Subject: Re: Access forbidden for 'tous' aliases
From: Ralf Hildebrandt (R.Hildebrandttu-bs.de)
Date: Wed Feb 09 2000 - 11:44:29 CST


On Wed, Feb 09, 2000 at 06:22:02PM +0100, Emmanuel Courcelle wrote:

> The script tries to find out the From: field, and the mail is rejected
> if it comes from 'OUTSIDE' (the domain name is different from ipbs.fr).
Too simplistic. From: can be forged.

> Do you think it is possible to implement this through a postfix access
> list ???

Use the restriction classes (this example based on IPs):

smtpd_restriction_classes = INTERN
INTERN = check_client_access
                        dbm:$config_directory/intern,
                        reject

and in "intern" I have:
132.231 OK

smtpd_recipient_restrictions = permit_mynetworks,
                               reject_invalid_hostname,
                               reject_non_fqdn_sender,
                               reject_non_fqdn_recipient,
                               reject_unknown_sender_domain,
                               reject_unknown_recipient_domain,
                               reject_unauth_pipelining,
                               reject_non_fqdn_hostname,
                               reject_unauth_destination,
                               check_recipient_access regexp:$config_directory/recipient_checks.regexp,
                               check_sender_access dbm:$config_directory/sender_checks,
                               check_client_access dbm:$config_directory/client_checks,
                               reject_maps_rbl,
                               permit

and in recipient_checks.regexp:
/^tous/ intern

So mail to "tous" is only allowed from IPs in 132.231.x.x

-- 
Ralf Hildebrandt <R.Hildebrandttu-bs.de> www.stahl.bau.tu-bs.de/~hildeb
Your mantra for today is: Don't let data from the network near a
shell. Bad things happen.                    -- Randall Schwartz
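
Added example, not part of the original message and not Postfix code: a simplified Python model of the check_recipient_access step configured above, showing that the decision for "tous" depends on the connecting client's IP and never on the From: header. The function names, the sample addresses and the in-memory tables are constructed for illustration; the prefix lookup order follows access(5), and the rest of smtpd_recipient_restrictions is not modelled.

```python
import re

# Constructed stand-ins for the two lookup tables shown in the message.
INTERN_TABLE = {"132.231": "OK"}  # contents of "intern"
# Postfix regexp tables match case-insensitively by default.
RECIPIENT_CHECKS = [(re.compile(r"^tous", re.I), "intern")]


def client_lookup(table, ip):
    """access(5) order for IPv4: full address, then each shorter dotted prefix."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        hit = table.get(".".join(octets[:n]))
        if hit:
            return hit
    return None


def intern_class(client_ip):
    """Model of: INTERN = check_client_access dbm:.../intern, reject"""
    if client_lookup(INTERN_TABLE, client_ip) == "OK":
        return "permit"
    return "reject"


def decide(client_ip, recipient, header_from=None):
    """Model of the check_recipient_access step only.

    header_from is accepted but deliberately unused: recipient restrictions
    run at RCPT TO, before any message header has been sent.
    """
    for pattern, _action in RECIPIENT_CHECKS:
        if pattern.search(recipient):
            return intern_class(client_ip)
    return "dunno"  # no match: the later restrictions in the list decide


if __name__ == "__main__":
    # Constructed sample deliveries: (client IP, recipient, claimed From:)
    samples = [
        ("132.231.5.9", "tous@ipbs.fr", "anyone@example.org"),
        ("10.1.2.3", "tous@ipbs.fr", "boss@ipbs.fr"),  # forged From: does not help
        ("10.1.2.3", "someone@ipbs.fr", None),
        ("10.1.2.3", "tousled@ipbs.fr", None),  # also caught by /^tous/
    ]
    for ip, rcpt, frm in samples:
        print(ip, rcpt, frm, "->", decide(ip, rcpt, frm))
```

The last sample shows that /^tous/ applies to every recipient address beginning with "tous", not only the alias itself. In the real configuration permit_mynetworks is evaluated first, so clients in mynetworks are accepted before this check is reached.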