Hello everyone on serverfault,
I run a Debian Wheezy mailserver with postfix and several domains on it.
For one domain, I need some accounts to be unable to receive email from or send email to the external world, only within the same domain. The other accounts and domains remain normal.
Searching the web, I found that I can do this with Postfix restriction classes, so I found a guide in the Postfix documentation: http://www.postfix.org/RESTRICTION_CLASS_README.html
Following the Postfix documentation, I can't get my restriction applied: it gives me an unused parameter error when I restart Postfix. The error is the following:
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: local_only=check_recipient_access hash:/etc/postfix/local_domains, reject
Here's the part of my main.cf where the restriction classes are located:

smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/custom_check_client_access,
    permit_sasl_authenticated,
    reject_sender_login_mismatch,
    reject_unknown_client,
    reject_unauth_pipelining,
    reject_rbl_client sbl.spamhaus.org,

smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_recipient_access hash:/etc/postfix/protected_destinations,
    check_policy_service inet:127.0.0.1:10023,
    permit

smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject

smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access hash:/etc/postfix/local_domains, reject
Here’s my /etc/postfix/protected_destinations file:
restrict01@mydomain.com insiders_only
Here’s my /etc/postfix/restricted_senders file:
restrict01@mydomain.com local_only
Here’s my /etc/postfix/local_domains file:
mydomain.com OK
I can't figure out what I did wrong! I couldn't find anywhere on the internet how to use two restriction classes together, so the syntax of smtpd_restriction_classes may be wrong. The other thing that I suspect to be wrong is the order of smtpd_recipient_restrictions: I can't figure out where to put the check_sender_access and the check_recipient_access.
If you guys could help me out with setting up this restriction class, I would be thankful.
Thank you,
Giovanni
Best Answer
When defining a new restriction class, what you basically do is tell Postfix about a new generic restriction that can be used like the built-in checks, e.g. "permit_mynetworks".
Doing so will require you to specify all restriction classes in one go, i.e.
Doing it this way should silence the postconf warning about an unused parameter.
As for where to put the restrictions: by default, the parameter "smtpd_delay_reject" is set to "yes", which means that even smtpd_(client|sender)_restrictions will only be evaluated after the "RCPT TO:<...>" stage. For this reason, it has been long-standing advice to simply collapse all restrictions into smtpd_recipient_restrictions. In your case, where the sender "restrict01@..." should only be able to send to internal destinations, you could probably use something like this as a good starting point:
Another thing to note is that it's (probably) a bad idea to return an "OK" from an access map before you have verified the client's credentials. Therefore, the file "/etc/postfix/local_domains" should contain a line like
This will force the restricted sender to authenticate with SASL or be within $mynetworks. As you can see, you can get away with one restriction class and get rid of smtpd_(sender|client)_restrictions.
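The one-class layout the answer describes, written out in full as an added example. This is the editor's reconstruction, not the answer's own listing (which is missing from this copy of the page) and not code from the Postfix project: the file names, the address restrict01@mydomain.com and the other restrictions are taken from the question; that the restricted account submits mail over a SASL-authenticated connection is assumed. Comments are placed before each parameter rather than inside the multi-line values, since a line starting with "#" is not part of the value.

```conf
# /etc/postfix/main.cf (excerpt), added example.
#
# All restriction classes go on ONE smtpd_restriction_classes line. A second
# "smtpd_restriction_classes =" assignment replaces the first instead of adding
# to it, so the class named on the first line is never declared and postconf
# reports its definition as an unused parameter. Here only one class is needed.
smtpd_restriction_classes = local_only

# The class: look the recipient up in local_domains; whatever that map returns
# is evaluated as a restriction list, and anything not listed falls through to
# the final "reject".
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject

# smtpd_delay_reject = yes (the default) already postpones client and sender
# checks to RCPT TO, so smtpd_client_restrictions is folded in here and one
# ordered list is evaluated per recipient.
#
# check_sender_access must come BEFORE permit_mynetworks and
# permit_sasl_authenticated: a result of "permit" ends the evaluation of the
# whole list, so an authenticated restrict01@ would otherwise be permitted to
# send anywhere before the class is ever consulted. reject_sender_login_mismatch
# comes before the sender lookup so that another login cannot borrow the
# restrict01@ address to reach the class's permit (assumes smtpd_sender_login_maps
# is configured, as the original smtpd_client_restrictions implies).
smtpd_recipient_restrictions =
    reject_sender_login_mismatch,
    check_sender_access hash:/etc/postfix/restricted_senders,
    check_client_access hash:/etc/postfix/custom_check_client_access,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_client,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client sbl.spamhaus.org,
    check_recipient_access hash:/etc/postfix/protected_destinations,
    check_policy_service inet:127.0.0.1:10023,
    permit

# /etc/postfix/restricted_senders: full addresses only. A bare "mydomain.com"
# key would also match (access maps fall back to the domain part) and restrict
# every sender in the domain.
#   restrict01@mydomain.com    local_only

# /etc/postfix/protected_destinations: the same class works on the recipient
# side, because the class checks the recipient (restrict01@mydomain.com is in
# mydomain.com) and then the client's credentials.
#   restrict01@mydomain.com    local_only

# /etc/postfix/local_domains: return restrictions, not "OK". "OK" would permit
# any unauthenticated client claiming restrict01@ as sender and skip every later
# check (RBL, policy service); this form only permits clients that are in
# $mynetworks or SASL-authenticated and rejects everyone else.
#   mydomain.com    permit_mynetworks, permit_sasl_authenticated, reject
```

How the four cases resolve under this layout: an authenticated restrict01@ sending to user@mydomain.com hits check_sender_access, enters local_only, matches mydomain.com in local_domains and is permitted by permit_sasl_authenticated; the same account sending to user@example.net finds no local_domains entry and is rejected by the class's final "reject"; an unauthenticated external client mailing restrict01@mydomain.com passes reject_unauth_destination (the domain is local) and is rejected when check_recipient_access enters the class, since it is neither in $mynetworks nor authenticated; mail to any other account is untouched by both maps. After editing, run postmap on each of the three hash files, confirm the declaration with "postconf smtpd_restriction_classes", test a lookup with "postmap -q restrict01@mydomain.com hash:/etc/postfix/restricted_senders", and then "postfix reload". One caveat: a permit returned from inside the class ends the entire smtpd_recipient_restrictions evaluation for that recipient, so restrict01@'s internal mail will not pass through the policy service or any other check placed after the lookup.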