[opensuse] Post Restrict local.domain.com to local.domain.com ::ffff:ip (OpenSUSE 10.2)
Hello,

I have a complete forward and reverse DNS setup for local.domain.com and I am trying to restrict all 192.168.x.x addresses. I am using in main.cf

    smtpd_restriction_classes = local_only
    local_only = check_recipient_access hash:/etc/postfix/local_only, reject
    smtpd_sender_restrictions = hash:/etc/postfix/access
    smtpd_client_restrictions =
    smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders, permit_sasl_authenticated, permit_mynetworks, check_relay_domains

and local_only has all 64770 entries below.

    192.168.0.1 OK
    192.168.0.2 OK
    ...
    192.168.255.253 OK
    192.168.255.254 OK

I am seeing in the log:

    Aug 22 16:34:57 domain amavis[28466]: (28466-01) Passed CLEAN, [192.168.56.137] <bk9729@domain.com> -> <gerberb@zenez.com>, Message-ID: <000001c7e50c$a763eae0$8938a8c0@Computer24>, mail_id: 3JJwAafw5Rhl, Hits: -4.147, 6911 ms
    Aug 22 16:34:57 domain postfix/smtp[28583]: AAED3A0C9A: to=<gerberb@zenez.com>, relay=127.0.0.1[127.0.0.1], delay=8, status=sent (250 2.6.0 Ok, id=28466-01, from MTA([127.0.0.1]:10025): 250 Ok: queued as 858ACA0CED)
    Aug 22 16:34:57 domain postfix/qmgr[4201]: AAED3A0C9A: removed
    Aug 22 16:35:18 domain pop3d: Connection, ip=[::ffff:192.168.56.137]
    Aug 22 16:35:19 domain pop3d: LOGIN, user=bk9729, ip=[::ffff:192.168.56.137]
    Aug 22 16:35:19 domain pop3d: LOGOUT, user=bk9729, ip=[::ffff:192.168.56.137], top=0, retr=0, time=0
    Aug 22 16:35:23 domain postfix/smtp[28583]: 858ACA0CED: to=<gerberb@zenez.com>, relay=zenez.com[166.70.62.2], delay=26, status=sent (250 2.0.0 Ok: queued as B04573F680)
    Aug 22 16:35:23 domain postfix/qmgr[4201]: 858ACA0CED: removed
    Aug 22 16:35:34 domain pop3d: Connection, ip=[::ffff:192.168.56.137]
    Aug 22 16:35:34 domain pop3d: LOGIN, user=bk9729, ip=[::ffff:192.168.56.137]
    Aug 22 16:35:34 domain pop3d: LOGOUT, user=bk9729, ip=[::ffff:192.168.56.137], top=0, retr=0, time=0
    Aug 22 16:38:10 domain postfix/anvil[28580]: statistics: max connection rate 1/60s for (smtp:192.168.56.137) at Aug 22 16:34:44
    Aug 22 16:38:10 domain postfix/anvil[28580]: statistics: max connection count 1 for (smtp:192.168.56.137) at Aug 22 16:34:44
    Aug 22 16:38:10 domain postfix/anvil[28580]: statistics: max cache size 1 at Aug 22 16:34:44

So I think the problem is that postfix is comparing ::ffff:192.168.56.137 instead of 192.168.56.137. Or I may be missing something more. Any ideas on how to fix this?

Thanks,

-- 
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Boyd Lynn Gerber wrote:
Hello,
I have a complete forward and reverse DNS setup for local.domain.com and I am trying to restrict all 192.168.x.x addresses. I am using in main.cf
    smtpd_restriction_classes = local_only
    local_only = check_recipient_access hash:/etc/postfix/local_only, reject
    smtpd_sender_restrictions = hash:/etc/postfix/access
    smtpd_client_restrictions =
    smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders, permit_sasl_authenticated, permit_mynetworks, check_relay_domains
and local_only has all 64770 entries below.
    192.168.0.1 OK
    192.168.0.2 OK
    ...
    192.168.255.253 OK
    192.168.255.254 OK
Looks like scrambled eggs. (^-^)

A restriction class in Postfix is meant to combine two different checks. I still don't really know what exactly you want to restrict. Do you mean that you want to restrict all CLIENTS in 192.168.0.0/16 to send only to local domains?

In that case you would use something like this:

    smtpd_restriction_classes = local_only
    local_only = reject_unlisted_recipient permit_auth_destination
    smtpd_recipient_restrictions =
        check_client_access cidr:/etc/postfix/clients_local_only
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination
        ....

/etc/postfix/clients_local_only:

    192.168.0.0/16 local_only

The check_client_access MUST NOT return OK because that would allow the client to relay (in the order of checks it appears before reject_unauth_destination can restrict the destination).

-- 
Sandy
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
On Thu, 23 Aug 2007, Sandy Drobic wrote:
Looks like scrambled eggs. (^-^)
Sadly, yes
A restriction class in Postfix is meant to combine two different checks. I still don't really know what exactly you want to restrict.
Do you mean that you want to restrict all CLIENTS in 192.168.0.0/16 to send only to local domains?
Yes, 192.168.0.0/16 only can send between 192.168.0.0/16
In that case you would use something like this:
    smtpd_restriction_classes = local_only
    local_only = reject_unlisted_recipient permit_auth_destination
    smtpd_recipient_restrictions =
        check_client_access cidr:/etc/postfix/clients_local_only
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination
/etc/postfix/clients_local_only:

    192.168.0.0/16 local_only
That is what I have now, but they can send outside of 192.168.x.x. The access file I have modified to also have the local_only. This is my main.cf file.

----------------------------------Main.cf-------------------------------
recipient_delimiter = +
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
html_directory = /usr/share/doc/packages/postfix/html
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/packages/postfix/samples
readme_directory = /usr/share/doc/packages/postfix/README_FILES
inet_protocols = all
biff = no
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = domain.domain.com
program_directory = /usr/lib/postfix
inet_interfaces = all
masquerade_domains = domain.com
mydestination = domain.com, $myhostname, localhost.$mydomain, mail.domain.com
defer_transports =
mynetworks_style = subnet
disable_dns_lookups = no
relayhost =
mailbox_command =
mailbox_transport =
strict_8bitmime = no
disable_mime_output_conversion = no
strict_rfc821_envelopes = no
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 10240000
smtpd_restriction_classes = local_only
local_only = reject_unlisted_recipient permit_auth_destination
smtpd_recipient_restrictions = check_client_access cidr:/etc/postfix/clients_local_only permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
home_mailbox = Maildir/
header_checks = regexp:/etc/postfix/maps/header_checks
mime_header_checks = regexp:/etc/postfix/maps/mime_header_checks
body_checks = regexp:/etc/postfix/maps/body_checks
----------------------------------Main.cf-------------------------------
Boyd Lynn Gerber wrote:
On Thu, 23 Aug 2007, Sandy Drobic wrote:
Looks like scrambled eggs. (^-^)
Sadly, yes
A restriction class in Postfix is meant to combine two different checks. I still don't really know what exactly you want to restrict.
Do you mean that you want to restrict all CLIENTS in 192.168.0.0/16 to send only to local domains?
Yes, 192.168.0.0/16 only can send between 192.168.0.0/16
In that case you would use something like this:
    smtpd_restriction_classes = local_only
    local_only = reject_unlisted_recipient permit_auth_destination

My bad...

    local_only = reject_unlisted_recipient permit_auth_destination reject

    smtpd_recipient_restrictions =
        check_client_access cidr:/etc/postfix/clients_local_only
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

/etc/postfix/clients_local_only:

    192.168.0.0/16 local_only
That is what I have now, but they can send outside of 192.168.x.x. The access file I have modified to also have the local_only. This is my main.cf file.
No wonder, I forgot to add "reject" at the end of the restriction class. This will reject all mails to domains for which your server is not responsible, in other words, no relaying allowed. While it is possible to check the MX for a domain (check_recipient_mx_access), for security reasons you can't use "OK" as result for such a check. But "permit_auth_destination" should do the trick.
----------------------------------Main.cf-------------------------------
Better send the output of "postconf -n", it is much more readable.
On Fri, 24 Aug 2007, Sandy Drobic wrote:
Boyd Lynn Gerber wrote:
On Thu, 23 Aug 2007, Sandy Drobic wrote:
Looks like scrambled eggs. (^-^)
Sadly, yes
A restriction class in Postfix is meant to combine two different checks. I still don't really know what exactly you want to restrict.
Do you mean that you want to restrict all CLIENTS in 192.168.0.0/16 to send only to local domains?
Yes, 192.168.0.0/16 only can send between 192.168.0.0/16
In that case you would use something like this:
    smtpd_restriction_classes = local_only
    local_only = reject_unlisted_recipient permit_auth_destination
My bad...
    local_only = reject_unlisted_recipient permit_auth_destination reject
This solved the problem.
Boyd Lynn Gerber wrote:
On Fri, 24 Aug 2007, Sandy Drobic wrote:
    local_only = reject_unlisted_recipient permit_auth_destination reject

This solved the problem.
The difference from "reject_unauth_destination" is that permit_auth_destination will stop the evaluation of the checks and permit the request, while reject_unauth_destination (like mouss suggested) will only reject relay attempts and otherwise continue with the checks behind reject_unauth_destination. So the mail could still be rejected for other reasons like greylisting, RBLs etc. It is also the reason why I suggested reject_unlisted_recipient first: to make sure that the recipient is valid before accepting the mail with permit_auth_destination.
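The evaluation-order behaviour Sandy relies on in the last two replies (a class that ends without a decision returns DUNNO, so the outer list carries on to permit_mynetworks; an OK from check_client_access permits before reject_unauth_destination is ever reached; permit_auth_destination ends evaluation, and a trailing reject closes the class) can be worked through with a small model of how smtpd walks smtpd_recipient_restrictions. The following is an added example written for this page; it is not Postfix code and not something either poster ran. The mydestination set, the subnets that mynetworks_style = subnet expands to, and the set of valid local mailboxes are constructed assumptions chosen to match the thread.

```python
"""Model of how Postfix smtpd walks smtpd_recipient_restrictions.

Added example for this thread, not Postfix source and not the posters' code.
It implements only the rules the thread turns on: restrictions are evaluated
in order and the first PERMIT or REJECT wins; a restriction that does not
apply yields DUNNO and evaluation continues; an access-map result that names
a restriction class runs that class's list in place; an OK map result is an
immediate PERMIT; running off the end of the outer list permits.
"""
import ipaddress

# Site data, constructed to mirror the thread. mynetworks_style = subnet is
# assumed to expand to the two interface subnets below (an assumption).
MYDESTINATION = {"domain.com", "mail.domain.com", "localhost.domain.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.56.0/24")]
LOCAL_RECIPIENTS = {"bk9729@domain.com", "postmaster@domain.com"}  # assumed mailboxes


def normalize_client(addr):
    """Return the client address the way Postfix sees it: an IPv4-mapped
    IPv6 address (::ffff:a.b.c.d) is reduced to the plain IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def cidr_lookup(cidr_map, ip):
    """First-match lookup, like a Postfix cidr: table."""
    for net, result in cidr_map:
        if ip in ipaddress.ip_network(net):
            return result
    return None


def evaluate(restrictions, classes, client, recipient, sasl, cidr_map):
    """Walk one restriction list; return 'PERMIT', 'REJECT' or 'DUNNO'."""
    ip = normalize_client(client)
    domain = recipient.rsplit("@", 1)[1].lower()
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return "PERMIT"
        elif r == "permit_sasl_authenticated":
            if sasl:
                return "PERMIT"
        elif r == "reject_unauth_destination":
            if domain not in MYDESTINATION:
                return "REJECT"
        elif r == "permit_auth_destination":
            if domain in MYDESTINATION:
                return "PERMIT"
        elif r == "reject_unlisted_recipient":
            if domain in MYDESTINATION and recipient.lower() not in LOCAL_RECIPIENTS:
                return "REJECT"
        elif r == "reject":
            return "REJECT"
        elif r == "check_client_access":
            result = cidr_lookup(cidr_map, ip)
            if result is None:
                continue                        # no entry for this client: DUNNO
            if result.upper() == "OK":
                return "PERMIT"                 # the outcome Sandy warns against
            if result.upper() == "REJECT":
                return "REJECT"
            # Any other result must name a restriction class: run it in place.
            nested = evaluate(classes[result], classes, client, recipient, sasl, cidr_map)
            if nested != "DUNNO":
                return nested
        else:
            raise ValueError("unsupported restriction: " + r)
    return "DUNNO"


# The outer list from the thread, and the cidr map it references.
RECIPIENT_RESTRICTIONS = ["check_client_access", "permit_sasl_authenticated",
                          "permit_mynetworks", "reject_unauth_destination"]
CLIENTS_LOCAL_ONLY = [("192.168.0.0/16", "local_only")]

# The three variants of the class that came up in the thread.
CLASS_MISSING_REJECT = {"local_only": ["reject_unlisted_recipient", "permit_auth_destination"]}
CLASS_FIXED = {"local_only": ["reject_unlisted_recipient", "permit_auth_destination", "reject"]}
MAP_RETURNING_OK = [("192.168.0.0/16", "OK")]


def verdict(classes, client, recipient, sasl=False, cidr_map=CLIENTS_LOCAL_ONLY):
    """Final smtpd decision for one RCPT TO; end of list with no decision permits."""
    v = evaluate(RECIPIENT_RESTRICTIONS, classes, client, recipient, sasl, cidr_map)
    return "PERMIT" if v == "DUNNO" else v


if __name__ == "__main__":
    cases = [
        ("class without reject", CLASS_MISSING_REJECT, "192.168.56.137", "gerberb@zenez.com", CLIENTS_LOCAL_ONLY),
        ("class with reject", CLASS_FIXED, "192.168.56.137", "gerberb@zenez.com", CLIENTS_LOCAL_ONLY),
        ("class with reject, local rcpt", CLASS_FIXED, "::ffff:192.168.56.137", "bk9729@domain.com", CLIENTS_LOCAL_ONLY),
        ("map returns OK", CLASS_FIXED, "192.168.56.137", "gerberb@zenez.com", MAP_RETURNING_OK),
    ]
    for label, classes, client, rcpt, cmap in cases:
        print(f"{label:30} {client:22} -> {rcpt:20} {verdict(classes, client, rcpt, cidr_map=cmap)}")
```

Two things the model makes visible. First, the relay Boyd saw only happened because the class ended with DUNNO and the client was inside mynetworks (subnet style covers the server's own 192.168.56.0/24): a 192.168 client outside that subnet would already have been stopped by reject_unauth_destination, so the hole was subnet-shaped, not /16-shaped. Second, because check_client_access sits before permit_sasl_authenticated, the fixed class also blocks SASL-authenticated users on 192.168.0.0/16 from relaying; if that is not wanted, move permit_sasl_authenticated ahead of check_client_access. On the ::ffff: question from the first post: the postfix/anvil lines in the posted log record the client as smtp:192.168.56.137, so Postfix was already looking up the plain IPv4 address; the ::ffff: form appears only in the pop3d lines, which are not Postfix.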