Hello,
I found the solution by using in main.cf the
smtpd_relay_restrictions = permit_mynetworks,
check_sender_access
btree:$meta_directory/restricted_senders,
permit_sasl_authenticated,
reject_unauth_destination
directive. Works now.
This is too fragile, you're liable to create an open relay, if any of
the sender checks return "OK" based on the sender address alone.
I'd instead recommend putting these in
smtpd_sender_restrictions
which don't imply relay permissions, and rather implement the particular
from/to access rules intended.
On 06.11.24 11:44, Florian Piekert via Postfix-users wrote:
Thanks for pointing out this security hole I set up! I wasn't even aware yet
of smtpd_sender_restrictions directive... So I moved the access check there,
as in
smtpd_sender_restrictions = check_sender_access
btree:$meta_directory/restricted_senders
And this, too, works fine.
Thanks again to all.
I still think you should put this into the smtpd_recipient_restrictions, which
are evaluated for each recipient - this way you can reject some recipients,
while allowing others.
Since you have complained about
"Adding any restrictions like previously mentioned breaks smtpd there due to not
expected command line parameter."
...I would guess you made a mistype in your master.cf, common cases are spaces
before/after the '=' or missing spaces at the beginning of next line.
You can also configure restrictions for in main.cf like this:
mua_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
check_sender_access btree:$meta_directory/restricted_senders
permit_sasl_authenticated,
reject_unauth_destination
and in master.cf only use:
submission inet n - y - - smtpd
...
-o smtpd_recipient_restrictions=$mua_recipient_restrictions
smtps inet n - y - - smtpd
...
-o smtpd_recipient_restrictions=$mua_recipient_restrictions
Following this idea, I would put
mua_recipient_restrictions = permit_sasl_authenticated,
check_sender_access
btree:/etc/postfix/restricted_senders,
reject
in main.cf
and instead in master.cf
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_tls_security_level=may
-o smtpd_tls_auth_only=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=$mua_recipient_restrictions
-o content_filter=smtp-amavis:[127.0.0.1]:10026
Without the
smtpd_sender_restrictions = check_sender_access
btree:$meta_directory/restricted_senders
in main.cf sending is again possible and doesn't work as intended.
Or am I misunderstanding things/how it should work?
Florian
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
