[pfx] Restrict Sender Domain for Relay

2024-09-13 Thread Dan Lists via Postfix-users
I have a small email relay server that is used to allow IOT devices to send
email.  Some of those devices do not do authentication.   I'd like to
restrict the sender domain based on the IP.

I'm looking for something like smtpd_sender_login_maps, but for client IPs.

Example of a smtpd_sender_login_maps:

/@domain.tld/   account   # Only 'account' can send email from @domain.tld

Example of what I'm looking for:

/@domain.tld/   1.2.3.4,5.6.7.8   # Only the listed IPs can send email as @domain.tld


Bonus points if the solution can take CIDR notation in addition to IPs.

I've been re-reading the documents, but I don't see how to do this.

Does anyone know how to do this?
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Restrict Sender Domain for Relay

2024-09-13 Thread Dan Lists via Postfix-users
On Fri, Sep 13, 2024 at 10:50 AM Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:

> Dan Lists via Postfix-users:
> > I have a small email relay server that is used to allow IOT devices to
> send
> > email.  Some of those devices do not do authentication.   I'd like to
> > restrict the sender domain based on the IP.
> >
> > I'm looking for something like smtpd_sender_login_maps, but for client
> IPs.
>
> There is no IP-based analogon for smtpd_sender_login_maps,
> due to lack of demand.
>
> If you don't have a huge number of such IP addresses, perhaps a
> plugin with https://www.postfwd.org/ can do this.
>
> main.cf:
> smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:12345
>
> Make sure that this will not affect the services for submission
> (port 587) and submissions (port 465) in master.cf. They should
> look like:
>
> master.cf:
> submission inet n   -   n   -   -   smtpd
> ...
> -o smtpd_sender_restrictions=
> ...
> submissions inet n   -   n   -   -   smtpd
> ...
> -o smtpd_sender_restrictions=
> ...
>
> Alternatively, milter-regex may be able to do this.
>
> Wietse
>

Thanks for the information.

I was hoping to avoid using a policy daemon. I'll have a look at postfwd
and milter-regex.
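Wietse's check_policy_service suggestion, as an added example that is not part of the thread and is not postfwd: a minimal Python policy server speaking the Postfix access-policy protocol (a request is a set of `name=value` lines ended by an empty line; the answer is `action=...` followed by an empty line). It enforces "this client network may only use these sender domains". The POLICY table, the listening port (taken from Wietse's `inet:127.0.0.1:12345` line) and SAMPLE_REQUEST are constructed for illustration.

```python
"""Minimal Postfix access-policy server: client network -> allowed sender domains.

Added example, not code from the thread or from postfwd.  The policy table,
the port and the sample request below are constructed for illustration.
"""
import ipaddress
import socketserver

# Constructed policy table: client network -> sender domains it may use.
# First matching network wins, like a Postfix cidr: table.
POLICY = [
    (ipaddress.ip_network("192.0.2.0/28"), {"a.example"}),
    (ipaddress.ip_network("192.0.2.16/32"), {"b.example", "c.example"}),
]


def sender_domain(sender):
    """Lower-cased domain part of the MAIL FROM address ('' for the null sender)."""
    if "@" not in sender:
        return ""
    return sender.rsplit("@", 1)[1].lower()


def decide(client_address, sender):
    """Map (client IP, sender) to a Postfix access action."""
    try:
        ip = ipaddress.ip_address(client_address)
    except ValueError:
        return "DUNNO"  # no usable address (e.g. local socket): leave it to other restrictions
    domain = sender_domain(sender)
    for net, allowed in POLICY:
        if ip in net:
            if domain in allowed:
                return "DUNNO"
            # Covers the null sender too: an IoT client has no business sending bounces.
            return "REJECT Sender domain not permitted from this client"
    # Client not in the table: this policy says nothing, the restriction list continues.
    return "DUNNO"


def parse_request(text):
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def handle_request(text):
    """Full request text in, full response text ('action=...\\n\\n') out."""
    attrs = parse_request(text)
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO\n\n"
    action = decide(attrs.get("client_address", ""), attrs.get("sender", ""))
    return f"action={action}\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Postfix may send several requests over one connection; answer each in turn.
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return  # client closed the connection
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                lines.append(line)
                if line == "":
                    break
            self.wfile.write(handle_request("\n".join(lines) + "\n").encode())
            self.wfile.flush()


# Constructed sample request, shaped like what smtpd sends at the RCPT stage
# (smtpd_delay_reject=yes defers sender restrictions until then).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.5\n"
    "sender=sensor@b.example\n"
    "recipient=ops@a.example\n"
    "\n"
)

if __name__ == "__main__":
    print(handle_request(SAMPLE_REQUEST), end="")
    with socketserver.ThreadingTCPServer(("127.0.0.1", 12345), PolicyHandler) as srv:
        srv.serve_forever()
```

With this running, `smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:12345` makes smtpd ask it for every sender; a client outside the table gets DUNNO, so the server constrains only the networks it knows about and whether an unknown client may relay at all is still decided by the rest of the configuration. As Wietse notes, the submission and submissions services need `-o smtpd_sender_restrictions=` so authenticated clients are not run through it.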


[pfx] Re: Restrict Sender Domain for Relay

2024-09-16 Thread Dan Lists via Postfix-users
On Fri, Sep 13, 2024 at 10:22 PM Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:

> On Fri, Sep 13, 2024 at 10:29:21AM -0500, Dan Lists via Postfix-users wrote:
>
> > I have a small email relay server that is used to allow IOT devices to
> send
> > email.  Some of those devices do not do authentication.   I'd like to
> > restrict the sender domain based on the IP.
>
> How many distinct sender domains are in scope?  If it is just a small
> handful, you can use restriction classes:
>
> main.cf:
> smtpd_restriction_classes =
> require_sender_domain_a,
> require_sender_domain_b,
> require_sender_domain_c
>
> smtpd_client_restrictions =
> check_client_access cidr:{
> {192.0.2.1/32   require_sender_domain_a}
> {192.0.2.2/32   require_sender_domain_b}
> {192.0.2.3/32   require_sender_domain_c}
> ...
> }
>
> # Be meticulous with the PCRE syntax, ensuring the trailing '$'
> # anchor, leading '@' domain prefix, and escaping literal '.'
> # with '\'.  You can use "regexp" rather than "pcre" if that's
> # more convenient.  The syntax below is common to both.
> #
> require_sender_domain_a =
> check_sender_access pcre:{
> {if !/@a\.example$/}
> {/^/ REJECT for some reason}
> {endif}
> }
> require_sender_domain_b =
> check_sender_access pcre:{
> {if !/@b\.example$/}
> {/^/ REJECT for some reason}
> {endif}
> }
> require_sender_domain_c =
> check_sender_access pcre:{
> {if !/@c\.example$/}
> {/^/ REJECT for some reason}
> {endif}
> }
>
> > /@domain.tld/1.2.3.4,5.6.7.8  # Only list IPs can send email as
> > @domain.tld.
>
> You probably have more IPs than sender domains, and the latter are
> typically less volatile than the IPs, so with restriction classes, it
> makes more sense to map IPs to allowed domains, than domains to allowed
> IPs.
>
> --
> Viktor.
>

Thanks, that is some cool voodoo!

We have 8 domains currently and about 25 IPs and CIDR blocks.   The inline
tables would make this fairly manageable.

It looks like if an IP isn't in check_client_access but is allowed to relay
then that IP could send as whoever they like.  All IPs that relay would
have to be in check_client_access.

Could this be reversed?

smtpd_restriction_classes = check_client_access_a

smtpd_client_restrictions =
    check_sender_access pcre:{
        {/@a\.example$/  check_client_access_a}
    }

check_client_access_a =
    check_client_access cidr:{
        {192.168.1.0/24  DUNNO}
        {192.168.2.0/24  DUNNO}
        {0.0.0.0/0       REJECT Relay access denied}
    }
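Viktor's restriction-class layout, together with the point Dan raises about clients that are missing from the cidr: table, as an added example that is not part of the thread: a Python script that generates the main.cf fragment from a single client-network-to-domain table (so Dan's 25 networks and 8 domains live in one place and every CIDR is validated before it reaches Postfix) and emulates how smtpd evaluates the result. The CLIENTS table and the `require_sender_domain_*` class names are constructed for illustration.

```python
"""Generate Viktor's restriction-class main.cf fragment from one table and
emulate its evaluation.  Added example, not code from the thread; the CLIENTS
table and the class names are constructed."""
import ipaddress
import re

# Constructed table: client network -> the one sender domain it may use.
# First match wins, as in a Postfix cidr: table.
CLIENTS = [
    ("192.0.2.0/28", "a.example"),
    ("192.0.2.16/32", "b.example"),
    ("198.51.100.0/24", "c.example"),
]


def class_name(domain):
    """Restriction class names are main.cf parameter names: keep them plain."""
    return "require_sender_domain_" + re.sub(r"[^a-z0-9]", "_", domain.lower())


def render_main_cf(clients):
    """Emit smtpd_restriction_classes, the cidr: client map and one class per domain."""
    # ip_network(strict=True) refuses host bits set in a prefix, so typos fail here
    # rather than silently in Postfix.
    nets = [(ipaddress.ip_network(c), d) for c, d in clients]
    domains = sorted({d for _, d in nets})
    out = [
        "smtpd_restriction_classes =",
        "    " + ",\n    ".join(class_name(d) for d in domains),
        "",
        "smtpd_client_restrictions =",
        "    check_client_access cidr:{",
    ]
    for net, d in nets:
        out.append(f"        {{{net.with_prefixlen}  {class_name(d)}}}")
    out += ["    }", ""]
    for d in domains:
        # Same shape as Viktor's classes: anchored '@domain$', literal dots escaped.
        out += [
            f"{class_name(d)} =",
            "    check_sender_access pcre:{",
            f"        {{if !/@{re.escape(d)}$/}}",
            "        {/^/ REJECT Sender domain not permitted from this client}",
            "        {endif}",
            "    }",
        ]
    return "\n".join(out) + "\n"


def evaluate(clients, client_ip, sender):
    """Emulate check_client_access -> restriction class -> check_sender_access.

    Returns the action this restriction yields for (client_ip, sender)."""
    ip = ipaddress.ip_address(client_ip)
    for c, d in clients:
        if ip in ipaddress.ip_network(c):
            # pcre: tables are case-insensitive by default.
            if re.search(r"@" + re.escape(d) + r"$", sender, re.IGNORECASE):
                return "DUNNO"
            return "REJECT"
    # Not in the cidr: table: no class is selected, so this restriction says nothing
    # and the client is only constrained by whatever else allows it to relay.
    return "DUNNO"


if __name__ == "__main__":
    print(render_main_cf(CLIENTS))
```

The last branch of `evaluate` is the gap Dan describes: a client absent from the cidr: table is not rejected by this restriction, and whether it may relay is then decided by mynetworks and smtpd_relay_restrictions, so every network that is allowed to relay has to appear in the table.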