From: Michael Tokarev (mjt@tls.msk.ru)
Date: Sun Feb 18 2001 - 08:47:36 CST


    "Diaolin (Natali Giuliano)" wrote:
    >
    > I have a problem that is even discussed in the FAQ:
    > I have 80 users on my postfix server, but I want this:
    > user1 and user2 allowed to send messages only locally,
    > the others everywhere.
    > The FAQ explains this with the
    > ---------------
    > /etc/postfix/main.cf:
    > smtpd_recipient_restrictions =
    > hash:/etc/postfix/restricted_senders
    > ...other stuff... ?????? this is required by postfix but what should I
    > use?
    Use the usual anti-relay settings; the defaults will be sufficient to begin with.

    >
    > smtpd_restriction_classes = local_only
    > local_only = check_sender_access hash:/etc/postfix/local_domains,
                         ^^^^^^
    I suspect that you mean check_RECIPIENT_access here (but in lowercase).

    > reject
    >
    > /etc/postfix/restricted_senders:
    > foo@domain local_only
    > bar@domain local_only
    >
    > /etc/postfix/local_domains:
    > this.domain OK (matches this.domain and subdomains)
    > that.domain OK (matches that.domain and subdomains)
    > ------------------------------
    > I'm confused...
    > What am I missing???
    >
    > Tx, Diaolin
    > P.S: why smtpd_recipient_restrictions and not smtpd_sender_restrictions?????

    Because you want to restrict the sender+recipient combination, and so need
    information about both the sender and the recipient.
    [...]

    Ok. But note that this will NOT work even if everything is set up correctly.
    There are far too many ways to bypass those restrictions. I'll give
    only two examples; at least another five come to mind...
    Assume that user@your.dom is restricted the way you described.

    1. This user can create a free email account, e.g. at yahoo or somewhere,
    say user@yahoo.com. He then sets up his MUA to use that address in the
    From field, and voila, the restrictions break: he can send mail
    anywhere. To receive it, he can either log in to yahoo using http,
    or just set up a redirect at yahoo, user@yahoo.com => user@your.dom.

    2. He can set up a .forward file in his home, like this:
      .forward-some that contains some@other.dom.ain.
    After that, he can send mail from user@your.dom to user+some@your.dom
    (ok for your restrictions), and the mail will be redirected to ANY address
    listed in his .forward-some file (assuming that you have the appropriate
    recipient_delimiter and forward_path, which are sometimes very useful for
    other purposes).

    As a conclusion: basically, you can't impose such restrictions easily.

    Regards,
     Michael.
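Putting the thread together as one corrected configuration, as an added example that is not part of the original post: the restriction class uses check_recipient_access as Michael points out, the "other stuff" is the standard Postfix anti-relay pair he refers to, and the user addresses and domain names are constructed.

```conf
# /etc/postfix/main.cf  (constructed example)
#
# Order matters: the sender lookup must run before permit_mynetworks,
# otherwise users on the local network are permitted before their
# restriction class is ever consulted.
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders,
    permit_mynetworks,
    reject_unauth_destination

# A restriction class is a named list of restrictions that an access
# table may return in place of OK / REJECT.
smtpd_restriction_classes = local_only

# For a restricted sender: permit only recipients listed in local_domains,
# reject everything else.  This is the line that must say
# check_RECIPIENT_access, not check_sender_access.
local_only =
    check_recipient_access hash:/etc/postfix/local_domains,
    reject

# /etc/postfix/restricted_senders  (envelope sender -> restriction class)
# Keyed on the MAIL FROM address the client supplies, which is exactly
# why the bypasses described above are possible.
user1@your.dom    local_only
user2@your.dom    local_only

# /etc/postfix/local_domains  (recipient domain -> OK; matches subdomains)
your.dom          OK
partner.dom       OK
```

After editing, rebuild both tables with `postmap /etc/postfix/restricted_senders /etc/postfix/local_domains` and run `postfix reload`.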