On 12/07/2024 00:14, John R. Levine via Postfix-users wrote:
Last month I asked for advice on limiting specific senders
to specific recipients, and Wietse offered this:

/etc/postfix/main.cf:
    smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/restricted_senders

    smtpd_restriction_classes = joe_user_acl
    joe_user_acl =
        check_recipient_access hash:/etc/postfix/joe_user_recipients, reject

/etc/postfix/restricted_senders:
    joe_user@some.example      joe_user_acl

/etc/postfix/joe_user_recipients:
    foo@one.example     OK
    bar@two.example     OK

I tried it on my small test system and it worked fine.  But then we
tried it on the real much more complicated system, and this happened
when sending to a recipient that is not in the allowed list:

 In:  RCPT To:<operational-vulnerabil...@mybiz.com>
 Out: 451 4.3.5 Server configuration error

Well, that's strange.  Mail from people not on the restricted list was
fine.  Where should I start looking?  I can't send you the whole main.cf
without getting permission that will take a while, but here's what I
hope might be relevant bits.  For some reason lost in the mists of history
they use lmdb: rather than hash: for their hash tables.  Should that matter?

R's,
John

smtpd_client_connection_count_limit = 2
smtpd_client_connection_rate_limit = 2
smtpd_client_message_rate_limit = 10
smtpd_client_recipient_rate_limit = 10
smtpd_hard_error_limit = ${stress?1}${stress:4}
smtpd_recipient_limit = 10
smtpd_recipient_overshoot_limit = 10
smtpd_soft_error_limit = 2
smtpd_starttls_timeout = ${stress?10}${stress:15}s
smtpd_timeout = ${stress?10}${stress:15}s
smtpd_client_event_limit_exceptions = (list of domains and IPs not related to any restricted ones)

body_checks = regexp:/etc/postfix/body_checks
header_checks = regexp:/etc/postfix/header_checks
smtpd_client_restrictions =

smtpd_sender_login_maps = lmdb:/etc/postfix/accounts
smtpd_data_restrictions =
        reject_unauth_pipelining
        reject_multi_recipient_bounce
        permit
smtpd_helo_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_invalid_hostname
        reject_non_fqdn_hostname
        permit
smtpd_recipient_restrictions =
  permit_sasl_authenticated
  check_helo_access pcre:/etc/postfix/helo_checks
  check_client_access cidr:/etc/postfix/ipv6_client_check.cidr
  check_sender_access lmdb:/etc/postfix/access
  check_sender_mx_access cidr:/etc/postfix/bogus_mx
  check_recipient_access lmdb:/etc/postfix/recipient_access
  check_recipient_maps
  permit_mynetworks
  reject_sender_login_mismatch
  reject_invalid_hostname
  reject_invalid_helo_hostname
  reject_non_fqdn_hostname
  reject_non_fqdn_helo_hostname
# reject_unknown_helo_hostname
# reject_unknown_client_hostname
  reject_unknown_reverse_client_hostname
  reject_non_fqdn_sender
  reject_unknown_sender_domain
# reject_unlisted_sender
# reject_unverified_sender
  reject_non_fqdn_recipient
  reject_unknown_recipient_domain
  reject_unlisted_recipient
  reject_unverified_recipient
  reject_unauth_destination
  permit

# commented out restriction stuff
#smtpd_sender_restrictions = check_sender_access lmdb:/etc/postfix/restricted_senders
#smtpd_restriction_classes = xxx_user_acl
#xxx_user_acl = check_recipient_access lmdb:/etc/postfix/allowed_recipients_xxx, reject



# cat restricted_senders
testsen...@abc.com        allowed_recipients_xxx

# cat allowed_recipients_xxx
testa...@mybiz.com    OK

John

I think it's best if you post your configuration (postconf -n) and the log messages from sending this email. The logs can contain much better info than the reject given in the smtp session.

Postfix supports mixing of different map types, so I doubt that lmdb usage is part of the issue, unless you didn't run postmap to create restricted_senders.lmdb and allowed_recipients.lmdb.

It looks as though you have commented out the stuff that Wietse advised to add, so that is also unlikely to be part of the issue. Maybe in rolling back these changes you inadvertently did something else.

In any case it looks as if the commented stuff is not the same as what Wietse advised. In the restricted_senders file Wietse said to use "joe_user_acl", which in your example would be "xxx_user_acl", whereas you have actually used "allowed_recipients_xxx".

John
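A static check for the mismatch the reply points out, and for a map that postmap has not yet compiled, as an added example that is not from the thread or from Postfix itself; the main.cf and access-map contents are constructed, and treating permit*/reject*/defer*/check_* as built-in restriction names is an assumption:

```shell
#!/bin/sh
# Added example, not from the thread or from Postfix: static checks for the
# smtpd_restriction_classes pattern, run on constructed main.cf/access files.
# Print a main.cf parameter value with continuation lines joined (last
# definition wins, as in Postfix). Assumes plain "name = value" syntax.
cf_value() {  # $1 = main.cf path, $2 = parameter name
    awk -v p="$2" '
        /^[ \t]/ && found { sub(/^[ \t]+/, ""); v = v " " $0; next }
        { found = 0 }
        $0 ~ "^" p "[ \t]*=" { found = 1; sub(/^[^=]*=[ \t]*/, ""); v = $0 }
        END { sub(/^ +/, "", v); print v }' "$1"
}

# Print each action in an access map that is not a standard access(5) action,
# not a built-in restriction (prefix match is an assumption) and not a class
# listed in smtpd_restriction_classes; such an action cannot be applied.
undefined_classes() {  # $1 = main.cf path, $2 = access map source file
    classes=" $(cf_value "$1" smtpd_restriction_classes | tr ',' ' ') "
    grep -v '^[[:space:]]*#' "$2" | awk 'NF >= 2 { print $2 }' | sort -u |
    while read -r action; do
        case "$action" in
            OK|REJECT|DUNNO|DEFER*|DISCARD|HOLD|WARN|BCC|INFO|FILTER|REDIRECT|PREPEND) continue ;;
            [45][0-9][0-9]) continue ;;                  # "4NN text" / "5NN text"
            permit*|reject*|defer*|check_*) continue ;;  # built-in restrictions
        esac
        case "$classes" in
            *" $action "*) ;;
            *) echo "$action" ;;
        esac
    done
}

# Print each map source whose compiled file is missing or older than the source.
stale_maps() {  # $1 = map type (hash, lmdb, ...); remaining args = source files
    mtype="$1"; shift
    case "$mtype" in hash) ext=db ;; *) ext=$mtype ;; esac
    for src; do
        [ -f "$src.$ext" ] && ! [ "$src" -nt "$src.$ext" ] || echo "$src"
    done
}

# Constructed demo reproducing the mismatch pointed out in the reply.
tmp=$(mktemp -d)
cat > "$tmp/main.cf" <<'EOF'
smtpd_restriction_classes = xxx_user_acl
xxx_user_acl = check_recipient_access lmdb:/etc/postfix/allowed_recipients_xxx, reject
EOF
printf 'testsender@abc.com\tallowed_recipients_xxx\n' > "$tmp/restricted_senders"
undefined_classes "$tmp/main.cf" "$tmp/restricted_senders"  # allowed_recipients_xxx
stale_maps lmdb "$tmp/restricted_senders"                   # no .lmdb yet: prints the path
```

Run it against copies of the real files with the real map type; an empty output from both functions means every map action resolves to a declared class and every map has been compiled since its source last changed.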
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org