Last month I asked for advice on limiting specific senders to specific recipients, and Wietse offered this:

/etc/postfix/main.cf:
    smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/restricted_senders
    smtpd_restriction_classes = joe_user_acl
    joe_user_acl = check_recipient_access hash:/etc/postfix/joe_user_recipients, reject

/etc/postfix/restricted_senders:
    joe_user@some.example    joe_user_acl

/etc/postfix/joe_user_recipients:
    foo@one.example OK
    bar@two.example OK

I tried it on my small test system and it worked fine. But then we tried it on the real much more complicated system, and this happened when sending to a recipient that is not in the allowed list:

    In:  RCPT To:<operational-vulnerabil...@mybiz.com>
    Out: 451 4.3.5 Server configuration error

Well, that's strange. Mail from people not on the restricted list was fine.

Where should I start looking? I can't send you the whole main.cf without getting permission that will take a while, but here's what I hope might be relevant bits. For some reason lost in the mists of history they use lmdb: rather than hash: for their hash tables. Should that matter?

R's,
John

    smtpd_client_connection_count_limit = 2
    smtpd_client_connection_rate_limit = 2
    smtpd_client_message_rate_limit = 10
    smtpd_client_recipient_rate_limit = 10
    smtpd_hard_error_limit = ${stress?1}${stress:4}
    smtpd_recipient_limit = 10
    smtpd_recipient_overshoot_limit = 10
    smtpd_soft_error_limit = 2
    smtpd_starttls_timeout = ${stress?10}${stress:15}s
    smtpd_timeout = ${stress?10}${stress:15}s
    smtpd_client_event_limit_exceptions = (list of domains and IPs not related to any restricted ones)

    body_checks = regexp:/etc/postfix/body_checks
    header_checks = regexp:/etc/postfix/header_checks

    smtpd_client_restrictions =
    smtpd_sender_login_maps = lmdb:/etc/postfix/accounts
    smtpd_data_restrictions =
        reject_unauth_pipelining
        reject_multi_recipient_bounce
        permit
    smtpd_helo_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_invalid_hostname
        reject_non_fqdn_hostname
        permit
    smtpd_recipient_restrictions =
        permit_sasl_authenticated
        check_helo_access pcre:/etc/postfix/helo_checks
        check_client_access cidr:/etc/postfix/ipv6_client_check.cidr
        check_sender_access lmdb:/etc/postfix/access
        check_sender_mx_access cidr:/etc/postfix/bogus_mx
        check_recipient_access lmdb:/etc/postfix/recipient_access
        check_recipient_maps
        permit_mynetworks
        reject_sender_login_mismatch
        reject_invalid_hostname
        reject_invalid_helo_hostname
        reject_non_fqdn_hostname
        reject_non_fqdn_helo_hostname
    #   reject_unknown_helo_hostname
    #   reject_unknown_client_hostname
        reject_unknown_reverse_client_hostname
        reject_non_fqdn_sender
        reject_unknown_sender_domain
    #   reject_unlisted_sender
    #   reject_unverified_sender
        reject_non_fqdn_recipient
        reject_unknown_recipient_domain
        reject_unlisted_recipient
        reject_unverified_recipient
        reject_unauth_destination
        permit

    # commented out restriction stuff
    #smtpd_sender_restrictions = check_sender_access lmdb:/etc/postfix/restricted_senders
    #smtpd_restriction_classes = xxx_user_acl
    #xxx_user_acl = check_recipient_access lmdb:/etc/postfix/allowed_recipients_xxx, reject

    # cat restricted_senders
    testsen...@abc.com    allowed_recipients_xxx

    # cat allowed_recipients_xxx
    testa...@mybiz.com    OK
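
A consistency check for the restriction-class layout quoted above, as an added example that is not part of the original post and not Postfix code: it confirms that each right-hand side in the sender table is an access(5) action, a numeric code, or a class that is both listed in smtpd_restriction_classes and defined in main.cf. The sample files and the ops_acl and other_recipients names are constructed for illustration; only the first word of each right-hand side is checked, and of the built-in restriction names only permit is recognised.

```python
import re
# Constructed sample files in the layout shown in the post (not the poster's data).
MAIN_CF = """\
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders
smtpd_restriction_classes = joe_user_acl, ops_acl
joe_user_acl =
    check_recipient_access hash:/etc/postfix/joe_user_recipients,
    # comment lines inside a continued value are skipped
    reject
"""
RESTRICTED_SENDERS = """\
joe_user@some.example    joe_user_acl
ops@some.example         ops_acl
other@some.example       other_recipients
blocked@some.example     REJECT not allowed to send
"""
ACTIONS = {"ok", "reject", "defer", "defer_if_reject", "defer_if_permit", "bcc", "discard",
           "dunno", "filter", "hold", "prepend", "redirect", "info", "warn"}  # access(5) keywords
def parse_main_cf(text):
    """Return {parameter: value}; whitespace-led lines continue the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            name, _, value = (part.strip() for part in line.partition("="))
            params[name] = value
        elif name:
            params[name] += " " + line.strip()
    return params

def check_sender_table(table_text, params):
    """List (sender, name, reason) for class names the configuration cannot resolve."""
    declared = set(re.split(r"[,\s]+", params.get("smtpd_restriction_classes", ""))) - {""}
    findings = []
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        sender, name = fields[:2]
        if name.lower() in ACTIONS or name.isdigit() or name == "permit":
            continue  # action keyword, numeric code, or built-in permit
        if name not in declared:
            findings.append((sender, name, "not in smtpd_restriction_classes"))
        elif name not in params:
            findings.append((sender, name, "class declared but never defined"))
    return findings
if __name__ == "__main__":
    print(check_sender_table(RESTRICTED_SENDERS, parse_main_cf(MAIN_CF)))
```
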