mouss wrote:
Sam Przyswa wrote:
Hi all,

I have succeeded in limiting some local users to sending mail only within my local domain, but I would also like these users to receive mail ONLY from local users, with no mail from the internet (other domains).

Here is my current Postfix config:

/etc/postfix/main.cf:
...
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders

this is wrong. see below.

       permit_mynetworks
       reject_unauth_destination
       reject_unknown_sender_domain
       permit
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
...

/etc/postfix/restricted_senders:
...
[EMAIL PROTECTED]                addr_class_1
[EMAIL PROTECTED]       addr_class_1
[EMAIL PROTECTED]        addr_class_1
[EMAIL PROTECTED]       addr_class_1
...

/etc/postfix/local_domains:
mjc-idf.asso.fr           OK
gw.mjc-idf.asso.fr     OK

/etc/postfix/addr_class_1:
mjc-idf.asso.fr          OK



now, you are an open relay. any attacker who sends you mail from an address @mjc-idf... can use your system as a relay.

never ever return OK in smtpd_recipient_restrictions before reject_unauth_destination based on information that the sender can forge. this includes sender and helo.

use the following instead

smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_unknown_sender_domain

an OK in smtpd_sender_restrictions will not skip smtpd_recipient_restrictions, so no open relay.

Argh [EMAIL PROTECTED]

Thanks a lot !



--------------------------------------

What do I have to add to restrict received mail to only the local domain for these users?


not clear what you mean by "from local domain"? ("domain" is ambiguous: is it the domain of the IP? is it the domain in the sender address?).

I need the users below (in restricted_senders) not to receive
mail from the internet or from any domain other than mjc-idf.asso.fr,
and only from $mynetworks.

if you only want mail from mynetworks, simply do

smtpd_recipient_restrictions =
    permit_mynetworks
    reject


Yes, but for all other users I have to receive mail from the internet,
the local domain and $mynetworks.

Thanks again.

Sam.



