Postfix and access restrictions for unknown clients

I'm trying to configure a postfix mailserver and I have a doubt related to parameters like smtpd_reject_unlisted_sender and that sort of thing.

Of course, I would like to configure my server in such a way that if a client (for example, [email protected], where "mydomain.com" is a domain hosted by my server), using its SMTP client MUA (like Outlook or Thunderbird), tries to send an email with a From address other than john's, the request is rejected; and also to reject every mail sent from an unknown "sender", unless this sender belongs to another "secure"/"existing" domain.

I know how I can configure these sorts of things, but I don't know what the "scope" of these restrictions is.

Concrete example: if I set smtpd_reject_unlisted_sender to on, and [email protected] sends an email to [email protected], will alice's mail be rejected, since it's an unknown sender? I don't want to reject this type of email, and the postfix configuration doesn't specify to which address classes each *_reject_* parameter belongs (default, hosted or canonical).


Solution 1:

Postfix provides several “checks” that can be evaluated at different “stages” of the incoming SMTP connection. “Checks” are things like “is the remote client SASL-authenticated?”, “is the remote client providing an FQDN HELO hostname?”, “is the remote client asking for SMTP pipelining?”, as well as “is the remote client blacklisted in some RBL?” or “is the remote client connecting from one of my IP subnets?”

Such checks can be evaluated at different stages of the SMTP transaction:

  • as soon as the TCP connection is established (smtpd_client_restrictions)
  • when the client issues a “MAIL FROM” command (smtpd_sender_restrictions)
  • when the client sends an “RCPT TO” command (smtpd_recipient_restrictions)

as well as at other stages.

The restrictions/directives above can be combined as in the following example (please note that “...restrictions are applied in the order as specified; the first restriction that matches wins”):

# Evaluated as soon as the TCP connection is established
smtpd_client_restrictions =
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access,
    check_policy_service inet:127.0.0.1:4466,
    warn_if_reject reject_unknown_reverse_client_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unauth_pipelining,
    reject_invalid_helo_hostname,
    reject_rbl_client bl.spamcop.net

# Evaluated when the client issues MAIL FROM
smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/sender_access

# Evaluated when the client issues RCPT TO
# (reject_unauth_destination is the entry that prevents open relaying)
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:10045,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_recipient_access hash:/etc/postfix/access_recipient,
    permit_mynetworks,
    warn_if_reject reject_unverified_recipient,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:2501

In order to properly LOG useful information that might not be known in the “smtpd_client_restrictions” (or other) context, the parameter “smtpd_delay_reject=yes” might be useful, as it will delay the “rejection time” so as to collect other information (the recipient, for example, which is very useful to properly troubleshoot problems with end users complaining about mail they did not receive).

Postfix is a very complex system and, as such, is extremely flexible and powerful. You can find lots of information in the official web pages (e.g.: http://www.postfix.org/postconf.5.html) which, BTW, also include some useful configs that can be used as a starting point for your own setup (http://www.postfix.org/STANDARD_CONFIGURATION_README.html)

P.S.: please, be “kind” with this answer as... it's my first POST in the ServerFault/StackExchange arena ;-)
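The ordering rule quoted in this answer (“the first restriction that matches wins”) and the effect of smtpd_delay_reject, as an added Python model that is not part of the original answer and not Postfix's own code; the session attributes (sasl, helo, reverse_dns, rcpt_local, rcpt) and the simplified checks are assumptions constructed for the illustration.

```python
PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Each restriction maps a dict of (constructed) session attributes to a
# verdict; these are simplifications of the real Postfix checks.
CHECKS = {
    "permit_sasl_authenticated": lambda c: PERMIT if c.get("sasl") else DUNNO,
    "permit_mynetworks": lambda c: PERMIT if c.get("mynetworks") else DUNNO,
    "reject_unknown_reverse_client_hostname":
        lambda c: REJECT if not c.get("reverse_dns") else DUNNO,
    "reject_non_fqdn_helo_hostname":
        lambda c: REJECT if "." not in c.get("helo", "") else DUNNO,
    # Relay control: reject recipients outside our own domains unless an
    # earlier permit_* entry in the list already matched.
    "reject_unauth_destination": lambda c: DUNNO if c.get("rcpt_local") else REJECT,
}

def evaluate(restriction_list, client):
    """Walk one restriction list in order: first PERMIT/REJECT wins, DUNNO
    falls through, warn_if_reject downgrades a REJECT to a logged warning."""
    warnings = []
    for entry in restriction_list:
        name = entry.split()[-1]
        result = CHECKS[name](client)
        if result == REJECT and entry.startswith("warn_if_reject "):
            warnings.append(name)  # Postfix logs "reject_warning" and goes on
            continue
        if result != DUNNO:
            return result, name, warnings
    return DUNNO, None, warnings  # end of list: Postfix treats this as permit

CLIENT_STAGE = ["permit_sasl_authenticated",
                "warn_if_reject reject_unknown_reverse_client_hostname",
                "reject_non_fqdn_helo_hostname"]
RECIPIENT_STAGE = ["permit_sasl_authenticated", "permit_mynetworks",
                   "reject_unauth_destination"]

def session(client, delay_reject=True):
    """Client stage at CONNECT, then recipient stage at RCPT TO. With
    smtpd_delay_reject=yes a client-stage REJECT is only reported at RCPT TO,
    so the log line can carry the recipient address."""
    warnings = []
    for stage, rlist in (("CONNECT", CLIENT_STAGE), ("RCPT", RECIPIENT_STAGE)):
        verdict, name, warned = evaluate(rlist, client)
        warnings += warned
        if verdict == REJECT:
            where = "RCPT" if delay_reject else stage
            return {"verdict": REJECT, "stage": where, "by": name, "warnings": warnings,
                    "to": client["rcpt"] if where == "RCPT" else None}
    return {"verdict": PERMIT, "stage": "RCPT", "by": None, "warnings": warnings,
            "to": client["rcpt"]}
```

Note how an authenticated submission is permitted before any of the HELO or reverse-DNS checks run, while an unauthenticated client is stopped by reject_unauth_destination when it asks for a recipient outside the hosted domains.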

Solution 2:

smtpd_reject_unlisted_sender is used to control mail from your local submissions or from SASL-authenticated users on the submission port. It checks the existence of the envelope From (aka SMTP MAIL FROM) address in your users' outgoing emails against the addresses in virtual domains or canonical ones.