Andrew Grant wrote:
> Hello,
>
> I have been trying to configure smtpd_restriction_classes to limit
> access to my internal mailing lists (/etc/aliases). Unfortunately the
> email is still going through even though I thought I blocked all email
> to a specific alias via a class.
>
> To hopefully clear up any confusion, I want to concentrate on one
> class only. That is the "mgmt_access" class. This is meant to stop all
> email going to the "management.t...@testdomain.com" list unless it
> originates from one address, "not...@testdomain.com".
>

you want "from" but you check the recipient:

mgmt_access = check_RECIPIENT_access hash:/etc/postfix/mgmt_access, reject

> The two files that affect this are: restricted_recipients and
> mgmt_access. Those files look like this:
>
> restricted_recipients:
> management.t...@testdomain.com mgmt_access
>
> mgmt_access:
> not...@testdomain.com OK
>
> Unfortunately, all email sent to "management.t...@testdomain.com" is
> currently allowed through.
>
> The logs for an email sent to that account look like this:
>
> May 6 15:42:39 miniserve-rmd-1 postfix/smtpd[56243]: connect from
> andrew-grant.testdomain.com[10.1.2.166]
> May 6 15:42:39 miniserve-rmd-1 postfix/smtpd[56243]: 342418FAD8:
> client=andrew-grant.testdomain.com[10.1.2.166], sasl_method=CRAM-MD5,
> sasl_username=andrewgrant
> May 6 15:42:39 miniserve-rmd-1 postfix/cleanup[56249]: 342418FAD8:
> message-id=<da037ccf-cc2e-4d59-b8f6-20bcbd55c...@testdomain.com>
> May 6 15:42:39 miniserve-rmd-1 postfix/qmgr[55740]: 342418FAD8:
> from=<andrewgr...@testdomain.com>, size=6283, nrcpt=1 (queue active)
> May 6 15:42:43 miniserve-rmd-1 postfix/smtpd[56256]: connect from
> localhost[127.0.0.1]
> May 6 15:42:43 miniserve-rmd-1 postfix/smtpd[56256]: A60998FAE9:
> client=localhost[127.0.0.1]
> May 6 15:42:43 miniserve-rmd-1 postfix/cleanup[56249]: A60998FAE9:
> message-id=<da037ccf-cc2e-4d59-b8f6-20bcbd55c...@testdomain.com>
> May 6 15:42:43 miniserve-rmd-1 postfix/smtpd[56256]: disconnect from
> localhost[127.0.0.1]
> May 6 15:42:43 miniserve-rmd-1 postfix/qmgr[55740]: A60998FAE9:
> from=<andrewgr...@testdomain.com>, size=6968, nrcpt=1 (queue active)
> May 6 15:42:43 miniserve-rmd-1 postfix/smtp[56250]: 342418FAD8:
> to=<management.t...@testdomain.com>, relay=127.0.0.1[127.0.0.1]:10024,
> delay=4.5, delays=0.01/0.01/0/4.5, dsn=2.0.0, status=sent (250 2.0.0
> Ok, id=55547-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
> A60998FAE9)
> May 6 15:42:43 miniserve-rmd-1 postfix/qmgr[55740]: 342418FAD8: removed
> May 6 15:42:43 miniserve-rmd-1 postfix/pipe[56259]: A60998FAE9:
> to=<andrewgr...@testdomain.com>,
> orig_to=<management.t...@testdomain.com>, relay=dovecot, delay=0.04,
> delays=0/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot
> service)
> May 6 15:42:43 miniserve-rmd-1 postfix/qmgr[55740]: A60998FAE9: removed
>
> Please see the configuration and postconf -n output and let me know
> what I have done wrong.
>
> main.cf CONFIGURATION FILE:
> queue_directory = /private/var/spool/postfix
> command_directory = /usr/sbin
> daemon_directory = /usr/libexec/postfix
> mail_owner = _postfix
> myhostname = mail.testdomain.com
> mydomain = testdomain.com
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> unknown_local_recipient_reject_code = 550
> debug_peer_level = 2
> debugger_command =
>     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>     xxgdb $daemon_directory/$process_name $process_id & sleep 5
>
> sendmail_path = /usr/sbin/sendmail
> newaliases_path = /usr/bin/newaliases
> mailq_path = /usr/bin/mailq
> setgid_group = _postdrop
> html_directory = /usr/share/doc/postfix/html
> manpage_directory = /usr/share/man
> sample_directory = /usr/share/doc/postfix/examples
> readme_directory = /usr/share/doc/postfix
> dovecot_destination_recipient_limit = 1
> mailbox_size_limit = 0
> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
> mydomain_fallback = localhost
> message_size_limit = 0
> biff = no
> mynetworks = 127.0.0.0/8,127.0.0.1/32,10.1.2.241
>
> smtpd_client_restrictions =
>     permit_sasl_authenticated,
>     reject_rbl_client zen.spamhaus.org,
>     permit
>
> recipient_delimiter = +
> virtual_alias_maps =
> smtpd_pw_server_security_options = cram-md5,gssapi
> enable_server_options = yes
> smtpd_sasl_auth_enable = yes
> smtpd_use_pw_server = yes
> error_notice_recipient = postmaster
> notify_classes = policy, protocol, resource, software
>
> smtpd_restriction_classes = internal_domains, everyone_access,
>     send_only, mgmt_access
>
> internal_domains = check_recipient_access
>     hash:/etc/postfix/internal_domains, reject
> everyone_access = check_recipient_access
>     hash:/etc/postfix/everyone_access, reject
> send_only = check_recipient_access hash:/etc/postfix/send_only, reject
> mgmt_access = check_recipient_access hash:/etc/postfix/mgmt_access, reject
>
> smtpd_sender_restrictions =
>     permit_sasl_authenticated,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     permit
>
> smtpd_recipient_restrictions =
>     check_sender_access hash:/etc/postfix/restricted_senders,
>     check_recipient_access hash:/etc/postfix/restricted_recipients,
>     permit_sasl_authenticated,
>     reject_unauth_pipelining,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     reject_unauth_destination,
>     permit
>
> mailbox_transport = dovecot
> inet_interfaces = all
> smtpd_tls_cert_file =
>     /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.cert.pem
> smtpd_tls_key_file =
>     /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.key.pem
> relayhost = msg.testdomain.com
> smtpd_use_tls = yes
> smtpd_enforce_tls = no
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
>
> smtpd_helo_restrictions =
>     permit_sasl_authenticated,
>     reject_non_fqdn_helo_hostname,
>     reject_invalid_helo_hostname,
>     permit
>
> header_checks = pcre:/etc/postfix/custom_header_checks
> content_filter = smtp-amavis:[127.0.0.1]:10024
> tls_random_source = dev:/dev/urandom
> local_recipient_maps =
> smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
> smtp_sasl_auth_enable = yes
> smtpd_tls_CAfile =
>     /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.chain.pem
> maps_rbl_domains =
>
>
> postconf -n COMMAND OUTPUT:
> biff = no
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = smtp-amavis:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> enable_server_options = yes
> error_notice_recipient = postmaster
> header_checks = pcre:/etc/postfix/custom_header_checks
> html_directory = /usr/share/doc/postfix/html
> inet_interfaces = all
> local_recipient_maps =
> mail_owner = _postfix
> mailbox_size_limit = 0
> mailbox_transport = dovecot
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> maps_rbl_domains =
> message_size_limit = 0
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> mydomain = testdomain.com
> mydomain_fallback = localhost
> myhostname = mail.testdomain.com
> mynetworks = 127.0.0.0/8,127.0.0.1/32,10.1.2.241
> newaliases_path = /usr/bin/newaliases
> notify_classes = policy, protocol, resource, software
> queue_directory = /private/var/spool/postfix
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> relayhost = msg.testdomain.com
> sample_directory = /usr/share/doc/postfix/examples
> sendmail_path = /usr/sbin/sendmail
> setgid_group = _postdrop
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
> smtpd_client_restrictions = permit_sasl_authenticated,
>     reject_rbl_client zen.spamhaus.org, permit
> smtpd_delay_reject = yes
> smtpd_enforce_tls = no
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_sasl_authenticated,
>     reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
> smtpd_pw_server_security_options = cram-md5,gssapi
> smtpd_recipient_restrictions = check_sender_access
>     hash:/etc/postfix/restricted_senders, check_recipient_access
>     hash:/etc/postfix/restricted_recipients, permit_sasl_authenticated,
>     reject_unauth_pipelining, reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain, reject_unauth_destination, permit
> smtpd_restriction_classes = internal_domains, everyone_access,
>     send_only, mgmt_access
> smtpd_sasl_auth_enable = yes
> smtpd_sender_restrictions = permit_sasl_authenticated,
>     reject_non_fqdn_sender, reject_unknown_sender_domain, permit
> smtpd_tls_CAfile =
>     /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.chain.pem
> smtpd_tls_cert_file =
>     /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.cert.pem
> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
> smtpd_tls_key_file =
>     /etc/certificates/mail.testdomain.com.A2124A801965D56ECA8EFA8240C82E7D9F4D73F0.key.pem
> smtpd_use_pw_server = yes
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps =
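
Added example, not part of the thread and not Postfix code: a small Python model of the restriction-class lookup the reply points at, showing that `check_recipient_access` keys the `mgmt_access` table on the recipient while `check_sender_access` keys it on the sender. It covers only the `restricted_recipients` step, not the rest of the posted main.cf, and the addresses are constructed placeholders because the thread's are elided.

```python
# Simplified model of Postfix smtpd restriction-class evaluation (added
# illustration, not Postfix code). Addresses are constructed placeholders.
LIST_ADDR = "mgmt-list@example.test"   # stands in for the restricted list
ALLOWED = "notifier@example.test"      # stands in for the one permitted sender

RESTRICTED_RECIPIENTS = {LIST_ADDR: "mgmt_access"}  # recipient -> class name
MGMT_ACCESS = {ALLOWED: "OK"}                       # keyed by the allowed sender


def lookup(table, address):
    """Reduced access(5) search: full address first, then the bare domain."""
    address = address.lower()
    for key in (address, address.rsplit("@", 1)[-1]):
        if key in table:
            return table[key]
    return None  # no match: evaluation moves on to the next restriction


def evaluate(rules, sender, recipient, classes):
    """Walk a restriction list in order and return 'permit' or 'reject'."""
    for rule, table in rules:
        if rule in ("permit", "reject"):
            return rule
        # The restriction name alone decides which envelope address is the key.
        key = sender if rule == "check_sender_access" else recipient
        action = lookup(table, key)
        if action == "OK":
            return "permit"
        if action in classes:  # the map result names a restriction class
            return evaluate(classes[action], sender, recipient, classes)
    return "permit"  # model default; every list below ends explicitly


# mgmt_access as posted (recipient-keyed) and as the reply suggests (sender-keyed).
AS_POSTED = [("check_recipient_access", MGMT_ACCESS), ("reject", None)]
AS_REPLIED = [("check_sender_access", MGMT_ACCESS), ("reject", None)]


def decide(mgmt_class, sender, recipient):
    """Evaluate only the restricted_recipients step with the given class body."""
    rules = [("check_recipient_access", RESTRICTED_RECIPIENTS), ("permit", None)]
    return evaluate(rules, sender, recipient, {"mgmt_access": mgmt_class})


if __name__ == "__main__":
    for label, body in (("as posted", AS_POSTED), ("sender-keyed", AS_REPLIED)):
        for sender in (ALLOWED, "someone@example.test"):
            print(label, sender, "->", decide(body, sender, LIST_ADDR))
```

The envelope sender is supplied by the client, so a sender-keyed class restricts the list only as far as MAIL FROM can be trusted; Postfix's `reject_sender_login_mismatch` with `smtpd_sender_login_maps` is the usual way to bind it to the SASL login.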