Mysql – PostFix Blacklist Configuration

blacklistemail-serverMySQLpostfix

I have setup up a basic email server using PostFix with Dovecot/IMAP. But i face some issue with the blacklist setup.

below is my postfix main.cf

smtpd_recipient_restrictions = check_sender_access mysql:/etc/postfix/blacklist.cf reject_unauth_destination

blacklist.cf

user = mailuser
password = mailuser2011
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 'REJECT' FROM blacklist WHERE email='%s' AND id=( SELECT id FROM virtual_users WHERE email='%u')

My SQL table have 2 columns for the blacklist. Namely the id and the email where id is the individual user and email is the blacklisted address.

What I want to do is to retrieve the address match from the database with reference to the recipient in the mail. If I hard code the email value to something existing in the database it will be able to reject mails from the blocked user.

However, if I uses the %u(which I assume it refers to the recipient), it fails to block at all.

Best Answer

Lookup tables in Postfix are Key-Value-Lookups. That means you have a key and get a value after lookup. In your case (check_sender_access) the key is the sender; and only the sender. So your requirement of having two keys (sender and recipient) can not be done with Postfix.

The only way to solve that is by Policy Delegation, where you have multiple keys (sender, recipient, IP, hostname, helo, ...) to do your lookup.

But on the other hand it is a very bad idea to rely on the sender address, as this is the easiest thing to forge.

Related Solutions

Debian – Setting up restriction classes in postfix for blocking receiving and sending mail to external domains.

When defining a new restriction class, what you basically do is telling Postfix about a new generic restriction that can be used like the builtin checks, e.g. "permit_mynetworks".

Doing so will require you to specify all restriction classes in one go, i.e.

smtpd_restriction_classes = local_only, insiders_only
insiders_only = ...
local_only = ...

Doing it this way should silence the postconf warning about an unused parameter.

As for where to put the restrictions: By default, the parameter "smtpd_delay_reject" is set to "yes", which means that even smtpd_(client|sender)_restrictions will only be evaluated after the "rctp to:<...>" stage. For this reason, it has been a long standing advice to simply collapse all restrictions within smtpd_recipient_restrictions. In your case, where the sender "restrict01@..." should only be able to send to internal destinations, you could probably use something like this as a good starting point:

smtpd_recipient_restrictions =
  reject_non_fqdn_sender
  reject_non_fqdn_recipient
  reject_unlisted_sender
  reject_unlisted_recipient
  reject_unknown_sender_domain
  reject_unknown_recipient_domain
  check_sender_access hash:/etc/postfix/restricted_senders
  permit_mynetworks
  allow_sasl_authenticated
  reject_unauth_destination
  check_policy_service inet:127.0.0.1:10023
  reject_rbl_client zen.spamhaus.org
  permit_auth_destination
  reject
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject

Another thing to note is that it's (probably) a bad idea to return an "OK" from a access map before you verified the client's credentials. Therefore, the file "/etc/postfix/local_domains" should contain a line like

example.com DUNNO

This will force the restricted sender to authenticate with SASL or be within $mynetworks. As you can see, you can get away with one restriction class and get rid of smtpd_(sender|client)_restrictions.

Postfix SMTP recipient filter not filtering

Restrictions specified in restriction lists such as smtpd_helo_restrictions, smtpd_recipient_restrictions etc. are applied in the order as specified; the first restriction that matches wins.

Since your smtp_recipient_restrictions has permit_sasl_authenticated as first condition and check_recipient_access somewhere down the road, any authenticated client is allowed and not checked agains the later.

You may also want to read http://www.postfix.org/SMTPD_ACCESS_README.html

Best Answer

Related Solutions

Debian – Setting up restriction classes in postfix for blocking receiving and sending mail to external domains.

Postfix SMTP recipient filter not filtering

Related Topic