Hello, master.cf:
smtp       inet  n  -  n  -      -  smtpd
pickup     fifo  n  -  n  1      1  pickup
cleanup    unix  n  -  n  -      0  cleanup
qmgr       fifo  n  -  n  300    1  qmgr
tlsmgr     unix  -  -  n  1000?  1  tlsmgr
rewrite    unix  -  -  n  -      -  trivial-rewrite
bounce     unix  -  -  n  -      0  bounce
defer      unix  -  -  n  -      0  bounce
trace      unix  -  -  n  -      0  bounce
verify     unix  -  -  n  -      1  verify
flush      unix  n  -  n  1000?  0  flush
proxymap   unix  -  -  n  -      -  proxymap
proxywrite unix  -  -  n  -      1  proxymap
smtp       unix  -  -  n  -      -  smtp
relay      unix  -  -  n  -      -  smtp
    -o smtp_fallback_relay=
showq      unix  n  -  n  -      -  showq
error      unix  -  -  n  -      -  error
retry      unix  -  -  n  -      -  error
discard    unix  -  -  n  -      -  discard
local      unix  -  n  n  -      -  local
virtual    unix  -  n  n  -      -  virtual
lmtp       unix  -  -  n  -      -  lmtp
anvil      unix  -  -  n  -      1  anvil
scache     unix  -  -  n  -      1  scache

postconf -n:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
html_directory = /usr/share/doc/postfix-2.7.1-documentation/html
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 1
minimal_backoff_time = 1
mydomain = XXX.com
myhostname = hq-relaytest-01
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
queue_run_delay = 1
readme_directory = /usr/share/doc/postfix-2.7.1-documentation/readme
relay_domains = XXX.com
sample_directory = /etc/postfix
setgid_group = postdrop
smtpd_client_connection_count_limit = 100
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/throttle, check_relay_domains
unknown_local_recipient_reject_code = 550

I should explain what the throttle file in the smtpd_recipient_restrictions above is. We are attempting to have this server act as a relay. We want all mail from certain domains to go directly to the hold queue so that we can use a separate program to un-hold mails at a specific rate.

Contents of the throttle file:

    XXX.com    HOLD

As per http://www.postfix.org/RESTRICTION_CLASS_README.html#external, I modified the smtpd_recipient_restrictions to the following:

    smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/throttle,
        check_sender_access hash:/etc/postfix/restricted_senders,
        check_relay_domains

and added:

    smtpd_restriction_classes = local_only
    local_only = check_recipient_access hash:/etc/postfix/local_domains, reject

This worked as expected and blocked certain senders from sending mail outside the local domains. Now I am trying to convert this to block everyone except for certain senders from sending mail outside the local domains. I have tried modifying restricted_senders to be:

    b...@xxx.com    HOLD
    @               REJECT

I was expecting this:

- b...@xxx.com can send to both outside and inside domains (put in the hold queue).
- If anyone else sends to an inside domain, the mail is put in the hold queue (because of the throttle file, and my separate program will send this).
- If anyone else sends to an outside domain, the mail is rejected (because of the restricted_senders file above).

Am I completely going about this the wrong way? Should I not be thinking of smtpd_recipient_restrictions the way I think of firewall rules? I am looking for some pointers on how to properly do this.

Thank you.

--- On Mon, 10/11/10, Sahil Tandon <sa...@freebsd.org> wrote:

> From: Sahil Tandon <sa...@freebsd.org>
> Subject: Re: Block all but a few from sending mail offsite
> To: postfix-users@postfix.org
> Date: Monday, October 11, 2010, 5:00 PM
>
> On Mon, 2010-10-11 at 16:45:13 -0700, John Swift wrote:
>
> > For my Postfix web server, I was able to get the example working that
> > was at the bottom of the web page here:
> > http://www.postfix.org/RESTRICTION_CLASS_README.html#external. In that
> > section of the web page, it says "It is left as an exercise for the
> > reader to change this into a scheme where only some users have
> > permission to send mail to off-site destinations, and where most users
> > are restricted." I've tried many many different things but have been
> > unable to change the scheme where some users have permission to send
> > mail offsite and most users are restricted. Can I get a little help
> > with this? I'm guessing this is a small config change that I'm
> > completely missing.
>
> Post the output of 'postconf -n' and anything else you changed to
> achieve your goal. Then post the logging of what occurred, followed by
> what you expected to see.
>
> --
> Sahil Tandon <sa...@freebsd.org>
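
An added illustration, not part of the original message and not Postfix code: a simplified Python model of the e-mail address patterns documented in access(5) (user@domain, domain.tld, user@), run against a constructed copy of the restricted_senders table from the post to show which keys are searched for a sender and that a bare "@" is not one of them. The search order, the default parent_domain_matches_subdomains setting, the absence of address-extension handling, and the stand-in address allowed@xxx.com (in place of the elided one) are assumptions.

```python
# Simplified model of access(5) e-mail address lookups (added example).
# Assumptions: smtpd_access_maps is listed in parent_domain_matches_subdomains
# (so parent domains are searched without a leading dot), no recipient_delimiter
# handling, and keys are searched in the order built below.

def lookup_keys(address):
    """Return the table keys tried for one envelope address, in order."""
    address = address.lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("expected an address of the form user@domain")
    keys = [address]                          # user@domain
    labels = domain.split(".")
    for i in range(len(labels)):              # domain, then each parent domain
        keys.append(".".join(labels[i:]))
    keys.append(local + "@")                  # user@
    return keys

def access_lookup(table, address):
    """Return (key, action) for the first key found, or None (no match)."""
    for key in lookup_keys(address):
        if key in table:
            return key, table[key]
    return None

# Constructed stand-in for the restricted_senders table in the post.
# allowed@xxx.com is a placeholder for the elided address.
RESTRICTED_SENDERS = {
    "allowed@xxx.com": "HOLD",
    "@": "REJECT",
}

if __name__ == "__main__":
    for sender in ("allowed@xxx.com", "other@xxx.com", "someone@example.org"):
        print(sender)
        print("  keys tried:", lookup_keys(sender))
        print("  result    :", access_lookup(RESTRICTED_SENDERS, sender))
```

In this model the "@" entry is never reached for any sender, so senders other than the listed one fall through to the next restriction instead of being rejected by the table.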