Very selective relay

2020-09-18 Thread Marek Kozlowski

:-)
I've been asked a very strange question. According to the best of my 
knowledge there is no setting but maybe I'm wrong:


Is it possible to define a very selective relay according to the 
following pseudo code:


/* a, b and c are set to some single values */
if (client's_IP==a)
  if (MAIL_FROM==b)
    if (RCPT_TO==c)
      then relay=OK
relay=reject

Best regards,
Marek





Re: Very selective relay

2020-09-18 Thread Wietse Venema
Marek Kozlowski:
> :-)
> I've been asked a very strange question. According to the best of my 
> knowledge there is no setting but maybe I'm wrong:
> 
> Is it possible to define a very selective relay according to the 
> following pseudo code:
> 
> /* a, b and c are set to some single values */
> if (client's_IP==a)
>  if (MAIL_FROM==b)
>  if (RCPT_TO==c)
>  then relay=OK
> relay=reject

www.postfwd.org

Wietse


smtp_sender_restrictions

2020-09-18 Thread Janis

Hello,

This is my first question to the mailing list, so I hope I get this right.

I think it is better to describe the general architecture first and then 
what I am trying to achieve.


This Postfix instance is configured to use Dovecot SASL for LOGIN 
function and permissions. That part works. SASL auth is configured so 
that username is an email address. Only virtual mailboxes are used, but 
in this instance it is not that important, since the question is only 
about outgoing mail restrictions.


The problem is that authenticated senders can send "mail from" from 
whatever they please if I do not place any restrictions. Thus I decided 
to use:

smtp_sender_restrictions = reject_sender_login_mismatch

It limits "mail from" as expected, but the problem is that I must 
"duplicate" kind of what I already have in the Dovecot user database in 
the $smtpd_sender_login_maps file. I am using the hash type for 
$smtpd_sender_login_maps. It works very well with allowing to use an "alias 
e-mail" address as "mail from" as well.


What i would like to achieve is to permit sender to set "mail from" the 
same value as his SASL auth username or some specially allowed "alias 
e-mail" addresses that are defined somewhere. For example, if user1 is 
allowed to respond for his company, he would authenticate as 
us...@domain.tld and could set "mail from" 1) us...@domain.tld or 2) 
i...@domain.tld.


I can achieve this at the moment by writing both lines in the login_maps 
file, but it feels kind of the wrong way to do things. Is there a way not to 
duplicate Dovecot usernames and permit the 1st case restriction in "mail 
from", something like permit_sasl_username_as_mail_from?


I was looking directly at 
http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions, but 
none of the options seemed right for this use case. Maybe if I scratched 
my head a bit, I could come up with some "tricky" SQL query as a 
workaround and use reject_sender_login_mismatch, but maybe I have just 
overlooked some simple setting, thus I ask for any input.


Thank you!

Best wishes,
Janis




Re: Very selective relay

2020-09-18 Thread Viktor Dukhovni
On Fri, Sep 18, 2020 at 11:50:02AM +0200, Marek Kozlowski wrote:

> I've been asked a very strange question. According to the best of my 
> knowledge there is no setting but maybe I'm wrong:
> 
> Is it possible to define a very selective relay according to the 
> following pseudo code:
> 
> /* a, b and c are set to some single values */
> if (client's_IP==a)

smtpd_client_restrictions =
    permit_auth_destination,
    check_client_access inline:{ a=OK },
    reject

>  if (MAIL_FROM==b)

smtpd_sender_restrictions =
    permit_auth_destination,
    check_sender_access inline:{ b=OK },
    reject

>  if (RCPT_TO==c)

smtpd_recipient_restrictions =
    permit_auth_destination,
    check_recipient_access inline:{ c=OK },
    reject

-- 
Viktor.
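
The three restriction lists in the answer above act as a logical AND because every list is evaluated at RCPT TO (smtpd_delay_reject = yes, the default) and the first REJECT ends the transaction. The Python model below is an added illustration, not Postfix code: the client IP, the two addresses and the set of "auth destination" domains are constructed stand-ins for a, b and c. It matches access-table keys exactly only; real check_*_access lookups also try hostname, parent-domain and network-prefix keys, and on Postfix 2.10 and later smtpd_relay_restrictions is evaluated as well and must also allow the relay for client a.

```python
"""Model of the three smtpd restriction stages from the answer above.
Added illustration, not Postfix code. Values a, b and c are constructed."""

CLIENT_A = "192.0.2.10"             # the one client allowed to relay (constructed)
SENDER_B = "app@example.net"        # the one MAIL FROM it may use (constructed)
RECIPIENT_C = "inbox@example.org"   # the one RCPT TO it may relay to (constructed)

# Domains this Postfix accepts for itself (mydestination / relay_domains);
# permit_auth_destination permits mail addressed to them in every stage.
AUTH_DESTINATIONS = {"example.com"}


def permit_auth_destination(client, sender, recipient):
    domain = recipient.rpartition("@")[2].lower()
    return "OK" if domain in AUTH_DESTINATIONS else None


def check_access(field, table):
    """check_client_access / check_sender_access / check_recipient_access with an
    inline:{...} table. Exact-match only; Postfix also tries hostname, parent
    domain and network-prefix keys."""
    def restriction(client, sender, recipient):
        value = {"client": client, "sender": sender, "recipient": recipient}[field]
        return table.get(value.lower())
    return restriction


def reject(client, sender, recipient):
    return "REJECT"


STAGES = {
    "smtpd_client_restrictions":
        [permit_auth_destination, check_access("client", {CLIENT_A: "OK"}), reject],
    "smtpd_sender_restrictions":
        [permit_auth_destination, check_access("sender", {SENDER_B: "OK"}), reject],
    "smtpd_recipient_restrictions":
        [permit_auth_destination, check_access("recipient", {RECIPIENT_C: "OK"}), reject],
}


def evaluate_list(restrictions, client, sender, recipient):
    """Restrictions run in order; the first one that returns a verdict decides.
    None stands for DUNNO (no opinion). A list that ends with no verdict permits."""
    for restriction in restrictions:
        verdict = restriction(client, sender, recipient)
        if verdict is not None:
            return verdict
    return "OK"


def smtpd_decision(client, sender, recipient):
    """All lists are evaluated at RCPT TO and the first REJECT ends the
    transaction, so the stages combine as an AND: relaying to a non-local
    recipient needs client a AND sender b AND recipient c."""
    for name, restrictions in STAGES.items():
        if evaluate_list(restrictions, client, sender, recipient) != "OK":
            return "REJECT", name
    return "OK", None


if __name__ == "__main__":
    for args in [(CLIENT_A, SENDER_B, RECIPIENT_C),
                 ("198.51.100.7", SENDER_B, RECIPIENT_C),
                 (CLIENT_A, SENDER_B, "postmaster@example.com")]:
        print(args, "->", smtpd_decision(*args))
```

Mail to one of the auth destinations is permitted in every stage regardless of client or sender, which is what keeps the server's own inbound mail flowing while relaying is limited to the single (a, b, c) triple.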


Re: Relay delivery rules based on sender email

2020-09-18 Thread Viktor Dukhovni
On Wed, Sep 16, 2020 at 02:56:47AM +, MichaelV wrote:

> Can you please explain who to define delivery rules to relay messages
> to two different  mail servers based on senders email format.
> 
> relay rules to be configured:
> 
> rule1
> anything going to *@mycompany.org relay to:  
> mycompany.mail.protection.outlook.com:25
> 
> rule2
> anything coming from *@notifications.mycompany.org relay to 
> smtp.domain2.com:587
> 
> rule3
> not from from *@mycompany.org, or *@notifications.company.org, going to 
> external recipients relay to mycompany.mail.protection.outlook.com:25

This can be accomplished with sender_dependent_default_transport_maps:

1.  main.cf:
        indexed = ${default_database_type}:${config_directory}/
        transport_maps = ${indexed}transport

    transport:
        mycompany.org smtp:mycompany.mail.protection.outlook.com

2.  main.cf:
        sender_dependent_default_transport_maps = ${indexed}sender-transport

    sender-transport:
        notifications.mycompany.org smtp:smtp.domain2.com:587

3.  main.cf:
        default_transport = smtp:mycompany.mail.protection.outlook.com

Good luck.

-- 
Viktor.
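
The three steps above rely on a fixed precedence in Postfix's address resolution: a transport_maps hit for the recipient wins, otherwise a sender_dependent_default_transport_maps hit for the sender, otherwise default_transport. The Python model below is an added illustration, not Postfix code; its tables mirror the rules in the answer. Two details are worth knowing when writing the tables: transport(5) lookups try the full recipient address, then the domain, then parent domains written as ".parent"; and postconf(5) documents the sender-dependent table as searched by the full sender address and then by "@domain", with the constructed key "<>" standing in for the null sender (empty_address_default_transport_maps_lookup_key). The model ignores local and relay domains, which have their own transports.

```python
"""Model of transport resolution order: transport_maps (by recipient), then
sender_dependent_default_transport_maps (by sender), then default_transport.
Added illustration, not Postfix code; the tables are constructed from the answer."""

# rule1: transport_maps, keyed by recipient domain
TRANSPORT_MAPS = {
    "mycompany.org": "smtp:mycompany.mail.protection.outlook.com",
}

# rule2: sender_dependent_default_transport_maps, keyed "@domain" as postconf(5)
# describes; a null sender is looked up under "<>" by default.
SENDER_DEFAULT_TRANSPORT_MAPS = {
    "@notifications.mycompany.org": "smtp:smtp.domain2.com:587",
}

# rule3: default_transport
DEFAULT_TRANSPORT = "smtp:mycompany.mail.protection.outlook.com"


def transport_keys(recipient):
    """transport(5) search order: full address, the domain, then each parent
    domain as '.parent' (transport_maps is not in parent_domain_matches_subdomains
    by default, so subdomains only match the dotted form)."""
    _, _, domain = recipient.lower().rpartition("@")
    labels = domain.split(".")
    keys = [recipient.lower(), domain]
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return keys


def sender_keys(sender):
    """Sender-dependent tables: full sender address, then '@domain'.
    The null sender (bounces) is looked up under the '<>' key."""
    if sender == "":
        return ["<>"]
    _, _, domain = sender.lower().rpartition("@")
    return [sender.lower(), "@" + domain]


def lookup(table, keys):
    """Return the value of the first key that exists in the table, else None."""
    for key in keys:
        if key in table:
            return table[key]
    return None


def resolve_transport(sender, recipient):
    """Return the transport:nexthop the queue manager would use for this message."""
    hit = lookup(TRANSPORT_MAPS, transport_keys(recipient))
    if hit is not None:
        return hit                      # transport_maps overrides everything else
    hit = lookup(SENDER_DEFAULT_TRANSPORT_MAPS, sender_keys(sender))
    if hit is not None:
        return hit                      # sender-dependent default
    return DEFAULT_TRANSPORT            # global default


if __name__ == "__main__":
    for snd, rcpt in [("alert@notifications.mycompany.org", "bob@mycompany.org"),
                      ("alert@notifications.mycompany.org", "x@remote.example"),
                      ("ceo@mycompany.org", "x@remote.example"),
                      ("", "x@remote.example")]:
        print(f"{snd or '<>'} -> {rcpt}: {resolve_transport(snd, rcpt)}")
```

The first case is the one that catches people out: a notification message addressed to a mycompany.org mailbox goes to the Outlook endpoint, not to smtp.domain2.com, because the recipient-based transport_maps entry is consulted before the sender-based one.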


Re: postfix and MX

2020-09-18 Thread @lbutlr



> On 17 Sep 2020, at 19:11, Viktor Dukhovni  wrote:
> 
>> On Sep 17, 2020, at 9:30 PM, @lbutlr  wrote:
>> 
>> This may have changed, but I doubt it. If you do not have MX records
>> there are definitely mail servers out there that will not send mail
>> to you. Exchange for one at least used to refuse to deliver mail without
>> an MX record. I don't know if this is still the case as I am thankfully
>> at least 5 years from having to deal with anyone on Exchange server.
> 
> RFC 5321 was published 2008:

Oh, I am not saying they are right or compliant with the RFCs, but it 
absolutely does happen that some servers will not send mail without an MX 
record.

> dates back to April 201.  I would expect that 19 years is sufficient time
> for the news to have reached Redmond, WA.

Perhaps, but it was not the case in … checks 2014 when dealing with an Exchange 
Server of unknown version.

IIRC, craigslist also will not send emails to email addresses without MX 
records, but craigslist has many issues sending mail, so I may be remembering 
something else.

-- 
Last night I stayed up late playing poker with Tarot cards. I got a
full house and four people died.

Re: postfix and MX

2020-09-18 Thread @lbutlr
On 17 Sep 2020, at 19:24, Amari CH  wrote:
> Do you think if email will go to death in short future?

No, but its importance is already far less than it used to be. My kids (early 
18 and 23) rarely check their email (a couple of times a week, and only if they 
are expecting something important) and that behavior is mirrored by their peers.

Even I use email far less than I used to, and nearly no personal communication 
happens over email anymore. Generally I get list mail, receipts for purchases, 
login verifications, status messages from servers, and that’s about it.

-- 
"Are you pondering what I'm pondering?"
"Uh, I think so Brain, but how are we gonna teach a goat to dance
with flippers on?"

Re: postfix and MX

2020-09-18 Thread Antonio Leding
It’s important to differentiate between personal and professional use. 
 In the former, I agree email’s relevance & importance is diminishing 
largely due to social media and IM platforms.  But in the latter case, 
email will be with us for quite a long while…


- - -

On 18 Sep 2020, at 10:04, @lbutlr wrote:


On 17 Sep 2020, at 19:24, Amari CH  wrote:

Do you think if email will go to death in short future?


No, but its importance is already far less than it used to be. My 
kids (early 18 and 23) rarely check their email (a couple of times a 
week, and only if they are expecting something important) and that 
behavior is mirrored by their peers.


Even I use email far less than I used to, and nearly no personal 
communication happens over email anymore. Generally I get list mail, 
receipts for purchases, login verifications, status messages from 
servers, and that’s about it.


--
"Are you pondering what I'm pondering?"
"Uh, I think so Brain, but how are we gonna teach a goat to dance
with flippers on?"


Re: smtp_sender_restrictions

2020-09-18 Thread Viktor Dukhovni
On Fri, Sep 18, 2020 at 07:01:26PM +0300, Janis wrote:

> What I would like to achieve is to permit sender to set "mail from" the 
> same value as his SASL auth username or some specially allowed "alias 
> e-mail" addresses that are defined somewhere. For example, if user1 is 
> allowed to respond for his company, he would authenticate as 
> us...@domain.tld and could set "mail from" 1) us...@domain.tld or 2) 
> i...@domain.tld.
> 
> I can achieve this at the moment by writing both lines in the login_maps 
> file, but it feels kind of the wrong way to do things. Is there a way not to 
> duplicate Dovecot usernames and permit the 1st case restriction in "mail 
> from", something like permit_sasl_username_as_mail_from?
>
> I was looking directly at 
> http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions, but 
> none of the options seemed right for this use case.

Did you also look at:

?

That text reads in part:

Optional lookup table with the SASL login names that own the sender
(MAIL FROM) addresses.

Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found. With lookups from indexed files such as DB
or DBM, or from networked tables such as NIS, LDAP or SQL, the
following search operations are done with a sender address of
user@domain: 

Therefore, you can use:

main.cf:
    indexed = ${default_database_type}:${config_directory}/
    pcre = pcre:${config_directory}/
    smtpd_sender_login_maps =
        ${pcre}same-as-sender.pcre,
        ${indexed}adhoc

same-as-sender.pcre:
    # us...@example.org us...@example.org
    /^(.*)$/ $1

adhoc:
    # All the users allowed to send as "info@..."
    i...@example.org us...@example.org, us...@example.org, ...

> Maybe if I scratched 
> my head a bit, I could come up with some "tricky" SQL query as a 
> workaround and use reject_sender_login_mismatch, but maybe I have just 
> overlooked some simple setting, thus I ask for any input.

SQL can be a good option if it meshes well with the provisioning process
and the list of adhoc mappings is fairly dynamic.

-- 
Viktor.


Re: Send only configuration best practices?

2020-09-18 Thread Viktor Dukhovni
On Wed, Sep 16, 2020 at 04:39:12PM -0600, Bob Proulx wrote:

> What's the best configuration for a web server that does not receive
> mail but needs to send mail?

Send via a smarthost relay.  Use a valid envelope sender domain that
will receive (and, as appropriate, take note of) bounces.  Use a
valid "From" domain, but perhaps a "noreply" localpart.

For the header RFC2822.From localpart, you have a choice of either
silently discarding or rejecting mail to that address.  It is perhaps
more "friendly" to users who fail to notice the "noreply" localpart
to reject.

transport:
nore...@example.org error:5.1.1 This address does not receive email
nom...@example.org  discard:silently

The "nomail" variant is for silent discards, and is probably not what
you want in most cases, but is sometimes appropriate.

-- 
Viktor.


Re: smtp_sender_restrictions

2020-09-18 Thread Wietse Venema
Janis:
> Hello,
> 
> This is my first question to the mailing list, so I hope I get this right.
> 
> I think it is better to describe the general architecture first and then 
> what I am trying to achieve.
> 
> This Postfix instance is configured to use Dovecot SASL for LOGIN 
> function and permissions. That part works. SASL auth is configured so 
> that username is an email address. Only virtual mailboxes are used, but 
> in this instance it is not that important, since the question is only 
> about outgoing mail restrictions.
> 
> The problem is that authenticated senders can send "mail from" from 
> whatever they please if I do not place any restrictions. Thus I decided 
> to use:
> smtp_sender_restrictions = reject_sender_login_mismatch
> 
> It limits "mail from" as expected, but the problem is that I must 
> "duplicate" kind of what I already have in the Dovecot user database in 
> the $smtpd_sender_login_maps file. I am using the hash type for 
> $smtpd_sender_login_maps. It works very well with allowing to use an "alias 
> e-mail" address as "mail from" as well.

You could use regular expressions:

/etc/postfix/main.cf:
smtpd_sender_login_maps = pcre:/etc/postfix/sender_login

/etc/postfix/sender_login:
# each sender is 'owned' by the login with the same name.
/^(\S+@\S+)$/   $1

As long as the SASL login names are validated by trusted code,
this should be safe.

Wietse
> What i would like to achieve is to permit sender to set "mail from" the 
> same value as his SASL auth username or some specially allowed "alias 
> e-mail" addresses that are defined somewhere. For example, if user1 is 
> allowed to respond for his company, he would authenticate as 
> us...@domain.tld and could set "mail from" 1) us...@domain.tld or 2) 
> i...@domain.tld.
> 
> I can achieve this at the moment by writing both lines in the login_maps 
> file, but it feels kind of the wrong way to do things. Is there a way not to 
> duplicate Dovecot usernames and permit the 1st case restriction in "mail 
> from", something like permit_sasl_username_as_mail_from?
> 
> I was looking directly at 
> http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions, but 
> none of the options seemed right for this use case. Maybe if I scratched 
> my head a bit, I could come up with some "tricky" SQL query as a 
> workaround and use reject_sender_login_mismatch, but maybe I have just 
> overlooked some simple setting, thus I ask for any input.
> 
> Thank you!
> 
> Best wishes,
> Janis
> 
> 
> 
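
Both answers in this thread (the pcre same-as-sender table plus an indexed adhoc table, and the single regexp table) lean on two Postfix behaviours: reject_sender_login_mismatch rejects when the SASL login is not among the owners that smtpd_sender_login_maps returns for the MAIL FROM address (or when an unauthenticated client uses an address that has owners), and a list of lookup tables is searched in order until the first match. The Python model below is an added illustration, not Postfix code; the logins and addresses are constructed. It implements the indexed-table search order postconf(5) lists (user@domain, then domain, then user@) and shows why table order matters: a catch-all regexp that makes every address its own owner matches first, so an adhoc entry listed after it is never consulted and the alias address is rejected; listing the adhoc table first gives the intended result. Wietse's caveat applies to the regexp table in either order: it makes whatever the login name is the owner of the same-named sender, so the login names must come from trusted validation.

```python
"""Model of reject_sender_login_mismatch over an ordered smtpd_sender_login_maps
list. Added illustration, not Postfix code; all logins and addresses are constructed."""
import re

# pcre table: every sender address is owned by the login of the same name
# (Postfix writes the replacement as $1; Python's re uses \1).
SAME_AS_SENDER_PCRE = [(re.compile(r"^(\S+@\S+)$"), r"\1")]

# indexed table: role addresses and the logins allowed to use them (constructed).
ADHOC = {
    "info@example.org": "user1@example.org, user2@example.org",
}


def pcre_lookup(table, key):
    for pattern, replacement in table:
        m = pattern.match(key)
        if m:
            return m.expand(replacement)
    return None


def indexed_lookup(table, sender):
    """Indexed smtpd_sender_login_maps search order: user@domain, domain, user@."""
    local, _, domain = sender.rpartition("@")
    for key in (sender, domain, local + "@"):
        if key in table:
            return table[key]
    return None


def owners(maps, sender):
    """Search the tables in the given order; the first table that matches decides.
    The result is a comma/whitespace separated list of owning login names."""
    sender = sender.lower()
    for kind, table in maps:
        result = pcre_lookup(table, sender) if kind == "pcre" else indexed_lookup(table, sender)
        if result is not None:
            return {name for name in re.split(r"[,\s]+", result) if name}
    return set()


def sender_login_mismatch(maps, login, sender):
    """True when reject_sender_login_mismatch would reject: the client is logged
    in but its login does not own the sender (including 'nobody owns it'), or the
    client is not logged in and the sender has an owner. Names are compared in
    lowercase (an assumption of this model)."""
    owner_set = owners(maps, sender)
    if login is None:
        return bool(owner_set)
    return login.lower() not in owner_set


# Order as in the answer: catch-all regexp first, then the adhoc table.
MAPS_PCRE_FIRST = [("pcre", SAME_AS_SENDER_PCRE), ("indexed", ADHOC)]
# Adhoc table first, so the role address reaches its explicit owner list.
MAPS_ADHOC_FIRST = [("indexed", ADHOC), ("pcre", SAME_AS_SENDER_PCRE)]


if __name__ == "__main__":
    for maps_name, maps in [("pcre first", MAPS_PCRE_FIRST), ("adhoc first", MAPS_ADHOC_FIRST)]:
        for login, sender in [("user1@example.org", "user1@example.org"),
                              ("user1@example.org", "info@example.org"),
                              ("user3@example.org", "info@example.org"),
                              (None, "user1@example.org")]:
            verdict = "REJECT" if sender_login_mismatch(maps, login, sender) else "OK"
            print(f"[{maps_name}] login={login} sender={sender}: {verdict}")
```

The practical check is `postmap -q info@example.org pcre:same-as-sender.pcre` followed by the same query against the adhoc table: the first table that answers is the one Postfix will use, and if that is the regexp table, the alias mapping is dead configuration.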


Postfix stops accepting connections when primary dns is down.

2020-09-18 Thread listserv . traffic
I'm kind of baffled.
It's probably some really stupid issue that I'm going to hang my head in shame 
over, but I really can't wrap my head around it.

I've got a postfix box. It's accepting external mail fine. [And has been for 
some time.]
It's pointed at a couple of caching name-servers in the local network.
Let's call them NS1 and NS2.
NS1 is primary and NS2 is secondary.

Recently I noticed that when NS1 is down, postfix won't accept mail.
Yet digs from postfix get handled by NS2 fine, while NS1 is down.
[Just a plain dig, which uses NS2, when NS1 is down. Like so; dig some.f.q.d.n 
- and the results come from NS2, not NS1.]

Yet, if I change things so NS2 is primary and NS1 is secondary and take down 
NS1, mail doesn't get interrupted. [And does if I take down NS2]

Can someone give me some places to look that might yield some results?

TIA
-Greg




Re: Postfix stops accepting connections when primary dns is down.

2020-09-18 Thread Viktor Dukhovni
On Fri, Sep 18, 2020 at 07:33:24PM -0700, listserv.traf...@sloop.net wrote:

> I've got a postfix box. It's accepting external mail fine. [And has been for 
> some time.]
> It's pointed at a couple of caching name-servers in the local network.
> Let's call them NS1 and NS2.
> NS1 is primary and NS2 is secondary.
> 
> Recently I noticed that when NS1 is down, postfix won't accept mail.

Disable default domain suffixes in /etc/resolv.conf (and any copy in
/var/spool/postfix/etc if smtpd(8) is chrooted in master).

/etc/resolv.conf:
domain .
search .
...

> Yet digs from postfix get handled by NS2 fine, while NS1 is down.

Your forward and/or reverse zones may not be mirrored on the secondary,
or may be expiring too quickly.

-- 
Viktor.