Noel Jones wrote:
Vernon A. Fort wrote:
Noel Jones wrote:
Vernon A. Fort wrote:
I have a setup which we use an external mail filtering service and
need to limit/restrict external client access. Meaning the MX for
the domain points to the filtering service and they relay checked
email. I need to limit access to just these network blocks but
also allow sasl authenticated as well as the internal network.
I also do not want to blindly trust this service, so I would like to
check the IP address as well as ensuring the recipient is for my
domain.
Can someone point me to an example or man page? I cannot seem to
find anything related to limiting inbound smtp clients/servers.
Vernon
Minimal config:
# main.cf
# do not include filter service IPs in mynetworks
mynetworks = 127.0.0.0/8 ...
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    check_client_access cidr:/etc/postfix/filter_service
    reject

# filter_service
192.1.0.0/24 OK
... other cidr ranges filter service uses ...
-- Noel Jones
Hey Noel,
What I have now under the smtpd_*_restrictions:

smtpd_sender_restrictions =
smtpd_client_restrictions =
smtpd_etrn_restrictions = reject
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_helo_access .....
    check_sender_access ...
    check_client_access ... (for white listing client sites - just in
        case they get rbl listed)
    reject_rbl_client ....
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit
What I'm 'thinking' of is:

smtpd_sender_restrictions =
smtpd_client_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/filter_service.cidr,
    reject

The filter_service.cidr would look like:

1.2.3.4/29 OK
1.2.4.4/29 OK
0.0.0.0/0 REJECT
Would it be redundant to have the permit_sasl and permit_mynetworks
under both the smtpd_client and smtpd_recipient?
Vernon
You (usually) need permit_sasl_authenticated and permit_mynetworks
under each smtpd_*_restrictions in use to exempt trustworthy clients
from those checks. If you use a whitelist you will likely need to
duplicate that under each section too. That's one reason it's often
easier to put everything under smtpd_recipient_restrictions.
To add additional restrictions, refer to the example I provided earlier:

# do not include filter service IPs in mynetworks
mynetworks = 127.0.0.0/8 ...
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    ... other restrictions here ...
    check_client_access cidr:/etc/postfix/filter_service
    reject
Important Note: the various check_client_access, reject_rbl_client,
various helo checks, and reject_unauth_pipelining restrictions will
see the filter service connection info - not the original sender - so
they are quite limited in usefulness to you. You could use
reject_rhsbl_sender to reject bad sender domains if you can find a
service that you consider trustworthy enough for rejections.
-- Noel Jones
I agree, the simpler the better. With the cidr file, I ONLY want to
accept email from this filter service, meaning do I need to put the
0.0.0.0/0 REJECT at the end of the list?
Vernon
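Editor's added example (not code from either poster or from Postfix itself): a small Python model of how Postfix walks Noel's smtpd_recipient_restrictions list in order, with a parser for a cidr: access table using the first-match rule that Postfix applies. It shows why the trailing 0.0.0.0/0 REJECT entry and the final `reject` restriction both end in a rejection for an unlisted client, and why reject_unauth_destination still blocks relaying for a client that the cidr table says OK. The network ranges, domain list and mynetworks values are constructed for the demo, using documentation address blocks rather than the addresses quoted in the thread.

```python
import ipaddress

# Constructed values for the demo; in a real main.cf these come from
# mynetworks and the relay/virtual domain settings.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]
MY_DOMAINS = {"example.com"}

# Constructed filter_service.cidr contents, shaped like the table in the thread
# but using documentation address ranges (192.0.2.0/24, 198.51.100.0/24).
FILTER_TABLE_WITH_CATCHALL = """\
# filter_service.cidr
192.0.2.0/29      OK
198.51.100.0/29   OK
0.0.0.0/0         REJECT
"""
FILTER_TABLE_NO_CATCHALL = """\
192.0.2.0/29      OK
198.51.100.0/29   OK
"""


def parse_cidr_table(text):
    """Parse a Postfix-style cidr: table: 'network/prefix result' per line,
    '#' starts a comment, and the first matching entry wins on lookup."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        network, result = line.split(None, 1)
        # strict=True mirrors Postfix, which refuses host bits set in the prefix
        rules.append((ipaddress.ip_network(network, strict=True), result.strip().upper()))
    return rules


def cidr_lookup(rules, client_ip):
    """Return the result of the first entry containing client_ip, or None when
    nothing matches (the check_client_access restriction then yields no decision
    and evaluation continues with the next restriction)."""
    addr = ipaddress.ip_address(client_ip)
    for network, result in rules:
        if addr in network:
            return result
    return None


def evaluate_recipient_restrictions(client_ip, sasl_authenticated, recipient, filter_rules):
    """Walk the restriction list from the thread, in order:
         permit_sasl_authenticated
         permit_mynetworks
         reject_unauth_destination
         check_client_access cidr:/etc/postfix/filter_service
         reject
    Returns (decision, name_of_restriction_that_decided)."""
    addr = ipaddress.ip_address(client_ip)
    if sasl_authenticated:
        return ("permit", "permit_sasl_authenticated")
    if any(addr in net for net in MYNETWORKS):
        return ("permit", "permit_mynetworks")
    # reject_unauth_destination: only mail for our own domains gets past this
    # point, so a client listed OK in the cidr table still cannot relay elsewhere.
    domain = recipient.rpartition("@")[2].lower()
    if domain not in MY_DOMAINS:
        return ("reject", "reject_unauth_destination")
    result = cidr_lookup(filter_rules, client_ip)
    if result == "OK":
        return ("permit", "check_client_access")
    if result is not None and result.startswith("REJECT"):
        return ("reject", "check_client_access")
    # No match (or DUNNO): fall through to the final unconditional reject.
    return ("reject", "reject")


if __name__ == "__main__":
    with_catchall = parse_cidr_table(FILTER_TABLE_WITH_CATCHALL)
    no_catchall = parse_cidr_table(FILTER_TABLE_NO_CATCHALL)
    cases = [
        ("192.0.2.5", False, "bob@example.com"),      # listed filter host, our domain
        ("203.0.113.7", False, "bob@example.com"),    # unlisted host, our domain
        ("192.0.2.5", False, "bob@other.example"),    # listed host trying to relay
        ("10.1.2.3", False, "bob@other.example"),     # internal network relaying
        ("203.0.113.7", True, "bob@other.example"),   # SASL-authenticated client
    ]
    for ip, sasl, rcpt in cases:
        print(f"{ip:<12} sasl={sasl!s:<5} {rcpt:<18}",
              evaluate_recipient_restrictions(ip, sasl, rcpt, with_catchall),
              evaluate_recipient_restrictions(ip, sasl, rcpt, no_catchall))
```

The two table variants differ only in which restriction produces the rejection for an unlisted client: with the 0.0.0.0/0 entry it is check_client_access, without it the final `reject`. Postfix logs the name of the deciding restriction, so the choice mostly affects what the maillog shows, not who gets in.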