
check rcpt to, from and destination in one session - nested smtpd_restriction_classes?

Hi,

Postfix is configured as a relay server. Other systems relay through Postfix.
Here I want to allow a specific group of hosts, when they use a
specific MAIL FROM address, only a few specific destination domains. Other
hosts should not be bothered. This is only needed to limit a group of hosts
so that they do not accidentally send out mails to other domains.

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/benachrichtigung
smtpd_restriction_classes = benachrichtigung
benachrichtigung = check_recipient_access hash:/etc/postfix/erlaubt, reject

/etc/postfix/benachrichtigung
... at cubewerk dot de benachrichtigung

/etc/postfix/erlaubt
microsoft.com OK
aol.com OK
yahoo.com OK

That works and only allows mails with MAIL FROM:
... at cubewerk dot de to the above domains. How can I additionally say -
and only limit sending of mails to these 3 domains - if the SMTP connection is
from 3 local IPs (10.8.1.1-3)?

I cannot think of a way to achieve this.

Thank you.

Stefan

Comments

Re: check rcpt to, from and destination in one session - nested

By Jan P. Kessler at 05/15/2018 - 18:14

Restriction classes get very confusing with 3 or more criteria. Take a
look at the policy delegation protocol at
http://www.postfix.org/SMTPD_POLICY_README.html or use a service like
postfwd (http://postfwd.org). In your case you would create a rule like

id=ALLOW01
   client_address = 192.168.1.0/24
   sender== ... at bar dot local
   recipient_domain==somewhere.remote
   action=permit

id=REJECT01
   client_address = 192.168.1.0/24
   action=REJECT not allowed

Re: check rcpt to, from and destination in one session - nested

By Stefan Bauer at 05/16/2018 - 01:04

Sorry for being unclear:

My criteria are: if (from 10.8.1.1-3 and MAIL FROM: benachrichtigung@) then
only allow RCPT TO: example.org, example.net, example.edu.

If from 10.8.1.1-3 and MAIL FROM anything else, no limitation should take
place.


Re: check rcpt to, from and destination in one session - nested

By Viktor Dukhovni at 05/15/2018 - 12:10

It is unclear what combination of criteria you want to use.
What naïvely makes sense to me is that the client hosts in
question are to be restricted to a particular sender address
and to particular recipient domains. If so:

main.cf:
cidr = cidr:${config_directory}/
texthash = texthash:${config_directory}/
smtpd_client_restrictions = check_client_access ${cidr}client.cidr
smtpd_restriction_classes = restricted_sender, restricted_rcpt
restricted_sender = check_sender_access ${texthash}restricted-sender
restricted_rcpt = check_recipient_access ${texthash}restricted-rcpt

client.cidr:
192.0.2.1 restricted_sender

restricted-sender:
... at example dot com restricted_rcpt, reject

restricted-rcpt:
example.org OK
example.net OK
example.edu OK

Restriction classes can nest.
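To make the nesting concrete, here is an added Python simulation (illustrative code, not Postfix and not from this thread) of how the tables above are walked at RCPT TO, using the poster's three relay hosts 10.8.1.1-3 and a placeholder sender address, since the real one is elided in the thread:

```python
import ipaddress
# Added simulation of the nested restriction classes from the reply above; this
# is illustrative code, not Postfix. Tables are constructed; sender is a placeholder.
TABLES = {
    # client.cidr: 10.8.1.1-3 is not a single CIDR block, so one /32 per host
    "client.cidr": [(f"10.8.1.{i}/32", "restricted_sender") for i in (1, 2, 3)],
    "restricted-sender": {"notify@relay.example": "restricted_rcpt, reject"},
    "restricted-rcpt": {"example.org": "OK", "example.net": "OK", "example.edu": "OK"},
}
CLASSES = {  # smtpd_restriction_classes and their definitions
    "restricted_sender": "check_sender_access restricted-sender",
    "restricted_rcpt": "check_recipient_access restricted-rcpt",
}
SMTPD_CLIENT_RESTRICTIONS = "check_client_access client.cidr"

def lookup_address(table, addr):
    # Access-map lookup order: full address, its domain, then parent domains
    domain = addr.rpartition("@")[2]
    keys = [addr, domain] + [domain.split(".", i)[-1] for i in range(1, domain.count("."))]
    return next((table[k] for k in keys if k in table), None)

def lookup_cidr(entries, ip):
    # cidr: table semantics: the first matching network wins
    addr = ipaddress.ip_address(ip)
    return next((v for net, v in entries if addr in ipaddress.ip_network(net)), None)

def evaluate(restrictions, ctx):
    # Walk a restriction list left to right: OK/REJECT stop, DUNNO continues
    for item in (r.strip() for r in restrictions.split(",")):
        if item.lower() in ("permit", "ok", "reject"):
            return "REJECT" if item.lower() == "reject" else "OK"
        if item in CLASSES:                       # a nested restriction class
            result = evaluate(CLASSES[item], ctx)
        else:
            kind, table = item.split()
            if kind == "check_client_access":
                result = lookup_cidr(TABLES[table], ctx["client"])
            else:
                key = "sender" if kind == "check_sender_access" else "recipient"
                result = lookup_address(TABLES[table], ctx[key])
            # no entry -> DUNNO; any other value is itself a restriction list
            result = "DUNNO" if result is None else evaluate(result, ctx)
        if result != "DUNNO":
            return result
    return "DUNNO"

def decide(client, sender, recipient):
    # Decision at RCPT TO; DUNNO means nothing in this list blocked the mail
    return evaluate(SMTPD_CLIENT_RESTRICTIONS, dict(client=client, sender=sender, recipient=recipient))
```

Senders not listed in restricted-sender fall through as DUNNO, which is why the restriction only bites for the one address, and hosts outside client.cidr never enter the class at all.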

Re: check rcpt to, from and destination in one session - nested

By Stefan Bauer at 05/16/2018 - 01:33

That works. Thank you very much, guys, for your help!


RE: check rcpt to, from and destination in one session - nested

By Fazzina, Angelo at 05/15/2018 - 11:45

Hi, sounds like you want

If from ( ... at cubewerk dot de) and from (10.8.1.1-3)
Then allow
Else REJECT

Sounds like you would need a regex expression to catch two conditions and then act on it.

Not sure Postfix can store the result of the first check and not act on it, make the second check, and then act on the email?
My guess is no...?

Maybe someone more savvy knows how to do this.
Good Luck.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

... at uconn dot edu
University of Connecticut, ITS, SSG, Server Systems
860-486-9075
