smtp restriction in postfix
Hi All,
I need some advice on how I can restrict smtp (postfix). Here is the scenario:

- currently we have 9 servers + 1 smtp. All servers are inside the firewall.

1. prod1.test.ph
2. prod2.test.ph
....
....
....
6. prod6.test.ph
7. nagios.test.ph
8. jira.test.ph
9. wiki.test.ph
10. smtp.test.ph

My problem is how can I restrict:
- if the originator is prodx.test.ph and uses the smtp server, it can send to any recipient
- if it is a non-prodx server, mail will be sent only to @sistercompany.com recipients; non-@sistercompany.com recipients are ignored

I tried looking at this solution, http://www.postfix.org/RESTRICTION_CLASS_README.html, but I don't know how to construct my class. I'm also confused about smtpd_recipient_restrictions and smtpd_sender_restrictions. Which is the best solution for this problem?
Heh, postfix can't easily do that, because none of the rule checks look at the sending system as WELL as the destination.
Consider

1) using a global /etc/procmailrc recipe that figures out the sender and recipient and sends to /dev/null if it's from the wrong server NOT going to someone@sistercompany.com; see man procmailex. A recipe might look like:

Code:
# Mail from the wiki box that is NOT addressed to @sistercompany.com:
# forward a copy to the audit mailbox, then discard the original.
:0
* ^From.*@wiki.test.ph
* ! ^To:.*@sistercompany.com
{
    :0 c
    ! auditbox@test.ph

    :0
    /dev/null
}

2) determine (and rearchitect to fix) why you have unauthorized uncontrollable emails emerging from boxes which are not "prod" - might be easier to approach the problem that way

HTH
There are several ways to accomplish what the OP desires. Here are two:

1) Configure your postfix server with a submission port (587) for your prodx.test.ph server, which allows sending to any recipients. And configure the MUAs on that server to submit via port 587. Configure your postfix server's standard port 25 smtpd with a check_recipient_access list which includes @sistercompany.com and rejects all other email. You should have firewall rules that prohibit the other systems from attempting their own outbound port 25 connections.

2) Use restriction classes. I've commented below:

Code:
/etc/postfix/main.cf:
At each stage, the sending client sends information appropriate for that stage, and the mail server considers that information and responds. The various smtpd_XXX_checks consider that information, and act upon it. So, there is an smtpd_helo_restrictions which corresponds to the HELO stage. And smtpd_sender_restrictions corresponds to the MAIL FROM stage. Likewise smtpd_recipient_restrictions (RCPT TO) and smtpd_data_restrictions (DATA). There are some more too, but we can ignore those for now.

There is additional information available to the Postfix smtpd mail server as well: the sending client's IP address, and it corresponds to smtpd_client_restrictions.

All these restrictions allow Postfix to reject a message at any of the various stages in the SMTP conversation based upon what the client has passed, or other client-specific information (client hostname, reverse hostname, etc.).

Many admins generally place most of their restrictions in the smtpd_recipient_restrictions because *more data is available* to Postfix for logging purposes and to make intelligent decisions about acceptance or rejection. Postfix by default does not respond with a reject at various stages of the SMTP conversation, and delays that response until the client has provided as much information as necessary.

If you have a real interest in how to configure Postfix and in its operation, consider getting The Book of Postfix.
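One way to express the restriction-class approach from option 2 for the original poster's policy, as an added example that is not the poster's own configuration. The class name sister_only, the table file names and the 192.0.2.x addresses are constructed assumptions; clients are matched by IP address rather than hostname so the decision does not depend on reverse DNS.

```ini
# --- /etc/postfix/main.cf (fragment) ---
# Assumption: all ten hosts are covered by mynetworks, so the relay checks
# (smtpd_relay_restrictions on Postfix 2.10 and later) already let them relay.
smtpd_restriction_classes = sister_only

# Class body: accept listed recipient domains, reject every other RCPT TO.
sister_only =
    check_recipient_access hash:/etc/postfix/sister_recipients,
    reject

# The client IP picks the policy; unlisted clients fall through to the
# normal relay check.
smtpd_recipient_restrictions =
    check_client_access cidr:/etc/postfix/client_policy,
    reject_unauth_destination

# --- /etc/postfix/client_policy (cidr table, first match wins) ---
# Constructed addresses: prod1..prod6 first, then the rest of the subnet.
192.0.2.11/32    OK
192.0.2.12/32    OK
192.0.2.13/32    OK
192.0.2.14/32    OK
192.0.2.15/32    OK
192.0.2.16/32    OK
192.0.2.0/24     sister_only

# --- /etc/postfix/sister_recipients (hash table, run postmap after editing) ---
sistercompany.com    OK
```

Because the class is evaluated at RCPT TO, a message from a non-prod host with mixed recipients is accepted for the @sistercompany.com addresses and rejected for the others. `postmap -q 192.0.2.17 cidr:/etc/postfix/client_policy` should print `sister_only` for a non-prod address.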
Hey Mr. C, thanks for the enlightening information!