Allow relay from certain IPs AND allow only certain senders

2020-01-20 Thread ego...@gmail.com
Hi,
I am configuring a Postfix relay hosted on a cloud provider. I would like
to allow relay access only to public IPs of my company AND to a precise
list of senders. Here are my main.cf configurations:

mynetworks = 127.0.0.0/8 1.2.3.4/23 4.5.6.7/32 7.8.9.1/24
smtpd_recipient_restrictions = permit_mynetworks,
    check_sender_access hash:/etc/postfix/allowed_senders,
    reject_unauth_destination

allowed_senders is like this:

name.surn...@domain.com OK
john@domain.com OK
andrew.wh...@domain.com OK

If I keep these settings, allowed_senders is ignored, whether I put it
before or after permit_mynetworks settings. If I remove permit_mynetworks,
allowed_senders works normally. It looks like that
smtpd_recipient_restrictions options are in an OR relation; is there a way
to have them in an AND relation? Or do I have to put permit_mynetworks in
another postfix restriction option?


Re: Allow relay from certain IPs AND allow only certain senders

2020-01-20 Thread Viktor Dukhovni
On Mon, Jan 20, 2020 at 10:35:24AM +0100, ego...@gmail.com wrote:

> I am configuring a Postfix relay hosted on a cloud provider. I would like
> to allow relay access only to public IPs of my company AND to a precise
> list of senders. Here are my main.cf configurations:
> 
> mynetworks = 127.0.0.0/8 1.2.3.4/23 4.5.6.7/32 7.8.9.1/24
> smtpd_recipient_restrictions = permit_mynetworks,
> check_sender_access 
> hash:/etc/postfix/allowed_senders,
> reject_unauth_destination
> 
> allowed_senders is like this:
> 
> name.surn...@domain.com OK
> john@domain.com OK
> andrew.wh...@domain.com OK

A belt-and-suspenders solution would be:

    mynetworks = 127.0.0.0/8 1.2.3.4/23 4.5.6.7/32 7.8.9.1/24

    # No relaying from untrusted networks
    smtpd_relay_restrictions =
        permit_mynetworks,
        reject_unauth_destination

    # Also, no relaying by unauthorized senders
    smtp_sender_restrictions =
        check_sender_access hash:/etc/postfix/allowed_senders,
        reject_unauth_destination

    # Apply UCE controls to remote clients
    smtpd_recipient_restrictions =
        permit_mynetworks,
        ... anti-spam rules if any ...

  allowed_senders:

    # Just in case, reject relay attempts from untrusted networks
    #
    name.surn...@domain.com permit_mynetworks, reject_unauth_destination
    john@domain.com permit_mynetworks, reject_unauth_destination
    andrew.wh...@domain.com permit_mynetworks, reject_unauth_destination

-- 
Viktor.
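
A simplified model of how restriction lists combine, added here as an illustration (not Postfix code and not written by the posters): a PERMIT ends only the list it occurs in, while a REJECT in any list refuses the mail, so checks in one list behave as OR and checks in separate lists as AND. The networks, addresses, domain set and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample data: documentation networks and domains, not the poster's.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
ALLOWED_SENDERS = {"john@example.com"}
RELAY_FREE_DOMAINS = {"relay.example.net"}  # destinations needing no relay permission

def run_list(restrictions, mail):
    """First PERMIT or REJECT ends the list; DUNNO falls through to the next entry."""
    for restriction in restrictions:
        verdict = restriction(mail)
        if verdict != "DUNNO":
            return verdict
    return "DUNNO"

def accept(lists, mail):
    """A PERMIT only ends its own list; a REJECT in any list refuses the mail."""
    return all(run_list(lst, mail) != "REJECT" for lst in lists)

def permit_mynetworks(mail):
    ip = ipaddress.ip_address(mail["client"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def reject_unauth_destination(mail):
    domain = mail["rcpt"].rsplit("@", 1)[1]
    return "DUNNO" if domain in RELAY_FREE_DOMAINS else "REJECT"

def sender_ok(mail):
    # Table from the question: listed sender -> OK
    return "PERMIT" if mail["sender"] in ALLOWED_SENDERS else "DUNNO"

def sender_gated(mail):
    # Table from the reply: listed sender -> permit_mynetworks, reject_unauth_destination
    if mail["sender"] not in ALLOWED_SENDERS:
        return "DUNNO"
    return run_list([permit_mynetworks, reject_unauth_destination], mail)

# One list, as in the question: the first PERMIT wins, so the checks are ORed.
SINGLE_LIST = [[permit_mynetworks, sender_ok, reject_unauth_destination]]
# Two lists, as in the reply: relay restrictions, then sender restrictions.
SPLIT_LISTS = [[permit_mynetworks, reject_unauth_destination],
               [sender_gated, reject_unauth_destination]]

def make_mail(client, sender, rcpt):
    return {"client": client, "sender": sender, "rcpt": rcpt}

if __name__ == "__main__":
    inside_unlisted = make_mail("192.0.2.10", "mallory@example.com", "a@example.org")
    print(accept(SINGLE_LIST, inside_unlisted), accept(SPLIT_LISTS, inside_unlisted))
```

With the single list, a trusted client is permitted before the sender table is consulted; with the split lists, the same message passes the relay list but is refused by the sender list.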


Re: postfix for IoT

2020-01-20 Thread Allen Coates



On 20/01/2020 02:31, Viktor Dukhovni wrote:
> On Mon, Jan 20, 2020 at 08:38:46AM +0800, Wesley Peng wrote:
> 
>> How to compile postfix into the  Embedded operating system (such as the
>> home router) and make it as a mail gateway for  Smart home appliances?
> 
> Most embedded systems are not sufficiently capable of running Postfix,
> nor would I recommend queueing email on an embedded router.
> 
> You can forward (DNAT) the relevant ports to a real computer.

Synology NAS boxes can run a Postfix/Dovecot system very nicely - even webmail
and RADIUS, if you want them.  I suppose other NAS boxes will do something very
similar, but I have no direct knowledge.

hope this helps.

Allen C


Re: Allow relay from certain IPs AND allow only certain senders

2020-01-20 Thread Vu Ngoc VU

Date: Mon, 20 Jan 2020 11:00:11
From: Viktor Dukhovni 
Reply-To: postfix-users@postfix.org
To: postfix-users@postfix.org
Subject: Re: Allow relay from certain IPs AND allow only certain senders



# Also, no relaying by unauthorized senders
smtp_sender_restrictions =
check_sender_access hash:/etc/postfix/allowed_senders,
reject_unauth_destination


Hello, should it be smtpd_sender_restrictions?


Re: postfix for IoT

2020-01-20 Thread Mauricio Tavares
On Sun, Jan 19, 2020 at 7:40 PM Wesley Peng  wrote:
>
> How to compile postfix into the  Embedded operating system (such as the home 
> router) and make it as a mail gateway for  Smart home appliances?
>
  Main issue I have here is your router has a very important job
to do (routing traffic) and you now are asking it to also do a rather
demanding job (mail). If I were in your shoes, I would invest in
either creating a container/virtual host or grabbing something on the
size/cost/power of a raspberry pi and make that the mail server. Now,
even if for some reason the internal mail server gets bogged down,
your router (and connection to the outside and your other internal
devices) will not be affected (in principle, because there is always
DOS). Also, router updates will then be decoupled with the mail server
ones.

Divide and Conquer.
>
> Thank you.


Re: postsuper manpage: message expiration

2020-01-20 Thread Emanuel

Thanks!! The option is very useful.

Regards,

On 18/1/20 at 21:45, Wietse Venema wrote:

I'm adding a new field to the Postfix queue file that says if a
message was forcibly expired. The field is set with the postsuper
command, using syntax that is similar to other postsuper commands.

The new option behaves like 'delete' except of course that it sets
a flag in a file instead of deleting it.

-e queue_id
   Expire  one  message  with  the named queue ID in the named mail
   queue(s) (default: hold, incoming, active and deferred).

   This only marks the message as  expired.  The  message  will  be
   returned  to  the  sender  when  the  queue manager opens it for
   delivery (but mail in the  hold  queue  stays  in  that  queue).
   Deferred  messages  are  returned with the actual reason for the
   delay; other messages are returned with the reason "5.7.0 message
   is administratively expired".

   To  expire multiple files, specify the -e option multiple times,
   or specify a queue_id of - to read queue IDs from standard input
   (see the -d option for an example).

As implemented, this does not release a file from 'hold'. It only
sets a flag in a queue file. That is the purist approach. However
I suspect that some people would not want to have to say

To delete one file:
postsuper -e queueid -H queueid

To delete a bunch of files:
postqueue -pj | script | postsuper -e -
postqueue -pj | script | postsuper -H -

If the intent of expiration is to make messages 'go away' then it
makes sense that '-e' automagically un-holds a message, so that the
queue manager can return it as undeliverable.

Wietse

--
envialosimple.com   
Emanuel Gonzalez
IT / Departamento Emails
emanuel.gonza...@donweb.com 
www.envialosimple.com 
by donweb 
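
One possible shape for the `script` stage in the pipelines quoted above, as an added example (not from the original message or from Postfix): it reads a JSON queue listing, one object per line, and returns the queue IDs to hand to `postsuper -e -`. The selection criteria, sample records and function name are constructed; the field names are those of the postqueue(1) JSON output.

```python
import json
import re
import sys
import time

QUEUE_ID = re.compile(r"[0-9A-Za-z]+")

# Constructed sample records in the one-JSON-object-per-line queue listing format.
SAMPLE = [
    '{"queue_name": "deferred", "queue_id": "4F1A2B3C4D", "arrival_time": 1579000000,'
    ' "message_size": 2048, "sender": "news@example.com",'
    ' "recipients": [{"address": "a@example.org", "delay_reason": "connection timed out"}]}',
    '{"queue_name": "hold", "queue_id": "5E6F7A8B9C", "arrival_time": 1579500000,'
    ' "message_size": 1024, "sender": "news@example.com",'
    ' "recipients": [{"address": "b@example.org"}]}',
    '{"queue_name": "active", "queue_id": "6A7B8C9D0E", "arrival_time": 1579000000,'
    ' "message_size": 512, "sender": "ops@example.com",'
    ' "recipients": [{"address": "c@example.org"}]}',
]

def select_queue_ids(lines, sender=None, min_age=0, queues=("deferred", "hold"), now=None):
    """Return queue IDs of matching messages; raise before returning anything on bad input."""
    now = time.time() if now is None else now
    selected = []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        record = json.loads(line)  # a malformed line raises ValueError
        queue_id = record["queue_id"]
        if not QUEUE_ID.fullmatch(queue_id):
            raise ValueError(f"line {number}: unexpected queue ID {queue_id!r}")
        if record["queue_name"] not in queues:
            continue
        if sender is not None and record["sender"] != sender:
            continue
        if now - record["arrival_time"] >= min_age:
            selected.append(queue_id)
    return selected

if __name__ == "__main__":
    # Usage: postqueue -j | python3 select_ids.py news@example.com 86400 | postsuper -e -
    wanted = select_queue_ids(sys.stdin, sender=sys.argv[1], min_age=int(sys.argv[2]))
    if wanted:
        print("\n".join(wanted))
```

Because the whole listing is parsed before anything is printed, a malformed record aborts the run instead of passing a partial ID list on to postsuper.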





Re: postfix for IoT

2020-01-20 Thread Wesley Peng
Hello

Thanks all answers for kind info.
My requirement is, for example, when refrigerator found there were no food
in itself, it will send an email to remind the people.
But refrigerator may not connect to internet directly, only home router
have direct access to internet.
So how to implement this mail sending feature?

Thanks.


On Mon, Jan 20, 2020 at 8:06 PM Mauricio Tavares 
wrote:

> On Sun, Jan 19, 2020 at 7:40 PM Wesley Peng  wrote:
> >
> > How to compile postfix into the  Embedded operating system (such as the
> home router) and make it as a mail gateway for  Smart home appliances?
> >
>   Main issue I have here is your router has a very important job
> to do (routing traffic) and you now are asking it to also do a rather
> demanding job (mail). If I were in your shoes, I would invest in
> either creating a container/virtual host or grabbing something on the
> size/cost/power of a raspberry pi and make that the mail server. Now,
> even if for some reason the internal mail server gets bogged down,
> your router (and connection to the outside and your other internal
> devices) will not be affected (in principle, because there is always
> DOS). Also, router updates will then be decoupled with the mail server
> ones.
>
> Divide and Conquer.
> >
> > Thank you.
>


Re: postfix for IoT

2020-01-20 Thread Sven Schwedas
On 20.01.20 13:14, Wesley Peng wrote:
> Hello
> 
> Thanks all answers for kind info.
> My requirement is, for example, when refrigerator found there were no
> food in itself, it will send an email to remind the people.
> But refrigerator may not connect to internet directly, only home router
> have direct access to internet.
> So how to implement this mail sending feature?

Neither a router nor an IoT device are appropriate for acting as MTA, as
they will trigger every single spamfilter in existence.

Options:

• Use an SMTP client library to connect to some proper mail server. That
can be one run by you, or if you really hate your support personnel, you
can allow users to configure their own emailing (gmail etc.)

• Have a backend somewhere on a server that handles emailing for the
device, or directly plug the device into something like Mailgun or
Mandrill, using HTTPS APIs in either case, to re-implement option 1 in a
less elegant but more "modern" manner. #yolo #webdev #brogramming






Re: postfix for IoT

2020-01-20 Thread Jaroslaw Rafa
On 20.01.2020 at 20:14:48, Wesley Peng wrote:
> 
> Thanks all answers for kind info.
> My requirement is, for example, when refrigerator found there were no food
> in itself, it will send an email to remind the people.
> But refrigerator may not connect to internet directly, only home router
> have direct access to internet.
> So how to implement this mail sending feature?

Port forwarding on router from internal network to your actual mail server
would be enough.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


build failure with gcc-10

2020-01-20 Thread Eray Aslan
: *** [Makefile:208: libpostfix-global.so] Error 1
make: *** [Makefile:100: update] Error 1

the following seems to be the problem:
# grep "multiple definition" /var/log/portage/mail-mta\:postfix-3.5_pre20200112\:20200120-133517.log | cut -d" " -f6 | sort | uniq -c
171 `var_tlsp_clnt_enforce_tls';
171 `var_tlsp_clnt_level';
171 `var_tlsp_clnt_per_site';
171 `var_tlsp_clnt_policy';
171 `var_tlsp_clnt_use_tls';

-- 
Eray

[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85678


Re: postfix for IoT

2020-01-20 Thread Wietse Venema
W. Michael Petullo:
> > How to compile postfix into the
> > Embedded operating system (such as the home router) and make it as a mail 
> > gateway
> 
> > for Smart home appliances?
> 
> OpenWrt provides a postfix package. See https://openwrt.org/.

OpenWrt has broken the code that measures the amount of available
space for the mail queue. The Postfix SMTP server uses this to
decide if it can receive a message.

https://github.com/openwrt/packages/issues/9970

This bug was closed in November 2019.

I suppose you can't run Postfix on an internal NAS system?

Wietse


Re: build failure with gcc-10

2020-01-20 Thread Wietse Venema
Eray Aslan:
> gcc-10 flipped a default from -fcommon to -fno-common[1] resulting in
> the following errors while building postfix-3.5-20200112.  Simple
> reproducer on an older gcc is to add -fno-common to CFLAGS.

Try this.

Wietse

diff -ur /var/tmp/postfix-3.5-20200112/src/global/mail_params.h 
./src/global/mail_params.h
--- /var/tmp/postfix-3.5-20200112/src/global/mail_params.h  2019-12-01 
09:58:23.0 -0500
+++ ./src/global/mail_params.h  2020-01-20 10:36:50.0 -0500
@@ -3983,23 +3983,23 @@
 
 #define VAR_TLSP_CLNT_USE_TLS  "tlsproxy_client_use_tls"
 #define DEF_TLSP_CLNT_USE_TLS  "$" VAR_SMTP_USE_TLS
-boolvar_tlsp_clnt_use_tls;
+extern bool var_tlsp_clnt_use_tls;
 
 #define VAR_TLSP_CLNT_ENFORCE_TLS  "tlsproxy_client_enforce_tls"
 #define DEF_TLSP_CLNT_ENFORCE_TLS  "$" VAR_SMTP_ENFORCE_TLS
-boolvar_tlsp_clnt_enforce_tls;
+extern bool var_tlsp_clnt_enforce_tls;
 
 #define VAR_TLSP_CLNT_LEVEL"tlsproxy_client_level"
 #define DEF_TLSP_CLNT_LEVEL"$" VAR_SMTP_TLS_LEVEL
-char   *var_tlsp_clnt_level;
+extern char *var_tlsp_clnt_level;
 
 #define VAR_TLSP_CLNT_PER_SITE "tlsproxy_client_per_site"
 #define DEF_TLSP_CLNT_PER_SITE "$" VAR_SMTP_TLS_PER_SITE
-char   *var_tlsp_clnt_per_site;
+extern char *var_tlsp_clnt_per_site;
 
 #define VAR_TLSP_CLNT_POLICY   "tlsproxy_client_policy"
 #define DEF_TLSP_CLNT_POLICY   "$" VAR_SMTP_TLS_POLICY
-char   *var_tlsp_clnt_policy;
+extern char *var_tlsp_clnt_policy;
 
  /*
   * SMTPD "reject" contact info.
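
Review bot: the five declarations changed to `extern` (var_tlsp_clnt_use_tls through var_tlsp_clnt_policy) now each need exactly one definition in a .c file, and this diff touches only src/global/mail_params.h, so it is worth confirming that such a definition exists in one source file; otherwise the link failure changes from "multiple definition" to an undefined reference. Building once with -fno-common in CFLAGS, as the report suggests for older compilers, would also show whether any other non-extern variable declaration remains in a shared header.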


Re: build failure with gcc-10

2020-01-20 Thread Eray Aslan
On Mon, Jan 20, 2020 at 10:38:09AM -0500, Wietse Venema wrote:
> Eray Aslan:
> > gcc-10 flipped a default from -fcommon to -fno-common[1] resulting in
> > the following errors while building postfix-3.5-20200112.  Simple
> > reproducer on an older gcc is to add -fno-common to CFLAGS.
> 
> Try this.

Works.  Thank you

-- 
Eray


Re: build failure with gcc-10

2020-01-20 Thread Eray Aslan
On Mon, Jan 20, 2020 at 06:57:34PM +0300, Eray Aslan wrote:
> On Mon, Jan 20, 2020 at 10:38:09AM -0500, Wietse Venema wrote:
> > Eray Aslan:
> > > gcc-10 flipped a default from -fcommon to -fno-common[1] resulting in
> > > the following errors while building postfix-3.5-20200112.  Simple
> > > reproducer on an older gcc is to add -fno-common to CFLAGS.
> > 
> > Try this.
> 
> Works.  Thank you

Problem report to patch (trivial or not): ~20 minutes.  This is amazing.
There are probably some lessons to be learned here - just a thought for
when/if you are looking for something else to share.

Thanks again
-- 
Eray


Re: build failure with gcc-10

2020-01-20 Thread Wietse Venema
Eray Aslan:
> On Mon, Jan 20, 2020 at 06:57:34PM +0300, Eray Aslan wrote:
> > On Mon, Jan 20, 2020 at 10:38:09AM -0500, Wietse Venema wrote:
> > > Eray Aslan:
> > > > gcc-10 flipped a default from -fcommon to -fno-common[1] resulting in
> > > > the following errors while building postfix-3.5-20200112.  Simple
> > > > reproducer on an older gcc is to add -fno-common to CFLAGS.
> > > 
> > > Try this.
> > 
> > Works.  Thank you
> 
> Problem report to patch (trivial or not): ~20 minutes.  This is amazing.
> There are probably some lessons to be learned here - just a thought for
> when/if you are looking for something else to share.

Don't make too much of that. Today is a holiday.

Wietse