Linux – Postfix multiple checks

emaillinuxpostfixsmtp

I want to achieve the following with Postfix:

Run all emails through a black list
Allow any clients sending to a list of domains
Allow some clients sending to any domain

This is what I have: (postfix is on 10.0.8.0 and some of the senders are 10.0.8.0 and 10.0.9.0)

mynetworks_style = subnet

smtpd_recipient_restrictions = check_recipient_access sqlite:/etc/postfix/access-bl.query, check_client_access hash:/etc/postfix/trusted_clients, check_recipie
nt_access hash:/etc/postfix/local_domains, reject_unauth_destination, permit

So, right now the black list works. File /etc/postfix/trusted_clients contains who can send anywhere (3), file /etc/postfix/local_domains contains where you can send (2).
Those two are fine, they return properly.

My problem is getting all three working together. Not sure if it's an ordering issue.
Currently sending a test from 10.0.9.17 and I get Relay access denied. If I add:

mynetworks = 10.0.8.0/24 10.0.9.0/24

then anyone can send anywhere, so #2 is not working.

Postfix version is 2.10 on Ubuntu 14.04.

Any ideas?

Output of postconf | grep restrictions:

smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_end_of_data_restrictions = 
smtpd_etrn_restrictions = 
smtpd_helo_restrictions = 
smtpd_recipient_restrictions = check_recipient_access sqlite:/etc/postfix/access-bl.query, check_client_access hash:/etc/postfix/trusted_clients, check_recipient_access hash:/etc/postfix/local_domains, reject_unauth_destination, permit_mynetworks
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination 
smtpd_sender_restrictions =

Best Answer

In postfix 2.10, new parameter smtpd_relay_restrictions was introduced. This restriction will evaluated BEFORE smtpd_recipient_restrictions.

Snippet from official documentation

smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination) Access restrictions for mail relay control that the Postfix SMTP server applies in the context of the RCPT TO command, before smtpd_recipient_restrictions. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

Therefore, any client outside mynetworks will get Relay Access Denied because this rule defer_unauth_destination.

One of the solution is move your restriction (2) and (3) in smtpd_relay_restrictions.

smtpd_recipient_restrictions = 
    check_recipient_access sqlite:/etc/postfix/access-bl.query

smtpd_relay_restrictions = 
    permit_mynetworks, 
    permit_sasl_authenticated, 
    check_client_access hash:/etc/postfix/trusted_clients, 
    check_recipient_access hash:/etc/postfix/local_domains,
    reject_unauth_destination

Note:

You can place reject_unauth_destination in either smtpd_relay_restrictions or smtpd_recipient_restrictions. No need to repeat it both place.
smtpd_relay_restrictions is intended to place where you putrelay rule, while smtpd_recipient_restrictions is placeholder for spam blacklisting (for example reject_non_fqdn_sender).

Related Solutions

Postfix rejects all incoming mail (Client host rejected: Access denied)

I think you need to put mydestination = mydomain.com in your config.

Next guess: We know the domain is right and that SASL works... so what I now suspect is that we're seeing an error in your restrictions. I'd start with recipient_restrictions and remove every rejection after permit_sasl_authenticated. If that works, add them back one at a time. If not, your next test is sender_restrictions.

Debian – Setting up restriction classes in postfix for blocking receiving and sending mail to external domains.

When defining a new restriction class, what you basically do is telling Postfix about a new generic restriction that can be used like the builtin checks, e.g. "permit_mynetworks".

Doing so will require you to specify all restriction classes in one go, i.e.

smtpd_restriction_classes = local_only, insiders_only
insiders_only = ...
local_only = ...

Doing it this way should silence the postconf warning about an unused parameter.

As for where to put the restrictions: By default, the parameter "smtpd_delay_reject" is set to "yes", which means that even smtpd_(client|sender)_restrictions will only be evaluated after the "rctp to:<...>" stage. For this reason, it has been a long standing advice to simply collapse all restrictions within smtpd_recipient_restrictions. In your case, where the sender "restrict01@..." should only be able to send to internal destinations, you could probably use something like this as a good starting point:

smtpd_recipient_restrictions =
  reject_non_fqdn_sender
  reject_non_fqdn_recipient
  reject_unlisted_sender
  reject_unlisted_recipient
  reject_unknown_sender_domain
  reject_unknown_recipient_domain
  check_sender_access hash:/etc/postfix/restricted_senders
  permit_mynetworks
  allow_sasl_authenticated
  reject_unauth_destination
  check_policy_service inet:127.0.0.1:10023
  reject_rbl_client zen.spamhaus.org
  permit_auth_destination
  reject
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject

Another thing to note is that it's (probably) a bad idea to return an "OK" from a access map before you verified the client's credentials. Therefore, the file "/etc/postfix/local_domains" should contain a line like

example.com DUNNO

This will force the restricted sender to authenticate with SASL or be within $mynetworks. As you can see, you can get away with one restriction class and get rid of smtpd_(sender|client)_restrictions.

Best Answer

Related Solutions

Postfix rejects all incoming mail (Client host rejected: Access denied)

Debian – Setting up restriction classes in postfix for blocking receiving and sending mail to external domains.

Related Topic