Sam Przyswa wrote:
Hi all,

I succeeded in limiting some local users to send mail only on my local domain, but I would like to limit the mail received ONLY from the local users too for these users, no mails from the internet (other domains).

Here is my current Postfix config:

/etc/postfix/main.cf:
...
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders

this is wrong. see below.

       permit_mynetworks
       reject_unauth_destination
       reject_unknown_sender_domain
       permit
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
...

/etc/postfix/restricted_senders:
...
[EMAIL PROTECTED]                addr_class_1
[EMAIL PROTECTED]       addr_class_1
[EMAIL PROTECTED]        addr_class_1
[EMAIL PROTECTED]       addr_class_1
...

/etc/postfix/local_domains:
mjc-idf.asso.fr           OK
gw.mjc-idf.asso.fr     OK

/etc/postfix/addr_class_1:
mjc-idf.asso.fr          OK



now, you are an open relay. any attacker who sends you mail from an address @mjc-idf... can use your system as a relay.

never ever return OK in smtpd_recipient_restrictions before reject_unauth_destination based on information that the sender can forge. this includes sender and helo.

use the following instead

smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/restricted_senders

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_unknown_sender_domain

an OK in smtpd_sender_restrictions will not skip smtpd_recipient_restrictions, so no open relay.

--------------------------------------

What do I have to add to restrict the received mail only from local domain for these users?


not clear what you mean by "from local domain"? ("domain" is ambiguous: is it the domain of the IP? is it the domain in the sender address?).

if you only want mail from mynetworks, simply do

smtpd_recipient_restrictions =
        permit_mynetworks
        reject

if you want something else, please explain the real problem you are trying to solve (explain your setup). if you feel more comfortable with French, contact me offlist and I'll summarize here.
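
The point made in the reply above, modelled as a small evaluator. This is an added example that is not part of the original thread and is not Postfix code. It assumes the sender table answers OK for any sender in the local domain, and the client addresses and sessions are constructed.

```python
# Simplified model of Postfix smtpd access lists (added example, not Postfix code).
LOCAL_DOMAINS = {"mjc-idf.asso.fr", "gw.mjc-idf.asso.fr"}  # from the thread
MYNETWORKS = {"192.0.2.10"}                                # constructed address

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

# Each restriction returns "OK", "REJECT" or "DUNNO" (no decision, try the next one).
def check_sender_access(s):
    # Assumption: the sender table answers OK for local-domain senders.
    return "OK" if domain(s["sender"]) in LOCAL_DOMAINS else "DUNNO"

def permit_mynetworks(s):
    return "OK" if s["client"] in MYNETWORKS else "DUNNO"

def reject_unauth_destination(s):
    return "DUNNO" if domain(s["rcpt"]) in LOCAL_DOMAINS else "REJECT"

def permit(s):
    return "OK"

def eval_list(restrictions, s):
    for r in restrictions:
        result = r(s)
        if result != "DUNNO":      # first OK or REJECT ends this list only
            return result
    return "OK"                    # nothing rejected: the list permits

def accepted(config, s):
    # Each smtpd_*_restrictions list is evaluated on its own; all must permit.
    return all(eval_list(lst, s) == "OK" for lst in config)

# reject_unknown_sender_domain is left out because it needs DNS.
ORIGINAL = [[check_sender_access, permit_mynetworks, reject_unauth_destination, permit]]
SUGGESTED = [[check_sender_access],                            # sender list
             [permit_mynetworks, reject_unauth_destination]]   # recipient list

# Constructed sessions
FORGED_RELAY = {"client": "203.0.113.5", "sender": "someone@mjc-idf.asso.fr", "rcpt": "user@example.org"}
INBOUND = {"client": "203.0.113.5", "sender": "user@example.org", "rcpt": "someone@mjc-idf.asso.fr"}
LOCAL_OUT = {"client": "192.0.2.10", "sender": "someone@mjc-idf.asso.fr", "rcpt": "user@example.org"}

if __name__ == "__main__":
    for name, s in [("forged relay", FORGED_RELAY), ("inbound", INBOUND), ("local out", LOCAL_OUT)]:
        print(f"{name:13} original={accepted(ORIGINAL, s)} suggested={accepted(SUGGESTED, s)}")
```

Only the forged-sender relay attempt from outside mynetworks changes outcome between the two configurations; legitimate inbound and local outbound mail pass in both.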

