Vernon A. Fort wrote:
Noel Jones wrote:
Vernon A. Fort wrote:
I have a setup which we use an external mail filtering service and
need to limit/restrict external client access. Meaning the MX for
the domain points to the filtering service and they relay checked
email. I need to limit access to just these network blocks but also
allow sasl authenticated as well as the internal network.
I also do not want to blindly trust this service so i would like to
check the IP address as well as ensuring the recipient is for my domain.
can someone point me to an example or man page. I cannot seem to
find anything related to limiting inbound smtp clients/servers.
Vernon
Minimal config:
# main.cf
# do not include filter service IPs in mynetworks
mynetworks = 127.0.0.0/8 ...
smtpd_recipient_restrictions =
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
check_client_access cidr:/etc/postfix/filter_service
reject
# filter_service
192.1.0.0/24 OK
... other cidr ranges filter service uses ...
-- Noel Jones
Hey Noel,
What i have now under the smtpd_*_restrictions:
smtpd_sender_restrictions =
smtpd_client_restrictions =
smtpd_etrn_restrictions = reject
smtpd_recipient_restrictions =
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
check_helo_access .....
check_sender_access ...
check_client_access (for white listing client sites - just in case
they get rbl listed)
reject_rbl_client ....
permit
smtpd_data_restrictions =
reject_unauth_pipelining,
permit
What i 'thinking' of is:
smtpd_sender_restrictions =
smtpd_client_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
check_client_access cidr:/etc/postfix/filter_service.cidr,
reject
The filter_service.cidr would look like
1.2.3.4/29 OK
1.2.4.4/29 OK
0.0.0.0/0 REJECT
Would it be redundant to have the permit_sasl and permit_mynetworks
under both the smtpd_client and smtpd_recipient?
Vernon
You (usually) need permit_sasl_authenticated and
permit_mynetworks under each smtpd_*_restrictions in use to
exempt trustworthy clients from those checks. If you use a
whitelist you will likely need to duplicate that under each
section too. That's one reason it's often easier to put
everything under smtpd_recipient_restrictions.
To add additional restrictions, refer to the example I
provided earlier:
# do not include filter service IPs in mynetworks
mynetworks = 127.0.0.0/8 ...
smtpd_recipient_restrictions =
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
... other restrictions here ...
check_client_access cidr:/etc/postfix/filter_service
reject
Important Note: the various check_client_access,
reject_rbl_client, various helo checks, and
reject_unauth_pipelining restrictions will see the filter
service connection info - not the original sender - so they
are quite limited in usefulness to you. You could use
reject_rhsbl_sender to reject bad sender domains if you can
find a service that you consider trustworthy enough for
rejections.
-- Noel Jones
