Re: whitelisting incoming /outgoing mail

Tue, 05 Jan 2010 07:47:42 -0800 

On Jan 5, 2010, at 10:13 AM, Wietse Venema wrote:

> Eric Williams:
>> 
>> On Jan 5, 2010, at 9:57 AM, Wietse Venema wrote:
>> 
>>> Eric Williams:
>>>> On Tue, Jan 5, 2010 at 9:12 AM, Stan Hoeppner 
>>>> <s...@hardwarefreak.com>wrote:
>>>> 
>>>>> Eric Williams put forth on 1/5/2010 8:02 AM:
>>>>> 
>>>>>> I would like to apply the same access list so that users sending mail
>>>>> through this server can only reach those same domains.
>>>>>> 
>>>>>> I've tried lots of recipient checking configs but nothing works so far.
>>>>> I'd rather not do this with the firewall, keeping the whitelist monitored 
>>>>> by
>>>>> postfix only.
>>>>> 
>>>>> So you want a dedicated smtp relay server that will only transfer mail
>>>>> between a
>>>>> handful of domains?
>>> 
>>> You could use a tool such as Fail2Ban to watch the maillog file
>>> and update a Postfix access table.
>>> 
>>> The steps would be 
>>> 
>>> 1) See if the domain is already in the Postfix access table.
>>> 2) Add the domain.
>>> 3) Rebuild the table.
>>> 
>>> Example add-domain script:
>>> 
>>>   #!/bin/sh
>>> 
>>>   # usage: add-domain name
>>> 
>>>   case $# in
>>>    1) postmap -q "$1" the-postfix-access-table >/dev/null || {
>>>         echo "$1" OK >>the-postfix-access-table
>>>         postmap the-postfix-access-table
>>>     };;
>>>    *) echo Usage: $0 domainame 1>&2; exit 1;;
>>>   esac
>>> 
>>> If you handle lots of mail you will want to read and update the
>>> database files without running postmap commands for each email
>>> logfile record.
>>> 
>>>     Wietse
>> 
>> 
>> 
>> This is great info. I'll look into applying that is some form. 
>> 
>> I think what I'm still missing is the proper restriction in the 
>> smptd_recipient_restrictions section to restrict the outgoing mail. 
>> 
>> check_sender_access hash:/etc/postfix/access 
>> 
>> works for incoming blocking. I haven't found the right config for the 
>> blocking. 
>> 
>> It if is implied in your response I apologize for my in-experience with 
>> this. 
> 
> smtpd_sender_restrictions =
>    permit_mynetworks
>    permit_sasl_authenticated
>    check_sender_access hash:/etc/postfix/sender_access
>    reject
> 
>       Wietse



Thanks for the pointer. It still doesn't seem to be working to restrict 
outgoing email to a list of domains. I'll keep digging in and testing but if 
I'm missing something very obvious please be as blunt as you like. This is my 
first attempt at these type of mods. 

Thanks.

EW

Reply via email to