Postfix: reject all senders except one mail address



bendeichp
18-Nov-2011, 11:46
Hi Forum,

is that even possible to accomplish?

I started with:


Code:
--------------------


$ postconf | grep smtpd_sender_restrictions
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access

$ cat access
allowed@dom.ain OK
* REJECT

--------------------


But the wildcard "*" does not seem to be an available char in the access
table, so I tried something different (first match wins, right?):

Code:
--------------------

allowed@dom.ain OK
127.0.0.1 REJECT
localhost REJECT

--------------------


Also didn't work.

Even this config

Code:
--------------------

127.0.0.1 REJECT
localhost REJECT

--------------------

let me send mails via "telnet localhost 25".

Of course after every change I did a "postmap access" and restarted
postfix...

Any suggestions?

Thanks in advance,
Pascal


--
"Have you tried turn it off and on again?"
------------------------------------------------------------------------
bendeichp's Profile: http://forums.novell.com/member.php?userid=62174
View this thread: http://forums.novell.com/showthread.php?t=448404

bendeichp
22-Nov-2011, 09:26
After some testing I figured out that one way is to use regexp.
Here are the parts that I changed and that now differ from the
default SLES config:



Code:
--------------------

main.cf:
mynetworks_style = host
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/access
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination

access:
!/^noreply@dom.ain$/ REJECT

--------------------


With this config, only smtp connections from localhost are accepted and
only one sender address: noreply@dom.ain.
That was my intention :)

Cheers,
Pascal



MoserHans
23-Nov-2011, 10:56
bendeichp;2155509 Wrote:
> After some testing I figured out that one way is to use regexp.
> Here are the parts that I changed and that now differ from the
> default SLES config:
>
> Code:
> --------------------
> main.cf:
> mynetworks_style = host
> smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/access
> smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
> --------------------
It is better style to just use smtpd_recipient_restrictions and collect
all your restrictions there.

Code:
--------------------
smtpd_recipient_restrictions = check_sender_access regexp:/etc/postfix/access,
    permit_mynetworks,
    reject_unauth_destination
--------------------


> With this config, only smtp connections from localhost are accepted and
> only one sender address: noreply@dom.ain.
> That was my intention :)
To restrict the connecting host use check_client_access; that is why your
IP address attempt failed - the sending IP address is not the "sender", it
is the client.
But if you only want localhost to connect, you can restrict the listening
interfaces to localhost by inet_interfaces = loopback-only


--
MoserHans
------------------------------------------------------------------------
MoserHans's Profile: http://forums.novell.com/member.php?userid=53101
View this thread: http://forums.novell.com/showthread.php?t=448404
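
Added example (not part of any post in this thread): a small Python model of how a check_sender_access regexp table like the one posted above is evaluated, so a sender allowlist can be checked offline before it is deployed. It assumes only `/pattern/ action` and `!/pattern/ action` lines, uses Python's `re` as a stand-in for Postfix's regex engine, and runs on constructed sample senders; the second table with the escaped dot is an addition made here.

```python
import re

# Constructed tables in regexp_table(5) syntax: the first is the table as
# posted in the thread, the second escapes the dot (variant added here).
TABLE_THREAD = "!/^noreply@dom.ain$/ REJECT\n"
TABLE_ESCAPED = "!/^noreply@dom\\.ain$/ REJECT\n"

RULE = re.compile(r"^(!?)/(.*)/([a-z]*)\s+(.+)$")


def parse_table(text):
    """Parse '/pattern/flags action' and '!/pattern/flags action' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        negate, pattern, flags, action = m.groups()
        # Matching is case-insensitive by default; the 'i' flag toggles it off.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((bool(negate), re.compile(pattern, re_flags), action))
    return rules


def lookup(rules, sender):
    """Return the action of the first rule that fires, else 'DUNNO'.

    The lookup key is the envelope sender address, never the client IP.
    DUNNO means the next restriction in the list decides.
    """
    for negate, regex, action in rules:
        matched = regex.search(sender) is not None
        if matched != negate:  # a '!' rule fires when the pattern does NOT match
            return action
    return "DUNNO"


def audit(table_text, senders):
    """Map each sender to the action the table would return for it."""
    rules = parse_table(table_text)
    return {s: lookup(rules, s) for s in senders}


# Constructed sample senders, including one that differs only at the dot.
SENDERS = ["noreply@dom.ain", "NoReply@Dom.Ain", "other@dom.ain",
           "noreply@domxain", "noreply@dom.ain.example"]

if __name__ == "__main__":
    for name, table in (("thread", TABLE_THREAD), ("escaped", TABLE_ESCAPED)):
        print(name, audit(table, SENDERS))
```

On a host with Postfix installed, `postmap -q "noreply@dom.ain" regexp:/etc/postfix/access` queries the real table the same way.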

bendeichp
24-Nov-2011, 08:46
> It is better style to just use smtpd_recipient_restrictions and collect
> all your restrictions there.
Even though it seems very logical to me to put sender-related restrictions
in "smtpd_sender_restrictions", it's changed for better style:


> But if you only want localhost to connect, you can restrict the listening
> interfaces to localhost by inet_interfaces = loopback-only
IMHO the man page said, that "mynetworks_style = host" will have the
same effect. Like always, there are many ways :)

Thanks,
Pascal



MoserHans
24-Nov-2011, 10:46
bendeichp;2156160 Wrote:
> Even though it seems very logical to me to put sender-related restrictions
> in "smtpd_sender_restrictions", it's changed for better style:
OK, but "permit_mynetworks" is what, a recipient_restriction? No, it is
a client_restriction, because it restricts the connecting hosts. But you
put it in "smtpd_recipient_restrictions", right? :)
By putting all restrictions in *recipient* you have full control over
the order in which the restrictions take place; you can have
client_restrictions after sender_restrictions, which you cannot do by
dividing the restrictions. Do you see what I mean?
Have a look at 'Postfix SMTP relay and access control'
(http://www.postfix.org/SMTPD_ACCESS_README.html)
All restrictions but smtpd_recipient_restrictions are optional, even
though all restrictions are only evaluated after RCPT TO anyway:
> Current Postfix versions postpone the evaluation of client, helo and
> sender restriction lists until the RCPT TO or ETRN command.

> IMHO the man page said, that "mynetworks_style = host" will have the
> same effect. Like always, there are many ways :)
No, not really:
> Specify "mynetworks_style = host" when Postfix should "trust" only the
> local machine.
mynetworks and mynetworks_style influence the permit_mynetworks
restriction, nothing more. Port 25 is still accessible from anywhere else in
the network. Whereas inet_interfaces restricts the opened ports to the
network itself. This is a huge difference.



bendeichp
24-Nov-2011, 16:36
Hi,

thanks for the explication.
> Have a look at Postfix SMTP relay and access control
I'll do that :)

Cheers,
Pascal

