With Noel's explanation I think I got it figured out, but before I try it I'd 
appreciate other brains validating what I've created as a sanity check. Here's 
what I have:

<snip from main.cf>
###
smtpd_recipient_restrictions =
        # Check what hosts are allowed to relay. Anything not
        # listed in the access table is discarded.

        check_client_access hash:/etc/postfix/client_access

        # See what addresses are allowed to relay as senders.
        # Check them against allowed recipients in recipient_access
        # under smtpd_restriction_classes.

        check_sender_access hash:/etc/postfix/sender_access

        check_client_access static:discard
        reject_unauth_destination
###
smtpd_restriction_classes = authorized_recipients
# The class definition is its own parameter and must start in column 0:
# a line that begins with whitespace continues the previous parameter.
authorized_recipients = check_recipient_access hash:/etc/postfix/recipient_access, discard
###
</snip from main.cf>

<sender_access>
send...@wf.com          authorized_recipients
send...@wf.com          authorized_recipients
send...@wf.com          authorized_recipients
send...@wf.com          authorized_recipients
send...@wf.com          authorized_recipients
send...@wf.com          authorized_recipients
</sender_access>

<recipient_access>
send...@wf.com          OK
send...@wf.com          OK
recipie...@wf.com               OK
recipie...@wf.com               OK
recipie...@wf.com               OK
recipie...@wf.com               OK
</recipient_access>

So if I did this right, any host listed in client_access will be able to relay 
from anyone, to anyone (I'm actually thinking I want to change that, but first 
things first).

Any address listed in sender_access can relay, but only to the recipients 
listed in recipient_access. Mail sent to recipients not allowed under 
smtpd_restriction_classes is discarded (vs. rejected).

Is this setup correct for that? Thanks in advance.

Thanks for the help, Noel and all.


-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Noel Jones
Sent: Wednesday, December 29, 2010 11:28 AM
To: postfix-users@postfix.org
Subject: Re: Relay restrictions

On 12/29/2010 10:31 AM, michael.lar...@wellsfargo.com wrote:
> Back in August several people helped me with the problem
> linked here:
> http://www.mail-archive.com/postfix-users@postfix.org/msg26629.html
> It was almost what I needed, but I didn't completely
> understand what I was asking for at the time, and the
> configuration is causing problems. I need to implement some
> further restrictions and can't figure out how to do it. The
> current restrictions in my main.cf look like this:
> smtpd_recipient_restrictions =
> check_client_access hash:/etc/postfix/client_access
> check_sender_access hash:/etc/postfix/sender_access
> check_recipient_access hash:/etc/postfix/recipient_access
> check_client_access static:discard
> reject_unauth_destination
> An unintended consequence is that any address that is allowed
> as a sender is allowed to relay to anyone, even invalid
> addresses. I need to be able to specify a very small subset of
> valid addresses as recipients, based on who the sender is, and
> discard all the others. Since this setup is
> "first-match-wins", the relay doesn't evaluate anything past
> check_sender_access. I need it to evaluate sender, and if the
> sender is allowed, discard any recipient address that isn't
> explicitly allowed. I tried blacklisting the addresses I knew
> to, and that worked, but new and/or invalid addresses keep
> turning up in the test code, and the blacklist has become
> unmanageable.
> I need a way to implement
> "check_sender_access_AND_check_recipient_access". I assume
> Noel anticipated that need when he talked about using
> "smtpd_restriction_classes for multiple-factor tests", but
> reading the documentation didn't shed any light on how to
> implement in this situation. Can anyone help turn back the
> darkness?

Read this several times until it starts to make sense:
http://www.postfix.org/RESTRICTION_CLASS_README.html

Postfix restriction classes allow you to "nest" restrictions 
so that you can combine sender and recipient tests.  This will 
work for you if your list of allowed senders can send to any 
of the allowed recipients.  The example
http://www.postfix.org/RESTRICTION_CLASS_README.html#external
does just about exactly what you ask for, just use full 
recipient addresses instead of domains for the local_domains 
list (you can use a different name than local_domains in your 
setup).

If you need finer control - i.e. each sender has their own list 
of allowed recipients, you'll need to use an external policy 
service to make those decisions. This is quite a bit more 
complex than restriction classes, but gives you much finer 
control over postfix decisions.
http://www.postfix.org/SMTPD_POLICY_README.html
Here are some pre-built policy servers; maybe one of them 
would help if you need fine-grained control.
http://www.postfix.org/addon.html#policy


   -- Noel Jones
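As an added example of the external policy service Noel points to for the finer-grained case (this is not code from the thread or from Postfix itself), here is a minimal smtpd_access_policy server in Python 3. It assumes a hypothetical per-sender map called ALLOWED, filled with constructed addresses at example.com, and a master.cf spawn(8) entry like the one in SMTPD_POLICY_README. It answers OK when the sender/recipient pair is listed, DISCARD when the sender is listed but the recipient is not (the same choice the thread makes with the restriction class), and DUNNO in every other case so the rest of the restriction list still gets to decide.

```python
#!/usr/bin/env python3
"""Minimal Postfix SMTPD access policy server: per-sender recipient lists.

Added example, not part of the thread or of Postfix. Speaks the protocol
from SMTPD_POLICY_README: Postfix sends "name=value" lines ending with an
empty line, the server answers "action=<result>" followed by an empty line,
and one connection may carry several requests in a row.
"""
import io
import sys

# Hypothetical, constructed policy table: each sender gets its own set of
# allowed recipients (the case a single restriction class cannot express).
ALLOWED = {
    "sender-a@example.com": {"dest-1@example.com", "dest-2@example.com"},
    "sender-b@example.com": {"dest-3@example.com"},
}


def parse_request(text):
    """Turn one request ("name=value" lines, blank line optional) into a dict."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            break                      # blank line ends the request
        name, sep, value = line.partition("=")
        if sep:                        # skip malformed lines instead of crashing
            attrs[name.strip().lower()] = value.strip()
    return attrs


def decide(attrs, allowed=ALLOWED):
    """Return the action for one request: OK, DISCARD or DUNNO."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    # The recipient is only known at RCPT TO, which is also where
    # smtpd_recipient_restrictions is evaluated.
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    if sender not in allowed:
        return "DUNNO"                 # not one of ours: later restrictions decide
    if recipient in allowed[sender]:
        return "OK"                    # explicitly permitted sender/recipient pair
    return "DISCARD"                   # listed sender, unlisted recipient


def format_response(action):
    return "action=%s\n\n" % action


def serve(instream, outstream, allowed=ALLOWED):
    """Answer every request on instream until EOF (one connection, many requests)."""
    pending = []

    def flush_request():
        if pending:
            action = decide(parse_request("\n".join(pending)), allowed)
            outstream.write(format_response(action))
            outstream.flush()
            del pending[:]

    for raw in instream:
        line = raw.rstrip("\r\n")
        if line:
            pending.append(line)
        else:
            flush_request()            # blank line: request complete
    flush_request()                    # tolerate a missing final blank line


def handle_text(text, allowed=ALLOWED):
    """Testing helper: feed a request string, return the raw reply text."""
    out = io.StringIO()
    serve(io.StringIO(text), out, allowed)
    return out.getvalue()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)       # run under master.cf spawn(8), or by hand
```

Hook it in with check_policy_service unix:private/policy in smtpd_recipient_restrictions, ahead of reject_unauth_destination, using the spawn entry from SMTPD_POLICY_README. Like check_sender_access, this trusts the envelope sender, so any client that can reach the server and claims a listed address gets the same relay rights; that exposure is the same as with the hash-table version and is worth keeping the client_access check in front of it.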
