I have a mail server that handles several domains. One of these domains has decided to use Postini. For those not familiar with Postini, you set your MX records to use their mail servers. They filter mail, and deliver you only the clean virus/spam free mail. The idea is to only allow incoming mail from their mail servers so spammers are unable to send to your mail server directly. This is fairly simple to do with standard restriction classes for a dedicated mail server. I am not sure how to accomplish this on a shared mail server. Ideally I would like to instruct postfix to accept mail from anywhere for all domains except one domain (the one using Postini) and only allow mail destined for that specific domain to originate from Postini's mail servers. Any ideas would be greatly appreciated.
Thanks, Barry
Barry Brimer wrote:
I have a mail server that handles several domains. One of these domains has decided to use Postini. For those not familiar with Postini, you set your MX records to use their mail servers. They filter mail, and deliver you only the clean virus/spam free mail. The idea is to only allow incoming mail from their mail servers so spammers are unable to send to your mail server directly. This is fairly simple to do with standard restriction classes for a dedicated mail server. I am not sure how to accomplish this on a shared mail server. Ideally I would like to instruct postfix to accept mail from anywhere for all domains except one domain (the one using Postini) and only allow mail destined for that specific domain to originate from Postini's mail servers. Any ideas would be greatly appreciated.
check_recipient_access key value postini-domain postini-domain-restrictions
smtpd-restrictions postini-domain-restrictions
postini-domain-restrictions
check_client_access key value postini-ips/rdns OK
check_client_access key value anything(regex/pcre) REJECT
Quoting Feizhou feizhou@graffiti.net:
check_recipient_access key value postini-domain postini-domain-restrictions
smtpd-restrictions postini-domain-restrictions
postini-domain-restrictions
check_client_access key value postini-ips/rdns OK
check_client_access key value anything(regex/pcre) REJECT
Thanks for your response. For further clarification, my understanding of your instructions is as follows. Please correct any mistakes I have made. My domain will be example.com.
1. Add an additional line to my smtpd_recipient_restrictions that reads:
check_recipient_access hash:/etc/postfix/recipient_checks
The contents of this file should read
example.com example.com-restrictions
Once completed, I run postmap against this file.
2. I currently use smtpd_recipient_restrictions for my access control. Can I include the example.com-restrictions directive in my smtpd_recipient_restrictions, or does it really belong in smtpd_sender_restrictions? Is there actually a plain smtpd_restrictions directive I am missing?
3. example.com-restrictions is referenced in smtpd_xxx_restrictions above. If I understand correctly, I should add a line to my main.cf above my smtpd_recipient_restrictions that says:
example.com-restrictions = check_client_access regexp:/etc/postfix/example.com-restrictions.regexp
The contents of this file should read:
name or ip of postini-allowed mail server1 OK
name or ip of postini-allowed mail server2 OK
name or ip of postini-allowed mail server3 OK
name or ip of postini-allowed mail server4 OK
/^.*/ REJECT
Thanks so much for your help, any input/correction/validation of this information is greatly appreciated!
Thanks! Barry
Barry Brimer wrote:
Thanks for your response. For further clarification, my understanding of your instructions is as follows. Please correct any mistakes I have made. My domain will be example.com.
- Add an additional line to my smtpd_recipient_restrictions that reads:
check_recipient_access hash:/etc/postfix/recipient_checks
The contents of this file should read
example.com example.com-restrictions
Once completed, I run postmap against this file.
- I currently use smtpd_recipient_restrictions for my access control. Can I include the example.com-restrictions directive in my smtpd_recipient_restrictions, or does it really belong in smtpd_sender_restrictions? Is there actually a plain smtpd_restrictions directive I am missing?
Ack, sorry that should be smtpd_restriction_classes
Putting all non restriction-classes rules under smtpd_recipient_restrictions is fine.
- example.com-restrictions is referenced in smtpd_xxx_restrictions above.
If I understand correctly, I should add a line to my main.cf above my smtpd_recipient_restrictions that says:
No, after the smtpd_restriction_classes declaration(s)
smtpd_restriction_classes = example.com-restrictions {more if you have}
Followed by the rule declarations per restriction class.
example.com-restrictions = check_client_access regexp:/etc/postfix/example.com-restrictions.regexp
The contents of this file should read:
name or ip of postini-allowed mail server1 OK
name or ip of postini-allowed mail server2 OK
name or ip of postini-allowed mail server3 OK
name or ip of postini-allowed mail server4 OK
/^.*/ REJECT
Thanks so much for your help, any input/correction/validation of this information is greatly appreciated!
You are welcome.
name or ip of postini-allowed mail server1 OK
name or ip of postini-allowed mail server2 OK
name or ip of postini-allowed mail server3 OK
name or ip of postini-allowed mail server4 OK
/^.*/ REJECT
whoops..
you want two rules for that...the first one the OK match and therefore not necessarily a regex table and the second one referring to the regex catchall.
Quoting Feizhou feizhou@graffiti.net:
name or ip of postini-allowed mail server1 OK
name or ip of postini-allowed mail server2 OK
name or ip of postini-allowed mail server3 OK
name or ip of postini-allowed mail server4 OK
/^.*/ REJECT
whoops..
you want two rules for that...the first one the OK match and therefore not necessarily a regex table and the second one referring to the regex catchall.
Would this have the same effect?
smtpd_restriction_classes = example.com-restrictions
example.com-restrictions = check_sender_access hash:/etc/postfix/example.com-restrictions, reject
Contents of /etc/postfix/example.com-restrictions:
name or ip of postini-allowed mail server1 OK
name or ip of postini-allowed mail server2 OK
name or ip of postini-allowed mail server3 OK
name or ip of postini-allowed mail server4 OK
Thanks, Barry
Barry Brimer wrote:
Would this have the same effect?
smtpd_restriction_classes = example.com-restrictions
example.com-restrictions = check_sender_access hash:/etc/postfix/example.com-restrictions, reject
Contents of /etc/postfix/example.com-restrictions:
name or ip of postini-allowed mail server1 OK
name or ip of postini-allowed mail server2 OK
name or ip of postini-allowed mail server3 OK
name or ip of postini-allowed mail server4 OK
Looks good.
Quoting Feizhou feizhou@graffiti.net:
Looks good.
Feizhou,
Thanks so much for your help, I was able to implement this restriction very easily with your kind assistance. I decided to use a regexp file to do the reject, because that allows me to send a custom error message. Simply placing the "reject" at the end of the list throws a generic message that does not exactly describe why the message is being rejected.
Once again - Many Thanks!!!
Barry
You are welcome Barry.
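The restriction-class setup worked out in this thread, consolidated as an added example (not a configuration posted by either participant). It uses check_client_access, as in the earlier messages, because that lookup keys on the connecting client's address, while check_sender_access keys on the envelope sender address. The file /etc/postfix/postini_clients.cidr and the 192.0.2.0/24 range are placeholders assumed here.

```conf
# --- /etc/postfix/main.cf ---
# Declare the class first, then define its rules.
smtpd_restriction_classes = example.com-restrictions

# Rules are tried in order: allow-list lookup, then the catch-all reject.
example.com-restrictions =
    check_client_access cidr:/etc/postfix/postini_clients.cidr,
    check_client_access regexp:/etc/postfix/example.com-restrictions.regexp

# Keep reject_unauth_destination ahead of the per-domain lookup: an OK
# returned from inside the class ends this restriction list with "permit".
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipient_checks

# --- /etc/postfix/recipient_checks ---
# Indexed file: run "postmap /etc/postfix/recipient_checks" after editing.
# Only recipients in this domain are sent through the class; mail for the
# other hosted domains never sees it.
example.com     example.com-restrictions

# --- /etc/postfix/postini_clients.cidr ---
# Plain text, read directly (no postmap).
# Placeholder range (assumption): replace with the addresses the
# filtering provider publishes for its outbound servers.
192.0.2.0/24    OK

# --- /etc/postfix/example.com-restrictions.regexp ---
# Plain text, read directly (no postmap). Matches every client that the
# allow-list above did not accept, and carries the custom reject text.
/./     REJECT Mail for example.com is accepted only from its filtering service

# --- table checks to run before "postfix reload" ---
# Query each table with the key smtpd would use:
#   postmap -q example.com hash:/etc/postfix/recipient_checks
#   postmap -q 192.0.2.25 cidr:/etc/postfix/postini_clients.cidr
#   postmap -q 198.51.100.7 cidr:/etc/postfix/postini_clients.cidr
```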