On Fri, Jul 12, 2024 at 12:42:28AM +0200, John Fawcett via Postfix-users wrote:
> On 12/07/2024 00:14, John R. Levine via Postfix-users wrote:
> > Last month I asked for advice on limiting specific senders
> > to specific recipients, and Wietse offered this:
> >
> > /etc/postfix/main.cf:
> >     smtpd_sender_restrictions =
> >         check_sender_access hash:/etc/postfix/restricted_senders
> >
> >     smtpd_restriction_classes = joe_user_acl
> >     joe_user_acl =
> >         check_recipient_access hash:/etc/postfix/joe_user_recipients,
> >         reject
> >
> > /etc/postfix/restricted_senders:
> >     joe_user@some.example joe_user_acl
> >
> > /etc/postfix/joe_user_recipients:
> >     foo@one.example OK
> >     bar@two.example OK
> >
> > I tried it on my small test system and it worked fine. But then we
> > tried it on the real much more complicated system, and this happened
> > when sending to a recipient that is not in the allowed list:
> >
> > In: RCPT To:<operational-vulnerabil...@mybiz.com>
> > Out: 451 4.3.5 Server configuration error

That's all that SMTP clients get to see, but the logs (that you should
have known to post) had more details. Perhaps missing or typoed
"smtpd_restriction_classes", or failure to "postmap" one of the tables?
But, see below for the most likely reason...

> > For some reason lost in the mists of history they use lmdb: rather
> > than hash: for their hash tables. Should that matter?

No, but they do have to "postmap" both tables.

Why the source "main.cf" file, and not "postconf -nf" output?

> > reject_unknown_sender_domain
> > # reject_unlisted_sender
> > # reject_unverified_sender
> > reject_non_fqdn_recipient
> > reject_unknown_recipient_domain
> > reject_unlisted_recipient
> > reject_unverified_recipient
> > reject_unauth_destination
> > permit
> >
> > # commented out restriction stuff
> > #smtpd_sender_restrictions = check_sender_access
> > lmdb:/etc/postfix/restricted_senders

And you've folded lines in the output changing semantics...

> > #smtpd_restriction_classes = xxx_user_acl
> > #xxx_user_acl = check_recipient_access
> > lmdb:/etc/postfix/allowed_recipients_xxx, reject
> >
> >
> >
> > # cat restricted_senders
> > testsen...@abc.com allowed_recipients_xxx

"allowed_recipients_xxx" does not look like "xxx_user_acl", that's the
file name, rather than the restriction class...

--
    Viktor.
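
Added example, not part of the message above and not Postfix project code: a small Python check for the mismatch Viktor points out, flagging access-table results that are neither an access(5) action nor a name declared in smtpd_restriction_classes. The sample configuration is constructed, sender@abc.example is a placeholder address, and recognising built-in restriction names by prefix is a simplifying assumption.

```python
import re

# access(5) action names that are valid results without being classes.
ACTIONS = {"OK", "DUNNO", "REJECT", "DEFER", "DEFER_IF_REJECT", "DEFER_IF_PERMIT",
           "DISCARD", "FILTER", "HOLD", "PREPEND", "REDIRECT", "INFO", "WARN", "BCC"}
# Assumption: built-in restriction names are recognised by prefix, reply codes by 4NN/5NN.
BUILTIN = re.compile(r"(?i)(reject|permit|defer|check)(_\w+)?$|[45]\d\d$")

def logical_lines(text):
    """Skip blank and '#' lines; a line starting with whitespace continues the previous one."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def restriction_classes(main_cf):
    """Names declared in smtpd_restriction_classes (last definition wins)."""
    found = set()
    for line in logical_lines(main_cf):
        name, _, value = line.partition("=")
        if name.strip() == "smtpd_restriction_classes":
            found = {w for w in re.split(r"[,\s]+", value) if w}
    return found

def undefined_results(main_cf, access_table):
    """(key, result) pairs whose result is no action, built-in name or declared class."""
    classes = restriction_classes(main_cf)
    bad = []
    for line in logical_lines(access_table):
        key, result = (line.split(None, 1) + [""])[:2]
        word = result.split()[0].rstrip(",") if result else ""
        if not (word.upper() in ACTIONS or BUILTIN.match(word) or word in classes):
            bad.append((key, word))
    return bad

# Constructed sample input; class and file names follow the thread.
MAIN_CF = """smtpd_sender_restrictions =
    check_sender_access lmdb:/etc/postfix/restricted_senders
smtpd_restriction_classes = xxx_user_acl
xxx_user_acl =
    check_recipient_access lmdb:/etc/postfix/allowed_recipients_xxx, reject
"""
BAD_TABLE = "sender@abc.example   allowed_recipients_xxx\n"   # file name used as result
GOOD_TABLE = "sender@abc.example   xxx_user_acl\n"            # declared class name
```

`undefined_results(MAIN_CF, BAD_TABLE)` reports the entry whose result is the table's file name; with the `smtpd_restriction_classes` line commented out, even `GOOD_TABLE` is reported.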