Greetings,

I have a fairly simple setup for my mail server running Ubuntu 16.04. I have to restrict some internal aliases like a...@domain.tld to only some internal senders but not all, so mynetworks is not the way to go.

I got the example from http://www.postfix.org/RESTRICTION_CLASS_README.html as follows, but it is not working. Could someone please help?

postconf -n (formatted the restrictions for clarity):
append_dot_mydomain = no
biff = no
compatibility_level = 2
delay_warning_time = 4h
dovecot_destination_recipient_limit = 1
header_checks = pcre:/etc/postfix/header_checks.regexp
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
message_size_limit = 31457280
mydestination =
myhostname = netuno.domain.tld
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 (...)
myorigin = /etc/mailname
proxy_interfaces = a.b.c.d
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/esmtp_access
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = regexp:/etc/postfix/sender_maps.regexp, ldap:/etc/postfix/ldapowner.cf
smtpd_tls_cert_file = /etc/letsencrypt/live/imap.domain.tld/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/imap.domain.tld/privkey.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:NULL-SHA256
tls_preempt_cipherlist = yes
virtual_alias_maps = hash:/etc/postfix/aliases, ldap:/etc/postfix/ldapaliases.cf, regexp:/etc/postfix/aliases.regexp
virtual_gid_maps = static:3000
virtual_mailbox_base = /mnt/maildirs/
virtual_mailbox_domains = ldap:/etc/postfix/ldaptransport.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldaprcpt.cf
virtual_minimum_uid = 100
virtual_transport = dovecot
virtual_uid_maps = static:3000
smtpd_relay_restrictions =
    permit_sasl_authenticated,
    defer_unauth_destination
smtpd_sender_restrictions =
    reject_non_fqdn_sender
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/protected_destinations,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access hash:/etc/postfix/insiders, reject


protected_destinations:
a...@domain.tld insiders_only

insiders:
b...@domain.tld OK

With this, a user like j...@domain.tld is able to send to a...@domain.tld, which is not the desired behavior.

Both protected_destinations and insiders were properly postmap'd and postfix restarted. Yet, it does not work. If you have any other hint about this config, please share it. :)

Thanks, best regards.

--
Marcio Merlone
