From: Nick Simicich (njs@scifi.squawk.com)
Date: Tue Oct 02 2001 - 01:42:19 CDT
I posted here a couple of days ago how to allow someone a whitelist by
setting up a special restriction class for a particular user. We will add
to that example by setting up a special restriction class that has only one
restriction: One user can mail to that class. We will then apply that
class to only one user.
Add a line at the beginning of /etc/postfix/recipients that reads:
/^specialuser\@specialdomain.tld$/ oneuser
This applies the special restriction class to the one user.
We now define the special restriction class by changing /etc/postfix/main.cf:
Add a new restriction class by changing smtpd_restriction_classes to read:
smtpd_restriction_classes =
permissive,
specialcustomer,
oneuser,
restrictive
Add the following clause to main.cf:
oneuser =
check_sender_access pcre:/etc/postfix/allow_oneuser_one_sender,
reject
So the oneuser class has only one restriction: it checks the sender access
against the regular expression list, and if it has not gotten a yes or no
answer from that list, it rejects the mail.
The file /etc/postfix/allow_oneuser_one_sender should read:
/^onesender@sendersdomain.tld/ OK
/.*/ 554 You may not send to this very paranoid user.
A complete regex match of the one user that is allowed to mail appears
first with "OK" saying that the sender that matches this recipient is OK,
and the second regular expression matches everything else, rejecting it
with an informative message.
This checks the asserted sender, in postfix, and rejects all other asserted
senders. But if I were to learn that "fred@foo.org" was the only sender
allowed to send to this magic address, I could simply forge this RFC821
sender address. You can further help your tests by only accepting mail
from systems you trust a little or from systems which you would expect the
mail from.
If you actually wanted only to accept mail from one system, you could add a
table checking the address of the sending system to the oneuser restriction
with a check_helo_access map, and so forth.
-=-=-=-=-
Here is the posting again, for the rest of the setup:
Here is my setup. You wanted someone to treat you simply. Just copy my
setup, making minimal changes.
smtpd_helo_required = yes
smtpd_helo_restrictions - empty
smtpd_sender_restrictions - empty
Specify all of your restrictions in smtpd_recipient_restrictions. Don't
ask questions, just do it.
What matters is the order in which things happen. So you do permits before
restricts. First you allow networks you will always
allow. check_recipient_access allows you to do different lists of
restrictions for different people. Finally you do your permit_mx_backup
and check_relay_domains.
smtpd_recipient_restrictions =
check_recipient_access pcre:/etc/postfix/recipients,
permit_mx_backup,
check_relay_domains
Like I said, check_recipient_access allows you to use different lists of
restrictions by address. All of the things we do to check and bounce mail
happen in the special restriction classes which are selected per
userid. And I have moved check_recipient_access up here.
permit_sasl_authenticated is optional if you use sasl.
smtpd_restriction_classes =
permissive,
specialcustomer,
restrictive
We have three classes - a permissive one for postmaster and abuse, a
special one for just the whacky user who insists on getting some spam, and
the normal class for everything else.
restrictive =
permit_mynetworks,permit_sasl_authenticated,
check_helo_access pcre:/etc/postfix/allow_broken_bad_helo_hosts,
reject_maps_rbl, reject_unknown_client,
reject_invalid_hostname, reject_unknown_hostname,
reject_unknown_sender_domain,reject_non_fqdn_sender,
reject_non_fqdn_recipient,reject_unauth_pipelining
Our normal case is to check some exceptions by helo message, then process
the rbl, then to check the reverse resolution of the client, then do all of
the other checks.
specialcustomer =
permit_mynetworks,permit_sasl_authenticated,
check_sender_access
pcre:/etc/postfix/allow_specialcustomer_some_senders,
check_helo_access pcre:/etc/postfix/allow_broken_bad_helo_hosts,
reject_maps_rbl, reject_unknown_client,
reject_invalid_hostname, reject_unknown_hostname,
reject_unknown_sender_domain,reject_non_fqdn_sender,
reject_non_fqdn_recipient,reject_unauth_pipelining
For our special customer, the first thing we do is check the RFC821 senders
against the exception lists, then our regular list of filtering and
checks. The point is that this happens in order - if they match the
sender_access and the sender_access says OK, then we will never check the rbl.
permissive =
permit_mynetworks,permit_sasl_authenticated,
check_helo_access pcre:/etc/postfix/allow_broken_bad_helo_hosts,
reject_non_fqdn_recipient
This is what we do for abuse and postmaster - as long as they tell us
exactly which postmaster or abuse they want, we will accept the mail. We
do still check_relay_domains and allow_mynetworks, so that we do not relay
for people who want us to send to postmaster anywhere.
/etc/postfix/recipients gets the following:
[root@parrot root]# cat /etc/postfix/recipients
/^postmaster\@.*$/ permissive
/^abuse\@.*$/ permissive
/^specialcustomer\@customerdomain.com$/ specialcustomer
/^.*$/ restrictive
[root@parrot root]#
[root@parrot root]# cat /etc/postfix/allow_specialcustomer_some_senders
/^exception1\@exception1domain\.com$/ OK
/^exception2\@exception2domain\.com$/ OK
[root@parrot root]#
[root@parrot root]# cat /etc/postfix/allow_broken_bad_helo_hosts
# Allow hosts that issue helo messages which are RFC Ignorant but are important
# enough that I do not want to just bounce their mail
/\.stupid-isp\.net$/ OK
/^baddomain\.in\.aol\.com$/ OK
/\.broken\.edu$/ OK
[root@parrot root]#
If you follow this cookbook, do exactly what I do here, I think this is
everything you need to do. This actually works for me, I changed the names
to protect the innocent. If you do the regexps in
allow_specialcustomer_some_senders so that they do not pay attention to the
localpart, you can allow whole domains in just for that customer.
Is this clear? Just do everything in smtpd_recipient_restrictions. A verb
that performs a certain check on a helo message will always perform that
check on the helo message no matter which list it is specified in;
specifying it in more than one place is a waste.
Until you get this right, specify
soft_bounce = yes
and
notify_classes = policy,protocol
which will not push back 5xx return codes and will send postmaster e-mail
when something bounces either from policy or because they are clueless.
--
War is an ugly thing, but it is not the ugliest of things. The decayed and degraded state of moral and patriotic feeling which thinks that nothing is worth war is much worse. A man who has nothing for which he is willing to fight, nothing he cares about more than his own personal safety, is a miserable creature who has no chance of being free, unless made so by the exertions of better men than himself. -- John Stuart Mill
Nick Simicich - njs@scifi.squawk.com
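As an added illustration (not part of Nick's post or of Postfix itself), here is a small Python model of the first-match-wins lookups the post relies on, using constructed copies of the three pcre: maps above; the rbl and DNS verbs are assumed away and a class that reaches them is reported as DUNNO, and the sender key is the forgeable RFC 821 envelope sender the post warns about.

```python
import re
# Constructed copies of the post's pcre: maps (the "\" + newline in the archived
# post is the list software's munging of "@"); Postfix stops at the first match.
RECIPIENTS = """
/^postmaster@.*$/ permissive
/^abuse@.*$/ permissive
/^specialuser@specialdomain.tld$/ oneuser
/^specialcustomer@customerdomain.com$/ specialcustomer
/^.*$/ restrictive
"""
ONEUSER_SENDERS = """
/^onesender@sendersdomain.tld/ OK
/.*/ 554 You may not send to this very paranoid user.
"""
SPECIAL_SENDERS = """
/^exception1@exception1domain\\.com$/ OK
/^exception2@exception2domain\\.com$/ OK
"""

def parse_pcre_map(text):
    """Turn '/regexp/ result' lines into (compiled regexp, result), in file order."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^/(.*?)/\s+(.*)$", line)
        if m:
            rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))  # pcre default: /i
        elif line and not line.startswith("#"):
            raise ValueError(f"bad pcre map line: {line!r}")
    return rules

def lookup(rules, key):
    """First-match-wins lookup, as Postfix does for a pcre: table; None if no match."""
    for rx, result in rules:
        if rx.search(key):
            return result
    return None

def smtpd_decision(sender, recipient):
    """Model the check_*_access steps of the post's classes; 'sender' is the RFC 821
    envelope sender (client-asserted, forgeable), rbl/dns verbs are not modelled."""
    cls = lookup(parse_pcre_map(RECIPIENTS), recipient)
    if cls == "oneuser":  # check_sender_access ..., reject
        r = lookup(parse_pcre_map(ONEUSER_SENDERS), sender)
        if r == "OK":
            return "OK"
        return r if r and r[:3].isdigit() else "REJECT"  # "554 ..." or the bare reject
    if cls == "specialcustomer" and lookup(parse_pcre_map(SPECIAL_SENDERS), sender) == "OK":
        return "OK"  # listed sender: the rbl and client checks after it never run
    return f"DUNNO ({cls}: fall through to the rbl/dns checks)"
```

Feeding it an exception sender with a recipient in the specialcustomer class shows the ordering point the post makes: the OK from check_sender_access ends the evaluation before reject_maps_rbl is ever reached.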