LinuxQuestions.org


blaszta 02-01-2013 03:44 AM

Postfix: Restricting what users can send mail to off-site destinations
 
I need to restrict the domains that users can send email to, so I'm following this manual: http://www.postfix.org/RESTRICTION_CLASS_README.html

Code:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        ...
        check_sender_access hash:/etc/postfix/restricted_senders
        ...other stuff...

    smtpd_restriction_classes = local_only
    local_only =
        check_recipient_access hash:/etc/postfix/local_domains, reject

/etc/postfix/restricted_senders:
    user1@mydomain.net      local_only
    user2@mydomain.net      local_only

/etc/postfix/local_domains:
    mydomain.net    OK     
    myotherdomain.net    OK

I did the tutorial and ran both commands:
Code:

postmap /etc/postfix/restricted_senders
postmap /etc/postfix/local_domains

and restarted the postfix service.

Using this setting, user1@mydomain.net should NOT be able to send email to any email address except mydomain.net and myotherdomain.net (correct me if I'm wrong).

I set up user1@mydomain.net in an email client (Outlook) and tested sending email to @yahoo.com, and the email goes through.
What am I doing wrong here?

jpollard 02-01-2013 02:54 PM

Not necessarily anything. Outlook (so I thought) uses the destination mail address to connect to the receiving system directly. The client application has to be configured specifically to get it to use your mail server as a relay, and anytime a user objects, I think they can change it themselves. There might be a group policy on it though, but I don't use Outlook or even Windows...

blaszta 02-02-2013 05:02 AM

I already set the POP3 & SMTP settings in Outlook to the MTA IP address, so the issue should be in the server, not in the client. The mail is sent properly (so it uses the MTA); it's just that the postfix restriction isn't applied.

descendant_command 02-02-2013 05:48 AM

Does the SMTP sender match the listing in /etc/postfix/restricted_senders?

Are they explicitly allowed by an earlier rule?
Or with 'smtpd_delay_reject = yes' are they allowed by a later rule?

blaszta 02-03-2013 09:25 PM

Hmm, interesting. I don't have the smtpd_delay_reject setting in main.cf, but the manual says smtpd_delay_reject (default: yes). Anyway, I explicitly put 'smtpd_delay_reject = yes' in main.cf and the result is different now.

I'm testing sending email from user1@mydomain.net to @yahoo.com, @gmail.com and @outlook.com and none received the email (yet). Here's the log in the server for the last one (to @outlook.com):

Code:

Feb 4 10:07:22 system pop3[11829]: login: [192.168.0.90] user1 plaintext User logged in
Feb 4 10:07:22 system pop3[11829]: login: [192.168.0.90] test plaintext User logged in
Feb 4 10:07:11 system postfix/qmgr[11140]: 64C3680C44: removed
Feb 4 10:07:11 system postfix/smtp[11822]: 64C3680C44: to=, relay=mx1.hotmail.com[65.55.92.184]:25, delay=2.5, delays=0.06/0.01/1/1.4, dsn=2.0.0, status=sent (250 <004801ce0284$b861aa30$2924fe90$@mydomain.net> Queued mail for delivery)
Feb 4 10:07:11 system postfix/smtpd[11814]: disconnect from unknown[192.168.0.90]
Feb 4 10:07:09 system postfix/qmgr[11140]: 3627E80C3F: removed
Feb 4 10:07:09 system postfix/pipe[11818]: 3627E80C3F: to=, relay=mailprefilter, delay=0.28, delays=0.15/0.01/0/0.13, dsn=2.0.0, status=sent (delivered via mailprefilter service)
Feb 4 10:07:09 system postfix/smtpd[11820]: disconnect from localhost.localdomain[127.0.0.1]
Feb 4 10:07:09 system postfix/qmgr[11140]: 64C3680C44: from=, size=2895, nrcpt=1 (queue active)
Feb 4 10:07:09 system postfix/cleanup[11821]: 64C3680C44: message-id=<004801ce0284$b861aa30$2924fe90$@mydomain.net>
Feb 4 10:07:09 system postfix/smtpd[11820]: 64C3680C44: client=localhost.localdomain[127.0.0.1]
Feb 4 10:07:09 system postfix/smtpd[11820]: connect from localhost.localdomain[127.0.0.1]
Feb 4 10:07:09 system postfix/qmgr[11140]: 3627E80C3F: from=, size=2714, nrcpt=1 (queue active)
Feb 4 10:07:09 system postfix/cleanup[11817]: 3627E80C3F: message-id=<004801ce0284$b861aa30$2924fe90$@mydomain.net>
Feb 4 10:07:09 system postfix/smtpd[11814]: 3627E80C3F: client=unknown[192.168.0.90], sasl_method=LOGIN, sasl_username=user1@mydomain.net
Feb 4 10:07:09 system postfix/smtpd[11814]: connect from unknown[192.168.0.90]
Feb 4 10:05:42 system fetchmail[1335]: sleeping at Mon 04 Feb 2013 10:05:42 AM WIT for 300 seconds
Feb 4 10:05:40 system fetchmail[1335]: Server certificate verification error: self signed certificate
Feb 4 10:05:39 system fetchmail[1335]: awakened at Mon 04 Feb 2013 10:05:39 AM WIT
Feb 4 10:05:02 system imap[10443]: login: localhost.localdomain [127.0.0.1] email-archive PLAIN User logged in
Feb 4 10:03:08 system postfix/qmgr[11140]: 6489680C44: removed
Feb 4 10:03:08 system postfix/smtp[11528]: 6489680C44: to=, relay=aspmx.l.google.com[74.125.25.27]:25, delay=3.4, delays=0.04/0.01/1.6/1.8, dsn=2.0.0, status=sent (250 2.0.0 OK 1359946989 p10si12995839pay.148 - gsmtp)
Feb 4 10:03:07 system postfix/smtpd[11419]: disconnect from unknown[192.168.0.90]
Feb 4 10:03:05 system postfix/smtpd[11426]: disconnect from localhost.localdomain[127.0.0.1]
Feb 4 10:03:05 system postfix/qmgr[11140]: 3E56F80C3F: removed
Feb 4 10:03:05 system postfix/pipe[11424]: 3E56F80C3F: to=, relay=mailprefilter, delay=0.25, delays=0.15/0/0/0.1, dsn=2.0.0, status=sent (delivered via mailprefilter service)
Feb 4 10:03:05 system postfix/qmgr[11140]: 6489680C44: from=, size=2889, nrcpt=1 (queue active)
Feb 4 10:03:05 system postfix/cleanup[11427]: 6489680C44: message-id=<004301ce0284$26f8c7e0$74ea57a0$@mydomain.net>
Feb 4 10:03:05 system postfix/smtpd[11426]: 6489680C44: client=localhost.localdomain[127.0.0.1]
Feb 4 10:03:05 system postfix/smtpd[11426]: connect from localhost.localdomain[127.0.0.1]
Feb 4 10:03:05 system postfix/qmgr[11140]: 3E56F80C3F: from=, size=2710, nrcpt=1 (queue active)
Feb 4 10:03:05 system postfix/cleanup[11423]: 3E56F80C3F: message-id=<004301ce0284$26f8c7e0$74ea57a0$@mydomain.net>
Feb 4 10:03:05 system postfix/smtpd[11419]: 3E56F80C3F: client=unknown[192.168.0.90], sasl_method=LOGIN, sasl_username=user1@mydomain.net
Feb 4 10:03:05 system postfix/smtpd[11419]: connect from unknown[192.168.0.90]

I didn't receive any error message in the log file. It should throw out: 554 <user@remote>: Access denied, right?

descendant_command 02-04-2013 12:19 AM

If it is working properly I would expect the client to get rejected during the SMTP session.
You should turn on debug logging and follow each mail through the process.

blaszta 02-11-2013 09:55 PM

Solved!
 
Got busy with something else and never had a chance to post here. Thanks a lot, descendant_command, for the help; you were right to ask 'Are they explicitly allowed by an earlier rule?'

Here are the rules in smtpd_recipient_restrictions:
Code:

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/restricted_senders

I changed the order to:
Code:

smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination

It works now; the server gives a nasty Undeliverable error message to users if they try to send email outside of local_domains ;)
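
Why the reordering matters, as an added example that is not part of the original posts and not Postfix's own code: a simplified Python model of first-match evaluation, run over the two orderings from the post above. The message values, the dict form of the lookup tables, and the assumption that the server is responsible only for the local_domains entries are constructed for illustration.

```python
# Simplified model of first-match restriction evaluation (added example,
# not Postfix source). Tables are the thread's maps, written as dicts.
RESTRICTED_SENDERS = {"user1@mydomain.net": "local_only",
                      "user2@mydomain.net": "local_only"}
LOCAL_DOMAINS = {"mydomain.net": "OK", "myotherdomain.net": "OK"}
CLASSES = {"local_only": ["check_recipient_access", "reject"]}

ORIGINAL = ["permit_sasl_authenticated", "permit_mynetworks",
            "reject_unauth_destination", "check_sender_access"]
FIXED = ["check_sender_access", "permit_sasl_authenticated",
         "permit_mynetworks", "reject_unauth_destination"]


def apply_rule(rule, msg):
    """Return (verdict, rule) if this rule decides, else None (DUNNO)."""
    domain = msg["rcpt"].rsplit("@", 1)[1].lower()
    if rule == "permit_sasl_authenticated":
        return ("PERMIT", rule) if msg["sasl_user"] else None
    if rule == "permit_mynetworks":
        return ("PERMIT", rule) if msg["in_mynetworks"] else None
    if rule == "reject_unauth_destination":
        # Assumption: the server is only responsible for LOCAL_DOMAINS.
        return None if domain in LOCAL_DOMAINS else ("REJECT", rule)
    if rule == "check_recipient_access":
        return ("PERMIT", rule) if LOCAL_DOMAINS.get(domain) == "OK" else None
    if rule == "check_sender_access":
        # The lookup key is the envelope sender (MAIL FROM); the right-hand
        # side names a restriction class that is evaluated in place.
        cls = RESTRICTED_SENDERS.get(msg["sender"].lower())
        return first_match(CLASSES[cls], msg) if cls else None
    if rule == "reject":
        return ("REJECT", rule)
    raise ValueError(f"rule not modelled: {rule}")


def first_match(rules, msg):
    """Walk the list in order; the first PERMIT or REJECT ends evaluation."""
    for rule in rules:
        decision = apply_rule(rule, msg)
        if decision:
            return decision
    return None


def evaluate(rules, msg):
    return first_match(rules, msg) or ("PERMIT", "end of list")


# Constructed message modelled on the logged session (recipient is made up).
OFFSITE = {"sender": "user1@mydomain.net", "sasl_user": "user1@mydomain.net",
           "in_mynetworks": False, "rcpt": "someone@yahoo.com"}
```

check_sender_access looks up the envelope sender rather than the SASL login, so the restriction holds only when the two are tied together, for example with smtpd_sender_login_maps and reject_sender_login_mismatch.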

descendant_command 02-12-2013 12:00 AM

Nice, thanks for posting back your solution.


All times are GMT -5.