT going to someone@sistercompany.com; see man procmailex. A recipe might look like:

# Mail from the wiki box that is NOT addressed to anyone @sistercompany.com:
# forward a copy to an audit mailbox, then discard the original.
# (^TO_ is procmail's macro for To:/Cc:/etc. recipient headers; the
#  original "^To:" check would have let Cc'd recipients through.)
:0
* ^From.*@wiki\.test\.ph
* ! ^TO_.*@sistercompany\.com
{
# "c" = carbon copy: forward a copy and keep processing
:0 c
! auditbox@test.ph

# everything that reaches this point is dropped
:0
/dev/null
}


2) determine (and rearchitect to fix) why you have unauthorized, uncontrollable emails emerging from boxes which are not "prod" - it might be easier to approach the problem that way


HTH

Mr. C. 06-19-2008 12:10 AM

Quote:

Originally Posted by d3ckard
Heh, postfix can't easily do that, because none of the rule checks check the sending system as WELL as the destination.

This isn't correct. This is what restriction classes are all about. The various smtpd_mumble_restrictions allow all sorts of combinations.

There are several ways to accomplish what the OP desires. Here are two:

1) Configure your postfix server with a submission port (587) for your prodx.test.ph server, which allows sending to any recipients. And configure the MUAs on that server to submit via port 587.

Configure your postfix server's standard port 25 smtpd with a check_recipient_access list which includes @sistercompany.com and rejects all other email.

You should have firewall rules that prohibit the other systems from attempting their own outbound port 25 connections.

2) Use restriction classes. I've commented below:
Code:

/etc/postfix/main.cf:
        # test our client IP with check_client_access.
        smtpd_recipient_restrictions =
                check_client_access hash:/etc/postfix/restricted_clients
                ...other stuff...

        # declare a restrictive restriction class
        smtpd_restriction_classes = restrictive

        # define the class.  It will perform a check_recipient_access check,
        # using the file restricted_domains.  If a match is found, it will return
        # OK; otherwise, fall through to the reject rule.
        restrictive =
                check_recipient_access hash:/etc/postfix/restricted_domains
                reject

/etc/postfix/restricted_clients:

        # Our client IP access file.  If any IP matches the list
        # (replace non-prodx-IPx with the IP addresses of your
        # restricted clients), return "restricted".  This value has
        # already been declared in main.cf to be another access lookup,
        # so Postfix will then perform the access checks defined in
        # the "restrictive" class.

        non-prodx-IP1      restrictive
        non-prodx-IP2      restrictive
        ...

/etc/postfix/restricted_domains:
        # This is the list of domains we will allow sending to from our
        # restricted clients.  If the recipient envelope contains any
        # domain listed below, the mail will be allowed.
        sistercompany.com    OK
        ...


Quote:

Originally Posted by janskey
I'm also confused about
smtpd_recipient_restrictions and smtpd_sender_restrictions. Which is the best solution for this problem?

In order to understand the smtpd_XXX_restrictions, you need to keep in mind the stages in the SMTP protocol. The basic conversation goes like this:
  1. HELO
  2. MAIL FROM
  3. RCPT TO
  4. DATA
  5. QUIT

At each stage, the sending client sends information appropriate for that stage, and the mail server considers that information and responds. The various smtpd_XXX_checks consider that information, and act upon it. So, there is an smtpd_helo_restrictions which corresponds to the HELO stage. And smtpd_sender_restrictions corresponds to the MAIL FROM stage. Likewise smtpd_recipient_restrictions (RCPT TO) and smtpd_data_restrictions (DATA). There are some more too, but we can ignore those for now.

There is additional information available to the Postfix smtpd mail server as well: the sending client's IP address, and it corresponds to smtpd_client_restrictions.

All these restrictions allow Postfix to reject a message at any of the various stages in the SMTP conversation based upon what the client has passed, or other client-specific information (client hostname, reverse hostname, etc.).

Many admins generally place most of their restrictions in the smtpd_recipient_restrictions because *more data is available* to Postfix for logging purposes and to make intelligent decisions about acceptance or rejection. Postfix by default does not respond with a reject at various stages of the SMTP conversation, and delays that response until the client has provided as much information as necessary.

If you have a real interest in how to configure Postfix and in its operation, consider getting The Book of Postfix.
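As an added illustration (not Postfix source and not part of the post above), a small Python dry-run model of how Postfix evaluates the restriction class from that main.cf: the access(5) lookup order for client IPs and recipient addresses, and the class fall-through at RCPT TO time. The IPs are constructed stand-ins for the thread's non-prodx-IPx.

```python
"""Dry-run model of the restriction-class policy from the thread above.
Added illustration, not Postfix source: it mimics the access(5) lookup
order for client IPs and recipient addresses and the class fall-through.
The IPs are constructed stand-ins for the thread's non-prodx-IPx."""

# /etc/postfix/restricted_clients: non-prodx hosts map to the class name
RESTRICTED_CLIENTS = {
    "10.0.0.7": "restrictive",  # nagios.test.ph (constructed IP)
    "10.0.0.8": "restrictive",  # jira.test.ph   (constructed IP)
    "10.0.0.9": "restrictive",  # wiki.test.ph   (constructed IP)
}
# /etc/postfix/restricted_domains: the only destination the class allows
RESTRICTED_DOMAINS = {"sistercompany.com": "OK"}


def client_lookup(table, ip):
    """check_client_access: full IPv4 address first, then ever-shorter
    dotted prefixes (10.0.0, 10.0, 10), as access(5) does for IP keys."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        hit = table.get(".".join(octets[:n]))
        if hit is not None:
            return hit
    return None


def recipient_lookup(table, address):
    """check_recipient_access: user@domain, then the domain and its parent
    domains (smtpd_access_maps is in the default
    parent_domain_matches_subdomains), then user@."""
    local, _, domain = address.partition("@")
    labels = domain.split(".")
    keys = [address] + [".".join(labels[i:]) for i in range(len(labels) - 1)]
    keys.append(local + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def evaluate_rcpt(client_ip, recipient):
    """smtpd_recipient_restrictions as in the thread's main.cf: a client match
    yields "restrictive", whose list is check_recipient_access (OK permits)
    then an unconditional reject; no match yields DUNNO (fall through)."""
    if client_lookup(RESTRICTED_CLIENTS, client_ip) != "restrictive":
        return "DUNNO"
    if recipient_lookup(RESTRICTED_DOMAINS, recipient) == "OK":
        return "OK"
    return "REJECT"
```

A DUNNO result means the prodx hosts continue into the "...other stuff..." restrictions (permit_mynetworks, reject_unauth_destination and so on), which is where their normal relay decision is made.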

d3ckard 06-19-2008 11:23 PM

Hey Mr. C thanks for the enlightening information !
