[CentOS] restricting mails from "mail" command to specific domains only in postfix

Fri Jan 2 23:37:19 UTC 2009
mouss <mouss at ml.netoyen.net>

ankush grover a écrit :
> Hi Friends,
> 
> I have configured a Postfix mail server on CentOS for relaying mails
> from 5 linux servers (including itself) within the same LAN. The
> postfix mail server should relay mails from these 5 linux servers for
> specific domains only. For example hosts 192.168.0.23/24/25/26/27 and
> the postfix mail server should only be able to receive and send mails
> from and to example.com,example2.com and example3.com domains only.
> Below is the configuration of the postfix mail server
> 
> myhostname = test.example.com
> myorigin = $mydomain
> inet_interfaces = all
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> mynetworks_style = subnet
> mynetworks = 192.168.0.23/32,192.168.0.24/32,192.168.0.25/32,127.0.0.1/32,192.168.0.26/32,192.168.0.27/32
> ,relay_domains = $mydestination,example.com,example2.com,example3.com
> smtpd_recipient_restrictions =
> reject_unauth_destination,permit_mynetworks,reject
> 
> 
> The issue I am facing is that things are working fine when I check
> through telnet, but when I do testing through the command line with the
> "mail" command I am able to send mails to any domain from these 5
> servers.
> 
> bash-2.05$ telnet test.example.com 25
> Trying 192.168.0.27...
> Connected to test.
> Escape character is '^]'.
> 220 test.example.com ESMTP Postfix (2.2.5)
> mail from:ankush.grover at example.com
> 250 Ok
> 501 Syntax: RCPT TO: <address>
> rcpt to:ankush at gmail.com
> 554 <ankush at gmail.com>: Relay access denied
> 
> 
> How can I restrict mails going through the "mail" command from these
> 5 servers to specific domains only? These 5 servers are running some
> cronjobs, and these cronjobs' output is mailed through the "mail" command.
> 
> 

smtpd_*_restrictions apply to mail submitted via SMTP (which is the case
if you use telnet or if mail is received from a remote machine). But
mail submitted via the sendmail command (which is the case when you use
the 'mail' command) is not subject to these restrictions.

In short, with your current config, you have what you want except for
mail submitted via sendmail on the relay itself.

Do you really want to restrict the latter? Unless you are using SELinux
or the like to prevent other programs from connecting to the network, a
program can simply connect directly to the outside.

If you insist, then force mail to be passed to an smtpd using "-o
content_filter" in master.cf:

pickup ....
	-o content_filter=relay:[127.0.0.1]:25

With this, mail received via the sendmail command will be passed to
127.0.0.1 port 25 and you get what you want.

But there is a caveat here: if, after being received on port 25, the
message is reinjected using the sendmail command (say from a content
filter or from maildrop/procmail/whatever), then it will go to
127.0.0.1:25 again, and so on. At some time, you'll get an infinite
loop error message (which won't loop, because internal messages are not
subject to content_filter!)
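As an added example (not part of mouss's reply, the original poster's configuration, or the Postfix project), here is a small POSIX sh script that applies the master.cf change described above: it adds the "-o content_filter=relay:[127.0.0.1]:25" override to the pickup service entry, idempotently, and can check whether the override is already present. It assumes the master.cf path is passed as an argument, that the pickup entry starts with "pickup" in column 1 (as in the stock file), and it builds a constructed minimal master.cf for the demonstration rather than touching a live system.

```shell
#!/bin/sh
# Added example, not from the list post or the Postfix project.
# Apply the master.cf change mouss describes: an "-o content_filter"
# override on the pickup service, so mail handed to the local sendmail
# command (which "mail" uses) is re-submitted to smtpd on 127.0.0.1:25,
# where smtpd_recipient_restrictions apply.
# Assumptions: the master.cf path is given as an argument, the pickup
# entry starts with "pickup" in column 1, and the override value is the
# one from the post.

FILTER='relay:[127.0.0.1]:25'

# Exit 0 if the pickup entry already carries a content_filter override.
# Continuation lines of a master.cf entry start with whitespace; the next
# non-indented, non-comment line ends the entry.
pickup_filter_set() {
    awk '
        in_pickup && /^[ \t]+-o[ \t]*content_filter=/ { found = 1 }
        /^pickup[ \t]/ { in_pickup = 1; next }
        /^[^ \t#]/     { in_pickup = 0 }
        END { exit !found }
    ' "$1"
}

# Insert the override directly after the pickup service line. Running it
# twice leaves the file unchanged.
add_pickup_filter() {
    f="$1"
    pickup_filter_set "$f" && return 0
    awk -v filt="$FILTER" '
        { print }
        /^pickup[ \t]/ { print "  -o content_filter=" filt }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Constructed sample master.cf with only the entries needed for the demo
# (not a complete Postfix master.cf).
make_sample_master_cf() {
    cat > "$1" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
EOF
}

# Demo when run as "sh script.sh --demo": edit a temporary sample file
# twice and print the resulting pickup entry.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_master_cf "$tmp"
    add_pickup_filter "$tmp"
    add_pickup_filter "$tmp"          # second run changes nothing
    sed -n '/^pickup/,/^cleanup/p' "$tmp"
    rm -f "$tmp"
fi
```

On a real system you would run it against /etc/postfix/master.cf and then reload Postfix. Because the poster's smtpd_recipient_restrictions list reject_unauth_destination before permit_mynetworks, a cron job's "mail" to a domain outside relay_domains is now rejected by the smtpd on 127.0.0.1:25 and bounces back to the local sender instead of being relayed. The caveat in the reply still holds: anything that re-injects such a message with the sendmail command (a content filter, procmail, maildrop) sends it through pickup and back to 127.0.0.1:25 again.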