LinuxQuestions.org
Old 06-12-2008, 10:32 PM   #1
janskey
LQ Newbie
 
Registered: Apr 2006
Posts: 6

Rep: Reputation: 0
smtp restriction in postfix


Hi All,

I need some advice on how I can restrict smtp(postfix). Here is the scenario:
- currently we have 9 servers + 1 smtp. all servers are inside the firewall.
 1. prod1.test.ph
 2. prod2.test.ph
....
....
....
 6. prod6.test.ph
 7. nagios.test.ph
 8. jira.test.ph
 9. wiki.test.ph
 10. smtp.test.ph

My problem is how can I restrict:
-  if the originator using the smtp server is prodx.test.ph, it can send to any recipient
-  if it is a non-prodx server, only mail to @sistercompany.com recipients will be sent; non-@sistercompany.com recipients are ignored

I tried looking at this solution, http://www.postfix.org/RESTRICTION_CLASS_README.html , but I don't know how to construct my class. I'm also confused about smtpd_recipient_restrictions and smtpd_sender_restrictions. Which is the best solution for this problem?
 
Old 06-18-2008, 12:06 AM   #2
d3ckard
LQ Newbie
 
Registered: May 2007
Posts: 13

Rep: Reputation: 0
Heh, postfix can't easily do that, because none of the rules checking check the sending system as WELL as the destination..

Consider

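1) using a global /etc/procmailrc recipe that figures out the sender and recipient and sends to /dev/null if it's from the wrong server NOT going to someone@sistercompany.com; see man procmailex, a recipe might look like:

# Match mail from the wiki host that is NOT addressed to
# sistercompany.com (the "!" negates the To: condition).
:0
* ^From.*@wiki\.test\.ph
* ! ^To:.*@sistercompany\.com
{
# Forward a copy to the audit mailbox...
:0 c
! auditbox@test.ph

# ...then discard the original.
:0
/dev/null
}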


2) determine (and rearchitect to fix) why you have unauthorized uncontrollable emails emerging from boxes which are not "prod" - might be easier to approach the problem that way


HTH
 
Old 06-19-2008, 01:10 AM   #3
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
Quote:
Originally Posted by d3ckard
Heh, postfix can't easily do that, because none of the rules checking check the sending system as WELL as the destination..
This isn't correct. This is what restriction classes are all about. The various smtpd_mumble_restrictions allow all sorts of combinations.

There are several ways to accomplish what the OP desires. Here are two:

1) Configure your postfix server with a submission port (587) for your prodx.test.ph server, which allows sending to any recipients. And configure the MUAs on that server to submit via port 587.

Configure your postfix server's standard port 25 smtpd with a check_recipient_access list which includes @sistercompany.com and rejects all other email.

You should have firewall rules that prohibit the other systems from attempting their own outbound port 25 connections.

2) Use restriction classes. I've commented below:
Code:
/etc/postfix/main.cf:

# Test our client IP with check_client_access.
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/restricted_clients
    ...other stuff...

# Declare a restrictive restriction class.
smtpd_restriction_classes = restrictive

# Define the class.  It will perform a check_recipient_access check,
# using the file restricted_domains.  If a match is found, it will return
# OK; otherwise, fall through to the reject rule.
restrictive =
    check_recipient_access hash:/etc/postfix/restricted_domains
    reject

/etc/postfix/restricted_clients:

# Our client IP access file.  If any IP matches the list
# (replace non-prodx-IPx with the IP addresses of your
# restricted clients), return "restrictive".  This value has
# already been declared in main.cf to be another access lookup,
# so Postfix will then perform the access checks defined in
# the "restrictive" class.

non-prodx-IP1      restrictive
non-prodx-IP2      restrictive
...

/etc/postfix/restricted_domains:

# This is the list of domains we will allow sending to from our
# restricted clients.  If the recipient envelope contains any
# domain listed below, the mail will be allowed.
sistercompany.com     OK
...

Quote:
Originally Posted by janskey
I'm also confused about smtpd_recipient_restrictions and smtpd_sender_restrictions. Which is the best solution for this problem?
In order to understand the smtpd_XXX_restrictions, you need to keep in mind the stages in the SMTP protocol. The basic conversation goes like this:
  1. HELO
  2. MAIL FROM
  3. RCPT TO
  4. DATA
  5. QUIT

At each stage, the sending client sends information appropriate for that stage, and the mail server considers that information and responds. The various smtpd_XXX_checks consider that information, and act upon it. So, there is an smtpd_helo_restrictions which corresponds to the HELO stage. And smtpd_sender_restrictions corresponds to the MAIL FROM stage. Likewise smtpd_recipient_restrictions (RCPT TO) and smtpd_data_restrictions (DATA). There are some more too, but we can ignore those for now.

There is additional information available to the Postfix smtpd mail server as well: the sending client's IP address, and it corresponds to smtpd_client_restrictions.

All these restrictions allow Postfix to reject a message at any of the various stages in the SMTP conversation based upon what the client has passed, or other client-specific information (client hostname, reverse hostname, etc.).

Many admins generally place most of their restrictions in the smtpd_recipient_restrictions because *more data is available* to Postfix for logging purposes and to make intelligent decisions about acceptance or rejection. Postfix by default does not respond with a reject at various stages of the SMTP conversation, and delays that response until the client has provided as much information as necessary.

If you have a real interest in how to configure Postfix and in its operation, consider getting The Book of Postfix.
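
An added example, not part of Mr. C.'s post or of Postfix itself: a simplified Python model of how the restriction class in option 2 is evaluated at RCPT TO, where the first rule that returns OK or REJECT ends the list. The client IPs, the mynetworks range, and the permit_mynetworks/reject entries standing in for "...other stuff..." are assumptions; the second ordering shows that a restricted client is never checked against the class if permit_mynetworks is listed ahead of check_client_access.

```python
import ipaddress

# Constructed sample data: the IPs stand in for the thread's non-prodx-IPx
# placeholders; MYNETWORKS and both rule orderings are assumptions.
RESTRICTED_CLIENTS = {"192.0.2.17": "restrictive", "192.0.2.18": "restrictive"}
RESTRICTED_DOMAINS = {"sistercompany.com": "OK"}
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
CLASSES = {"restrictive": ["check_recipient_access", "reject"]}

CLASS_FIRST = ["check_client_access", "permit_mynetworks", "reject"]
MYNETWORKS_FIRST = ["permit_mynetworks", "check_client_access", "reject"]


def evaluate(rules, client_ip, rcpt):
    """Walk the rules in order; the first OK or REJECT ends evaluation."""
    domain = rcpt.rsplit("@", 1)[-1].lower()  # model matches the domain key only
    for rule in rules:
        if rule == "check_client_access":
            action = RESTRICTED_CLIENTS.get(client_ip)
            if action in CLASSES:  # lookup result names a restriction class
                result = evaluate(CLASSES[action], client_ip, rcpt)
                if result != "DUNNO":
                    return result
        elif rule == "check_recipient_access":
            if RESTRICTED_DOMAINS.get(domain) == "OK":
                return "OK"
        elif rule == "permit_mynetworks":
            addr = ipaddress.ip_address(client_ip)
            if any(addr in net for net in MYNETWORKS):
                return "OK"
        elif rule == "reject":
            return "REJECT"
    return "DUNNO"  # nothing matched; the caller keeps evaluating


if __name__ == "__main__":
    cases = [("192.0.2.17", "bob@sistercompany.com"),
             ("192.0.2.17", "bob@example.org"),
             ("192.0.2.10", "bob@example.org")]
    for order in (CLASS_FIRST, MYNETWORKS_FIRST):
        for ip, rcpt in cases:
            print(order[0], ip, rcpt, evaluate(order, ip, rcpt))
```

On a real server the two hash: lookup files must be compiled with postmap (for example `postmap /etc/postfix/restricted_clients`) before Postfix can read them.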
 
Old 06-20-2008, 12:23 AM   #4
d3ckard
LQ Newbie
 
Registered: May 2007
Posts: 13

Rep: Reputation: 0
Hey Mr. C thanks for the enlightening information !
 
  

