DevHeads.net

unable to get smtpd_recipient_restrictions working

Hi.

My goal:
only allow mail to certain domains

@a.com
@b.com
@c.com

everything else should bounce.

main.cf:
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/recipient_access,
    reject

cat /etc/postfix/recipient_access
a.dk OK
b.dk OK
c.dk OK

postmap /etc/postfix/recipient_access
postfix reload

Mails to domains other than a.dk, b.dk and c.dk still go through.

I have also tried to do this access control with

main.cf:
header_checks = pcre:/etc/postfix/header_checks

cat /etc/postfix/header_checks
!/(@a\.dk|@b\.dk|@c\.dk)/ REJECT Bye

but it's like the "!" part is not really working.

postmap -q " ... at b dot dk" /etc/postfix/header_checks doesn't return anything
postmap -q " ... at google dot dk" /etc/postfix/header_checks returns "REJECT Bye"
like it should

but postfix doesn't really care.

I test from bash with something like "echo hej | mail <mailaddress>"
Any pointers on where to look?

Morten


Re: unable to get smtpd_recipient_restrictions working

By Noel Jones at 01/12/2012 - 08:29

On 1/12/2012 4:41 AM, Morten Frederik Kallesøe wrote:
[please post in plain text only. thanks.]

OK. Several problems below...

Please show "postconf -n" output rather than main.cf snippings.

If any of these are external domains, you just made yourself an open
relay.

Put these rules in smtpd_sender_restrictions *NOT*
smtpd_recipient_restrictions.

Again, check your postconf -n output.

This won't work. First, this will reject mail with ANY header that
doesn't match the required pattern, rejecting all mail. Secondly,
this will be unreliable since the header may not be the same as the
envelope.

A little better would be
IF /^From:/
!/(@a\.dk|@b\.dk|@c\.dk)/ REJECT Bye
ENDIF

that will still be unreliable due to header vs. envelope, but at
least it won't reject every message.

Perhaps surprisingly, smtpd_*_restrictions only work on mail
submitted via SMTP, and not mail submitted on the command line.

If you need more help:
http://www.postfix.org/DEBUG_README.html#mail

The documentation:
http://www.postfix.org/documentation.html

-- Noel Jones

Re: unable to get smtpd_recipient_restrictions working

By Morten Frederik Kallesøe at 01/13/2012 - 02:10

Thanks for your reply.

I think you misunderstood the direction of the mail I want to limit. I
wanted to limit "To" and not "From".

/etc/postfix# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = localhost
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = dvlmweb01.u.net, localhost.u.net, localhost
myhostname = dvlmweb01.u.net
mynetworks = 127.0.0.0/8
myorigin = dvlmweb01.u.net
readme_directory = no
recipient_delimiter = +
relayhost = 10.0.0.10
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

I went with the header_checks solution

cat /etc/postfix/header_checks
IF /To:/
!/(@a\.dk|@b\.dk|@c\.dk)/ REJECT Trying to send to domain thats not whitelisted
ENDIF

Works like I want. I know there is a performance penalty with the pcre
instead of hash tables, but it's a development server, so the
traffic is very, very low.

It works, thanks.

Re: unable to get smtpd_recipient_restrictions working

By Noel Jones at 01/13/2012 - 10:39

On 1/13/2012 1:10 AM, Morten Frederik Kallesøe wrote:
You referred repeatedly to "sender".

...
Be aware this will be unreliable. Understand that the To: header is
essentially a comment and has nothing to do with mail routing. Mail
that is sent to you will not necessarily have your name in the To:
header.

Much better (but still unreliable):
IF /^(To|Cc): /

Doubtful.

-- Noel Jones

Re: unable to get smtpd_recipient_restrictions working

By dev rob0 at 01/13/2012 - 07:23

On Friday 13 January 2012 01:10:41 Morten Frederik Kallesøe wrote:
Your original attempt was check_sender_access which checks the
envelope sender address. To lookup the recipient address, use
check_recipient_access. Neither one examines addresses in the headers
(and in fact, there is no such check_*_access functionality which
does.)

It works unless no To: header is specified, or the To: header doesn't
show the actual intended recipient. Mail headers do not control mail
routing, and it seems that you are trying to control routing.

It breaks if a header contains the string "To:". You did not anchor
your expression, i.e., "IF /^To:/" to anchor to the beginning of the
line.
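The two points made in this thread (header_checks on To: cannot see the envelope, and an unanchored /To:/ also matches lines such as In-Reply-To:) can be checked with a small simulation. This is an added example, not code from the thread or from Postfix: the functions below are simplified models of check_recipient_access and of the header_checks IF/ENDIF rule, and the messages are constructed.

```python
import re

# Constructed whitelist standing in for hash:/etc/postfix/recipient_access,
# the map the original post looked up with check_sender_access instead of
# check_recipient_access. Keys are domains, value is the access(5) result.
RECIPIENT_ACCESS = {"a.dk": "OK", "b.dk": "OK", "c.dk": "OK"}

# Same alternation the thread uses in its header_checks rule.
DOMAIN_RE = re.compile(r"(@a\.dk|@b\.dk|@c\.dk)")


def recipient_access(envelope_rcpt):
    """Simplified check_recipient_access: look up the domain of the envelope
    RCPT TO address. Anything not in the map falls through to the final
    'reject' of smtpd_recipient_restrictions. (Real access(5) lookups also
    try user@domain and parent domains; that is left out here.)"""
    domain = envelope_rcpt.rsplit("@", 1)[-1].lower()
    return RECIPIENT_ACCESS.get(domain, "REJECT")


def header_checks(headers, if_pattern):
    """Simplified header_checks for the rule
        IF /if_pattern/   !/DOMAIN_RE/ REJECT   ENDIF
    Each header line is tested on its own, as Postfix does; the envelope
    recipients are never consulted."""
    guard = re.compile(if_pattern)
    for line in headers:
        if guard.search(line) and not DOMAIN_RE.search(line):
            return "REJECT"
    return "DUNNO"


def evaluate(envelope_rcpts, headers, if_pattern=r"^To:"):
    """Run both checks; return (header verdict, {rcpt: envelope verdict})."""
    return header_checks(headers, if_pattern), {
        r: recipient_access(r) for r in envelope_rcpts
    }


# Constructed messages: a Bcc recipient that appears in no header at all,
# and an In-Reply-To: line that an unanchored /To:/ matches by mistake.
BCC_MSG = (["user@a.dk", "leak@google.dk"],
           ["From: dev@dvlmweb01.u.net", "To: user@a.dk"])
REPLY_MSG = (["user@b.dk"],
             ["To: user@b.dk", "In-Reply-To: <1@google.dk>"])

if __name__ == "__main__":
    print(evaluate(*BCC_MSG))             # header check passes, envelope rejects
    print(evaluate(*REPLY_MSG, r"To:"))   # unanchored guard: false REJECT
    print(evaluate(*REPLY_MSG, r"^To:"))  # anchored guard: DUNNO
```

Keep in mind that, as Noel notes above, smtpd_recipient_restrictions only applies to mail arriving over SMTP, so a test with "echo ... | mail" exercises header_checks alone.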