[opensuse] Post Restrict local.domain.com to local.domain.com ::ffff:ip (OpenSUSE 10.2)
Hello,
I have a complete forward and reverse DNS setup for local.domain.com and I
am trying to restrict all 192.168.x.x addresses. I am using in main.cf
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_only, reject
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions =
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders,
permit_sasl_authenticated,permit_mynetworks,check_relay_domains
and local_only has all 64770 entries below.
192.168.0.1 OK
192.168.0.2 OK
...
192.168.255.253 OK
192.168.255.254 OK
I am seeing in the log.
Aug 22 16:34:57 domain amavis[28466]: (28466-01) Passed CLEAN, [192.168.56.137]
Boyd Lynn Gerber wrote:
Hello,
I have a complete forward and reverse DNS setup for local.domain.com and I am trying to restrict all 192.168.x.x addresses. I am using in main.cf
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_only, reject
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions =
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders,
permit_sasl_authenticated,permit_mynetworks,check_relay_domains
and local_only has all 64770 entries below.
192.168.0.1 OK
192.168.0.2 OK
...
192.168.255.253 OK
192.168.255.254 OK
Looks like scrambled eggs. (^-^)
A restriction class in Postfix is meant to combine two different checks. I still don't really know what exactly you want to restrict.
Do you mean that you want to restrict all CLIENTS in 192.168.0.0/16 to send only to local domains?
In that case you would use something like this:
smtpd_restriction_classes = local_only
local_only = reject_unlisted_recipient permit_auth_destination
smtpd_recipient_restrictions =
check_client_access cidr:/etc/postfix/clients_local_only
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
....
/etc/postfix/clients_local_only:
192.168.0.0/16 local_only
The check_client_access MUST NOT return OK because that would allow the client to relay (in the order of checks it appears before reject_unauth_destination can restrict the destination).
--
Sandy
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Thu, 23 Aug 2007, Sandy Drobic wrote:
Looks like scrambled eggs. (^-^)
Sadly, yes
A restriction class in Postfix is meant to combine two different checks. I still don't really know what exactly you want to restrict.
Do you mean that you want to restrict all CLIENTS in 192.168.0.0/16 to send only to local domains?
Yes, 192.168.0.0/16 only can send between 192.168.0.0/16
In that case you would use something like this:
smtpd_restriction_classes = local_only
local_only = reject_unlisted_recipient permit_auth_destination
smtpd_recipient_restrictions =
check_client_access cidr:/etc/postfix/clients_local_only
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
/etc/postfix/clients_local_only:
192.168.0.0/16 local_only
That is what I have now, but they can send outside of 192.168.x.x. The
access file I have modified to also have the local_only. This is my
main.cf file.
----------------------------------Main.cf-------------------------------
recipient_delimiter = +
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
html_directory = /usr/share/doc/packages/postfix/html
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/packages/postfix/samples
readme_directory = /usr/share/doc/packages/postfix/README_FILES
inet_protocols = all
biff = no
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = domain.domain.com
program_directory = /usr/lib/postfix
inet_interfaces = all
masquerade_domains = domain.com
mydestination = domain.com, $myhostname, localhost.$mydomain, mail.domain.com
defer_transports =
mynetworks_style = subnet
disable_dns_lookups = no
relayhost =
mailbox_command =
mailbox_transport =
strict_8bitmime = no
disable_mime_output_conversion = no
strict_rfc821_envelopes = no
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 10240000
smtpd_restriction_classes = local_only
local_only =
reject_unlisted_recipient
permit_auth_destination
smtpd_recipient_restrictions =
check_client_access cidr:/etc/postfix/clients_local_only
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
home_mailbox = Maildir/
header_checks = regexp:/etc/postfix/maps/header_checks
mime_header_checks = regexp:/etc/postfix/maps/mime_header_checks
body_checks = regexp:/etc/postfix/maps/body_checks
----------------------------------Main.cf-------------------------------
--
Boyd Gerber
Boyd Lynn Gerber wrote:
On Thu, 23 Aug 2007, Sandy Drobic wrote:
Looks like scrambled eggs. (^-^)
Sadly, yes
A restriction class in Postfix is meant to combine two different checks. I still don't really know what exactly you want to restrict.
Do you mean that you want to restrict all CLIENTS in 192.168.0.0/16 to send only to local domains?
Yes, 192.168.0.0/16 only can send between 192.168.0.0/16
In that case you would use something like this:
smtpd_restriction_classes = local_only
local_only = reject_unlisted_recipient permit_auth_destination
My bad...
local_only = reject_unlisted_recipient permit_auth_destination reject
smtpd_recipient_restrictions =
check_client_access cidr:/etc/postfix/clients_local_only
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
/etc/postfix/clients_local_only:
192.168.0.0/16 local_only
That is what I have now, but they can send outside of 192.168.x.x. The access file I have modified to also have the local_only. This is my main.cf file.
No wonder, I forgot to add "reject" at the end of the restriction class. This will reject all mails to domains for which your server is not responsible, in other words, no relaying allowed. While it is possible to check the MX for a domain (check_recipient_mx_access), for security reasons you can't use "OK" as result for such a check. But "permit_auth_destination" should do the trick.
----------------------------------Main.cf-------------------------------
Better send the output of "postconf -n", it is much more readable.
--
Sandy
On Fri, 24 Aug 2007, Sandy Drobic wrote:
Boyd Lynn Gerber wrote:
On Thu, 23 Aug 2007, Sandy Drobic wrote:
Looks like scrambled eggs. (^-^)
Sadly, yes
A restriction class in Postfix is meant to combine two different checks. I still don't really know what exactly you want to restrict.
Do you mean that you want to restrict all CLIENTS in 192.168.0.0/16 to send only to local domains?
Yes, 192.168.0.0/16 only can send between 192.168.0.0/16
In that case you would use something like this:
smtpd_restriction_classes = local_only
local_only = reject_unlisted_recipient permit_auth_destination
My bad...
local_only = reject_unlisted_recipient permit_auth_destination reject
This solved the problem.
--
Boyd Gerber
Boyd Lynn Gerber wrote:
On Fri, 24 Aug 2007, Sandy Drobic wrote:
local_only = reject_unlisted_recipient permit_auth_destination reject
This solved the problem.
The difference from "reject_unauth_destination" is that permit_auth_destination will stop the evaluation of the checks and permit the request, while reject_unauth_destination (like mouss suggested) will only reject relay attempts and otherwise continue with the checks behind reject_unauth_destination. So the mail could still be rejected for other reasons like greylisting, RBLs etc. It is also the reason why I suggested reject_unlisted_recipient first, to make sure that the recipient is valid before accepting the mail with permit_auth_destination.
--
Sandy
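As an added illustration (not code from the thread or from Postfix), a small Python model of how smtpd walks smtpd_recipient_restrictions. It shows both points Sandy makes: why the class without the trailing "reject" fell through to permit_mynetworks and let the 192.168.x.x clients relay, and why permit_auth_destination ends the evaluation while reject_unauth_destination lets later checks run. The local domains, valid mailboxes and the mynetworks range are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for the thread's setup (assumptions, not taken from
# the mails): the local domains from mydestination, a few valid mailboxes,
# and mynetworks covering the LAN as mynetworks_style = subnet would.
LOCAL_DOMAINS = {"domain.com", "mail.domain.com"}
VALID_RECIPIENTS = {"alice@domain.com", "bob@mail.domain.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# cidr:/etc/postfix/clients_local_only as posted: the value names a class
CLIENTS_LOCAL_ONLY = [(ipaddress.ip_network("192.168.0.0/16"), "local_only")]
# the two versions of the class from the thread, and the outer list
CLASS_WITHOUT_REJECT = ["reject_unlisted_recipient", "permit_auth_destination"]
CLASS_WITH_REJECT = CLASS_WITHOUT_REJECT + ["reject"]
RECIPIENT_RESTRICTIONS = ["check_client_access", "permit_sasl_authenticated",
                          "permit_mynetworks", "reject_unauth_destination"]

def evaluate(restrictions, classes, client, recipient, sasl=False):
    """First restriction returning OK or REJECT decides, DUNNO continues;
    a class is a nested list whose final DUNNO lets the outer list go on."""
    ip = ipaddress.ip_address(client)
    domain = recipient.rsplit("@", 1)[-1].lower()
    local = domain in LOCAL_DOMAINS
    for r in restrictions:
        if r == "check_client_access":  # look the client up in the cidr table
            r = next((act for net, act in CLIENTS_LOCAL_ONLY if ip in net), "DUNNO")
        if r in classes:                # table value named a class: run it
            res = evaluate(classes[r], classes, client, recipient, sasl)
        elif r.upper() in ("OK", "REJECT"):
            res = r.upper()
        elif r == "permit_sasl_authenticated":
            res = "OK" if sasl else "DUNNO"
        elif r == "permit_mynetworks":
            res = "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"
        elif r == "permit_auth_destination":
            res = "OK" if local else "DUNNO"
        elif r == "reject_unauth_destination":
            res = "DUNNO" if local else "REJECT"
        elif r == "reject_unlisted_recipient":
            res = "REJECT" if local and recipient.lower() not in VALID_RECIPIENTS else "DUNNO"
        else:
            res = "DUNNO"
        if res != "DUNNO":
            return res
    return "DUNNO"

def decide(client, recipient, with_reject, sasl=False):
    # reaching the end of smtpd_recipient_restrictions undecided means accept
    classes = {"local_only": CLASS_WITH_REJECT if with_reject else CLASS_WITHOUT_REJECT}
    res = evaluate(RECIPIENT_RESTRICTIONS, classes, client, recipient, sasl)
    return "OK" if res == "DUNNO" else res
```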