Re: smtpd_recipient_restrictions sequence
Hi Noel, many thanks for the reply. So if I need to restrict sending to some recipients that are exactly in mynetworks (this postfix instance relays email to another email-application on the same host), I have to put check_recipient_access regexp:/etc/postfix/recipient.regexp before permit_mynetworks, but have to warn any other admins not to place any OK rules in /etc/postfix/recipient.regexp? I do understand that it is bad practice to silently drop any email... but I just need to prevent this "other" email-application from sending auto-replies (NDRs) to "out of office" messages received from remote hosts (legitimate users)... (too much useless email: backscatter(s) ---> entire world sends "out of office" ---> to my "other" email-application via my postfix --> email-application sends NDR back to entire world as postmaster --> entire world sends "out of office" to my postmaster.. %) cool.. )

Tatiana

On Fri, Aug 14, 2009 at 10:22 AM, Noel Jones wrote:
> taphy wrote:
>>
>> Hi all,
>> I'm not so experienced in dealing with postfix unfortunately and not sure
>> if I'm not breaking something in my security with applying the following
>> smtpd_recipient_restrictions etc. (warn_if_reject - for the testing period
>> only, will remove it later):
>>
>> unknown_local_recipient_reject_code = 450
>> smtp_use_tls = yes
>> smtpd_use_tls = no
>> smtpd_tls_key_file = /etc/postfix/TLS/myhost.key
>> smtpd_tls_cert_file = /etc/postfix/TLS/myhost.crt.selfsigned
>> smtpd_tls_CAfile = /etc/postfix/TLS/myhost.crt.selfsigned
>> smtpd_tls_loglevel = 2
>> smtpd_tls_received_header = yes
>>
>> smtpd_sender_restrictions =
>>     permit_mynetworks,
>>     check_sender_access hash:/etc/postfix/sender_checks,
>>
>> smtpd_recipient_restrictions =
>>     warn_if_reject check_recipient_access regexp:/etc/postfix/recipient.regexp,
>>     permit_mynetworks,
>>     reject_unauth_destination,
>
> your check_recipient_access map should go right here, just after
> reject_unauth_destination. This prevents accidental open relay if you put
> an OK in that file.
>
>>     warn_if_reject reject_unknown_sender_domain,
>>     reject_rbl_client zen.spamhaus.org,
>>     reject_rbl_client bl.spamcop.net,
>>     permit
>> smtpd_helo_restrictions =
>>     warn_if_reject reject_invalid_hostname,
>> smtpd_require_helo = yes
>> default_destination_concurrency_limit = 10
>> default_process_limit = 50
>>
>> in /etc/postfix/sender_checks:
>> myhost.myfirstdomain.net REJECT
>> localhost REJECT
>>
>> in /etc/postfix/recipient.regexp something like this (the real regexp works ok,
>> no problem):
>>
>> !/(^postmaster|^support|^(\+)?[0-9]+)@myseconddomain|(.*)@(myhost\.)?myfirstdomain/ 550 illegal recipient
>>
>> questions:
>> How does check_recipient_access work in case no match for the message
>> is found in /etc/postfix/recipient.regexp: will such a message be considered
>> ok and sent to the recipient immediately, or will it pass further through the
>> rest of the chain of rules in smtpd_recipient_restrictions?
>
> If no match is found, the next restriction in your list is tried. In your
> above example, that would be permit_mynetworks.
>
>> Also I still have no clear understanding of what permit_mynetworks
>> exactly means in the context of smtpd_recipient_restrictions - is it
>> allowance to send TO any of my networks or to send FROM any of my networks?
>> (in other words, is "mynetworks" = sender or "mynetworks" = rcpt here?)
>
> Any client IP listed in mynetworks will skip the rest of
> smtpd_recipient_restrictions. This is independent of sender or recipient,
> but based solely on the client IP.
>
>> the last question ( :) sorry for asking a lot ) - can I just silently drop
>> messages with /etc/postfix/recipient.regexp without sending anything back
>> to the unsuccessful sender?
>
> You can, but generally this is considered bad practice.
> REJECT should be sufficient for the vast majority of cases. Use DISCARD if
> you want to accept a message and silently discard it. Note this affects all
> recipients of a multi-recipient message.
>
> -- Noel Jones
Re: smtpd_recipient_restrictions sequence
Joel, hi again

Also a question: "Use DISCARD if you want to accept a message and silently discard it. Note this affects ALL recipients of a multi-recipient message."

How exactly does postfix deal with multi-recipient messages? Are there any differences from a simple telnet smtp session where I send multiple "rcpt to: "?

I've actually tested this rule with telnet and got the following results (this was a test environment where all rcpts were aliased to taphy, except for `123, which does not exist at all, and aaa55, an existing local user. Legal messages were sent without warnings; only the illegal ones were warned about):

postfix/smtpd[11264]: connect from unknown[192.168.11.1]
postfix/smtpd[11264]: 763CA481D0: client=unknown[192.168.11.1]
postfix/smtpd[11264]: 763CA481D0: reject_warning: RCPT from unknown[192.168.11.1]: 550 : Recipient address rejected: illegal recipient; from= to= proto=SMTP helo=
postfix/smtpd[11264]: 763CA481D0: reject_warning: RCPT from unknown[192.168.11.1]: 550 : Recipient address rejected: illegal recipient; from= to= proto=SMTP helo=
postfix/smtpd[11264]: 763CA481D0: reject_warning: RCPT from unknown[192.168.11.1]: 550 <`...@myseconddomain.net>: Recipient address rejected: illegal recipient; from= to=<`...@myseconddomain.net> proto=SMTP helo=
postfix/smtpd[11264]: 763CA481D0: reject: RCPT from unknown[192.168.11.1]: 450 <`...@myseconddomain.net>: User unknown in local recipient table; from= to=<`...@myseconddomain.net> proto=SMTP helo=
postfix/cleanup[11266]: 763CA481D0: message-id=<20090813024521.763ca48...@myseconddomain.net>
postfix/nqmgr[11263]: 763CA481D0: from=, size=325, nrcpt=7 (queue active)
postfix/local[11271]: 763CA481D0: to=, relay=local, delay=75, status=sent (mailbox)
postfix/local[11270]: 763CA481D0: to=, orig_to=<1...@myseconddomain.net>, relay=local, delay=75, status=sent (mailbox)
postfix/local[11268]: 763CA481D0: to=, orig_to=<+...@myseconddomain.net>, relay=local, delay=76, status=sent (mailbox)
postfix/local[11272]: 763CA481D0: to=, orig_to=, relay=local, delay=76, status=sent (mailbox)
postfix/local[11269]: 763CA481D0: to=, orig_to=<12...@myseconddomain.net>, relay=local, delay=76, status=sent (mailbox)
postfix/local[11274]: 763CA481D0: to=, relay=local, delay=77, status=sent (mailbox)
postfix/local[11273]: 763CA481D0: to=, orig_to=, relay=local, delay=77, status=sent (mailbox)
Re: smtpd_recipient_restrictions sequence
Noel, many thanks a lot for the information, it is much clearer now.

Tatiana

On Fri, Aug 14, 2009 at 11:41 AM, Noel Jones wrote:
> tatiana philippova wrote:
>>
>> Joel, hi again
>>
>> Also a question:
>> "Use DISCARD if you want to accept a message and silently discard it.
>> Note this affects ALL recipients of a multi-recipient message."
>>
>> How exactly does postfix deal with multi-recipient messages? Are there
>> any differences from a simple telnet smtp session where I send multiple
>> "rcpt to: "?
>
> DISCARD always affects all recipients of a multi-recipient message. Postfix
> will indicate the message has been accepted, then later silently discard it.
>
> REJECT usually affects only the "current" recipient of a multi-recipient
> message, but this behavior can be affected by which smtpd_*_restrictions
> section the REJECT appears in, and the setting of smtpd_delay_reject.
>
> See the archives and postfix docs for further details.
>
> -- Noel Jones
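The two points Noel makes in this thread (the access map belongs after reject_unauth_destination so a stray OK cannot open the relay, and DISCARD drops the whole message while REJECT answers one RCPT TO at a time) can be seen with a small model of how smtpd walks smtpd_recipient_restrictions. This is an added example for the thread, not Postfix code: it models only the restrictions discussed (check_recipient_access over a regexp table, permit_mynetworks, reject_unauth_destination, permit) and the OK/REJECT/DISCARD actions; the networks, domains, the example.org OK row and the client addresses are constructed sample values, and the regexp is the one posted above.

```python
"""Toy model of how Postfix walks smtpd_recipient_restrictions (added example,
not Postfix source). It covers only the restrictions discussed in the thread
and the OK / REJECT / DISCARD actions, to show why map order matters and how
REJECT and DISCARD differ on a multi-recipient message."""
import ipaddress
import re

# Constructed stand-ins for main.cf mynetworks and mydestination.
MYNETWORKS = [ipaddress.ip_network("192.168.11.0/24"), ipaddress.ip_network("127.0.0.0/8")]
MYDESTINATION = {"myseconddomain.net", "myfirstdomain.net", "myhost.myfirstdomain.net"}

# Pattern from the thread's recipient.regexp; a leading '!' negates the match.
ILLEGAL_RCPT = r"(^postmaster|^support|^(\+)?[0-9]+)@myseconddomain|(.*)@(myhost\.)?myfirstdomain"
REJECT_TABLE = [("!", ILLEGAL_RCPT, "550 illegal recipient")]
DISCARD_TABLE = [("!", ILLEGAL_RCPT, "DISCARD")]
# Hypothetical: another admin adds an OK row at the top of the same table.
TABLE_WITH_OK = [("", r"@example\.org$", "OK")] + REJECT_TABLE


def lookup_regexp(table, key):
    """First matching row wins, like a Postfix regexp: table (unanchored search,
    case-insensitive). Returns the row's action, or None when nothing matches."""
    for negate, pattern, action in table:
        hit = re.search(pattern, key, re.IGNORECASE) is not None
        if hit != (negate == "!"):
            return action
    return None


def evaluate(restrictions, table, client_ip, recipient):
    """Walk the restriction list in order; the first one that yields a verdict
    ends evaluation. A table lookup with no match is 'DUNNO': move on."""
    client = ipaddress.ip_address(client_ip)
    domain = recipient.rsplit("@", 1)[-1].lower()
    for r in restrictions:
        if r == "permit_mynetworks":
            # Decided purely by client IP, never by sender or recipient.
            if any(client in net for net in MYNETWORKS):
                return "OK"
        elif r == "reject_unauth_destination":
            if domain not in MYDESTINATION:
                return "554 Relay access denied"
        elif r == "check_recipient_access":
            action = lookup_regexp(table, recipient)
            if action is not None:
                return action
        elif r == "permit":
            return "OK"
        else:
            raise ValueError(f"unmodelled restriction {r}")
    return "OK"  # falling off the end of the list permits


def smtp_session(restrictions, table, client_ip, recipients):
    """Simulate the RCPT TO loop of one session. Returns the reply given for
    each recipient and the list of recipients the message actually reaches."""
    replies, accepted, discard = {}, [], False
    for rcpt in recipients:
        verdict = evaluate(restrictions, table, client_ip, rcpt)
        if verdict == "OK":
            replies[rcpt] = "250 Ok"
            accepted.append(rcpt)
        elif verdict == "DISCARD":
            # Accepted on the wire, but the whole message is dropped later.
            replies[rcpt] = "250 Ok"
            accepted.append(rcpt)
            discard = True
        else:
            replies[rcpt] = verdict  # REJECT answers this recipient only
    return replies, [] if discard else accepted


# Order as originally posted vs. the order Noel recommends.
POSTED = ["check_recipient_access", "permit_mynetworks", "reject_unauth_destination", "permit"]
RECOMMENDED = ["permit_mynetworks", "reject_unauth_destination", "check_recipient_access", "permit"]


def open_relay_demo():
    """An outside client sending to an outside domain once the OK row exists."""
    outside, rcpt = "203.0.113.5", "someone@example.org"
    return (evaluate(POSTED, TABLE_WITH_OK, outside, rcpt),
            evaluate(RECOMMENDED, TABLE_WITH_OK, outside, rcpt))


def multi_recipient_demo(table):
    """Same mynetworks client, one legal and one illegal recipient."""
    return smtp_session(POSTED, table, "192.168.11.1",
                        ["postmaster@myseconddomain.net", "bogus@myseconddomain.net"])


if __name__ == "__main__":
    print("posted order / recommended order:", open_relay_demo())
    print("REJECT table:", multi_recipient_demo(REJECT_TABLE))
    print("DISCARD table:", multi_recipient_demo(DISCARD_TABLE))
```

With the posted order the OK row answers before reject_unauth_destination ever runs, so the outside client gets "OK" for an outside recipient; with the recommended order the same lookup is never reached and the relay attempt gets "554 Relay access denied". With the REJECT table only bogus@ gets the 550 and postmaster@ is still delivered; with the DISCARD table both recipients see "250 Ok" and nothing is delivered.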