hi,
What's the 'robust' way to make sure email to a specific destination is only accepted if it came over the localhost:25 or /usr/sbin/sendmail route? Anything else should get a 5xx error. Emails to other destinations should remain unaffected.
Using postfix/c4. Had a look around, and header_checks might be one way to go.
Karanbir Singh wrote:
> hi,
> What's the 'robust' way to make sure email to a specific destination is only accepted if it came over the localhost:25 or /usr/sbin/sendmail route? Anything else should get a 5xx error. Emails to other destinations should remain unaffected.
> Using postfix/c4. Had a look around, and header_checks might be one way to go.
The easiest way is probably to edit master.cf and make smtpd only listen on localhost:25.
So instead of
# smtp inet n - n - - smtpd
Use
127.0.0.1:smtp inet n - n - - smtpd
Otherwise use an access table.
Glenn
RedShift wrote:
> Karanbir Singh wrote:
>> What's the 'robust' way to make sure email to a specific destination is only accepted if it came over the localhost:25 or /usr/sbin/sendmail route? Anything else should get a 5xx error. Emails to other destinations should remain unaffected.
>> Using postfix/c4. Had a look around, and header_checks might be one way to go.
> The easiest way is probably to edit master.cf and make smtpd only listen on localhost:25.
Ummm. The question was "how to *identify* mails coming from localhost", not "restrict everything to localhost".
> Otherwise use an access table.
I'd be curious how you would do that.
Ralph
On 07/29/2009 01:58 PM, RedShift wrote:
>> Emails to other destinations should remain unaffected.
^^
> The easiest way is probably to edit master.cf and make smtpd only listen on localhost:25.
well, no. The machine gets a few thousand other emails from all over the place. Would not want to stop that :)
> Otherwise use an access table.
how ?
Hi
2009/7/29 Karanbir Singh mail-lists@karan.org
> On 07/29/2009 01:58 PM, RedShift wrote:
>>> Emails to other destinations should remain unaffected.
> ^^
>> The easiest way is probably to edit master.cf and make smtpd only listen on localhost:25.
> well, no. The machine gets a few thousand other emails from all over the place. Would not want to stop that :)
>> Otherwise use an access table.
> how ?
I personally have separated my interfaces using master.cf (one for internal and one for external and one for anti-virus from localhost).
192.168.1.1:25 inet n - n - - smtpd
  -o smtpd_client_restrictions=
222.22.22.333:25 inet n - n - - smtpd
#
# Anti-virus
#
amavisd-new unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200s
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
I override smtpd_client_restrictions from internal so that it doesn't try to look up RBLs, and the last part is the anti-virus re-injection.
Other than that, I haven't investigated further what other rules you can apply.
This is similar to what Andreas Rogge has suggested elsewhere in this thread.
Regards, Andrew.
Karanbir Singh wrote:
> On 07/29/2009 01:58 PM, RedShift wrote:
>>> Emails to other destinations should remain unaffected.
> ^^
>> The easiest way is probably to edit master.cf and make smtpd only listen on localhost:25.
> well, no. The machine gets a few thousand other emails from all over the place. Would not want to stop that :)
>> Otherwise use an access table.
> how ?
Start by setting up recipient classes, like this:
everybody = permit
limited = check_client_access hash:/etc/postfix/tables/limited_client_access
smtpd_restriction_classes = everybody, limited
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/tables/recipient_access
And now for the tables:
recipient_access:
    myprecious@example.net  limited
    *                       everybody

limited_client_access:
    1.2.3.4  OK
    *        REJECT
I'm quickly writing this almost all out of my head so it might not be entirely "drop into place".
Glenn
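
A variant of the restriction-class setup sketched in the message above, as an added example that is not part of the thread or of anyone's posted configuration. The class name local_only and the two table paths are assumptions; myprecious@example.net is the placeholder address used in the thread. Postfix hash tables match literal keys and have no `*` wildcard, so the catch-all is written as an explicit reject at the end of the class.

```cfg
# ---- /etc/postfix/main.cf ----
# Added example. "local_only" and both table paths are assumed names.

smtpd_restriction_classes = local_only

# Applied only to the protected recipient: a client listed in the table is
# accepted, every other SMTP client falls through to "reject" (5xx reply).
local_only =
    check_client_access hash:/etc/postfix/loopback_clients
    reject

# The recipient lookup comes first so that it is evaluated before
# permit_mynetworks; otherwise any host in mynetworks could still reach
# the protected address. Recipients that are not in the table fall
# through to the usual rules and are unaffected.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/protected_recipients
    permit_mynetworks
    reject_unauth_destination

# ---- /etc/postfix/protected_recipients ----
# Rebuild after editing: postmap /etc/postfix/protected_recipients
myprecious@example.net    local_only

# ---- /etc/postfix/loopback_clients ----
# Rebuild after editing: postmap /etc/postfix/loopback_clients
127.0.0.1    OK

# Mail handed to /usr/sbin/sendmail is queued by the local pickup service
# and never passes through smtpd, so these restrictions do not affect it.
```

After `postfix reload`, a RCPT TO for the protected address from any non-loopback client should get a 5xx reject, while other recipients behave as before.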
> hi,
> What's the 'robust' way to make sure email to a specific destination is only accepted if it came over the localhost:25 or /usr/sbin/sendmail route? Anything else should get a 5xx error. Emails to other destinations should remain unaffected.
I guess you would need to configure two incoming variants in master.cf, so you have one smtpd listening for localhost and one on the real IP. For the one on the real IP you just set a recipient restriction that disallows your specific destination (directly in master.cf itself).
I didn't test, but it should work.
Regards, Andreas