Setting up restriction classes in postfix for blocking receiving and sending mail to external domains.
Hello everyone on serverfault,
I run a Debian Wheezy mailserver with postfix and several domains on it.
For one domain, I need some accounts to be unable to receive and send email to the external world, only to the same domain. The other accounts and domains remain normal.
Searching the web, I found that I can do this with postfix restriction classes, so I followed the guide in the postfix documentation: http://www.postfix.org/RESTRICTION_CLASS_README.html
Following the postfix documentation, I can’t apply my restriction: it gives me an unused parameter error when I restart postfix. The error is the following:
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: local_only=check_recipient_access hash:/etc/postfix/local_domains, reject
Here’s some part of my main.cf where the restriction classes are located:
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/custom_check_client_access,
    permit_sasl_authenticated,
    reject_sender_login_mismatch,
    reject_unknown_client,
    reject_unauth_pipelining,
    reject_rbl_client sbl.spamhaus.org,
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_recipient_access hash:/etc/postfix/protected_destinations,
    check_policy_service inet:127.0.0.1:10023,
    permit
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access hash:/etc/postfix/local_domains, reject
Here’s my /etc/postfix/protected_destinations file:
[email protected] insiders_only
Here’s my /etc/postfix/restricted_senders file:
[email protected] local_only
Here’s my /etc/postfix/local_domains file:
mydomain.com OK
I can’t figure out what I did wrong! I couldn’t find anywhere on the internet how to define two restriction classes together, so the syntax of smtpd_restriction_classes may be wrong. The other thing that I suspect to be wrong is the order of smtpd_recipient_restrictions; I can’t figure out where to put the check_sender_access and the check_recipient_access.
If you guys could help me out on setting up this restriction class, I would be thankful.
Thank you, Giovanni
Solution 1:
When defining a new restriction class, what you basically do is tell Postfix about a new generic restriction that can be used like the built-in checks, e.g. "permit_mynetworks".
Doing so will require you to specify all restriction classes in one go, i.e.
smtpd_restriction_classes = local_only, insiders_only
insiders_only = ...
local_only = ...
Doing it this way should silence the postconf warning about an unused parameter.
As for where to put the restrictions: By default, the parameter "smtpd_delay_reject" is set to "yes", which means that even smtpd_(client|sender)_restrictions will only be evaluated after the "RCPT TO:<...>" stage. For this reason, it has been long-standing advice to simply collapse all restrictions within smtpd_recipient_restrictions. In your case, where the sender "restrict01@..." should only be able to send to internal destinations, you could probably use something like this as a good starting point:
smtpd_recipient_restrictions =
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unlisted_sender
    reject_unlisted_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    check_sender_access hash:/etc/postfix/restricted_senders
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:10023
    reject_rbl_client zen.spamhaus.org
    permit_auth_destination
    reject
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
Another thing to note is that it's (probably) a bad idea to return an "OK" from an access map before you have verified the client's credentials. Therefore, the file "/etc/postfix/local_domains" should contain a line like
example.com DUNNO
This will force the restricted sender to authenticate with SASL or be within $mynetworks. As you can see, you can get away with one restriction class and get rid of smtpd_(sender|client)_restrictions.
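To make the evaluation order discussed in the question and in Solution 1 concrete, here is an added simulator of how Postfix walks a restriction list: every restriction yields OK, REJECT or DUNNO (no decision, continue), and a check_*_access lookup whose result names a restriction class expands that class in place, as RESTRICTION_CLASS_README describes. This is illustration code written for this page, not Postfix code and not from the thread's authors; the addresses (restrict01@mydomain.com, colleague@mydomain.com, the external domains), the map contents and the shortened restriction list are constructed from the thread, and DNS checks, CIDR matching for mynetworks and the other built-in restrictions are not modelled. It also shows how the access-map results OK and DUNNO combine with the trailing reject of the local_only class.

```python
"""Simulate Postfix smtpd restriction evaluation, including restriction classes.

Added illustration only (not Postfix source). Every restriction yields OK,
REJECT or DUNNO; a check_*_access result naming a restriction class expands
that class in place. Simplified: no DNS, no CIDR matching, only the handful of
restrictions used below; other permit_*/reject_* names count as "no decision".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

AccessMap = Dict[str, str]  # contents of one hash: table, key -> action


@dataclass
class Session:
    sender: str
    recipient: str
    sasl_authenticated: bool = False
    in_mynetworks: bool = False


@dataclass
class Config:
    restrictions: List[str]         # smtpd_recipient_restrictions
    classes: Dict[str, List[str]]   # smtpd_restriction_classes and their bodies
    maps: Dict[str, AccessMap]      # table path -> contents
    my_domains: List[str]           # domains this server accepts mail for


def lookup(table: AccessMap, address: str) -> Optional[str]:
    """Access-map lookup order of check_{sender,recipient}_access:
    full address, then the domain and its parent domains, then localpart@."""
    address = address.lower()
    if address in table:
        return table[address]
    local, _, domain = address.partition("@")
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in table:
            return table[".".join(labels[i:])]
    return table.get(local + "@")


def evaluate(restrictions: List[str], cfg: Config, s: Session) -> str:
    """Walk a restriction list: the first OK or REJECT wins, DUNNO continues."""
    for item in restrictions:
        name, _, arg = item.partition(" ")
        result = "DUNNO"
        if name == "permit" or (name == "permit_mynetworks" and s.in_mynetworks):
            result = "OK"
        elif name == "permit_sasl_authenticated" and s.sasl_authenticated:
            result = "OK"
        elif name == "reject":
            result = "REJECT"
        elif name in ("reject_unauth_destination", "permit_auth_destination"):
            is_ours = s.recipient.rpartition("@")[2].lower() in cfg.my_domains
            if name == "reject_unauth_destination" and not is_ours:
                result = "REJECT"
            if name == "permit_auth_destination" and is_ours:
                result = "OK"
        elif name in ("check_sender_access", "check_recipient_access"):
            table = cfg.maps[arg.split(":", 1)[1]]  # "hash:/path" -> "/path"
            key = s.sender if name == "check_sender_access" else s.recipient
            action = lookup(table, key)
            if action in cfg.classes:               # expand the class in place
                result = evaluate(cfg.classes[action], cfg, s)
            elif action in ("OK", "REJECT"):
                result = action
            # None or DUNNO: no decision, fall through to the next restriction
        elif not name.startswith(("permit_", "reject_")):
            raise ValueError(f"unknown restriction {name!r}")
        if result != "DUNNO":
            return result
    return "DUNNO"


def answer_config(local_domains_action: str = "OK") -> Config:
    """Subset of the layout Solution 1 proposes, with constructed example data."""
    return Config(
        restrictions=[
            "check_sender_access hash:/etc/postfix/restricted_senders",
            "permit_mynetworks",
            "permit_sasl_authenticated",
            "reject_unauth_destination",
            "permit_auth_destination",
            "reject",
        ],
        classes={"local_only": [
            "check_recipient_access hash:/etc/postfix/local_domains", "reject"]},
        maps={
            "/etc/postfix/restricted_senders": {"restrict01@mydomain.com": "local_only"},
            "/etc/postfix/local_domains": {"mydomain.com": local_domains_action},
        },
        my_domains=["mydomain.com"],
    )


def decide(cfg: Config, sender: str, recipient: str,
           sasl: bool = False, mynet: bool = False) -> str:
    """Top-level verdict for one RCPT TO; a list exhausted without a decision permits."""
    verdict = evaluate(cfg.restrictions, cfg, Session(sender, recipient, sasl, mynet))
    return "OK" if verdict == "DUNNO" else verdict


if __name__ == "__main__":
    cfg = answer_config()
    for args in (("restrict01@mydomain.com", "colleague@mydomain.com", True),
                 ("restrict01@mydomain.com", "someone@example.org", True),
                 ("normal@mydomain.com", "someone@example.org", True),
                 ("stranger@example.net", "colleague@mydomain.com", False)):
        print(args, "->", decide(cfg, *args))
```

With `mydomain.com OK` in local_domains, the restricted sender is permitted to internal recipients and rejected for external ones, while other senders are governed by the usual permit_mynetworks / permit_sasl_authenticated / reject_unauth_destination sequence. Switching the map entry to `DUNNO` (second argument of `answer_config`) makes the lookup return no decision, so the class continues to its trailing `reject` and the restricted sender's mail to internal recipients is rejected as well; whichever action is chosen, running the class through a simulator like this before deploying it shows what the map entry actually does.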