On 05/04/2012 09:25, Eric Kimminau wrote:
On 4/5/2012 12:58 AM, Viktor Dukhovni wrote:
On Wed, Apr 04, 2012 at 03:57:00PM -0400, Eric Kimminau wrote:

My goal is to limit outbound email to only three domains. All other email
destined for any other domain should be redirected to a single, valid
internal mail box.
I take it these are *destination* (recipient) domains, not *origin*
(sender) domains.
Correct. domain1.com is the local domain, domain2 and domain3 are
outside the local network and will pass through mailhost.domain1.com if
they leave the local system.
It isn't working. Email to addresses outside this domain is still being
delivered.
Of course not, your configuration is trying to filter sender domains:

/etc/postfix/access:
domain1.com  OK
domain2.com  OK
domain3.com  OK
.            REDIRECT valid@email.address
Fortunately, the "." pseudo-domain is not one of the Postfix address
lookup keys, so your access list is a noop.
I considered adding several lines for TLD, such as com, org, net, etc.
But, as you have said this only apparently handles inbound mail, not
outbound. My assumption was that mail connecting to the MTA, regardless
of source, was considered inbound.

# Sender restrictions:
smtpd_sender_restrictions =
     reject_non_fqdn_sender
     reject_unknown_sender_domain
     check_recipient_access hash:/etc/postfix/access
     permit_auth_destination
     reject

# Recipient restrictions:
smtpd_recipient_restrictions =
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/access
        This would be a big problem if the table worked as intended.

    reject_invalid_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_hostname
    reject_unknown_sender_domain
    reject_unauth_pipelining
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    reject
Since this host accepts mail only from machines in mynetworks,
it is simpler to just add the desired domains to
You could use a little trick with a MySQL query.
The MySQL query (cf files) can contain either a real query or a "fake" query such as "select 1 + 1;", or one with "if" statements. So you can use an SQL query to reject only if the recipient is outside the three domains.
Meaning something like "select "REJECT; unauth dest" where domains like "%d";"
or something like that if you do have a domain list.
And you can also do a trick to masquerade any domain other than the three you are allowing, using a MySQL query that will always return a "local\virtual" domain that you are hosting, and a "catch all" alias for this domain to catch all the mails that are being sent to the outer world.
There is one problem with the masquerade thingy:
it will replace all the destined domains.
It would be better to use some mail graphing software, or to log all the recipients with, let's say, a MySQL query (I don't know if Postfix works with a nested update in a select query).

Another option is to use a catch-all alias in the select query that negates the three domains and will alias anything else into a local address.

Hope it will help you with your stress, but don't push it too much, because the fact that you want to learn a very complex and well written and designed MTA in a couple of hours can lead you to a situation where you don't know how it works and funny stuff will happen.

Good luck and Regards,
Eliezer
        relay_domains = domain1.com, ...

And set:

        default_transport = error:5.1.2 Destination unreachable

You'll need that anyway, since "reject_unauth_destination" at the
top of the recipient restrictions would otherwise deny traffic
to these domains.

Your configuration shows signs of being slapped together through
multiple rounds of unsuccessful experimentation. I strongly
suggest you take the time to understand address classes and
access controls and deploy something much simpler.

Viktor,

I sincerely appreciate your response. And while I certainly also
appreciate the suggestion, I need a solution implemented by Friday
morning. RTFM, while it will teach me to fish, will have me losing out
on the proverbial worm. It absolutely was slapped together. My postfix
learning curve started about 2 hours before I sent my mail and I have
about 8 hours Thursday to attempt to implement a workable solution.

I would LOVE to deploy something much simpler. If you believe that I do
not need smtpd_sender_restrictions or smtpd_recipient_restrictions on a
host that will never be directly reachable from the internet and is only
going to be used in pre-production/development environments, I'm all for
removing it.

If adding to /etc/postfix/main.cf <http://www.postfix.org/postconf.5.html>:

relay_domains = domain1.com,domain2.com,domain3.com
default_transport = error:5.1.2 Destination unreachable

Solves my problem, this is beautifully elegant.

I'm assuming I also do not need to add the following?
local_transport   = error:5.1.2 local transport not permitted
relay_transport   = error:5.1.2 relay transport not permitted

Is there a way to also redirect any attempt to send anything to any
domain other than what has been defined in relay_domains to a defined
email address?

Thank you again!

Eric

--
Eric Kimminau
eak at kimminau dot org



--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
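To make the two mechanisms Viktor points at concrete, here is an added Python model (illustration code written for this page, not Postfix source and not from anyone in the thread) of the access(5) lookup-key order, which is why a bare "." entry is never consulted, and of the reject_unauth_destination check plus the address-class routing that sends recipient domains absent from relay_domains to default_transport. The access table, domain names, recipient addresses and the main.cf values are constructed from what the thread quotes; virtual address classes and the transport table are left out, and the subdomain-matching defaults encoded below follow the documented default of parent_domain_matches_subdomains.

```python
"""Added illustration (not Postfix code): why the "." access entry is a no-op,
and what relay_domains plus an error: default_transport does to recipient
domains that are not listed.  Virtual address classes are omitted."""

# Constructed copy of the /etc/postfix/access table quoted in the thread.
ACCESS_TABLE = {
    "domain1.com": "OK",
    "domain2.com": "OK",
    "domain3.com": "OK",
    ".": "REDIRECT valid@email.address",
}

# Constructed main.cf values matching Viktor's suggestion.
MYDESTINATION = {"domain1.com"}
RELAY_DOMAINS = {"domain1.com", "domain2.com", "domain3.com"}
DEFAULT_TRANSPORT = "error:5.1.2 Destination unreachable"


def access_lookup_keys(address, parent_matches_subdomains=True):
    """Keys Postfix tries, in order, for an address in an indexed access(5)
    table: user@domain, the domain itself, each parent domain (without a
    leading dot when smtpd_access_maps is in parent_domain_matches_subdomains,
    which is the documented default, otherwise with one), then user@.
    A bare "." is never one of the keys, so that table entry is dead."""
    address = address.lower()
    user, _, domain = address.rpartition("@")
    keys = [address, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(user + "@")
    return keys


def access_decision(address, table, parent_matches_subdomains=True):
    """First matching key wins.  No match means the map says nothing and
    smtpd moves on to the next restriction in the list (DUNNO)."""
    for key in access_lookup_keys(address, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, "DUNNO"


def domain_in(domain, domain_set, match_subdomains):
    """Membership test with optional parent-domain matching."""
    if domain in domain_set:
        return True
    if not match_subdomains:
        return False
    labels = domain.split(".")
    return any(".".join(labels[i:]) in domain_set for i in range(1, len(labels)))


def unauth_destination(recipient, mydestination, relay_domains):
    """What reject_unauth_destination evaluates: the recipient domain must be
    local (mydestination, exact match) or in relay_domains (which matches
    subdomains by default).  True means the restriction rejects."""
    domain = recipient.lower().rpartition("@")[2]
    return not (domain_in(domain, mydestination, False)
                or domain_in(domain, relay_domains, True))


def route_recipient(recipient, mydestination, relay_domains, default_transport):
    """Address-class choice once a message is queued: local delivery for
    mydestination, relay_transport for relay_domains, and everything else via
    default_transport, which with the suggested setting is an error: transport
    that bounces the message instead of sending it out."""
    domain = recipient.lower().rpartition("@")[2]
    if domain_in(domain, mydestination, False):
        return "local"
    if domain_in(domain, relay_domains, True):
        return "relay"
    return default_transport


if __name__ == "__main__":
    for rcpt in ("dev@domain1.com", "qa@sub.domain2.com", "bob@example.org"):
        print(rcpt, access_decision(rcpt, ACCESS_TABLE),
              "rejected" if unauth_destination(rcpt, MYDESTINATION, RELAY_DOMAINS)
              else "authorized",
              route_recipient(rcpt, MYDESTINATION, RELAY_DOMAINS, DEFAULT_TRANSPORT))
```

Running it shows the three outcomes side by side: domain1.com mail is local, a subdomain of domain2.com is an authorized relay destination, and example.org gets DUNNO from the access table (the "." line never fires), is refused by reject_unauth_destination at SMTP time, and would hit the error: transport if it were ever queued.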
