From: Alain Delava (Trasys) (alain.delava_at_trasys.be)
Date: Wed Jul 24 2002 - 07:11:22 CDT

    That's not a very friendly answer :-(.

    Well let's have a look :

    > -----Original Message-----
    > From: Michael Tokarev [mailto:mjttls.msk.ru]
    > Sent: mercredi 24 juillet 2002 12:48
    > To: postfix-userspostfix.org
    > Subject: Re: check_sender_access
    >
    >
    > "Alain Delava (Trasys)" wrote:
    > >
    > > Hi there,
    > >
    > > I have set up a small mail relay that relays emails only between a
    > > restricted set of domains. Therefore, I check_relay_domains
    > to permit
    > > relaying only to the identified domains (it checks the
    > rfc821 To: field)
    > > and check_sender_access to check the from: field.
    >
    > Nope, all smtpd_*_restrictions work with (check) *envelope*
    > information at SMTP level, smtpd has NOTHING to do with email
    > headers and with To/From fields in particular.

    Ok, "field" is not the correct word, but RFC821 = envelope = addresses
    used during the SMTP transaction (not the headers, so "To: field" is
    indeed not very clear); anyway this is what I want and it works.

     
    > > relay_domains = $config_directory/allowed-recipient-domains
    > > smtpd_client_restrictions = check_client_access
    > > hash:/etc/postfix/allowed-smtp-clients, reject
    > > # only mail servers listed in allowed-smtp-clients
    > can relay through me
    >
    > Nope. Only mail servers listed in allowed-smtp-clients can
    > USE your mail server,
    > or can CONNECT to it.

    Again, the comment is not very clear but that is also what I want, only
    allowed-recipient-domains can connect to me or use me, so only they can
    relay through me :-) (I can get mails only from that list of servers).
     
    > > smtpd_recipient_restrictions = reject_unauth_destination,
    > > check_relay_domains
    > > # a mail is relayed by me ONLY if the destination
    > domain (in the TO:
    > > field)
    > > # matches one of the allowed-recipient-domains file
    >
    > Nope. Again, this restriction has nothing to do with To/From
    > fields in message headers. Also, those two restriction primitives
    > (reject_unauth_destination and check_relay_domains) are redundant -
    > only one is enough, second is a noop.

    Same remark ; ok for your comment about the redundant rules, but I tried
    check_relay_domains alone and it didn't do it, perhaps should I have a
    "reject" right after ?
     
    > > smtpd_sender_restrictions = check_sender_access
    > > hash:/etc/postfix/allowed-sender-domains, reject
    > > # a mail is relayed by me ONLY if the sender domain
    > (in the FROM:
    > > field)
    > > # matches one of the allowed-sender-domains file
    >
    > Nope - again headers vs envelope.

    Same remark. RFC821 = envelope ; RFC822 = headers, I know that.
     
    > > This works well but I just noticed that return receipts generated by
    > > Exchange servers have a rfc821 FROM: which is empty (rfc822
    > FROM: is not
    > > empty, something like POSTMASTERexchange.domain).
    >
    > Nope, envelope sender IS empty (see below your log).

    Yup, that's the RFC821 "mail from:" command in the SMTP transaction,
    that's what I wanted to say.
     
    > > Therefore I get rejected mails :
    > >
    > > Jul 23 14:35:40 ME postfix/smtpd[14846]: reject: RCPT from
    > > exchange.domain [123.123.123.123]: 554 <>: Sender address rejected:
    > > Access denied; from=<> to=<someoneallowed.domain>
    >
    > This is due to your sender_restrictions. You should allow empty
    > envelope sender in your allowed-sender-domains.

    How can I do that ? Oh yes on the mailing list we like constructive
    answers ;-)
     
    > > Any idea on how I could solve that problem without removing my
    > > smtpd_sender_restrictions ?
    >
    > I highly suggest you to remove ALL but the
    > smtpd_recipient_restrictions
    > and place all your checks in there. Until you will be more familiar
    > with all the things involved here.

    Ok, you could also ask me to RTFM :) (but I did). So what would you
    suggest for this behaviour :
    - only accept mails from a list of servers (known by IP)(or name if you
    want)
    - and only accept to relay mails from identified domains (and with empty
    envelopes!)
    - and only accept to relay mails to identified domains
    - everything else is rejected.

    That's what my so-poor-setup does, but if you have better suggestions
    they are of course welcome.

    /Alain
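The open question in the message above (how to allow the empty envelope sender in the `check_sender_access` map) comes down to one extra map key. The following is an added example, not part of the original post and not Postfix code: a simplified Python model of the sender lookup, where the domain names are constructed and `<>` is the default value of Postfix's `smtpd_null_access_lookup_key`, the key looked up when `MAIL FROM:` is empty.

```python
# Added example: simplified model of a Postfix check_sender_access lookup.
# Map contents and addresses are constructed for illustration. Only the
# full-address, domain and null-sender lookups are modelled.
NULL_SENDER_KEY = "<>"  # default of smtpd_null_access_lookup_key

# Constructed contents for /etc/postfix/allowed-sender-domains (access(5) format).
ACCESS_MAP_TEXT = """\
# domains allowed as envelope sender
allowed.example      OK
partner.example      OK
# empty envelope sender: bounces and delivery/return receipts
<>                   OK
"""

def parse_access_map(text):
    """Parse 'key <whitespace> action' lines, skipping blanks and comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table

def check_sender_access(table, mail_from):
    """Return the map action for an envelope sender, or None if nothing matches."""
    addr = mail_from.strip().strip("<>").lower()
    if addr == "":
        # Null sender: looked up under the special key, not under an empty string.
        return table.get(NULL_SENDER_KEY)
    if addr in table:
        return table[addr]
    return table.get(addr.rpartition("@")[2])  # fall back to the domain part

def sender_restrictions(table, mail_from):
    """Model 'check_sender_access hash:..., reject': an OK match permits, else reject."""
    action = check_sender_access(table, mail_from)
    return "OK" if action == "OK" else "REJECT"

if __name__ == "__main__":
    table = parse_access_map(ACCESS_MAP_TEXT)
    for sender in ("<>", "<user@allowed.example>", "<spam@elsewhere.example>"):
        print(f"MAIL FROM:{sender:28} -> {sender_restrictions(table, sender)}")
```

Without the `<>` line the model returns REJECT for the null sender, which corresponds to the 554 in the quoted log. On a real system the hash map has to be rebuilt with `postmap` after the source file is edited.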