Re: restrict sending of mails
From: /dev/rob0 (rob0@gmx.co.uk)
Date: Thu Nov 24 2005 - 14:56:36 CST
Please don't top-post your replies. Thank you.
On Wednesday 2005-November-23 15:12, Robert Cerny wrote:
> thanks for reply. This is output of postconf -n:
> smtpd_client_restrictions = reject_maps_rbl
This is deprecated, and probably does nothing without maps_rbl_domains
set, which you do not have set. The "new" (Postfix 2.0?) way to do this
is with "reject_rbl_client your.chosen.RBL" restrictions in one of the
smtpd_*_restrictions stages.
> smtpd_delay_reject = yes
> smtpd_enforce_tls = no
These are both default settings, and as such, not needed in your
main.cf. You should remove them.
snip
> smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/
> restricted_senders, permit_sasl_authenticated, permit_mynetworks,
> reject_unauth_destination, permit
So the first restriction is the restricted_senders sender lookup. This
includes envelope senders from untrusted remote clients. Might not hurt
anything, but definitely something to be aware of.
> smtpd_restriction_classes = local_only
snip
> local_only =
> check_recipient_access hash:/etc/postfix/local_domains, reject
>
> I did create two files:
> /etc/postfix/restricted_senders
> rcerny@mydomain.com local_only
Let's say "example" rather than "mydomain", unless you happen to be
Dotster.com of Vancouver, Washington USA.
And if someone from an untrusted client forges your sender address,
rcerny@example.com, they go into your local_only restriction class.
> /etc/postfix/local_domains
> gmail.com REJECT
At least no harm is done here. But look, you've got what amounts to a
total reject restriction. If recipient is @gmail.com, reject;
otherwise, reject. Is that the problem you hit? If so, try adding a
"permit_sasl_authenticated, permit_mynetworks" into your local_only
restriction class before the reject.
I like modularity, so I would use another restriction class, called
"relay_allowed":
main.cf:
[ ... ]
smtpd_restriction_classes = local_only, relay_allowed
relay_allowed = permit_sasl_authenticated, permit_mynetworks
local_only = check_recipient_access hash:/etc/postfix/local_domains,
relay_allowed, reject
smtpd_recipient_restrictions =
check_sender_access hash:/etc/postfix/restricted_senders,
relay_allowed, reject_unauth_destination, permit
[...]
But that's just me.
On Thursday 2005-November-24 04:02, Robert Cerny wrote:
> On 24.11.2005, at 0:01, mouss wrote:
> >> I'm trying to restrict sending of emails to some domains
> >> (gmail.com, hotmail.com, etc.) for some users.
> >
> > just out of curiosity: why? I can understand that some people
> > restrict some of their people to only send to local domains and
> > other such configs, but I've never thought of allowing people mail
> > to all but some domains. if you have a real use case for this, I'd
> > like to get the rationale.
> I'm just an admin who was asked to make such a configuration. I can
> find 10+ workarounds to send email to protected sites, but it's not
> my business to discuss wishes of my boss ;)
Sure it is. When bosses tell you they want to do something stupid or
wrong, we have a professional responsibility to tell them so. It's not
always easy, but it's what everyone should do. Even in non-professional
contexts, if something someone in power wants you to do is wrong, you
should not do it.
The moral angle could lead off-topic, but I think the professional one
is fully applicable to this list, as bosses often seem to ask for the
wrong things, based on their lack of understanding of how Internet mail
should work. That may or may not be the case here.
> Anyway, the reason is simple - the company is providing something
> similar to google/adsense system and simply doesn't want to point their
> customers to it.
You'll be blocking them from one (or more) of the largest freemail
providers. It's not really a moral issue because your company can
decide what service it wishes to provide, and if that service does not
include access to large freemail services, *caveat emptor*.
You should, however, make this clear in your ToS agreement. It would
also be a good idea to remind your users why they're being rejected:
local_domains:
gmail.com REJECT Not allowed access to/from gmail.com
hotmail.com REJECT Not allowed access to/from hotmail.com
[ ... ]
Note the "to/from" ... you probably also want to call this file as a
check_sender_access restriction. Why accept mail that your users would
not be able to reply to?
main.cf:
[ ... ]
smtpd_recipient_restrictions =
check_sender_access hash:/etc/postfix/local_domains,
check_sender_access hash:/etc/postfix/restricted_senders,
relay_allowed, reject_unauth_destination, permit
[...]
I'm not sure "local_only" and "local_domains" are proper names for
these, but it can be made to work even with completely obfuscated
naming conventions. :)
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
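As an added illustration, not part of rob0's post and not Postfix code, here is a small Python model of how Postfix walks a restriction list such as smtpd_recipient_restrictions. It covers only the restrictions used in this thread (check_sender_access, check_recipient_access, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit, reject and restriction classes), uses constructed lookup tables in place of the hash: files, assumes example.com is the only domain in mydestination, and simplifies the access(5) lookup order to full address, then domain, then parent domains. Running it traces both the quoted configuration and the relay_allowed layout suggested above: the original local_only class rejects the restricted user's mail to every recipient, not just gmail.com; the relay_allowed class lets the authenticated user through to unlisted domains while an outside client forging rcerny@example.com is still rejected; and applying local_domains as a sender check also turns away inbound mail from gmail.com.

```python
"""Toy model of how Postfix walks a restriction list (smtpd_recipient_restrictions).

Constructed for this thread to trace the configurations discussed in it; it is
not Postfix code and models only the restrictions the thread uses.
"""

# Constructed stand-ins for the hash: lookup tables quoted in the thread.
RESTRICTED_SENDERS = {"rcerny@example.com": "local_only"}
LOCAL_DOMAINS = {
    "gmail.com": "REJECT Not allowed access to/from gmail.com",
    "hotmail.com": "REJECT Not allowed access to/from hotmail.com",
}
# Domains this server accepts mail for (mydestination); assumed for the example.
MY_DESTINATION = {"example.com"}

# The poster's configuration as quoted in the thread.
ORIGINAL_CLASSES = {
    "local_only": [("check_recipient_access", LOCAL_DOMAINS), "reject"],
}
ORIGINAL = [
    ("check_sender_access", RESTRICTED_SENDERS),
    "permit_sasl_authenticated", "permit_mynetworks",
    "reject_unauth_destination", "permit",
]

# rob0's suggested layout: a relay_allowed class used inside local_only, and
# local_domains applied as a sender check as well.
FIXED_CLASSES = {
    "relay_allowed": ["permit_sasl_authenticated", "permit_mynetworks"],
    "local_only": [("check_recipient_access", LOCAL_DOMAINS), "relay_allowed", "reject"],
}
FIXED = [
    ("check_sender_access", LOCAL_DOMAINS),
    ("check_sender_access", RESTRICTED_SENDERS),
    "relay_allowed", "reject_unauth_destination", "permit",
]


def lookup(table, address):
    """Simplified access(5) order: full address, then the domain and its parents."""
    if address in table:
        return table[address]
    labels = address.split("@", 1)[1].split(".")
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None


def walk(restrictions, classes, session):
    """Return 'PERMIT', a 'REJECT ...' string, or None when the list ends undecided."""
    for r in restrictions:
        verdict = apply_one(r, classes, session)
        if verdict is not None:
            return verdict
    return None


def apply_one(r, classes, session):
    if isinstance(r, tuple):  # (check_sender_access | check_recipient_access, table)
        kind, table = r
        key = session["sender"] if kind == "check_sender_access" else session["recipient"]
        action = lookup(table, key)
        if action is None:
            return None
        if action in classes:  # the table value names a restriction class
            return walk(classes[action], classes, session)
        return "PERMIT" if action.upper() == "OK" else action
    if r in classes:
        return walk(classes[r], classes, session)
    if r == "permit_sasl_authenticated":
        return "PERMIT" if session["sasl"] else None
    if r == "permit_mynetworks":
        return "PERMIT" if session["mynetworks"] else None
    if r == "reject_unauth_destination":
        rcpt_domain = session["recipient"].split("@", 1)[1]
        return None if rcpt_domain in MY_DESTINATION else "REJECT Relay access denied"
    if r == "permit":
        return "PERMIT"
    if r == "reject":
        return "REJECT Access denied"
    raise ValueError("unknown restriction: " + r)


def decide(restrictions, classes, session):
    """Final verdict for one RCPT TO; a list that ends undecided lets the request through."""
    return walk(restrictions, classes, session) or "PERMIT"


def session(sender, recipient, sasl=False, mynetworks=False):
    return {"sender": sender, "recipient": recipient,
            "sasl": sasl, "mynetworks": mynetworks}


if __name__ == "__main__":
    cases = [
        ("restricted user, authenticated, to gmail.com",
         session("rcerny@example.com", "x@gmail.com", sasl=True)),
        ("restricted user, authenticated, to an unlisted domain",
         session("rcerny@example.com", "x@other.org", sasl=True)),
        ("outside client forging the restricted sender, to a local mailbox",
         session("rcerny@example.com", "postmaster@example.com")),
        ("inbound from gmail.com to a local mailbox",
         session("someone@gmail.com", "user@example.com")),
    ]
    for label, s in cases:
        print(f"{label}:\n  original: {decide(ORIGINAL, ORIGINAL_CLASSES, s)}"
              f"\n  fixed:    {decide(FIXED, FIXED_CLASSES, s)}")
```

The second case is the one the poster most likely hit: under the quoted configuration every RCPT TO from the restricted sender that is not a listed domain falls through to the class's final reject. Note also that the forged-sender case is rejected under both layouts, which is the "something to be aware of" point about applying check_sender_access before permit_mynetworks: legitimate inbound mail that happens to carry a restricted envelope sender is refused as well.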